https://connect.mozilla.org/t5/discussions/a-question-about-agent-identity-and-safety-boundaries-in-ai/m-p/114417#M44646 <P>Hi everyone,</P><P>I’ve been following Mozilla’s recent discussions around adding AI-driven features to Firefox, especially the emphasis on user control, privacy, and safety as browsers become more agent-like.</P><P>I’ve been working on autonomous agent workflows outside the browser, and one question keeps coming up that feels very relevant to AI-powered browsing:</P><P><STRONG>Where should the identity and execution boundary for an AI agent live?</STRONG></P><P>In many agent systems today, things become risky not just because of prompt injection or model behavior, but because agents end up operating directly with a user’s real credentials or accounts. Once that happens, the blast radius is hard to reason about, and workarounds like shared inboxes or temporary accounts tend to appear.</P><P>One observation we’ve made is that if agents operate with <STRONG>their own delegated, scoped identities and assets</STRONG>, instead of touching real user credentials, a lot of these risks become easier to contain by design. Even if an agent is manipulated, its actions are limited to what that delegated identity is allowed to do.</P><P>I’m curious how folks thinking about AI features in Firefox view this boundary:</P><UL><LI><P>Should agents in the browser ever act directly as the user?</P></LI><LI><P>Or should they operate with separate, constrained identities that represent delegated intent?</P></LI><LI><P>How does this intersect with prompt injection, account safety, and user trust?</P></LI></UL><P>Not pitching anything here, just genuinely interested in how the Firefox community and Mozilla engineers think about this problem space as AI capabilities in the browser deepen.</P><P>Looking forward to learning from the discussion.</P><P>Thanks,<BR />Sid</P> Wed, 24 Dec 2025 14:14:05 GMT Sidddd 2025-12-24T14:14:05Z https://connect.mozilla.org/t5/discussions/a-question-about-agent-identity-and-safety-boundaries-in-ai/m-p/114417#M44646 <P>Hi everyone,</P><P>I’ve been following Mozilla’s recent discussions around adding AI-driven features to Firefox, especially the emphasis on user control, privacy, and safety as browsers become more agent-like.</P><P>I’ve been working on autonomous agent workflows outside the browser, and one question keeps coming up that feels very relevant to AI-powered browsing:</P><P><STRONG>Where should the identity and execution boundary for an AI agent live?</STRONG></P><P>In many agent systems today, things become risky not just because of prompt injection or model behavior, but because agents end up operating directly with a user’s real credentials or accounts. Once that happens, the blast radius is hard to reason about, and workarounds like shared inboxes or temporary accounts tend to appear.</P><P>One observation we’ve made is that if agents operate with <STRONG>their own delegated, scoped identities and assets</STRONG>, instead of touching real user credentials, a lot of these risks become easier to contain by design. Even if an agent is manipulated, its actions are limited to what that delegated identity is allowed to do.</P><P>I’m curious how folks thinking about AI features in Firefox view this boundary:</P><UL><LI><P>Should agents in the browser ever act directly as the user?</P></LI><LI><P>Or should they operate with separate, constrained identities that represent delegated intent?</P></LI><LI><P>How does this intersect with prompt injection, account safety, and user trust?</P></LI></UL><P>Not pitching anything here, just genuinely interested in how the Firefox community and Mozilla engineers think about this problem space as AI capabilities in the browser deepen.</P><P>Looking forward to learning from the discussion.</P><P>Thanks,<BR />Sid</P> Wed, 24 Dec 2025 14:14:05 GMT https://connect.mozilla.org/t5/discussions/a-question-about-agent-identity-and-safety-boundaries-in-ai/m-p/114417#M44646 Sidddd 2025-12-24T14:14:05Z