A security measure I use on my projects is never to give the AI models in production write authority at all - AI simply produces the "suggestion" in a structured format and then deterministic code validates it by making sure it conforms to pre-set constraints. This way, the blast radius of a really dumb decision is minimized. I do the same thing essentially in the codebase as well where we have architectural static analyzers that box in the agents and limit how stupid they can be with their changes.