Comment by Genego

I keep having this conversation with clients. If you want to allow an LLM to delete, create or update data; you need to do this with a human in the loop, and explicit hitl gating against execution; where the agent can't even call the tool without triggering an update on the UI that has to be confirmed (then the confirmation issues the actual tool call).