
AI agents are acting like employees. You’re governing them like tools.


COMMENTARY: The language has changed. AI systems aren't “assistants” anymore; they're “digital employees,” and the controls haven't kept up.

Large organizations like BNY Mellon, which recently disclosed that its internal AI agent has reached near-universal adoption, are already running AI agents that triage alerts, coordinate investigations, summarize incidents, and move work across security tools with little human involvement. In many SOCs, the first responder to an alert is no longer an analyst. It’s an agent deciding what matters and what doesn’t.

That shift should make security leaders uncomfortable.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

While we're calling them employees, we're deploying them like plugins — broad access, privileged workflows, no oversight. We call it innovation. In reality, we've created high-authority actors that operate outside the controls we use to manage human risk.

We promoted the agents. We forgot to build the management layer.

Optimized for demos, not defense

Most enterprises give AI agents wide permissions for one reason: speed. It’s faster to grant a broad role than to define narrow ones. It’s easier to reuse service accounts than to manage identity properly. And it makes the demo work just well enough to get the green light.

Unlike employees, agents don’t recognize when something is unusual, unsafe, or simply wrong. They don’t understand policy. They don’t understand intent. They execute what they are told, even when those instructions are vague, conflicting, or quietly manipulated.

The moment an agent is placed inside privileged workflows without strict boundaries, you have not built a smarter analyst. You have built an extremely fast operator with no situational awareness and no internal brakes.

Fast hands, no brain

This isn't theoretical. It's happening now.

When an agent with broad access makes a mistake, it doesn't send one bad email. It cascades across systems, exposing data, breaking compliance rules and misconfiguring controls before anyone notices.

Recent public disclosures involving AI assistants and automation components follow a familiar pattern. They are rarely the result of elite attackers breaking novel defenses. They are systems doing exactly what they were allowed to do, in ways no one fully modeled.

The real risk is the growing gap between instruction and intent.

Security teams already struggle to reason about complex automated workflows. Agents add another layer, one that can reinterpret, chain, and execute actions dynamically across tools. At scale, small ambiguities become systemic failures.

The next wave of high-impact incidents will not look like traditional breaches. They will look like perfectly authorized activity producing catastrophic outcomes.

The next breach will be fully approved

If we’re going to call AI agents “digital employees,” then this stops being an engineering problem and becomes a governance failure.

We would never allow a new human hire to walk into the SOC with unrestricted access, no manager, no activity monitoring, and no accountability for the actions they take. Yet that is exactly how many organizations are onboarding agents today.

If an agent can access sensitive data or take action in production systems, treat it like a high-access employee. That means clear identity, defined permissions, constant monitoring, and someone who's accountable.

This is not optional hygiene. It is table stakes for operating AI safely inside security operations. The industry will either bring agents into identity and governance frameworks now, or it will spend the next several years trying to bolt controls onto systems after the damage is done.

You hired agents without HR

Most organizations still have a narrow window to put real governance in place before AI agents become operational fabric. Start here: if an agent can touch production systems, it needs a real identity and a clearly accountable owner. No shared service accounts. Someone owns that identity, its lifecycle, and its access.

Stop giving agents analyst-level access as a shortcut. Define exactly what each agent needs to do (pull logs, run queries, create tickets) and give it only those permissions. If you can't narrow it down, the agent isn't ready for production.

The organizations that succeed will make agent activity impossible to ignore. That means real-time monitoring, clear attribution for every action, and guardrails that keep agents inside defined bounds, so that understanding what an agent did never depends on post-incident log archaeology.
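What the three steps above look like when enforced in code, as an added example (hypothetical; not code from the author, Exabeam or any product): a small gateway that every agent tool call must pass through. It refuses identities with no accountable owner, allows only the actions explicitly granted to that agent (deny by default), applies a per-action guardrail to the request parameters, and writes an attribution record for every attempt, allowed or denied, at decision time. The action names, the owner field, the log sources and the 24-hour limit are assumptions chosen for illustration.

```python
"""Hypothetical tool-call gateway for SOC agents (added example, not the article's code).

Every action an agent attempts goes through AgentGateway.authorize(), which:
  * rejects identities that have no accountable owner (no shared service accounts),
  * allows only actions explicitly granted to that agent (deny by default),
  * applies a per-action guardrail to the request parameters,
  * appends an attribution record for every attempt, allowed or denied.
"""
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    owner: Optional[str]           # accountable human; None models a shared/unowned account
    allowed_actions: frozenset     # exact set of actions this agent may invoke


@dataclass
class AuditRecord:
    seq: int
    agent_id: str
    owner: Optional[str]
    action: str
    params: Dict[str, Any]
    allowed: bool
    reason: str


# Guardrails return None when the request is within bounds, otherwise a denial reason.
# Sources and limits below are assumed values for the example.
def _logs_read_guard(params: Dict[str, Any]) -> Optional[str]:
    if params.get("source") not in {"firewall", "edr", "auth"}:
        return "log source outside agent's scope"
    if params.get("hours", 0) > 24:
        return "time window exceeds 24h"
    return None


def _siem_query_guard(params: Dict[str, Any]) -> Optional[str]:
    # Token match (not substring) so a table named "alerts" does not trip "alter".
    tokens = set(re.findall(r"[a-z_]+", params.get("query", "").lower()))
    if tokens & {"delete", "drop", "alter", "update", "insert"}:
        return "only read-only queries permitted"
    return None


def _ticket_create_guard(params: Dict[str, Any]) -> Optional[str]:
    if params.get("severity") not in {"low", "medium", "high"}:
        return "severity must be low/medium/high"
    return None


GUARDRAILS: Dict[str, Callable[[Dict[str, Any]], Optional[str]]] = {
    "logs.read": _logs_read_guard,
    "siem.query": _siem_query_guard,
    "ticket.create": _ticket_create_guard,
}


class AgentGateway:
    def __init__(self) -> None:
        self.audit: List[AuditRecord] = []

    def authorize(self, agent: AgentIdentity, action: str,
                  params: Dict[str, Any]) -> Tuple[bool, str]:
        allowed, reason = True, "ok"
        if agent.owner is None:
            allowed, reason = False, "identity has no accountable owner"
        elif action not in agent.allowed_actions:
            allowed, reason = False, f"action {action!r} not granted to agent"
        elif action not in GUARDRAILS:
            allowed, reason = False, f"no guardrail defined for {action!r}"
        else:
            problem = GUARDRAILS[action](params)
            if problem:
                allowed, reason = False, problem
        # Attribution is recorded for every attempt, including denials.
        self.audit.append(AuditRecord(len(self.audit) + 1, agent.agent_id, agent.owner,
                                      action, dict(params), allowed, reason))
        return allowed, reason

    def actions_by(self, agent_id: str) -> List[AuditRecord]:
        """Everything a given agent tried to do, answerable without log archaeology."""
        return [r for r in self.audit if r.agent_id == agent_id]


def demo() -> Tuple[AgentGateway, List[Tuple[bool, str]]]:
    """Constructed sample traffic: one owned triage agent and one unowned shared account."""
    gw = AgentGateway()
    triage = AgentIdentity("triage-agent-01", "alice@example.com",
                           frozenset({"logs.read", "siem.query", "ticket.create"}))
    shared = AgentIdentity("svc-automation", None, frozenset({"logs.read"}))
    results = [
        gw.authorize(triage, "logs.read", {"source": "edr", "hours": 4}),
        gw.authorize(triage, "siem.query", {"query": "SELECT host FROM alerts WHERE sev='high'"}),
        gw.authorize(triage, "siem.query", {"query": "DELETE FROM alerts"}),
        gw.authorize(triage, "iam.grant_role", {"role": "admin"}),
        gw.authorize(shared, "logs.read", {"source": "auth", "hours": 1}),
        gw.authorize(triage, "ticket.create", {"severity": "critical"}),
    ]
    return gw, results


if __name__ == "__main__":
    gateway, outcomes = demo()
    for record in gateway.audit:
        print(record.seq, record.agent_id, record.owner, record.action, record.allowed, record.reason)
```

The point of the design is that the allowlist, the guardrail and the audit trail live in one choke point the agent cannot bypass, rather than in the agent's prompt. An agent asking for a role it was never granted, or a shared account with nobody's name on it, is denied and still leaves a record with the accountable owner attached.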

What good governance unlocks

Get this right and you unlock three outcomes: a smaller blast radius when things break, faster investigations because you can trace what the agent did, and the ability to scale AI without scaling risk.

The uncomfortable truth is that speed is no longer the differentiator; discipline is. The winners won’t be the first to deploy agents, but the first to govern them like employees before an automated mistake forces the lesson.


Steve Wilson is chief AI officer at Exabeam.
