scottwillman 3 hours ago

So far I've been attribution/after the fact heavy, but I have the groundwork for some real controls. I'll kinda break it into chunks:

No Multi-tenancy: Each workspace is a dedicated database so there's no opportunity for crosstalk.

Least-privilege Scopes: Agent access is already provided via agent keys. They are currently scoped to a particular set of collections, but that could be increased down to the operation and field level. This could be hairy to maintain though as schemas evolve.

Rate limiting: Per-key rate limits and bulk caps prevent runaway loops or a compromised agent from crushing 10k records in one go.

Reversibility: DB snapshotting and soft deletion are already happening.

Powerful operation gating: This is probably what you're thinking about the most. Schema changes, bulk deletes, and/or permission changes should optionally have a human approval gate (on by default?).

Thanks for thinking about this, would love to know if you've taken it for a test drive and your thoughts!
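
A sketch of how the controls listed in the comment above (collection scopes, per-key rate limits, bulk caps, approval gating) could compose into a single authorization decision. This is an added example, not the project's code; the `AgentKey` fields, operation names, limits and decision strings are all assumptions.

```python
from dataclasses import dataclass, field
from collections import deque

# Operations held for human approval (the comment's "powerful operation gating").
GATED_OPS = {"schema_change", "bulk_delete", "permission_change"}

@dataclass
class AgentKey:
    key_id: str
    collections: frozenset      # collections this key may touch
    rate_per_minute: int = 60   # assumed per-key request limit
    bulk_cap: int = 500         # assumed max records per operation
    approval_gate: bool = True  # gate on by default
    _recent: deque = field(default_factory=deque, repr=False)

def authorize(key, op, collection, record_count, now):
    """Return (decision, reason); decision is allow, deny or needs_approval."""
    # 1. Scope: deny anything outside the key's collections.
    if collection not in key.collections:
        return "deny", "collection_out_of_scope"
    # 2. Bulk cap: bounds the damage of a single call.
    if record_count > key.bulk_cap:
        return "deny", "bulk_cap_exceeded"
    # 3. Sliding 60-second window: bounds runaway loops.
    while key._recent and now - key._recent[0] >= 60:
        key._recent.popleft()
    if len(key._recent) >= key.rate_per_minute:
        return "deny", "rate_limited"
    key._recent.append(now)
    # 4. Powerful operations wait for a human even when in scope.
    if key.approval_gate and op in GATED_OPS:
        return "needs_approval", "gated_operation"
    return "allow", "ok"

def demo():
    # Constructed sample key and requests; timestamps are seconds.
    key = AgentKey("agent-1", frozenset({"contacts"}), rate_per_minute=3, bulk_cap=100)
    return [
        authorize(key, "update", "contacts", 10, now=0.0),
        authorize(key, "update", "billing", 1, now=1.0),
        authorize(key, "delete", "contacts", 10_000, now=2.0),
        authorize(key, "schema_change", "contacts", 0, now=3.0),
        authorize(key, "update", "contacts", 1, now=4.0),
        authorize(key, "update", "contacts", 1, now=5.0),
        authorize(key, "update", "contacts", 1, now=70.0),
    ]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The checks run deny-first, so a gated operation outside the key's scope is refused outright rather than queued for approval, and every returned reason can be logged against `key_id` for attribution.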