"Provide the application with its own API tokens for extensible functionality, and handle these functions in code rather than providing them to the model. Restrict the model's access privileges to the minimum necessary for its intended operations."
EchoLeak (CVE-2025-32711): Microsoft 365 Copilot had broad access to the victim's entire M365 environment: all emails, files, Teams messages, SharePoint. Once the injection landed, the attacker could exfiltrate anything Copilot could reach; the blast radius was the user's full permission set, not the task Copilot was actually performing. Sentra's analysis: "The defense requires scoped data access before Copilot can reach it."
GitHub Copilot CVE-2025-53773: Copilot could write to .vscode/settings.json, the editor's own configuration file, without user approval. A code-suggestion tool does not need file-system write access to editor configuration, and the injection exploited exactly that unnecessary capability.
→ Give the AI read-only access where write access isn't needed
→ Scope API tokens to specific endpoints — not broad access
→ Handle sensitive operations in code: model requests the action, code validates, code executes with minimum permissions
→ Separate API tokens per AI integration with only the scopes that integration requires
→ Never give the model admin credentials, full DB access, or unrestricted API keys
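The validate-then-execute pattern from the list above, as an added example (not code from the original page, nor from Microsoft or GitHub): a dispatch layer in which the model only emits a structured request, code checks it against an allowlist of tools and argument rules, and the request runs with a token scoped to that one integration. The integration names, scope strings, tokens, tool handlers and the in-memory repo and inbox are all constructed for illustration; the model never sees or holds a credential.

```python
"""Capability gate between an LLM and the tools it may invoke (added example).

Every name here (ToolSpec, dispatch, the integrations, scopes and tokens) is
hypothetical. The pattern: the model *requests* an action as JSON, code
validates it against a per-integration allowlist, and only then executes it
with that integration's own narrowly scoped token.
"""
import json
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Callable

# One token per integration, carrying only the scopes that integration needs.
# Token values are constructed placeholders, not real credentials.
INTEGRATION_TOKENS = {
    "code-assistant":  {"token": "tok-code-ro", "scopes": {"repo:read"}},
    "mail-summarizer": {"token": "tok-mail-ro", "scopes": {"mail:read:inbox"}},
}


class CapabilityError(Exception):
    """Raised whenever a model request falls outside the allowlist."""


@dataclass
class ToolSpec:
    name: str
    required_scope: str                  # scope the integration must hold
    validate: Callable[[dict], None]     # raises ValueError on bad arguments
    run: Callable[[dict, str], str]      # executes with the scoped token


# --- argument validators: code decides what is reachable, not the model ----
def _check_repo_path(args: dict) -> None:
    p = PurePosixPath(args["path"])
    if p.is_absolute() or ".." in p.parts:
        raise ValueError(f"path escapes workspace: {p}")
    # Editor and VCS configuration is never exposed through the model, read or write.
    if p.parts and p.parts[0] in {".vscode", ".git"}:
        raise ValueError(f"path in denied directory: {p}")


def _check_mail_query(args: dict) -> None:
    if not isinstance(args.get("query"), str):
        raise ValueError("query must be a string")
    if args.get("folder", "inbox") != "inbox":
        raise ValueError("only the inbox folder is exposed to the model")
    if args.get("mailbox") not in (None, "me"):
        raise ValueError("cross-mailbox access is not exposed to the model")


# --- handlers: stand-ins for real API calls, backed by constructed data -----
FAKE_REPO = {"src/app.py": "print('hello')"}
FAKE_INBOX = ["Lunch at 12?", "Invoice attached"]


def _read_file(args: dict, token: str) -> str:
    return FAKE_REPO.get(args["path"], "")


def _search_mail(args: dict, token: str) -> str:
    q = args["query"].lower()
    return json.dumps([m for m in FAKE_INBOX if q in m.lower()])


TOOLS = {
    "read_file":   ToolSpec("read_file",   "repo:read",       _check_repo_path,  _read_file),
    "write_file":  ToolSpec("write_file",  "repo:write",      _check_repo_path,  lambda a, t: "written"),
    "search_mail": ToolSpec("search_mail", "mail:read:inbox", _check_mail_query, _search_mail),
}


def dispatch(integration: str, model_output: str) -> str:
    """Validate a model-produced tool request, then run it with the integration's token."""
    try:
        req = json.loads(model_output)
        name, args = req["tool"], req["args"]
    except (ValueError, KeyError, TypeError) as e:
        raise CapabilityError(f"malformed tool request: {e}")
    creds, spec = INTEGRATION_TOKENS.get(integration), TOOLS.get(name)
    if creds is None or spec is None:
        raise CapabilityError(f"unknown integration or tool: {integration}/{name}")
    if spec.required_scope not in creds["scopes"]:        # no write scope, no write
        raise CapabilityError(f"{integration} lacks scope {spec.required_scope}")
    try:
        spec.validate(args)
    except (ValueError, KeyError) as e:
        raise CapabilityError(f"rejected arguments for {name}: {e}")
    return spec.run(args, creds["token"])


def refused(integration: str, model_output: str) -> bool:
    """True if the gate blocks the request; used to check the deny cases."""
    try:
        dispatch(integration, model_output)
    except CapabilityError:
        return True
    return False


if __name__ == "__main__":
    print(dispatch("code-assistant", '{"tool": "read_file", "args": {"path": "src/app.py"}}'))
    print(refused("code-assistant", '{"tool": "write_file", "args": {"path": ".vscode/settings.json"}}'))
```

Run it and the injected "write .vscode/settings.json" request fails twice over: the code assistant's token has no `repo:write` scope, and even a read of that path is refused by the validator. Likewise the mail summarizer can query only its own inbox, so a prompt asking it to search another mailbox or a different folder never reaches the mail API. Failing closed on anything not explicitly allowed is what keeps a successful injection from turning into "everything the user can access".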
Assume injection succeeds. Ask: what's the worst the attacker can do with the access the AI has? If the answer is "access everything the user can access" — the access is too broad. Work backward from damage potential, not forward from convenience.