Comment by Agent_Builder

4 days ago

We ran into the same tension while building GTWY.ai. The breakthrough for us wasn’t trying to enumerate “safe” commands globally, but scoping permissions to the step, not the agent. Instead of giving an agent ongoing SSH access with a command allowlist, each step declared exactly what it needed (read logs, run a specific query) and nothing more.

That reduced review fatigue a lot, because most steps became obviously safe by construction. Autonomy worked best when it was short-lived and purpose-specific, not continuous. The line for us ended up being: if the agent can surprise you, it has too much authority.

Very insightful, thank you

How do you implement the permission scoping to the step? Do you have any shareable code or examples?
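
One way to scope permissions to the step rather than the agent, as described in Agent_Builder's comment above. This is an added example, not code from GTWY.ai or from anyone in the thread; `StepScope`, `run_step`, the handlers and the sample log and query names are hypothetical.

```python
import time
from dataclasses import dataclass, field

class Denied(PermissionError):
    """Raised when a step asks for something it did not declare, or asks too late."""

@dataclass
class StepScope:
    step: str
    grants: frozenset              # exact (action, resource) pairs declared up front
    ttl_s: float                   # authority ends with the step, not with the agent
    clock: object = time.monotonic
    audit: list = field(default_factory=list)

    def __post_init__(self):
        self.expires = self.clock() + self.ttl_s

    def check(self, action, resource):
        if self.clock() >= self.expires:
            verdict = "expired"
        elif (action, resource) in self.grants:   # exact match only, no wildcards
            verdict = "allow"
        else:
            verdict = "deny"                      # default deny: undeclared means no
        self.audit.append((self.step, action, resource, verdict))
        if verdict != "allow":
            raise Denied(f"{self.step}: {action} {resource} -> {verdict}")

# Constructed sample data standing in for real backends (hypothetical).
LOGS = {"/var/log/app.log": "2024-01-01 ERROR db timeout\n"}
QUERIES = {"error_count_24h": "SELECT count(*) FROM events WHERE level='error'"}

def read_log(scope, path):
    scope.check("read_log", path)
    return LOGS[path]

def run_query(scope, query_id):
    scope.check("run_query", query_id)   # a named, pre-reviewed query, not free-form SQL
    return QUERIES[query_id]

def run_step(name, declared, ttl_s, body, clock=time.monotonic):
    """Run one step under a fresh scope; returns (result or None, audit trail)."""
    scope = StepScope(name, frozenset(declared), ttl_s, clock)
    try:
        return body(scope), scope.audit
    except Denied:
        return None, scope.audit
```

A reviewer only has to read the `declared` list for each step; anything the agent tries beyond it shows up in the audit trail as `deny` or `expired` instead of executing.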