
AI agents have broken the security perimeter


COMMENTARY: The security industry has spent too much time talking about prompt injection.

Prompt injection matters, but it’s only one part of a bigger shift: AI agents move data, context, and decisions across systems that were never designed to operate as part of the same security boundary.


A support agent can read a customer ticket, search internal docs, pull data from a CRM, and issue a refund through a payment gateway. The risk does not exist just at the chat interface; it runs across all of these workflows.

Traditional controls were built around clear entry points: requests, API routes, login flows or a checkout – because those were the sensitive areas. That’s where most security tools still focus their analysis. Agents stretch that model because the request now spans multiple systems, backends, and tools, most of which we can’t route through a classic firewall or proxy.

Security teams look in the wrong places

A customer support agent might search a knowledge base, pull account details from Salesforce, review previous conversations, issue a refund, draft a response, open a ticket, and trigger a follow-up. A finance agent might collect data from several systems, generate a recommendation, update a dashboard, and share the result with a team.

None of those workflows live inside a single request. The request that started the process matters far less than everything that happens afterward.

The farther an agent moves from the original interaction, the harder it becomes to understand why it made a decision. Security teams can often see that an action occurred, but they struggle to understand what information influenced the action, which systems contributed context, and whether the resulting decision aligned with business rules.

Most organizations already know how to authenticate users, inspect requests, and block known threats at the edge. But they don’t know how to consistently enforce policy once the work has moved inside the workflow.

A firewall cannot tell whether an agent should have combined two pieces of customer data. An identity system cannot tell whether a tool result should become model context. A gateway can see traffic, but it may not understand the business rule that makes an action safe or unsafe. The work has moved, so the controls have to move with it.

Most agent failures look like application failures

The industry likes dramatic examples: jailbreaks, hostile prompts, and chatbots saying things they shouldn’t. These are interesting to read about, but production failures will look more ordinary. An agent will expose data to the wrong system. It will act on stale or incomplete context. It will make a recommendation without understanding a business constraint. It will take an action that looks reasonable in isolation but is wrong inside the broader workflow.

The model may behave exactly as expected and the workflow can still fail.

That’s why framing agent security as a model problem misses the point. Organizations do not struggle with trust because models generate text; the challenge comes from the misalignment of software, people, permissions, and business processes.

Security has to run where decisions are made. Historically that’s an HTTP request, but increasingly it’s a tool call, a background job, a queue worker, or an agent loop. The question is no longer whether the prompt looked safe, but rather: Should we use this data here, by this agent, for this action?

Security teams already understand this dynamic. They have spent decades dealing with excessive permissions, broken access controls, poor governance, and systems that expose information to the wrong people. Those problems did not disappear when AI arrived: agents simply accelerated them.

A permission mistake that once affected a single employee can now influence an automated workflow touching multiple systems. Information that once stayed inside a single application can now move across tools, databases, and agents that share little understanding of one another. Small mistakes travel farther because agents move faster.

The next layer of application security will live inside the workflows agents execute.

Authentication still matters. Network controls still matter. Request inspection still matters. But they are no longer enough on their own, because the most important decisions may happen several steps after the original request. Organizations need controls that understand the same context the agent uses: what data it accessed, which tools it called, what action it’s about to take, and which business rules should apply.

That’s the shift. Securing agents does not just mean blocking bad prompts: it’s about enforcing policy at the point where data becomes context and context becomes action.
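To make the idea of "policy at the point where data becomes context and context becomes action" concrete, here is an added example (it is not code from the column or from Arcjet) of a small enforcement layer that sits at the tool-call boundary of a support-agent workflow. Every piece of context the agent holds carries provenance (which system supplied it, how trusted that system is, and how the data is classified), and each tool call is checked against business rules using that provenance before the tool runs. The tool names (`issue_refund`, `send_email`), source names, the refund limit, and the sample context are all hypothetical placeholders constructed for this example.

```python
"""Added example: enforcing business policy at the tool-call boundary of an
agent workflow, with provenance carried on every piece of context.
Tool names, sources, limits and sample data are hypothetical placeholders."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Any


class Trust(Enum):
    UNTRUSTED = 0   # free text written by a customer or third party
    INTERNAL = 1    # internal docs, prior conversations
    VERIFIED = 2    # a system of record (CRM, billing)


@dataclass(frozen=True)
class ContextItem:
    source: str           # which system supplied it, e.g. "ticket", "crm"
    trust: Trust
    classification: str   # "public", "internal" or "pii"
    content: str


@dataclass
class ToolCall:
    tool: str                         # hypothetical tool name
    params: dict[str, Any]
    derived_from: list[ContextItem]   # context the agent used to form the call


@dataclass
class Decision:
    allowed: bool = True
    reasons: list[str] = field(default_factory=list)
    sources: list[str] = field(default_factory=list)   # for the audit trail


# Hypothetical policy settings for this example.
REFUND_LIMIT_WITHOUT_VERIFIED_SOURCE = 50.0
EXTERNAL_TOOLS = {"send_email", "post_webhook"}


def _param_text(call: ToolCall) -> str:
    """Flatten the outgoing parameters so data-flow rules can inspect them."""
    return " ".join(str(v) for v in call.params.values())


def evaluate(call: ToolCall) -> Decision:
    """Apply business rules to one tool call using the provenance of its context."""
    d = Decision(sources=sorted({c.source for c in call.derived_from}))
    trusts = {c.trust for c in call.derived_from}

    # Rule 1: a large refund must be grounded in a system of record, not only
    # in text the customer wrote (the ticket body is untrusted input).
    if call.tool == "issue_refund":
        amount = float(call.params.get("amount", 0))
        if amount > REFUND_LIMIT_WITHOUT_VERIFIED_SOURCE and Trust.VERIFIED not in trusts:
            d.allowed = False
            d.reasons.append(
                f"refund {amount:.2f} exceeds {REFUND_LIMIT_WITHOUT_VERIFIED_SOURCE:.2f} "
                "with no verified source in context")

    # Rule 2: PII pulled from an internal system must not flow into a tool
    # that sends data outside the organization.
    if call.tool in EXTERNAL_TOOLS:
        outgoing = _param_text(call)
        for c in call.derived_from:
            if c.classification == "pii" and c.content in outgoing:
                d.allowed = False
                d.reasons.append(f"pii from '{c.source}' would leave via '{call.tool}'")
    return d


def run_tool(call: ToolCall, audit: list[dict]) -> Decision:
    """Gate the call: record the decision and the systems that shaped it."""
    d = evaluate(call)
    audit.append({"tool": call.tool, "allowed": d.allowed,
                  "sources": d.sources, "reasons": d.reasons})
    # The real tool would execute here only when d.allowed is True.
    return d


# Constructed sample context for a support-agent workflow.
TICKET = ContextItem("ticket", Trust.UNTRUSTED, "internal",
                     "Please refund my last order of 500 dollars.")
CRM = ContextItem("crm", Trust.VERIFIED, "pii", "card ending 4242, order 500.00")
KB = ContextItem("kb", Trust.INTERNAL, "public", "Refunds are processed in 5 days.")

if __name__ == "__main__":
    log: list[dict] = []
    print(run_tool(ToolCall("issue_refund", {"amount": 500}, [TICKET]), log))
    print(run_tool(ToolCall("issue_refund", {"amount": 500}, [TICKET, CRM]), log))
    print(run_tool(ToolCall("send_email", {"body": CRM.content}, [CRM]), log))
    print(run_tool(ToolCall("send_email", {"body": KB.content}, [KB]), log))
```

The point of the design is that neither rule could be evaluated at the chat interface or at a network gateway: the first needs to know which systems contributed context to the refund decision, and the second needs to know how data in an outgoing message was classified at its source. The audit entry written by `run_tool` is the visibility side of the same mechanism, recording which systems shaped each action so that a reviewer can later reconstruct why the agent acted.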

Security teams do not have a perimeter problem. They have a visibility and enforcement problem. For years, those issues were close enough for us to treat them as the same challenge. Agents are creating distance between them. The companies that get this right will not treat agent security as a separate AI filter bolted onto the side. They will build it into the workflows where agents actually do the work.

We can no longer think of the perimeter as just the front door: it’s every place an agent can make a decision.

David Mytton, chief executive officer, Arcjet

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
