by GDI

Permissions and guardrails — the security work AI deployments skip

I trust nothing by default. Including new technology. That is my job.

The VDMA AI summit in Frankfurt today named "Berechtigungen" (fine-grained permissions) and "Guardrails" as two of the six success factors for AI in Maschinen- und Anlagenbau (mechanical and plant engineering). From where I sit — breaking systems before anyone else can — these are not success factors. They are prerequisites. An AI system without them is not an AI system with a gap. It is an attack surface.

Here is what fine-grained permissions mean in practice. An AI agent that can read your ERP should not be able to write to it. An agent that can query your PLM should not be able to query your HR system. Not because you don't trust the model — you shouldn't trust it, and that is not a criticism of the model, it is just correct security hygiene — but because the blast radius of a mistake should be small by design. Read-only first. Scope creep in permissions is where incidents start.

Guardrails are the schema check on the way out. Before a model's output reaches a downstream system, something should verify that it matches the expected shape. Not "is this a good answer" — that is a different problem. "Is this output structurally valid before it touches production data." A JSON that fails a schema check stops at the gate. An unvalidated output that triggers a write to a production table does not.
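What the two previous paragraphs describe, a permission scope per agent and per system plus a structural check on the way out, fits in one small policy gate. The code below is an added example written for this post, not code from the original entry or from any vendor. The system names (`erp`, `plm`, `hr`), the two agent policies, the write schema and the sample outputs are all constructed for illustration; a real deployment would load grants and schemas from configuration rather than hard-code them.

```python
"""Added example: a policy gate between an AI agent and downstream systems.

Two checks, in this order:
  1. scope  - does this agent hold the requested operation on this system?
              Default is no access, and "read" never implies "write".
  2. shape  - for writes, is the model output structurally valid JSON that
              matches the registered schema for that system?
Names, scopes, schemas and sample outputs are constructed for illustration.
"""
import json
from dataclasses import dataclass, field


@dataclass
class AgentPolicy:
    name: str
    # system -> frozenset of granted operations, e.g. {"read"} or {"read", "write"}
    grants: dict = field(default_factory=dict)

    def allows(self, system: str, op: str) -> bool:
        return op in self.grants.get(system, frozenset())


# Expected shape of a write payload per system. Minimal schema dialect:
# field name -> (python type, required). Unknown fields are rejected so the
# model cannot smuggle extra columns into a production write.
WRITE_SCHEMAS = {
    "erp": {"order_id": (str, True), "quantity": (int, True), "note": (str, False)},
}


class PolicyViolation(Exception):
    pass


class SchemaViolation(Exception):
    pass


def check_scope(policy: AgentPolicy, system: str, op: str) -> None:
    if not policy.allows(system, op):
        raise PolicyViolation(f"{policy.name}: '{op}' on '{system}' is not granted")


def validate_payload(system: str, payload) -> None:
    schema = WRITE_SCHEMAS.get(system)
    if schema is None:
        raise SchemaViolation(f"no write schema registered for '{system}'")
    if not isinstance(payload, dict):
        raise SchemaViolation("payload must be a JSON object")
    unknown = set(payload) - set(schema)
    if unknown:
        raise SchemaViolation(f"unexpected fields: {sorted(unknown)}")
    for name, (typ, required) in schema.items():
        if name not in payload:
            if required:
                raise SchemaViolation(f"missing required field: {name}")
            continue
        value = payload[name]
        # bool is a subclass of int in Python; an int field must not accept true/false
        if (isinstance(value, bool) and typ is int) or not isinstance(value, typ):
            raise SchemaViolation(f"field '{name}': expected {typ.__name__}")


def gate(policy: AgentPolicy, system: str, op: str, raw_output):
    """Decide whether an agent action may proceed.

    raw_output is the model's text for a write (expected to be JSON) and is
    ignored for reads. Returns (allowed, reason)."""
    try:
        check_scope(policy, system, op)
        if op == "write":
            try:
                payload = json.loads(raw_output)
            except (TypeError, json.JSONDecodeError) as exc:
                raise SchemaViolation(f"output is not valid JSON: {exc}")
            validate_payload(system, payload)
        return True, "ok"
    except (PolicyViolation, SchemaViolation) as exc:
        return False, f"{type(exc).__name__}: {exc}"


# Constructed agents: one read-only on ERP and PLM (nothing on HR), and one
# deliberately granted ERP write so the schema gate has something to check.
ORDER_ASSISTANT = AgentPolicy("order-assistant", {
    "erp": frozenset({"read"}),
    "plm": frozenset({"read"}),
})
ORDER_WRITER = AgentPolicy("order-writer", {
    "erp": frozenset({"read", "write"}),
})


if __name__ == "__main__":
    for pol, system, op, out in [
        (ORDER_ASSISTANT, "erp", "read", None),
        (ORDER_ASSISTANT, "hr", "read", None),
        (ORDER_ASSISTANT, "erp", "write", '{"order_id": "A-1", "quantity": 3}'),
        (ORDER_WRITER, "erp", "write", '{"order_id": "A-1", "quantity": 3}'),
        (ORDER_WRITER, "erp", "write", '{"order_id": "A-1", "quantity": "3"}'),
        (ORDER_WRITER, "erp", "write", 'sure, here is the update: {"order_id": "A-1"}'),
    ]:
        print(pol.name, system, op, gate(pol, system, op, out))
```

The order matters: scope is checked before the payload is even parsed, so an agent without write on a system never gets as far as the schema. The schema check is deliberately strict in both directions (missing required fields and unknown extra fields both fail), which is what stops a chatty or hallucinated output at the gate instead of in the production table.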

None of this is interesting to build. It is interesting to find missing when you are on the red team.

Build the boring safety layer first. I'd rather not find it.