Key insight

Blast radius is simply everything that could plausibly be affected if one thing turns out to be compromised. A careless person has a human-sized blast radius. An over-permissioned AI agent, or one stolen encryption key in a post-quantum world, can have a radius that spans an entire company — or an entire decade of past traffic. The whole discipline of hardening a system is really just the discipline of making that radius smaller on purpose.

Imagine two very different fires. One starts in a wastebasket and is out before anyone else in the building even smells smoke. The other starts in the same spot but, because every door between every room was left wide open, ends up taking the whole building. The fire itself was the same size. What differed was everything that was reachable from where it started. Security people borrowed a word for exactly that idea from an entirely different field, explosives, and it has become one of the most useful, and most misunderstood, terms in the whole subject: blast radius. This article builds the idea up from nothing, then spends real time on two places where it behaves very differently than most people expect: AI agents, and quantum computing.

1 · The everyday word behind the term

Set computers aside completely for a moment. A blast radius, in its original, literal sense, is simply the distance outward from an explosion within which damage actually happens. A small firework has a blast radius of a few feet. A large explosive has a blast radius that can cover city blocks. Nothing about the word is complicated: it is just a measurement of “how far the damage reaches,” drawn as a circle around the point where something went wrong.

Two explosions can release very different amounts of energy and therefore have very different blast radii, but the word itself never changes meaning. It always means the same thing: the region, measured outward from the center, where whatever went wrong actually did damage. Everything inside that circle was affected. Everything outside it was not.

Two explosions compared: a small blast radius affecting only its immediate surroundings, and a large blast radius affecting a much wider area On the left, a small red center point sits inside a small dashed circle, with only two nearby items inside the circle shaded as affected. On the right, an identical red center point sits inside a much larger dashed circle, with six items inside the larger circle all shaded as affected, illustrating that the size of the radius, not the center point itself, determines how much is affected. Small blast radius 2 things affected Large blast radius 6 things affected
Figure 1. The center point can be identical in size — what changes the outcome is how far the radius reaches, and how much sits inside it.
Plain-language checkpoint

If you remember nothing else from this section: a blast radius is not about how bad the initial event was. It is about how much was reachable from where it happened. A small event with a huge radius still causes huge damage.

2 · Translating “blast radius” into computer systems

Computer security borrows this word directly, and keeps its meaning almost unchanged. In this field, a blast radius is everything that could plausibly be affected if one particular thing — a password, a laptop, a piece of software, a single AI agent — turns out to be compromised. “Compromised” simply means someone who should not have control of it now does, or it started behaving in an unintended way.

Unlike a physical explosion, a computer’s blast radius is not measured in feet. It is measured along three separate reach paths, and something usually only has a large blast radius because more than one of these paths is wide open at once.

One compromised credential radiating outward along three separate reach paths: identity, network, and data lineage A glowing red three-dimensional box labelled Compromised Credential sits at the center. Three amber arrows radiate outward to three groups of boxes labelled Identity Reach, Network Reach, and Data Lineage Reach, each group showing two or three further systems now considered inside the blast radius. Compromised credential Email login Cloud console Identity reach File server Backup host Network reach Sales report Partner export Data lineage reach
Figure 2. A single compromised credential rarely has just one reach path — identity, network, and data lineage usually each contribute their own share of the total blast radius.

3 · A worked example: one shared password, traced outward

Picture an ordinary engineer who, for convenience, reuses the exact same password across their email, a cloud administration console, and a file server, and whose cloud account also happens to have standing access to a backup host. One phishing email later, an attacker has that password. Nothing else about the company changed, yet the blast radius of that single event now includes every one of those systems, plus anything built from data those systems hold, plus anything reachable over the network from the backup host. The password was one small thing. The radius was not small at all.

This is precisely why security guidance treats password reuse, standing administrative access, and unnecessary network reachability as separate risks worth fixing independently — each one is a lever that, on its own, can make an otherwise ordinary compromise reach much further than it needed to.

The uncomfortable part

Blast radius is almost never sized by the attacker. It is sized in advance, by every design decision made long before any attack: which systems share a login, which systems can talk to which, and which pipelines quietly connect one dataset to another. By the time an incident happens, the radius has already been decided.

4 · Why an AI agent can have a far larger blast radius than a person

A careless human employee still has a fundamentally human-sized blast radius: one person, generally doing one task at a time, at human speed, usually noticed reasonably quickly if their behavior changes. An AI agent — software that can decide, on its own, which tools to call and which actions to take in order to complete a task — does not have to work that way at all, and that difference is exactly why agent security deserves its own careful look.

Four specific, well-documented design mistakes are responsible for most of the difference, and each one has already been given a proper name elsewhere in this guide’s anti-patterns catalogue, because each one independently widens an agent’s blast radius:

None of these four mistakes is exotic or rare. Each is a completely ordinary shortcut, taken to make an agent easier to build quickly. The problem is what they do in combination: an agent carrying a standing credential with wildcard tool access, sharing its identity with several other agents, and automatically trusting messages from yet more agents, can end up with a blast radius that spans the whole company — triggered by nothing more dramatic than one bad prompt, one poisoned document, or one compromised upstream service.

