This is Part 1 of a 2-part series on AI agents and control assurance. Read Part 2: Controlling AI Agents: Why Detection Is Too Late
The cybersecurity industry has spent years investing in visibility. Dashboards have improved, detection tooling has matured, and the volume of telemetry available to security teams has increased significantly. Most organisations can now see more of their environment than at any point in the past.
However, one of the most important emerging risks is not hidden malware or an unknown vulnerability. It is the rapid introduction of AI agents operating across environments that organisations do not fully understand, cannot clearly inventory, and often cannot meaningfully govern.
This is not simply another software category. It represents the introduction of autonomous digital actors interacting with identity systems, APIs, SaaS platforms, cloud environments, and business processes. These agents are not constrained by the same assumptions that underpin traditional control models, and that is where the risk begins to surface.
From Users to Actors
Traditional security models are built around users. Users authenticate, request access, and perform actions within defined boundaries. Even when errors occur, those actions are constrained by identity controls, privilege models, monitoring, and the natural pace of human interaction. There is friction in the system, and that friction is part of how control is maintained.
AI agents remove much of that friction. They are not passive tools assisting users; they are active actors executing tasks. They retrieve data, make decisions, invoke APIs, and trigger workflows across multiple systems in seconds. The shift is subtle but important. The challenge is no longer limited to managing access. It becomes a question of controlling execution.
Execution Without Assurance
Most organisations assume their existing control frameworks still apply in this new model. On paper, they do. In practice, they often do not.
Control frameworks were designed to validate human-driven actions, predictable workflows, relatively static privilege models, and slower operational cycles. They were not designed to validate high-frequency automated decisions, cross-system execution chains, or real-time, context-driven behaviour.
This creates a gap that is easy to overlook. The agent may be authenticating correctly, calling approved APIs, and interacting with authorised systems. From a control perspective, nothing appears to be broken. Yet there is often no mechanism to prove that the actions being executed are appropriate, proportionate, or safe in the context in which they occur.
Where Controls Start to Fail
This is not a theoretical issue. It is a structural one, and it tends to appear in consistent ways across environments.
The first area is identity. AI agents commonly operate using service accounts, shared credentials, or delegated access tokens. While this enables integration and automation, it weakens attribution. In a traditional model, actions can be traced to an individual. In an AI-driven model, activity may be technically valid but operationally ambiguous, making it difficult to establish accountability when something goes wrong.
The second area is privilege. To enable capability, agents are often granted broad access across systems and services. However, least privilege is not simply about limiting access; it is about ensuring that access is used appropriately in context. An agent may be authorised to access a system, but that does not mean every action it performs within that system aligns with business intent or risk tolerance. Most control models validate access rights rather than behavioural appropriateness.
The third area is monitoring. As automation increases, so does logging. However, more data does not necessarily lead to more assurance. When an agent executes hundreds of actions in a short period, logs can quickly become noise, alerts become volume-driven, and meaningful signal is harder to extract. Monitoring shifts from proactive oversight to retrospective analysis.
The final and most important area is control validation. Controls such as access reviews, segregation of duties, and approval workflows may still exist, but they are rarely tested against autonomous, multi-step execution across systems. The result is not a lack of controls, but a lack of confidence that those controls are operating effectively in the way they were intended.
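To make the distinction between validating access rights and validating behavioural appropriateness concrete, here is an added example (not from the original post) of an execution-time gate layered over a static grant: it requires an attributable principal behind the service account, caps actions per task, and only permits expected step transitions in the execution chain. The account name, grants and policy values are constructed for illustration.

```python
"""Added illustration: an execution-time gate for agent actions.
Contrasts a static access check (is the account entitled?) with a
context-aware check (is this action appropriate for this task, now?).
All identifiers and policy values below are constructed, not real."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Static access grant: what the service account is *allowed* to touch.
GRANTS: Dict[str, Set[str]] = {"agent-svc": {"crm:read", "crm:update", "email:send"}}

@dataclass
class TaskPolicy:
    max_actions: int                     # per-task budget, curbs runaway execution
    allowed_next: Dict[str, Set[str]]    # permitted step transitions in the chain
    require_principal: bool = True       # agent must carry the delegating human

@dataclass
class TaskContext:
    task_id: str
    principal: Optional[str]             # human on whose behalf the agent acts
    history: List[str] = field(default_factory=list)

def check_access(account: str, action: str) -> bool:
    """The traditional control: does the account hold this entitlement?"""
    return action in GRANTS.get(account, set())

def check_execution(account: str, action: str, ctx: TaskContext,
                    policy: TaskPolicy) -> Tuple[bool, str]:
    """Contextual control layered on the grant; records the step if allowed."""
    if not check_access(account, action):
        return False, "not granted"
    if policy.require_principal and not ctx.principal:
        return False, "no attributable principal"   # attribution gap
    if len(ctx.history) >= policy.max_actions:
        return False, "task action budget exceeded"  # volume without intent
    prev = ctx.history[-1] if ctx.history else None
    if prev is not None and action not in policy.allowed_next.get(prev, set()):
        return False, f"unexpected step {prev} -> {action}"  # chain deviation
    ctx.history.append(action)
    return True, "ok"

if __name__ == "__main__":
    policy = TaskPolicy(max_actions=3, allowed_next={
        "crm:read": {"crm:update"}, "crm:update": {"email:send"}})
    ctx = TaskContext("task-1", principal="alice")
    for step in ("crm:read", "email:send", "crm:update", "email:send", "crm:update"):
        print(step, check_execution("agent-svc", step, ctx, policy))
```

The demo shows the same granted account being refused when it skips a step, then again once the task budget is spent, even though every action passes the entitlement check.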
Final Thought
AI agents are not bypassing controls. In most cases, they are operating within them. The issue is that those controls were not designed to validate how work is now being executed.
If control effectiveness cannot be demonstrated against real behaviour, then the presence of controls alone does not provide assurance.
Next in the series:
Controlling AI Agents: Why Detection Is Too Late