The first time I wired an agent to real enterprise systems, it felt like I’d unlocked a cheat code. I had a clean, repeatable pattern: the model asks, a server answers, and suddenly the agent can do things. 

Then the uncomfortable thought hit: If I can plug in a new tool in an afternoon, an attacker can too.