COMMENTARY: Enterprise AI has moved into production, and security architecture must evolve with it.Most organizations rely on infrastructure designed for applications whose behavior the team knows before it runs. AI agents don't fit that model. They make decisions, invoke tools, and adapt to changing conditions, creating operational and security challenges that existing cloud infrastructure wasn't designed to secure or govern.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]Traditional application security assumes deterministic code: the same input produces the same output, making behavior predictable and testable. Agents break that assumption. They invoke tools, chain actions, and adapt at runtime, so the attack surface isn't fixed at deployment—it moves.That shift changes the security mode and causes three recurring challenges as agents move from proof of concept to production: over-provisioning, identity, and fault tolerance.Security teams typically do over-provisioning first. Agents get far more tool access than the task requires, because it's faster to grant broad access once than to scope permissions per use case. Every extra integration represents another chance for misconfiguration, and executive pressure to ship agentic features has outrun the operational controls needed to govern them. Security teams end up policing highly privileged autonomous systems with governance built for static applications.Think of identity as the harder version of the same problem. We default by giving an agent the permissions of whatever human or service account launched it, but that’s the wrong model. We need to scope permissions to an agent's purpose and specific actions, not inherit the user’s by default, because users are often vastly overpermissioned. This often happens without even realizing it, but most organizations lack the tooling to enforce that distinction, so broad access becomes the default and the attack surface grows accordingly.Fault tolerance has also become an issue. Production agents are non-deterministic by design. Hallucinations and bad tool calls don't always turn into exploitable vulnerabilities, but they reliably produce operational failures that erode trust in autonomy. Teams handling this well rely on deterministic orchestration, structured evaluation pipelines, and continuous testing.Sandboxing hasn't caught up either. Most shops still lean on allowlists and blocklists, and neither suffices alone. Blocklists let agents touch nearly everything unless explicitly denied, a losing bet against a determined attacker. Allowlists are safer in principle, but are also misused in unintended ways: read access to a file store is "safe" until an agent uses it to exfiltrate data one legitimate read at a time.Container isolation, kernel-level protections, and fully isolated execution environments remain security best practices, but they can't help teams model the blast radius of an agent that’s compromised or behaves unexpectedly. That's determined by its permissions, connected systems, and exposure to untrusted content, not where its process runs. We need to make reducing blast radius, not just hardening the perimeter, the design goal.That's why AI agents require a distinct infrastructure layer. It won't replace MLOps or model lifecycle management. Instead, it offers the operational control plane needed to run autonomous systems safely in production.Every major cloud provider now offers some form of agent platform, while AI-native infrastructure vendors build specifically for autonomous workloads. Treat an agent like just another application or user account, and we inherit risks we didn't need to take. Build infrastructure around what agents actually are, and we prepare for what's next.The security community isn't waiting for the industry to sort this out on its own. Our own Secure AI Lifecycle (SAIL) framework represents one example. It translates the high-level regulatory and governance language of emerging standards into the operational controls security teams actually implement. While we shepherded the project, it was community-driven: CISOs and security leaders from finance, healthcare, and technology helped shape the framework.The challenges surrounding agentic AI are real, but we’ve made some good progress. Standards bodies, vendors, researchers, and practitioners have aligned on the controls and operational practices needed to secure autonomous systems. The security community has moved quickly, sharing lessons, and solving problems together.And that's a reason for cautious optimism.Dan Lisichkin, AI Researcher, Pillar SecuritySC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