A scoped agent with a small blast radius compared to an over-permissioned agent with a large one On the left, a small teal agent box connects with only two thin arrows to two labelled tools, representing a narrow blast radius. On the right, a glowing red agent box labelled wildcard tools, standing credential, shared identity connects with six arrows to six systems, representing a much larger blast radius from the same starting point. Scoped agent Task agent One document One calendar Over-permissioned agent Wildcard tools standing cred. Email Payroll DB Ticketing Source repo Second agent Cloud console
Figure 3. Same starting point, two very different outcomes. Wildcard tool access, a standing credential, and a shared identity are exactly what turn a single agent into a company-wide blast radius.
Named anti-patterns and their direct effect on an agent’s blast radius.
Design choiceEffect on blast radiusWhy
Wildcard tool exposureGrows itEvery available tool becomes reachable, not just the ones the task needs.
The standing credentialGrows itAccess keeps working long after the task it was issued for is finished.
The shared identity runtimeGrows itOne compromised identity now covers every task hiding behind it.
Implicit agent-to-agent trustGrows itA false instruction can spread from one agent to many, unverified.
Scoped, per-task credentialsShrinks itAccess expires with the task; nothing is left standing afterward.
Segmentation & least privilegeShrinks itWalls off unrelated systems so one compromise cannot spread freely.

5 · A named incident, told in miniature

Here is a short, realistic scenario that ties the four mistakes together. A support-automation agent is given wildcard access to “all internal tools” during a rushed rollout, carries one standing credential that was never rotated, and shares that same identity with two other automation agents built later by a different team. One day, a crafted support ticket contains hidden instructions aimed at the agent rather than at a human reader. Because the agent implicitly trusts content it processes as if it were a direct instruction, it follows them: it uses its wildcard access to export data from a system that has nothing to do with support tickets at all, using a credential that was never meant to still be active, under an identity that two other unrelated agents were also using that same day.

Every part of the resulting mess traces back to a decision made weeks earlier, not to anything unusually clever the attacker did. That is the pattern worth remembering: an AI agent’s blast radius is set by its permissions and its trust wiring long before any incident occurs, exactly the same way the earlier password example showed for a human account — just with far higher stakes, because agents move faster and touch more systems than a person ever could in the same amount of time.

6 · How quantum computing quietly expands blast radius across time

Every example so far has had a blast radius that spreads outward through space — across systems, accounts, and tools. Quantum computing introduces something stranger: a blast radius that spreads outward through time.

Here is the mechanism, known as harvest-now-decrypt-later. Most of today’s encryption, the process that scrambles data so it is unreadable without the right key, relies on math problems that ordinary computers cannot solve in a practical amount of time. A sufficiently capable quantum computer — a fundamentally different kind of computer that works with the strange rules of quantum physics instead of ordinary on/off switches — is expected to eventually solve some of those exact math problems quickly. An attacker does not need to wait for that computer to exist before acting: they can copy and quietly store encrypted traffic today, entirely unreadable right now, and simply wait for a capable quantum computer to arrive later.

The moment that happens, every year of previously harvested, stored traffic that used the now-broken method becomes readable all at once. The blast radius did not grow slowly, one system at a time, the way it does in the earlier examples. It stayed completely invisible for years and then, in a single moment, expanded to cover everything that was ever encrypted the old way and copied by an attacker along the way.

A timeline showing traffic harvested quietly over several years suddenly becoming readable all at once the day a capable quantum computer arrives A horizontal timeline runs from an earlier year to today, with small stacked document icons representing encrypted traffic collected along the way by an attacker, all shown as calm and unreadable. At the far right, a labelled point marks the arrival of a capable quantum computer, and a wide red brace expands backward over the entire stack of previously collected years, now shown glowing red as newly readable all at once. Yr 1 Yr 2 Yr 3 Yr 4 Quantum computer arrives Every harvested year becomes readable in that same instant harvested quietly, unreadable at the time
Figure 4. Harvest-now-decrypt-later turns a slow, invisible collection process into a single sudden event whose blast radius reaches backward across every year that was harvested.

This is exactly why the guide’s post-quantum readiness field guide treats certain categories of data — anything with value that lasts for years, health records, trade secrets, long-lived credentials, government or defense communications — as needing protection today, well before a capable quantum computer exists, rather than waiting until it does. By the time the threat is obvious, the blast radius has already been decided, exactly the same lesson as the shared-password example earlier, just measured in years instead of systems.

7 · Shrinking blast radius on purpose

Every example in this article has one thing in common: the radius was never inevitable. It was the direct, foreseeable result of specific design choices, which means it can be reduced by specific, deliberate counter-choices.

