Gem State Technology

Somewhere in your environment right now, an AI agent is doing something nobody explicitly told it to do.

That’s not a bug. That’s the design. We’ve moved past the era of chatbots that politely answer questions and into the era of digital workers that take action — booking, buying, writing, deploying, deleting. The productivity upside is real. So is the exposure, and most of us are pattern-matching to the wrong threat model.

I’ve been thinking about this since the panel at Snowflake Summit in San Francisco, where security leaders from Resolve AI, 1Password, and Tenable laid out a useful frame: treat your AI agents like eager but misguided interns. Capable, fast, motivated — and entirely willing to do something disastrous if you don’t draw clear lines around the work.

The intern metaphor lands because it forces the right question: would you give a first-week intern your production credentials, a corporate card, and a Slack channel to “figure it out”? Because that’s effectively what most organizations are doing with agents today.

The “buy me shoes, end up with a car” problem

Mayank Agarwal, founder and CTO of Resolve AI, put it bluntly on the panel: “You may tell the agent to buy you shoes, and before you know it, it has bought you a car.”

That’s funny until it’s your data, your customer records, or your AWS bill. The structural issue is that agents don’t follow scripts — they pursue goals. Give one a problem and it will try every path it has access to until something works. That’s the magic. It’s also the failure mode.

Agarwal’s framing is worth quoting because it cuts at the heart of what’s changed:

“If you go back just two years, an engineer knew exactly how they were going to connect APIs across different systems. A is going to call API B, B is going to do this with that data, and call C. In the agentic world, it’s completely unpredictable. The agent wires the stuff on the fly.”

The old software development rulebook — deterministic flows, predictable API calls, code reviews that catch bad logic — does not map cleanly onto non-deterministic systems. We are governing improvisers with playbooks written for assembly-line workers.

The numbers tell an uncomfortable story

If you think this is a future problem, it isn’t. According to the 2026 Gravitee State of AI Agent Security report and reporting around it:

  • 88% of organizations reported a confirmed or suspected AI agent security incident in the past year. In healthcare, it’s 92.7%. (beam.ai)
  • 82% of executives believe their existing policies cover unauthorized agent actions. Only 21% actually have visibility into what their agents can access, which tools they call, or what data they touch. (beam.ai)
  • Only 14.4% of agents go to production with full security and IT approval. (beam.ai)
  • 45.6% of teams rely on shared API keys for agent-to-agent authentication. Only 21.9% treat agents as independent, identity-bearing entities. (beam.ai)
  • The average enterprise now runs ~37 deployed agents — a number that grows every quarter, mostly without central review. (agatsoftware.com)

Read those again. The gap between executive confidence and operational reality is the actual story. Most leadership teams are governing a version of their AI stack that doesn’t exist.

Shadow AI: the part of the iceberg you can’t see

Jason Merrick, SVP of product at Tenable, told the panel about one client that had 12 unsanctioned AI instances inside their framework — with access to API feeds, source code, and a contractor coordinating through Telegram. “What could go wrong, right?”

That story isn’t an outlier. The 2026 Verizon DBIR found that unsanctioned AI tool use tripled to 45% of the workforce. IBM’s 2025 Cost of a Data Breach report pegged shadow AI as responsible for 20% of breaches, adding roughly $670,000 to average breach costs. (cloudsecurityalliance.org)

What makes shadow AI structurally worse than the shadow IT we’ve been fighting for a decade:

  1. Agents look like humans in your logs. As Nancy Wang, CTO of 1Password, put it: “Who actually took an action against this system? Is it a human? Is it a service account? Or is it an agent? Your team probably doesn’t know.”
  2. Credentials never get rotated. Shadow agents are typically spun up with a developer’s personal token or an over-scoped service account. The agent works, the team ships, and the credential becomes permanent infrastructure that no one owns. (christian-schneider.net)
  3. Detection tools weren’t built for this. Traditional DLP and CASB tools watch for file transfers and structured data patterns. Agent activity flows over normal HTTPS to approved domains and looks like ordinary user behavior. (sentinelone.com)

The kicker: the IBM 2025 report found that 97% of organizations that suffered an AI-related breach lacked proper AI access controls. (cloudsecurityalliance.org) That’s not a coincidence — it’s a causal chain.

Where most governance approaches go wrong

Here’s the blind spot I’d push back on: most security teams are extending their existing application security framework to cover agents and calling it a day. That doesn’t work, and the reason is simple — agents aren’t applications.

A firewall doesn’t stop prompt injection. An API gateway doesn’t prevent an over-permissioned agent from exfiltrating data through a legitimate tool call. Periodic access reviews don’t catch a non-deterministic system that wires new paths on the fly. (beam.ai)

The failure modes I keep seeing:

  • Privilege drift at agent speed. In traditional IAM, permission creep happens over years of role changes. With agents, it happens in days, as developers over-provision OAuth scopes to keep workflows from breaking. (strata.io)
  • Broken delegation chains. A user asks Agent A to do something. Agent A spins up Agent B. Agent B operates with fresh credentials that no longer trace back to the originating user’s authority. Now you have ghost actions in your environment. (strata.io)
  • MCP bypass. Even when teams set up a sanctioned Model Context Protocol layer, agents (or developers) route around it through scraped APIs or shortcut connectors. Governance becomes a suggestion. (strata.io)
  • Standing access. As Wang said on the panel, the biggest risk is “an agent that’s over-permissioned with longstanding credentials.” Just-in-time access exists in theory and almost never in practice. (beam.ai)

What actually works: five things to do this quarter

I’ll skip the framework-of-frameworks pageantry. Here’s the practical short list, ordered by leverage:

1. Give every agent its own identity. No shared service accounts. No reused API keys. Each agent should be a first-class security principal with its own credentials, owner, and audit trail. This single change unlocks attribution — without it, you can’t investigate anything. (strata.io)

2. Inventory what you have — including the shadow. You can’t govern what you can’t see. Pull your Workspace or M365 OAuth consent log this week. You will find application identities nobody owns. Treat that list as your starting backlog. (christian-schneider.net)

3. Make least privilege a runtime decision, not a deployment one. Scope tokens just-in-time to the task at hand. Revoke when the task completes. Standing access is the vulnerability — measure your time-to-revoke in minutes, not days. (cloudsecurityalliance.org)

4. Deploy an agent gateway between agents and their tools. Intercept every tool invocation, evaluate against policy, score risk in real time. High-risk actions route to human approval; low-risk, high-frequency calls auto-approve. This shifts you from forensic log review to proactive enforcement. (agatsoftware.com)

5. Make the sanctioned path the easy path. Prohibition without a viable alternative just drives shadow AI deeper underground. If your security-approved deployment process takes six weeks and the developer can spin something up in six hours, you’ve already lost. Self-service provisioning with built-in guardrails beats policy memos every time. (cloudsecurityalliance.org)
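To make items 1 through 4 concrete, here is an added sketch (mine, not code from the post, the panelists, or any product named above) of the decision an agent gateway makes per tool call: each agent holds its own short-lived, task-scoped token that records the accountable owner and the originating user, and the gateway denies unregistered tools, expired tokens, missing scopes and broken delegation chains, routing high-risk tools to human approval. The tool names, scopes, risk tiers and five-minute TTL are assumptions for illustration.

```python
import time
from dataclasses import dataclass

# Tool registry for the gateway: tool name -> (scope the token must carry, risk tier).
# Constructed sample policy; a real gateway would load this from configuration.
TOOL_POLICY = {
    "calendar.read":        ("calendar:read", "low"),
    "crm.export_contacts":  ("crm:export",    "high"),
    "aws.delete_bucket":    ("aws:admin",     "high"),
}

@dataclass(frozen=True)
class AgentToken:
    agent_id: str        # the agent as its own principal, never a shared key
    owner: str           # accountable human who owns this agent
    on_behalf_of: str    # originating user; "" means the delegation chain is broken
    scopes: frozenset    # just-in-time scopes granted for this task only
    expires_at: float    # unix time; a short TTL keeps time-to-revoke in minutes

AUDIT_LOG = []  # every decision is attributable to an agent, its owner and a user

def evaluate_tool_call(token, tool, now=None):
    """Gateway decision for one tool invocation: 'allow', 'needs_approval' or 'deny'."""
    now = time.time() if now is None else now
    if tool not in TOOL_POLICY:
        decision, reason = "deny", "unregistered tool (possible gateway bypass)"
    elif now >= token.expires_at:
        decision, reason = "deny", "token expired"
    elif not token.on_behalf_of:
        decision, reason = "deny", "no originating user in delegation chain"
    else:
        required, risk = TOOL_POLICY[tool]
        if required not in token.scopes:
            decision, reason = "deny", f"missing scope {required}"
        elif risk == "high":
            decision, reason = "needs_approval", "high-risk tool routed to owner"
        else:
            decision, reason = "allow", "low-risk call auto-approved"
    AUDIT_LOG.append({"agent": token.agent_id, "owner": token.owner,
                      "user": token.on_behalf_of, "tool": tool,
                      "decision": decision, "reason": reason})
    return decision, reason

def mint_task_token(agent_id, owner, user, scopes, ttl_seconds=300, now=None):
    """Issue a task-scoped token that expires on its own (assumed default TTL: 5 min)."""
    now = time.time() if now is None else now
    return AgentToken(agent_id, owner, user, frozenset(scopes), now + ttl_seconds)
```

Calling `evaluate_tool_call` with the same token after its TTL, or with a token whose `on_behalf_of` is empty, is denied and still lands in `AUDIT_LOG` with the agent and owner attached.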

The mental model I’d leave you with

Wang closed the panel with a line worth sitting with:

“Agents, like interns, need very, very specific instructions. Sometimes they still veer off the desired path. It comes back to full visibility, remediation, and making sure that you set the right intent from the get-go — and that intent must persist across every step, every action that the agent takes.”

The hard part of agent governance isn’t writing the policy. It’s holding intent constant across a system that’s specifically designed to improvise. That’s a new discipline, and the organizations that figure it out first won’t just be more secure — they’ll be the ones that can actually let their agents off the leash without flinching.

The rest will keep buying cars when they asked for shoes.
