3 points by cool-RR 7 hours ago | 1 comment
  • adamgold7 5 hours ago
    The paper nails it - we're giving agents capabilities before we have infra to contain them. The answer isn't better prompts. It's treating agent execution like untrusted code: sandboxed VMs, explicit capability grants, network isolation, approval workflows for production actions.
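One way to enforce the "explicit capability grants" and "approval workflows for production actions" the comment describes, as an added example in Python (not code from the paper or the commenter): a broker mediates every agent tool call, denies anything not explicitly granted, and holds production actions until a single-use reviewer approval id is presented. Capability names, tool names and the approval id are constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical capability names; every agent session starts with none granted.
PRODUCTION_CAPS = {"prod:deploy"}  # capabilities that act on production

class CapabilityDenied(Exception): pass
class ApprovalRequired(Exception): pass

@dataclass
class AgentSession:
    agent_id: str
    granted: frozenset = frozenset()             # explicit capability grants
    approvals: set = field(default_factory=set)  # single-use ids from a human reviewer
    audit: list = field(default_factory=list)    # (decision, tool, capability) records

class ToolBroker:
    """Mediates every tool call; the agent never holds credentials or raw access."""
    def __init__(self, tools):
        self.tools = tools  # name -> (required capability, callable)

    def call(self, session, tool, *args, approval_id=None):
        capability, fn = self.tools[tool]
        if capability not in session.granted:
            session.audit.append(("deny", tool, capability))
            raise CapabilityDenied(f"{session.agent_id} lacks {capability}")
        if capability in PRODUCTION_CAPS:
            if approval_id not in session.approvals:
                session.audit.append(("hold", tool, capability))
                raise ApprovalRequired(f"{tool} needs reviewer approval")
            session.approvals.discard(approval_id)  # approvals are single-use
        session.audit.append(("allow", tool, capability))
        return fn(*args)

def run_demo():
    """Constructed scenario: a read-only agent attempts network egress and a deploy."""
    broker = ToolBroker({
        "read_file": ("fs:read", lambda p: f"contents of {p}"),
        "http_get": ("net:egress", lambda u: f"GET {u}"),
        "deploy": ("prod:deploy", lambda svc: f"deployed {svc}"),
    })
    s = AgentSession("agent-1", granted=frozenset({"fs:read", "prod:deploy"}))
    results = [broker.call(s, "read_file", "/etc/hostname")]
    for tool, arg in (("http_get", "http://example.invalid"), ("deploy", "api")):
        try:
            results.append(broker.call(s, tool, arg))
        except (CapabilityDenied, ApprovalRequired) as e:
            results.append(type(e).__name__)
    s.approvals.add("APPR-42")  # a human reviewer signs off on this one deploy
    results.append(broker.call(s, "deploy", "api", approval_id="APPR-42"))
    return results, s.audit
```

The audit list is the artifact a detection pipeline would consume: "deny" and "hold" records show what the agent tried that policy stopped.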