diff --git a/packages/guardrails/profile/agents/cloud-architect.md b/packages/guardrails/profile/agents/cloud-architect.md
index 5186d4c5fbe9..170b9f0e0594 100644
--- a/packages/guardrails/profile/agents/cloud-architect.md
+++ b/packages/guardrails/profile/agents/cloud-architect.md
@@ -6,9 +6,15 @@ permission:
     "*": allow
     "*.env*": deny
     "*credentials*": deny
+    "*.pem": deny
+    "*.key": deny
+    "*secret*": deny
   grep:
     "*": allow
     "*.env*": deny
+    "*.pem": deny
+    "*.key": deny
+    "*secret*": deny
   glob: allow
   edit:
     "*": deny
diff --git a/packages/guardrails/profile/agents/deployment-engineer.md b/packages/guardrails/profile/agents/deployment-engineer.md
index 5251fedaa2ec..e817e80156b7 100644
--- a/packages/guardrails/profile/agents/deployment-engineer.md
+++ b/packages/guardrails/profile/agents/deployment-engineer.md
@@ -6,9 +6,15 @@ permission:
     "*": allow
     "*.env*": deny
     "*credentials*": deny
+    "*.pem": deny
+    "*.key": deny
+    "*secret*": deny
   grep:
     "*": allow
     "*.env*": deny
+    "*.pem": deny
+    "*.key": deny
+    "*secret*": deny
   glob: allow
   edit:
     "*": allow
@@ -18,13 +24,18 @@ permission:
     "*": deny
     "docker build*": allow
     "docker compose*": allow
+    "docker compose push*": deny
+    "docker push*": deny
     "docker ps*": allow
     "docker images*": allow
     "docker logs*": allow
     "kubectl get*": allow
     "kubectl describe*": allow
     "kubectl logs*": allow
-    "kubectl rollout*": allow
+    "kubectl rollout status*": allow
+    "kubectl rollout history*": allow
+    "kubectl rollout restart*": ask
+    "kubectl rollout undo*": ask
     "git diff*": allow
     "git status*": allow
     "git log*": allow
diff --git a/packages/guardrails/profile/agents/terraform-engineer.md b/packages/guardrails/profile/agents/terraform-engineer.md
index 3e98639ea557..fdb47fc3eb3c 100644
--- a/packages/guardrails/profile/agents/terraform-engineer.md
+++ b/packages/guardrails/profile/agents/terraform-engineer.md
@@ -7,10 +7,16 @@ permission:
     "*.env*": deny
     "*credentials*": deny
     "*.tfvars": deny
+    "*.pem": deny
+    "*.key": deny
+    "*secret*": deny
   grep:
     "*": allow
     "*.env*": deny
     "*.tfvars": deny
+    "*.pem": deny
+    "*.key": deny
+    "*secret*": deny
   glob: allow
   edit:
     "*": allow