The next AI milestone – agents that can research, decide, and act without supervision – is also your next major security risk.
AI is moving from “help me write” to “go do the work.” That shift breaks most enterprise security assumptions. It is no longer an employee logging into a SaaS application or querying a database. It is an agent doing those things on the employee’s behalf.
Within the next 12–24 months, most enterprises will have more machine identities than human ones – and most are not prepared to secure them.
When the actor becomes non-human, the old question “Who accessed what?” becomes: Which agent accessed what, using whose authority, under which constraints?
In 2026, the enterprises that win will treat agents as a new class of digital workers with their own identities, credentials, and audit trails. If your organization cannot name its agents, it cannot govern them. And if it cannot govern them, your AI program will scale risk faster than it scales productivity.
Why SASE and Zero Trust can be bypassed by agents
Most security architectures were built for humans — not autonomous systems acting at machine speed. They are optimized for human-to-application traffic: browsers, laptops, VPNs, and the typical north-south flows that SASE brokers and inspects.
But agentic systems often run server-side, call model APIs directly, and then call internal tools through service credentials. If those paths do not traverse your control points, you lose policy enforcement, logging, and consistent data loss prevention.
Put simply: if agents can act and your security team cannot see them, you’ve created a new class of shadow IT — operating at machine speed.
The Minimum Security Model: Secure the Brain and the Hands
Most serious AI-agent failures follow the same pattern: the model is manipulated, and the tools execute. A practical way to reason for agent security is to separate thinking from doing. The model is the brain, where reasoning and responses happen. Tools are the hands, where actions happen inside your environment.
Most real incidents occur when a model is manipulated and then uses tools to exfiltrate data or alter system state. Secure the brain alone, and the hands remain exposed. Enforcement must exist in both planes, not just one.
Five Controls Every Enterprise Needs to Govern AI Agents
1. Give every agent a real identity.
No shared keys. Agents need distinct credentials the same way workloads do. Avoid shared API keys per team or per environment. Identity should tell you which agent, which application, which user triggered it, and what environment it ran in. This is the foundation for investigations and least privilege.
2. Enforce least privilege across three dimensions: model, data, and tools.
Least privilege for agents is not a slogan. It is a design constraint. Agents should have access only to the minimum approved models, the minimum data required, and the minimum tools and actions needed to execute tasks. Without this, agents become accidental data export mechanisms.
3. Put a front door in front of models: the Model Gateway.
Without a centralized control point, every team will call models differently, log differently, and manage keys inconsistently. A Model Gateway becomes the consistent entry point for model traffic, enforcing approved model lists, identity-bound access, quotas, logging, and redaction rules.
4. Inspect prompts, tool outputs, and responses — not just user input.
Prompt injection and data leakage rarely originate only from user input. They often come from untrusted content pulled into context such as documents, ticket histories, or chat logs. Runtime inspection must decide whether to allow, deny, redact, or escalate. Logging without enforcement is just a post-mortem.
5. Put a safety layer in front of tools: the MCP Gateway.
As soon as an agent can use tools, a prompt can become an action. Treat tool access like privileged access management. Approve tools explicitly, enforce least privilege per tool and per agent, constrain high-risk actions, and require approvals for impactful writes. This is the most direct way to prevent a single bad instruction from becoming a production incident.
A Reference Architecture You Can Explain to a Board in 60 Seconds
There are two control points:
North–south (model plane): governs prompts and responses User, application, or agent → LLM inspection layer → Model Gateway (identity, policy, routing, audit) → model provider or private model
East–west (tool plane): governs actions and outputs User, application, or agent → MCP Gateway (allowlist, least privilege, approvals, audit) → tools (SaaS applications, internal APIs, databases)
This is not academic. It is the minimum structure required to prevent agents from becoming uncontrolled leak paths or autonomous risk engines.
A 90-Day Rollout Plan That Will Not Kill Adoption
Days 1–30: Visibility Inventory which models are used, by which applications and agents, and where keys reside. Enable logging with trace IDs for prompts, tool calls, and policy decisions.
Days 31–60: Control Route model traffic through a Model Gateway, enforce approved model lists and identity-bound access, and implement basic redaction for sensitive data.
Days 61–90: Runtime enforcement Enable injection detection and response inspection, place write-enabled tools behind approval workflows, and build incident response playbooks for AI-driven events such as data leaks or unsafe actions.
The Takeaway for Technology and Business Leaders
After 30 years building networking and security infrastructure, I have seen every major shift create a new perimeter to defend. Agentic AI is no different – except it moves faster. This is not a feature upgrade. It is a new operating model.
If you do not issue identities to agents, centralize model access, and govern tool usage with approvals, you will scale a new class of insider risk: tireless, fast, and invisible.
The upside is equally real. Enterprises that treat agents as identity-bound, least-privileged, continuously verified digital workers will adopt faster because they can adopt safely.
The question is no longer whether your enterprise will deploy AI agents. It is whether you will govern them before they begin operating beyond your control.
Click Here For The Original Source.
