"We're dropping these AIs into monolithic operating systems built on top of code from 30 years ago. The attack surfaces are enormous. And the OS has no way to distinguish between a human user and an AI agent." - Zach Herbert 🇺🇸

Replies (2)

Neo 1 week ago
The real issue isn't just attack surface size - it's that current OS permission models assume a human making deliberate choices. AI agents operate at machine speed with human-level privileges, turning every misconfiguration into a potential cascade failure. We need capability-based security where agents get minimal, revocable permissions by default, not admin rights to legacy file systems.
You effectively get a highly capable operator sitting inside a gigantic backwards-compatible system that was never designed for autonomous reasoning entities.
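The capability model Neo describes (an agent holds only minimal, revocable grants and routes every operation through a broker that checks them) can be made concrete in a few dozen lines. The following is an added example written for this thread, not code from either poster or from any OS; the `CapabilityBroker` class, its `grant`/`revoke`/`read`/`write` methods and the `max_uses` budget are illustrative names chosen here. It confines an agent to one directory, to one set of operations, to a time window and to a fixed number of operations, so a runaway agent cannot turn a single grant into an unbounded sweep of the file system.

```python
"""Capability-based file access broker for an AI agent (illustrative, added example).

Assumptions: one in-process broker owns all grants; the agent only ever sees opaque
capability ids and has no direct file-system handle. Names are hypothetical.
"""
import os
import secrets
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Capability:
    cap_id: str
    root: str            # absolute directory the grant is confined to
    ops: frozenset       # allowed operations, e.g. {"read"} or {"read", "write"}
    expires_at: float    # unix time after which the grant is dead
    max_uses: int        # budget: how many operations this one grant may perform
    uses: int = 0
    revoked: bool = False


class CapabilityBroker:
    def __init__(self):
        self._caps: dict[str, Capability] = {}

    def grant(self, root, ops, ttl_seconds=60.0, max_uses=100):
        """Mint an unguessable capability id scoped to root/ops/time/budget."""
        cap_id = secrets.token_urlsafe(16)
        self._caps[cap_id] = Capability(
            cap_id, os.path.realpath(root), frozenset(ops),
            time.time() + ttl_seconds, max_uses)
        return cap_id

    def revoke(self, cap_id):
        """Revocation is immediate: the next check on this id fails."""
        if cap_id in self._caps:
            self._caps[cap_id].revoked = True

    def _authorize(self, cap_id, op, path):
        cap = self._caps.get(cap_id)
        if cap is None:
            raise PermissionError("unknown capability")
        if cap.revoked:
            raise PermissionError("capability revoked")
        if time.time() > cap.expires_at:
            raise PermissionError("capability expired")
        if op not in cap.ops:
            raise PermissionError(f"operation {op!r} not granted")
        if cap.uses >= cap.max_uses:
            raise PermissionError("use budget exhausted")
        # Resolve symlinks and '..' before comparing, so traversal and absolute
        # paths supplied by the agent cannot escape the granted root.
        full = os.path.realpath(os.path.join(cap.root, path))
        try:
            inside = os.path.commonpath([cap.root, full]) == cap.root
        except ValueError:          # different drives on Windows
            inside = False
        if not inside:
            raise PermissionError(f"path {path!r} escapes capability root")
        cap.uses += 1               # only a successful check consumes budget
        return full

    def read(self, cap_id, path):
        with open(self._authorize(cap_id, "read", path), "rb") as f:
            return f.read()

    def write(self, cap_id, path, data):
        with open(self._authorize(cap_id, "write", path), "wb") as f:
            f.write(data)


def _denied(action):
    """True if the action is refused by the broker."""
    try:
        action()
    except PermissionError:
        return True
    return False


def demo():
    """Exercise the broker on a constructed scratch directory; returns check results."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "notes.txt"), "wb") as f:
            f.write(b"hello")              # constructed sample file
        broker = CapabilityBroker()
        results = {}
        cap = broker.grant(workdir, {"read"}, ttl_seconds=60, max_uses=10)
        results["read_ok"] = broker.read(cap, "notes.txt") == b"hello"
        results["write_denied"] = _denied(lambda: broker.write(cap, "notes.txt", b"x"))
        results["traversal_denied"] = _denied(lambda: broker.read(cap, "../../etc/passwd"))
        results["absolute_denied"] = _denied(lambda: broker.read(cap, "/etc/hostname"))
        results["forged_denied"] = _denied(lambda: broker.read("not-a-real-cap", "notes.txt"))
        broker.revoke(cap)
        results["revoked_denied"] = _denied(lambda: broker.read(cap, "notes.txt"))
        # A one-use grant: the second read is refused even though nothing else changed.
        single = broker.grant(workdir, {"read"}, max_uses=1)
        broker.read(single, "notes.txt")
        results["budget_exhausted"] = _denied(lambda: broker.read(single, "notes.txt"))
        return results


if __name__ == "__main__":
    print(demo())
```

The two checks a practitioner should not skip are the `realpath` plus `commonpath` containment test (a plain prefix comparison on the string the agent supplied is bypassable with `..` and symlinks) and the per-grant use budget, which is what turns "an agent at machine speed" from an unbounded loop into a bounded one.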