I'm setting up OpenAI Operator for our internal ticketing and deployment systems. The agent will need access to Jira and our CI/CD pipeline to read tickets and trigger deployments.

Given its ability to read web content and documents, I'm worried about prompt injection or other leaks. How do we stop an attacker from using the agent to extract internal system layouts, API endpoints, or credentials it has been given?

I'm thinking about input validation for the prompts it processes, but what about indirect extraction through poisoned tool outputs or manipulated web content it fetches? Are there specific patterns or controls you're using to segment the agent's knowledge?