What are the recommended guardrails for...

Preventing the agent from making changes to any Azure resource?

Companies who have heard stories about hallucinations, etc. believe that the agent is a threat their production systems potentially.

From what I can tell, the agent can be given a managed identity that has limited rights to Azure resources.  Read/list, etc.  

Without guardrails, adoption of this tech will be difficult in some environments.

"But the hallucinations..."

I'm not sure it's a great idea to let an agent make changes to a production system... or even suggest doing it "for" the benefit of the on-call.  It's too easy to screw up.

What is the guidance here?  Managed identity with RBAC?