AIShell Labs LLC  ·  AIShell-Gate

What's between your AI and your production environment?

If the answer is "a safety prompt" or "nothing really" — this page is for you. Your AI operates under a Unix account. That account has permissions. There is nothing between what the AI proposes and what executes except the AI's own behavior. That behavior is probabilistic. Probabilistic sometimes means wrong.

The incident that sends people here

Sometimes it already happened. Sometimes it hasn't yet and you're trying to make sure it doesn't. Either way the underlying situation is the same: an AI with access to a Unix account, and no hard boundary between what it proposes and what actually runs.

If it hasn't happened yet: the question is the same. Your AI is operating under a Unix account. That account has permissions. There is nothing between what the AI proposes and what executes except the AI's own behavior — and that behavior is probabilistic. The same model that agreed to be careful will, under the right conditions, do something you did not intend.

You told the AI to be careful. That is not the same thing.

A safety prompt is a request. The AI might honor it. It might not. Probabilistic means sometimes wrong — and when wrong on a system command the consequences are immediate and often irreversible.

The tools people are running when this problem appears:

AI Coding Assistants
Claude Code · Cursor · Windsurf · GitHub Copilot · Cline · Aider

These tools have terminal and shell access by design. They execute commands, modify files, run builds, manage dependencies, and interact with version control. The permission models they ship with are convenience features, not compliance controls. They produce no tamper-evident audit trail.

Local LLM Setups
Ollama · LM Studio · llama.cpp · Jan.ai · LocalAI · LiteLLM

Developers running local models and connecting them to shell tools, file systems, or databases through agent frameworks. No built-in safety layer. The model runs under a Unix account. Whatever that account can reach, the model can reach.

Autonomous Agents & Pipelines
LangChain · CrewAI · AutoGen · custom pipelines

AI agents performing operational tasks — infrastructure maintenance, CI/CD repair, dependency management, repository triage, automated diagnostics. These agents generate shell commands dynamically based on system state. No human in the loop for every action.

Database Environments
PostgreSQL · MySQL · MongoDB · Redis · Elasticsearch

AI with database access is the highest-stakes scenario. A model that can query can also drop, truncate, update, or expose. The incident that sends most people searching is an AI that accessed production data, ran a destructive query, or exposed database credentials while completing a task.


If someone is about to ask you what controls exist

In regulated environments the question comes from outside — an auditor, a compliance officer, a client security review. The question is not whether the AI behaved well. The question is whether you can prove what it was authorized to do and produce a record of what it actually did.

Healthcare — HIPAA
EHR systems · clinical infrastructure · PHI-adjacent environments

The HIPAA Security Rule requires access controls, audit controls, and integrity controls for systems handling protected health information. When an AI agent operates in a healthcare environment the same controls apply to its actions that apply to any other process. A safety prompt satisfies none of them.

Financial Services — PCI-DSS · SOC 2 · GLBA
Cardholder data environments · payment systems · financial infrastructure

An AI agent with unrestricted shell access to a system in the cardholder data environment is a control failure by definition. PCI-DSS requires restricted access, full monitoring, and documented authorization. SOC 2 audits evaluate logical access controls and change management evidence. Neither is satisfied by model behavior alone.

Defense — CMMC · CUI
Defense contractors · government systems · controlled unclassified information

CMMC Level 2 requires audit log protection — logs must be protected from modification and unauthorized access. AI tools are being adopted faster than compliance frameworks can formally address them. A deterministic, auditable, dependency-free policy layer maps directly to existing CMMC requirements without waiting for AI-specific guidance.

DevOps & Infrastructure
CI/CD pipelines · deployment automation · infrastructure agents

AI-assisted DevOps teams and organizations running autonomous agents for infrastructure work face the same exposure as regulated industries — without the compliance deadline to force action. An AI agent with unrestricted shell access to production infrastructure is a single misconfiguration away from a significant incident.


What actually solves this

The answer

A policy layer that sits between the AI and the Linux execution environment. Every AI-issued command is evaluated before anything runs. You define what is permitted, what requires human approval, what is denied outright. The boundary is real — the AI account has no path around it.

Every decision is logged before execution: what was proposed, what was decided, and why. Not a chat log. A tamper-evident audit trail, the kind a compliance auditor can verify.

The moment that changes how you think about it: configure the AI's account so the only binary it can reach is the policy gate. Now the AI cannot execute anything directly. It can only make requests. Every request is evaluated. Every decision is recorded. You have moved from hoping the AI behaves to making unauthorized execution structurally impossible.

Why this is different from a safety prompt

A safety prompt operates at the language layer — it asks the AI to want to do the right thing. A policy gate operates at the execution layer — it controls what is physically allowed to run regardless of what the AI wants. These are not two versions of the same approach. They are different layers with different guarantees. One is a request. The other is a wall.
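To make the execution-layer idea concrete, here is a minimal policy gate written for this page (illustrative code, not AIShell-Gate's implementation): ordered allow / approve / deny rules with default deny, a hash-chained audit record written before anything runs, and a verify() that detects later edits to the log. The policy, the sample commands and the approver/executor callbacks are all constructed for the example.

```python
import hashlib, json, shlex, time
ALLOW, APPROVE, DENY = "allow", "approve", "deny"
META = set(";|&()<>`$")  # chaining or substitution would bypass prefix rules
# Constructed sample policy: ordered (argv prefix, decision); first match wins,
# anything unmatched is denied.
POLICY = [(("rm", "-rf"), DENY), (("git", "push"), APPROVE),
          (("git",), ALLOW), (("ls",), ALLOW)]

def evaluate(command, policy=POLICY):
    """Return (decision, reason) for one shell command string."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return DENY, f"unparseable command: {exc}"
    if not argv or any(META & set(tok) for tok in argv):
        return DENY, "empty or compound command"
    for prefix, decision in policy:
        if tuple(argv[:len(prefix)]) == prefix:
            return decision, "matched rule " + " ".join(prefix)
    return DENY, "no matching rule (default deny)"

class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []
    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "body": body, "hash": digest})
    def verify(self):
        """True iff no entry has been edited, reordered or removed."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != hashlib.sha256((prev + e["body"]).encode()).hexdigest():
                return False
            prev = e["hash"]
        return True

def gate(command, log, approver=lambda cmd: False, executor=lambda argv: None):
    """Decide, record the decision, and only then hand argv to the executor."""
    decision, reason = evaluate(command)
    if decision == APPROVE:  # ask a human; an unanswered request is a denial
        decision = ALLOW if approver(command) else DENY
        reason += "; approval " + ("granted" if decision == ALLOW else "refused")
    log.append({"ts": time.time(), "command": command, "decision": decision, "reason": reason})
    if decision == ALLOW:  # real executor: subprocess.run(argv) without shell=True
        executor(shlex.split(command))
    return decision
```

The gate only has teeth if, as the page says, it is the sole binary the AI account can reach; the log here lives in memory, so a deployment would append it to storage the AI account cannot write.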
If that fits your situation — aishellgate.com