← Back to Blog

The 12-Factor Agent's Missing Factor Is Security

6 min readAtypical Tech
Illustration for The 12-Factor Agent's Missing Factor Is Security

The most widely shared framework for building production-ready AI agents lists twelve things you need to get right. Security isn't one of them.

That's not a knock on humanlayer's 12-factor-agents. It's an observation — and the observation points at something more interesting than a missing checklist item.

The twelve factors don't need to mention security. The reliability controls and the security controls live in the same seams. You just have to learn to read them twice.

Reliability and security aren't competing priorities — they're the same engineering surface viewed from different threat models.


What the playbook actually says

The 12-factor-agents framework is a distillation of hard lessons from teams shipping agents that run in production without constant supervision. It's about predictability, composability, observability. The framing is explicitly capabilities-first: "expand capabilities with oversight rather than restrict."

That framing is right. It just doesn't say the security part out loud.


Factor 3: Own Your Context Window

The spec's intent here is efficiency. Curate what the model sees. Craft the context format, include only what's relevant, avoid bloating the prompt with noise that degrades accuracy.

Read it as a security engineer and you're looking at your data loss prevention boundary.

Your context window is the agent's working memory. Whatever's in it can be extracted — via prompt injection, via a rogue tool response, via a malicious instruction embedded in a document the agent retrieved. If you're not deliberately curating what enters that window, you haven't defined a need-to-know boundary. You're letting data wander into a space where an attacker has leverage.

The context window isn't a performance optimization problem — it's the perimeter.

Owning your context window means deciding what data the agent is permitted to hold at any given moment. That's data minimization. That's need-to-know. Those are security controls, not just prompt hygiene.


Factor 4: Tools Are Just Structured Outputs

This is one of the more counterintuitive factors. The spec demystifies tool calls: they're just structured JSON your deterministic code interprets. Don't let the "tool" framing convince you there's magic involved.

But here's what the spec doesn't say out loud: structured outputs are your authorization enforcement point.

Every tool call the agent generates is a request for capability. The schema defines what that request can look like. If you own the schema — and the spec says you should — you own the boundary between what the agent wants to do and what it's allowed to do. That's authorization, not just parsing.

A tool call schema without constraints is a permission without a policy — it's authorization theater.

The schema isn't just a contract for well-formed output. It's where you express policy: which arguments are permitted, which resource identifiers are in scope, which combinations are rejected. If your tool schema doesn't encode constraints, you've deferred authorization to the model's judgment. That's not a boundary; that's a hope.


Factor 7: Contact Humans with Tool Calls

The spec's framing: treat human interaction as a tool the agent can invoke. You get multi-channel escalation and approval workflows using the same mechanism as everything else. Clean, composable, auditable.

Security reading: this is your approval gate.

Every production AI governance framework eventually asks the same question — when does the agent pause and ask a human? The answer in 12-factor-agents is elegant: make human contact a first-class tool call, so the agent doesn't take a special code path for approvals.

It invokes a tool, the tool blocks, and a human responds before execution continues.

The control-flow interrupt isn't a usability feature — it's the approval gate your compliance team is asking for.

This isn't a UX pattern. It's a control pattern. The interrupt is the security boundary between the agent's intent and the action's execution. Build human-contact-as-tool-call once and you've built the infrastructure for every future approval workflow you'll ever need.


Factor 8: Own Your Control Flow

The spec wants you to stop delegating orchestration to the LLM. Write the loop yourself. Handle the branch yourself. Don't let "chain-of-thought" become "chain-of-untested-conditionals."

That's sound reliability practice. Now read it as a policy enforcement boundary.

Owning your control flow is where you insert constraints. It's where you check permissions before branching to a sensitive path, validate that the next step is within scope before executing it, and apply rate limits or blast-radius caps before the action fires. The LLM proposes; your code disposes — and your code is where the security logic lives.

If the LLM owns the control flow, guardrails are advisory. The model might follow them; it might not. When you own the control flow, guardrails become code. That difference matters more than any model capability you'll ship this year.


The ROBOT mapping

Here's where the framework we use at Atypical Tech — ROBOT — maps cleanly onto the twelve factors you're already building.

Role (who the agent is and what it's for) lives in Factor 10: small, focused agents. A scoped agent has a smaller permission footprint by design. Least privilege emerges from the architecture before you've written a single access policy.

Boundaries (what must never happen) live in Factors 4 and 8: structured outputs as authorization schemas, control flow as policy enforcement. These aren't guards you bolt on after launch — they're core to what 12-factor asks you to build.

Observability (audit trails for every decision) lives in Factor 5: unified execution and business state. A coherent, queryable agent state is an audit trail. Without it, an incident investigation goes nowhere.

Trust (the checkpoints where human judgment gates agent action) lives in Factor 7. The human-as-tool-call pattern is precisely the mechanism a security architect would design for high-risk authorization workflows.


The honest tension

The 12-factor-agents spec describes these factors as capability enablers. The goal is to give agents more reliable scaffolding, more surface area to operate across, more composable integration points. That's a legitimate and important goal.

At Atypical Tech, we read the same seams from the other direction. We don't use Factor 4 to unlock more tools — we use it to constrain which tools are allowed. We don't use Factor 7 to expand what an agent can trigger without supervision — we use it to gate what requires sign-off. We don't use Factor 3 to feed the model richer context — we use it to define what context the model is permitted to see.

Same seams. Different intent.

"Expand capabilities with oversight" — we read that as: the oversight is the point.

An agent that's reliable — truly reliable, not just low-error-rate on a benchmark — is one whose behavior is predictable, auditable, and controllable under conditions the designer didn't anticipate. Those properties don't come from the model. They come from the scaffolding. And the scaffolding the 12-factor spec asks you to build is exactly the scaffolding a security architect would have designed coming from the opposite direction.

You don't need a 13th factor. You need to read the twelve you already have through a second lens.

Related Posts