Key Takeaways

- Giving an AI agent kubectl access is an architecture decision, not a permission flag. Per-permission gates fail under prompt injection.
- OWASP ranks "Excessive Agency" as LLM06 in the 2025 Top 10 for LLM Applications and "Tool Misuse and Exploitation" as ASI02 in the 2026 Top 10 for Agentic Applications.
- The Kubernetes ecosystem already has an answer: k8s-sigs/agent-sandbox provides a declarative API for isolated agent runtimes using gVisor or Kata Containers.
- Real precedent exists. EchoLeak (CVE-2025-32711), CVSS 9.3, was the first publicly documented zero-click prompt-injection data exfiltration in a production LLM system. The kubectl analogue would be cluster-wide.
- Aurora runs every kubectl command in a pod-isolated process via its terminal_run primitive, with an environment-variable allowlist that strips secrets, signature-matcher and LLM-judge guardrails, and per-invocation cloud credentials.…