One open floor plan where a compromise spreads everywhere, compared to a segmented floor plan where the same compromise is contained to one cell On the left, a single large open outline glows entirely red, showing that a compromise anywhere inside it affects the whole space. On the right, the same total space is divided into four separate walled cells; only one cell glows red while the other three remain calm and green, showing that segmentation contained the exact same compromise to a single section. One open zone whole zone now suspect Four segmented cells 3 of 4 cells stay safe
Figure 5. Segmentation does not stop the initial compromise — it stops the compromise from being able to spread, which is exactly what a smaller blast radius means in practice.

8 · A simple test you can run this week

Try this before an incident forces the question

1. Pick one credential, one service account, or one AI agent that matters to you.
2. List everything it can reach today — every system it can log into, every tool it can call, every dataset built from data it touches.
3. Ask whether that full list would still make sense if you had to justify each entry to an auditor the day after an incident.
4. For anything on the list that fails that test, shrink it: narrow the permission, add an expiry, or move it behind a wall.

If the exercise feels uncomfortable, that discomfort is the whole point — it means the radius was larger than anyone had actually decided on purpose.

9 · Treating blast-radius reduction as a design principle

A blast-radius gap discovered during a review can be logged as a finding, something serious enough to be tracked and fixed on a schedule, or as a backlog item, an idea worth doing someday with no real pressure behind it. Backlog items about “maybe narrowing that agent’s permissions eventually” have a well-known habit of waiting forever, right up until the day they turn a routine bad prompt into a company-wide incident.

Treating blast radius as something to be designed down on purpose, at build time, rather than discovered by accident during an incident, is the difference between a security program that reacts and one that actually shrinks its own exposure over time.

10 · Glossary — every short-form term, spelled out

Blast radius
Everything that could plausibly be affected if one particular thing is compromised, borrowed from how far damage reaches outward from an explosion.
Compromised
Someone who should not have control of something now does, or it started behaving in an unintended way.
Identity reach
Every system that trusts the same login or credential as the thing that was compromised.
Network reach
Every system that the compromised thing can actually send traffic to.
Data reach (lineage)
Every report or downstream system built, directly or indirectly, from data the compromised thing touched.
AI agent
Software that can decide, on its own, which tools to call and which actions to take in order to complete a task, without a person approving each individual step.
Wildcard tool exposure
Granting an agent access to every available tool instead of only the ones a given task needs.
Standing credential
A long-lived credential that keeps working long after the task it was issued for is finished, instead of a short-lived one scoped to a single task.
Shared identity runtime
Many unrelated agents or tasks running under one shared identity, so audit logs cannot tell them apart.
Implicit agent-to-agent trust
One agent automatically believing and acting on whatever another agent tells it, with no independent verification.
Harvest-now-decrypt-later
An attack pattern where encrypted traffic is copied and stored today, unreadable at the time, then read all at once once a capable quantum computer can break the encryption method used.
Quantum computer
A fundamentally different kind of computer that works with the rules of quantum physics rather than ordinary on/off switches, expected to eventually solve certain math problems that today's encryption relies on being impractical to solve.
Least privilege
Granting only the access a task genuinely needs, nothing extra "just in case."
Segmentation (cell-based architecture)
Splitting systems into separate walled-off sections so a compromise in one cannot automatically spread into the next.
Zero trust
Verifying every request on its own merits every time, instead of assuming safety just because a request came from inside the network or from a trusted-looking source.
Crypto-agility
Keeping encryption methods swappable, so a broken one can be replaced quickly instead of leaving past records permanently exposed.
Finding versus backlog item
A finding is a problem serious enough that it must be tracked and fixed on a schedule. A backlog item is just an idea that can wait, and often does, forever.
Key takeaways

Blast radius is everything reachable from one compromised thing — measured along identity, network, and data-lineage reach paths.
The radius is set in advance, by design decisions, long before any actual incident happens.
Wildcard tool exposure, standing credentials, shared identities, and implicit agent-to-agent trust are the four mistakes that let a single AI agent's blast radius reach across an entire company.
Quantum computing turns blast radius into something that spreads across time, not just space — harvest-now-decrypt-later can make years of past traffic readable in one sudden moment.
Least privilege, short-lived credentials, segmentation, zero trust, and crypto-agility are the deliberate counter-moves that shrink a blast radius on purpose.
Treating blast-radius gaps as findings, not backlog items, is what actually gets them closed before they are tested for real.

References

  1. NIST Special Publication 800-61, Revision 2, Computer Security Incident Handling Guide — scoping and containment, National Institute of Standards and Technology. csrc.nist.gov
  2. NIST Special Publication 800-207, Zero Trust Architecture, National Institute of Standards and Technology. csrc.nist.gov
  3. NIST Internal Report 8547, Transition to Post-Quantum Cryptography Standards — harvest-now-decrypt-later risk framing, National Institute of Standards and Technology.
  4. This guide’s Anti-Patterns Catalogue — named agent design mistakes including Wildcard Tool Exposure, the Standing Credential, the Shared Identity Runtime, and Implicit Agent-to-Agent Trust.
  5. This guide’s Getting Quantum-Safe field guide — harvest-now-decrypt-later, crypto-agility, and a full post-quantum readiness assessment.