Week 4: RAG, Context, and Agentic Systems  /  Lesson Preview

Agentic Flows, RBAC, and Poisoning Risks

Agent systems inherit every application security problem plus new orchestration ones.

Difficulty: advanced
Duration: 70 min
Gate: Retrieval and Agent Gate
Objective

Describe tool-using agent flows, where RBAC applies, and how retrieval or tool inputs can poison outcomes.

The lesson is public. The pressure loop lives inside the app where submissions, revision, and AI review happen.

Deliverable

A retrieval architecture brief and an agent threat model.

Each lesson contributes to a week-level artifact and eventually to the shipped AI-native SaaS.


What the machine covers in this lesson.

What This Is

This lesson studies agentic systems as orchestrated workflows with memory, tools, and state transitions, not as magic “autonomous” entities.

Why This Matters in Production

Agents multiply failure surfaces: prompt injection, over-broad tool access, bad intermediate state, poisoned retrieval, and unclear authority boundaries.

Mental Model

An agent is a policy-constrained state machine wrapped around a model. The model reasons; the surrounding system must decide what actions are permitted and what evidence is trusted.

Deep Dive

Once a model can choose tools, your problem stops being text generation and becomes workflow governance. Which tools can be called? With what arguments? Against which user context? What happens when retrieved context is hostile or stale? If you cannot answer those questions precisely, you do not have an agent architecture. You have a liability with a loop.

Worked Example

An internal research agent can search docs, draft a summary, and create a task. If it can also read unrestricted HR records because the retrieval layer ignored RBAC, you have turned orchestration convenience into a breach path.

Common Failure Modes

Common failures include over-scoped tool credentials, agent memory that mixes users, and no validation between model reasoning and tool execution.
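The governance layer the Deep Dive, the Worked Example and the failure-mode list describe can be made concrete in a small amount of code. The block below is an added illustration, not code from the course or from any framework it references: a scripted stub stands in for the model, and every name in it (the `Principal` type, the `DOCS` store, the `TOOLS` registry, the `govern` function) is a constructed assumption. It enforces RBAC inside retrieval so an engineer's query never surfaces the HR record, gates each proposed tool call on the caller's roles, validates arguments before execution, runs tools as the end user rather than a shared credential, and keys memory by user so contexts do not mix.

```python
"""Policy-gated agent loop (added illustration, not the course's code).

The 'model' is a scripted stub that proposes tool calls; everything else is the
governance layer between model reasoning and tool execution: a per-role tool
allow-list, argument validation, RBAC applied inside retrieval, per-user memory.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The end user on whose behalf the agent acts (constructed type)."""
    user_id: str
    roles: frozenset


# Constructed document store; every document carries the roles allowed to read it.
DOCS = [
    {"id": "eng-onboarding", "allow": {"engineer", "hr"},
     "text": "Onboarding: clone the repo and run the dev server."},
    {"id": "hr-salary-2024", "allow": {"hr"},
     "text": "Salary bands for 2024 by level (confidential HR record)."},
    {"id": "eng-oncall", "allow": {"engineer"},
     "text": "On-call rota: page the primary engineer first."},
]


def _words(text: str) -> set[str]:
    return set(re.findall(r"\w+", text.lower()))


def retrieve(principal: Principal, query: str) -> list[dict]:
    """RBAC is enforced inside retrieval: a document the caller may not read never
    reaches the model context, so the model cannot leak what it never saw.
    Retrieved text is labelled as untrusted content, never as an instruction."""
    q = _words(query)
    return [
        {"id": d["id"], "text": d["text"], "trust": "untrusted-content"}
        for d in DOCS
        if d["allow"] & principal.roles and q & _words(d["text"])
    ]


def create_task(principal: Principal, title: str) -> dict:
    """Constructed tool: the owner is the end user, never a shared service account."""
    return {"task": title, "owner": principal.user_id}


# Tool registry: which roles may call each tool and how its arguments are validated.
TOOLS = {
    "search_docs": {
        "roles": {"engineer", "hr"},
        "validate": lambda a: (set(a) == {"query"} and isinstance(a["query"], str)
                               and 0 < len(a["query"]) <= 200),
        "run": lambda p, a: retrieve(p, a["query"]),
    },
    "create_task": {
        "roles": {"engineer"},
        "validate": lambda a: (set(a) == {"title"} and isinstance(a["title"], str)
                               and 0 < len(a["title"]) <= 120),
        "run": lambda p, a: create_task(p, a["title"]),
    },
}

# Per-user memory keyed by user_id, so one user's context never bleeds into another's.
MEMORY: dict[str, list] = {}


def govern(principal: Principal, proposal: dict) -> dict:
    """The validation step between model reasoning and tool execution."""
    tool = TOOLS.get(proposal.get("tool"))
    if tool is None:
        return {"status": "denied", "reason": "unknown tool"}
    if not tool["roles"] & principal.roles:
        return {"status": "denied", "reason": "role not permitted"}
    args = proposal.get("args", {})
    if not isinstance(args, dict) or not tool["validate"](args):
        return {"status": "denied", "reason": "invalid arguments"}
    result = tool["run"](principal, args)
    MEMORY.setdefault(principal.user_id, []).append((proposal["tool"], result))
    return {"status": "ok", "result": result}


def run_agent(principal: Principal, proposals: list[dict]) -> list[dict]:
    """Stub agent loop: `proposals` stands in for what the model would emit each turn."""
    return [govern(principal, p) for p in proposals]


if __name__ == "__main__":
    eng = Principal("alice", frozenset({"engineer"}))
    for step in run_agent(eng, [
        {"tool": "search_docs", "args": {"query": "salary bands 2024"}},
        {"tool": "create_task", "args": {"title": "Review onboarding doc"}},
    ]):
        print(step)
```

The point of the structure is that no decision about authority is delegated to the model: the registry says which roles may call a tool, the validator says what arguments are acceptable, and the retriever applies the caller's roles before any text enters the context, which is exactly the control the Worked Example's HR-record breach was missing.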

Further reading the machine expects you to use properly.

LangGraph Overview (official doc): use this for the state-machine framing.

OWASP Agent Risks (official doc): useful for attack surface awareness.

Cloudflare Agents and Tools (official doc): bridge agent and tool-boundary thinking into platform concerns.

The full lesson is inside the app.

Submit the exercise, receive AI review, close the gaps the machine finds, and unlock the next lesson in the sequence.
