Fox
The rapid integration of artificial intelligence into enterprise workflows has moved beyond experimental use cases. As organizations deploy agentic systems that can interact with data and execute tasks, the traditional security model is facing a shift. For leadership, this requires moving away from the mindset of security as an operational function and toward security as a core engineering property.
The following takeaways outline a framework for securing the modern enterprise against the unique risks of AI and automated agents.
Transitioning from Bolt On to Secure by Design
For decades, the standard approach to cybersecurity has been to build a product and then apply security tools afterward. This spray on security model has proven insufficient as the volume of vulnerabilities and the sophistication of attacks continue to rise.
Security as construction. Systems should be designed with security constraints integrated from the start, similar to how civil engineers design bridges to withstand specific physical loads.
Engineering over operations. While operational security remains necessary, the primary goal should be to build systems that are inherently difficult to compromise and easy to understand.
Reliability synergy. Applying rigorous engineering practices to security often results in systems that are more reliable and perform better overall.
Managing Non-Deterministic Risks with Deterministic Boxes
AI models are inherently non-deterministic, meaning they may produce different outputs for the same input depending on specific parameters. This unpredictability creates a challenge for traditional security policies.
The deterministic guardrail. To manage AI agents, organizations should place them inside deterministic boxes. These are traditional software environments with hard-coded limits on what an agent can and cannot do.
Limiting blast radius. These guardrails ensure that even if an agent behaves unexpectedly or is manipulated via prompt injection, it cannot perform high-risk actions such as deleting a database or unauthorized data exfiltration.
Technical parallels. The industry is currently in an arms race similar to the early days of memory exploits. Just as we developed non-executable stacks to separate data from code in traditional computing, we must now find ways to isolate control instructions from user data in AI prompts.
The Identity Lifecycle
The traditional lifecycle for a user or a service account does not fully capture the complexity of an AI agent. Because agents can evolve in their capabilities, their identity management must be more dynamic.
Registration and birth. Every agent must be uniquely registered at its creation. This includes defining its core model, its intended purpose, and its technical parent or owner.
Ownership and accountability. Every agent requires a named human sponsor or organizational owner. Accountability must not drift as the agent is moved between different teams or projects.
Entitlement assignment. Permissions should be assigned with guardrails at birth, meaning agents start with the absolute minimum access required. Broad permissions granted for testing must be programmatically narrowed before production.
Retirement. When an agent is no longer needed, it must be fully de-provisioned. This includes revoking all delegated tokens and archiving its interaction history for audit and compliance requirements.
The Challenge of Assumed Rights
One of the most complex areas of agent security is how they acquire and use permissions. Standard service accounts have fixed rights, but AI agents often assume rights from the users they assist.
Delegation over impersonation. Agents should never use a human user’s actual credentials. Instead, they should use a delegation model where the user grants a limited-scope, short-lived token to the agent.
Scope restriction. Even if an agent is acting on behalf of a senior executive, its assumed rights should be limited to the specific task at hand. For example, an agent summarizing an email does not need the right to delete the user’s entire inbox.
Proof-of-possession or sender-constrained tokens. To prevent token theft, these delegated rights should be cryptographically bound to the specific agent and the specific device or environment where it is running.
From Workload to Employee Extension
We have not yet reached a consensus on whether an AI agent is a piece of software (a workload) or a digital version of an employee. This ambiguity creates a gap in how we govern them.
The workload approach. Treating an agent like a standard workload focuses on API security and machine-to-machine traffic. This works well for simple, task-oriented bots but fails as agents become more autonomous.
The employee extension approach. When agents act as colleagues that can make decisions or interact with customers, they require governance similar to HR policies. This includes background checks on the underlying models and training on corporate ethics.
The transition risk. The most dangerous phase is when an agent moves from being a simple tool to a decision-making extension. Organizations often fail to update the security model during this shift, leaving machine-level permissions in the hands of an entity making human-level choices.
Auditability. For compliance and security forensics, it is no longer enough to see that a human user accessed a file. The logs must show if the action was performed by the human directly or by an agent acting on their behalf.
Unsolved liability. If an agent makes an autonomous decision that results in financial or legal harm, the industry has yet to settle on whether the liability lies with the model creator, the agent owner, or the organization as a whole.
Zero Trust as the AI Foundation
Zero Trust provides a useful foundation for a secure AI strategy. It provides the framework for reasoning about the outer limits of what an AI system is allowed to do.
Foundation for constraints. Zero Trust principles provide the tools needed to create deterministic boxes by focusing on identity and data centric security.
Identity and data fusion. By focusing on who is accessing what data rather than just where they are on the network, organizations can set the outer limits of what is possible for an AI system.
Architectural maturity. Implementing AI effectively often acts as a catalyst for organizations to finally complete their Zero Trust journeys, as the risks of agentic automation make legacy perimeter-based security untenable.
Strategy for the Future
As you evaluate your current technology stack, consider whether your identity and data architectures are flexible enough to handle the complexities of AI. If the current model requires hacking together permissions or results in an inability to audit automated actions, it may be time to re-architect your corporate identity framework.
The goal is to move toward a state where security is a silent, built-in property of the system that enables innovation without increasing the organization’s risk profile to unmanageable levels.