
Securing AI agents: How to govern your ‘Cyborg Teenagers’

Author: Kelly Grizzle, Distinguished Engineer, SailPoint

I am constantly hearing from our customers that AI agent adoption is a critical business mandate being pushed from the highest levels of their organizations. To stay competitive and gain efficiencies, they are leaning heavily into the promise of AI agents. Personally, I’m a believer! I have witnessed tools like Cursor, Claude Code, and GitHub Copilot turn the software engineering process on its head and vastly increase productivity.

However, the CISOs of the world are losing sleep at night trying to figure out how to do this safely. In a sense, we have “put the cart before the horse” and dove head-first into agent adoption without thinking about security. This sentiment comes through loud and clear in a recent survey from SailPoint and Dimensional Research, where 96% of technology professionals identified AI agents as a threat.

The rise of the cyborg teenager

AI agents are completely unlike traditional human identities and non-human identities. They can be driven by humans or work autonomously. Sometimes they act on behalf of a user (the human part of the cyborg) and sometimes they use machine accounts to gather data or perform actions (the machine part). Their brain is a large language model (LLM) that can reason and plan. Tools—such as MCP servers—act as their five senses and arms and legs. Pretty amazing, right!?

The problem: An AI agent’s brain is on par with a teenager’s. Neither of them has a fully developed prefrontal cortex. One minute you will be amazed by their level of insight and maturity, and the next minute you’ll be shaking your head wondering “what were they thinking?!” Stack on top of that the fact that agents operate at lightning speed and you have a recipe for disaster.

So, how do we embrace these cyborg teenagers confidently?

The Grizzle Seven Tenets of Agent Security

At SailPoint’s Navigate conference, I introduced The Grizzle Seven Tenets of Agent Security to help guide security practitioners in this journey.

  • Visibility
  • Ownership
  • Access Control
  • Fine-Grained Data Access
  • Observability, Insights, and Control
  • Focus where the risk lives
  • Task-based Just-in-Time Access

Let’s take a look at each tenet.

Visibility

The first step is gaining visibility into all agents running in your enterprise—whether they are off-the-shelf, home-grown, or shadow agents. This is achieved through a solution that provides agent discovery and a centralized catalog in an agent directory. If you can’t see it, you can’t secure it.

Ownership

Much like teenagers, agents need a responsible adult to watch over them. These owners need to understand and control who can use the agent and what the agent can do, and they need to monitor its behavior to ensure the agent isn’t going off the rails. Additionally, if the responsible adult leaves the company or goes on vacation, you need succession planning so that your agent isn’t left as an orphan.

Access Control

Access control for agents is complex and comes in many different flavors. The easy part is controlling who can access each agent. Treat your agent like an application, requiring authentication and authorization through an identity provider.

The harder part comes into play when an agent calls tools or delegates tasks to other agents. These interactions require access control—either in the form of allowing the agent to act on behalf of the user with their consent and permissions, or by utilizing a machine account that has its own permissions. The latter can be especially dangerous when an agent ends up giving a user access to data or actions that the user normally wouldn’t have.

Fine-Grained Data Access

Access control does not stop at coarse-grained permissions. Agents are hungry for data and will try to consume anything they can get their hands on. Data must be governed and secured at a fine-grained level to ensure that your agents are operating within their bounds. Compliance policies that apply to humans also apply to humans that are using agents. Data governance and security could take up an entire blog post by themselves, so I will just summarize: Classify and secure all data that is available to agents and apply policy to control access. Maintain a zero-standing privilege posture for highly sensitive data.

Observability, Insights, and Control

Establish observability for your agents by centralizing logging where you can see which agents are being used, how they made their decisions, and any actions that they have performed to fulfill their tasks. Having an audit trail is not only important for compliance but is also necessary for forensics if you need to go back and figure out why things went sideways.

It is easy to get lost in a flood of logs and miss the needle in the haystack. A tool that can perform analytics to provide insights about outliers or anomalous behavior can help to cut through the noise.

While being alerted about potential problems is great, it can be slow to remedy issues if you don’t have a single platform where you can control the agent and make changes. A centralized control plane can help to take swift action when necessary—such as removing a user’s access to an agent or pulling a “kill switch.”
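As an added example of the observability and analytics described in this section (example code, not SailPoint’s product or the author’s), the following script runs three outlier checks over a few constructed audit records: an agent calling a tool it is not registered for in the agent directory, a sensitive tool called through a machine account rather than on behalf of a user, and a burst of calls from one agent. The log schema, directory entries, sensitive-tool list and threshold are all assumptions.

```python
import json
from collections import Counter

# Agent directory (Visibility tenet): which tools each agent is registered to call.
# Constructed sample with an assumed schema; an agent missing from the directory
# (a shadow agent) is flagged on every call because nothing is registered for it.
AGENT_DIRECTORY = {
    "expense-bot": {"tools": {"expenses.read", "expenses.submit"}},
    "hr-helper":   {"tools": {"directory.lookup"}},
}
SENSITIVE_TOOLS = {"payroll.export", "directory.lookup"}  # assumed classification
MAX_CALLS_PER_MINUTE = 3   # assumed threshold; tune per agent from its baseline

# Constructed audit records, one JSON object per agent action. "user" is the
# person the agent acted on behalf of; null means a machine account was used.
AUDIT_LOG = """\
{"ts":"2025-01-10T09:00:01Z","agent":"expense-bot","user":"alice","tool":"expenses.read"}
{"ts":"2025-01-10T09:00:04Z","agent":"expense-bot","user":"bob","tool":"expenses.read"}
{"ts":"2025-01-10T09:00:09Z","agent":"expense-bot","user":"alice","tool":"expenses.submit"}
{"ts":"2025-01-10T09:00:12Z","agent":"expense-bot","user":"alice","tool":"expenses.read"}
{"ts":"2025-01-10T09:01:00Z","agent":"hr-helper","user":"carol","tool":"directory.lookup"}
{"ts":"2025-01-10T09:02:00Z","agent":"expense-bot","user":"bob","tool":"payroll.export"}
{"ts":"2025-01-10T09:02:30Z","agent":"hr-helper","user":null,"tool":"directory.lookup"}
"""

def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_outliers(records):
    """Return (when, agent, reason) tuples that deserve a human's attention."""
    findings = []
    # Calls per (agent, minute); ts[:16] truncates the timestamp to the minute.
    per_minute = Counter((r["agent"], r["ts"][:16]) for r in records)
    for r in records:
        allowed = AGENT_DIRECTORY.get(r["agent"], {}).get("tools", set())
        if r["tool"] not in allowed:
            findings.append((r["ts"], r["agent"], f"unregistered tool {r['tool']}"))
        if r["user"] is None and r["tool"] in SENSITIVE_TOOLS:
            findings.append((r["ts"], r["agent"],
                             f"machine account used sensitive tool {r['tool']}"))
    for (agent, minute), n in per_minute.items():
        if n > MAX_CALLS_PER_MINUTE:
            findings.append((minute, agent, f"{n} calls in one minute"))
    return findings

if __name__ == "__main__":
    for finding in find_outliers(parse_log(AUDIT_LOG)):
        print(*finding)
```

Each finding carries the agent name, so a control plane can route it to that agent’s owner or feed it into the agent’s risk profile.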

Focus where the risk lives

Not all agents are created equal. As the number of tools available to an agent, and the permissions it holds on those tools, increase, so does the risk that agent represents. Use the agent directory, access control information, and observability to create a risk profile for each agent in your organization. Using that risk profile, you can prioritize which agents need to be governed and monitored more closely and which ones you can trust more. By focusing on the riskiest areas, you can have a greater impact towards strengthening your security posture.

Task-based Just-in-Time Access

It is very common for an agent to act on behalf of a user by retrieving an access token with that user’s permissions. This is like handing your teenager your credit card, trading account, and car keys and keeping your fingers crossed that everything goes well. Agents use planning and reasoning to execute their mission, and sometimes they hallucinate or take “interesting” paths to get to the goal line.

Instead of handing over the keys to the kingdom, each access grant needs to understand intent and be scoped to the task that the user is requesting of the agent. Additionally, the access must expire quickly so it cannot be used for a different task. While the concept of least-standing privilege is important for human users, it is an absolute must for agents.

Introducing a human-in-the-loop to approve sensitive actions can help, but this will not scale when agents are acting on your behalf all day, every day. Imagine the amount of time you’ll need to spend just reviewing agent approvals. More likely, you will just start ignoring what the agent is asking in the approval and rubber stamp everything. Human-in-the-loop is only effective if used sparingly. Task-based just-in-time access will be required to take us to the next level of efficiency gains securely.
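The following is an added example (not SailPoint’s code or the author’s) of the task-based just-in-time grant this section argues for, and of the Access Control point above that a delegated agent must never exceed the user’s own permissions: a grant is minted as the intersection of the user’s entitlements and the scopes the named task needs, signed, and given a short lifetime; the resource side then rejects the grant when it is expired, presented for a different task, tampered with, or used for a scope it does not carry. The entitlement data, task-to-scope mapping, grant format and signing key are all constructed assumptions.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-key"  # placeholder; keep the real key in a KMS/HSM

# Entitlements each human already holds (assumed directory data). A grant is
# always a subset of these, so the agent can never do what the user cannot.
USER_ENTITLEMENTS = {"alice": {"expenses.read", "expenses.submit", "calendar.read"}}
# Scopes a task legitimately needs: intent maps to a narrow scope (assumed mapping).
TASK_SCOPES = {"file-expense-report": {"expenses.read", "expenses.submit"},
               "schedule-meeting": {"calendar.read", "calendar.write"}}

def b64(raw):   return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64(txt): return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))

def issue_grant(user, task, ttl_seconds=300, now=None):
    """Mint a short-lived grant bound to one task: user entitlements ∩ task scopes."""
    now = int(time.time() if now is None else now)
    scope = USER_ENTITLEMENTS.get(user, set()) & TASK_SCOPES[task]
    body = {"sub": user, "task": task, "scope": sorted(scope), "exp": now + ttl_seconds}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(sig)

def authorize(grant, task, scope_needed, now=None):
    """Called by the tool/resource server on every request; returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        p, s = grant.split(".")
        payload, sig = unb64(p), unb64(s)
    except ValueError:
        return False, "malformed grant"
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    body = json.loads(payload)
    if now >= body["exp"]:
        return False, "grant expired"
    if body["task"] != task:
        return False, "grant issued for a different task"
    if scope_needed not in body["scope"]:
        return False, f"scope {scope_needed} not in grant"
    return True, "ok"

if __name__ == "__main__":
    g = issue_grant("alice", "file-expense-report", now=1000)
    print(authorize(g, "file-expense-report", "expenses.submit", now=1100))
    print(authorize(g, "schedule-meeting", "calendar.read", now=1100))
    print(authorize(g, "file-expense-report", "expenses.submit", now=1400))
```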

Where to go from here

It is no longer a matter of whether your organization should adopt AI agents; it is a question of when you start using them and how you can do so safely. Agents are a new type of identity—not quite human, not quite machine. They need to be governed and managed in new ways to maintain security and enter this new era with confidence.

Start by establishing a firm foundation for getting visibility to your agents and assigning owners. Understand who can use each agent and what each agent is capable of, including what data they can access. Monitor your agents, focusing on the riskiest ones, with a centralized control plane that can shut them down if they go rogue. Double down on least standing privilege, where access is granted with just the right scope and for just the right amount of time.

At SailPoint, we are hyper-focused on working with our customers, keeping up with the latest AI technology trends, and providing solutions that meet at the intersection of agents and security.

For more, watch the Navigate masterclass “Agentic AI World.”