AI/ML, Data Security, Identity

Stop trying to ‘lock down’ your AI: Why rigid guardrails are a gift to hackers

Various robots and androids behind bars in a prison cell.

It's only natural for we humans to want to strictly lock down the abilities of AI agents. They're smart, fast, unpredictable and can often get around obstacles you throw in their way. Giving AI agents access to sensitive information, we instinctively assume, is a recipe for disaster.

Yet putting tight restrictions on AI agents defeats the entire purpose of using them and is often just as ineffective as trying to make them comply with traditional security controls, which itself conveys a false sense of security, argues Rubrik CTO and co-founder Arvind Nithrakashyap.

What's needed, he says, is a more flexible approach that, when coupled with continuous oversight and context-aware decision-making, lets AI agents learn from mistakes so that they can do a better job.

"You need more of a dynamic governance model, ideally governed by some kind of policy that you define just as you do for humans," Nithrakashyap says. "You set policies and say, 'Hey, here's the policy, it's how you have to operate.'"

In that way, he explains, AI agents are given the same sort of leeway afforded to human users, but with added identity-based guardrails necessary to compensate for the agents' incredible speed.

"The kinds of system that we have in terms of permissions and identity providers, or even any kind of rules, no longer apply," Nithrakashyap says. "You have to have more of this governance-based model in which you can audit what is happening and then make sure that agents are not doing something that you don't expect."

Why traditional rules and permissions aren't enough to control AI agents

Regular identity and permission models were designed around human users — unpredictable but slow — and non-human identities in the forms of applications, APIs and algorithms, which are fast but predictable.

Because NHIs are so reliable, they need minimal monitoring and can often be left in "set it and forget it" mode. It was humans — sometimes rogue, but generally responsible — that spurred the development of robust identity controls.

"Scoped permissions as they exist today, most of them, were obviously built for human use cases," says Nithrakashyap. "You're trusting the human judgment that once they understand how something operates, that they will do the right thing."

Yet while AI agents may act like humans sometimes, they're not the same.

"You don't know exactly what they'll do," Nithrakashyap adds. "They operate at a speed that's probably 10 to maybe 100x of what humans can do, so they can do like 10x of damage."

Static permissions clearly can't foresee every possible action an agent might take. Plus, they've got no built-in protection against the unique threats that AI agents face, such as prompt-injection attacks or data poisoning.

"We are still in the early stages of truly securing agents," says Nithrakashyap. "Today, the level of protection we have against prompt injections and all of that, if you look across organizations, is still nascent."

Because of this, reliance upon outdated controls is just as much of a risk as giving AI agents free rein.

"These are inherently probabilistic systems that are prone to hallucinations and could be compromised," he adds. "When they have access to [production] systems and records with Jira or some other production system, they could actually go and do something you don't expect, actually take some destructive action."

How over-restrictive guardrails on AI agents may backfire

Restricting AI agents to a narrow set of approved behaviors and access points puts them into a sort of straitjacket, Nithrakashyap argues, and negates any possible benefit you could gain.

"Locking everything down essentially takes away the power of what AI can do," he says. "It's either not able to do what it's supposed to do, or sometimes it also doesn't have access to the right information, and as a result, it hallucinates or gives you wrong answers."

Not only over-restricting AI agents inefficient, but it's costly.

"Once you start running these things at scale, you can be spending a significant amount of money," says Nithrakashyap. "Now you're spending money, but you're not really getting any ROI out of it."

Excessive restrictions upon AI may seem to improve security but often produce the opposite as human employees, frustrated by lack of access to unfettered agents, turn to unauthorized "shadow AI" to boost their own productivity.  

"Shadow AI is there because people feel that the AI systems that's provided them, the right channels that are provided them, are not doing the job," says Nithrakashyap. "These kinds of controls don't work because they take away the value that these agents or AI systems can provide, and so people say, 'Okay, I'll find a different way of doing it.'"

How flexible policies maximize the benefits of AI while maintaining security

Instead of relying on fixed rules to control AI agents, organizations need dynamic governance that evaluates their actions against company policy, context, and the agents' intended behavior, Nithrakashyap says. He uses a human-based analogy to make his point.

"When you think of how you enable a new employee, you give them the lay of the land," he explains. "You don't lock them down. You give them as many permissions as they need to be able to do the job effectively."

"But then you also give them a policy they should follow, 'Don't go and do these kinds of things," he adds. "We have to do the same with agents. Give them the access they need, but at the same time have a mechanism by which we can still have this policy and ensure that the actions that it's taking can be governed."

This means applying least privilege without over-constraining functionality, monitoring agent activity continuously, auditing decisions, and, most importantly, refining governance policies as organizations gain operational experience.

Nithrakashyap stresses that a good AI-agent governance policy depends upon continuous feedback and fine-tuning, which in the long run improves the situation.

"No policy is 100% bulletproof," he says. "There will be always something that you've missed [and] mistakes they will make. But then you use that as an opportunity to go and fix your policy."

Also important is constant, independent examination of the policy — by other AIs.

"You need to have another model of AI that's evaluating this policy, determining the action that is being taken."

In that way, an organization's AI policies will evolve as it identifies risks and refines acceptable behaviors, striving toward increasingly mature governance without sacrificing AI effectiveness.

"Keep iterating over time, and you'll get to a point where your policy is pretty rock-solid in terms of all the different things you want, you care about as an organization, and then the agents are operating within those boundaries," Nithrakashyap says.

The idea is that flexible governance lets organizations realize the productivity gains of AI while maintaining accountability, limiting unnecessary access, and detecting unexpected behavior before something goes terribly wrong.

It's that sort of resilience-based, rather than prevention-based, approach that will prepare you for the potentially massive disruption that AI promises.

"I've been in the industry for 30 years, and I've never seen something change at this scale." Nithrakashyap says. "The pace at which it is happening which is almost unprecedented. People are just trying to keep up. And just as you think you've figured out what is happening, there's a new model that comes and pulls the rug from under your feet."

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.
Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds