The Negative Trust Lecture

You are going to be tempted to trust the thing that has the credential.

Do not.

That is how this starts.

The machine is clean until the extension loads. The token is harmless until a process reads it. The agent is useful until it believes the wrong instruction. The CI job is routine until its supply chain is exploited. The internal request looks normal because, technically, it is normal. It has the right identity, the right session, the right signature, the right path through the system.

That is the problem.

Attackers do not need to break the door when someone has already opened it for them. They wait for authority to appear inside the environment they inhabit, and then they use it exactly the way the system was designed to accept.

So do not build systems that depend on trusted things staying trustworthy.

Give authority like you expect it to leak. Give it for one job. Give it for one place. Give it for one short window. Make it narrow enough that, when it is stolen, the blast is contained and the risk is already mitigated.

Let the workstation write the change. Let the agent propose the plan. Let CI build the artifact. But do not let the same place that handles untrusted inputs also hold the power to mutate the world. Keep unchecked supply chain updates out of critical paths.

Keep execution somewhere cleaner. Keep logs somewhere the actor cannot edit. Keep recovery somewhere the blast cannot reach.

And when you are about to grant more access because it is convenient, stop and ask the only question that matters:

What can this destroy if it has already been turned?

Do not grant the authority until the risk is understood and accepted.