{"id":12863,"date":"2026-03-10T10:07:15","date_gmt":"2026-03-10T14:07:15","guid":{"rendered":"https:\/\/www.daillac.com\/?p=12863"},"modified":"2026-03-10T14:10:46","modified_gmt":"2026-03-10T18:10:46","slug":"ai-agent-security","status":"publish","type":"post","link":"https:\/\/www.daillac.com\/en\/blogue\/ai-agent-security\/","title":{"rendered":"AI Agent Security: Framework, Risks, and Controls for Deploying Enterprise Agents"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"12863\" class=\"elementor elementor-12863 elementor-12835\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-85ecee3 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"85ecee3\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-04b702b\" data-id=\"04b702b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-09f6dbc elementor-widget elementor-widget-html\" data-id=\"09f6dbc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<article class=\"dlx-article\" itemscope itemtype=\"https:\/\/schema.org\/BlogPosting\">\r\n  <header class=\"dlx-article__hero\">\r\n    <p class=\"dlx-article__eyebrow\">AI Governance \u00b7 Agentic Security<\/p>\r\n\r\n    <h1 itemprop=\"headline\">AI Agent Security: The Operating Framework for Deploying Agents Without Creating a New Attack Surface<\/h1>\r\n\r\n    <p class=\"dlx-article__lead\" itemprop=\"description\">\r\n      AI agent security is not just an 
extension of traditional application security. It is the discipline of governing autonomy, permissions, tools, memory, and observability at the intersection of architecture, cybersecurity, and business control.\r\n    <\/p>\r\n\r\n    <div class=\"dlx-meta\" aria-label=\"Article information\">\r\n      <span>\r\n        <strong>Author:<\/strong>\r\n        <span itemprop=\"author\" itemscope itemtype=\"https:\/\/schema.org\/Organization\">\r\n          <span itemprop=\"name\">DAILLAC<\/span>\r\n        <\/span>\r\n      <\/span>\r\n      <span><strong>Reading time:<\/strong> 11 min<\/span>\r\n      <span><strong>Audience:<\/strong> CEO, CISO, CTO, IT buyer<\/span>\r\n    <\/div>\r\n  <\/header>\r\n\r\n  <nav class=\"dlx-toc\" aria-label=\"Table of contents\">\r\n    <div class=\"dlx-toc__title\">In this article<\/div>\r\n    <ul>\r\n      <li><a href=\"#executive-summary\">Executive summary<\/a><\/li>\r\n      <li><a href=\"#definition\">Definition<\/a><\/li>\r\n      <li><a href=\"#why-now\">Why this matters now<\/a><\/li>\r\n      <li><a href=\"#llm-vs-agent\">LLM app vs AI agent<\/a><\/li>\r\n      <li><a href=\"#seven-layers\">The 7 layers to secure<\/a><\/li>\r\n      <li><a href=\"#control-map\">Risk control map<\/a><\/li>\r\n      <li><a href=\"#decision-framework\">Control level by agent type<\/a><\/li>\r\n      <li><a href=\"#rollout-strategy\">The right rollout path<\/a><\/li>\r\n      <li><a href=\"#checklist\">Operational checklist<\/a><\/li>\r\n      <li><a href=\"#common-mistakes\">Common mistakes<\/a><\/li>\r\n      <li><a href=\"#role-impact\">What this changes for CEOs, CISOs, and CTOs<\/a><\/li>\r\n      <li><a href=\"#reference-diagram\">Reference diagram<\/a><\/li>\r\n      <li><a href=\"#faq\">FAQ<\/a><\/li>\r\n      <li><a href=\"#conclusion\">Conclusion<\/a><\/li>\r\n      <li><a href=\"#sources\">Sources<\/a><\/li>\r\n    <\/ul>\r\n  <\/nav>\r\n\r\n  <section id=\"executive-summary\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\" 
itemprop=\"articleBody\">\r\n    <h2>Executive summary<\/h2>\r\n\r\n    <div class=\"dlx-callout\">\r\n      <div class=\"dlx-callout__title\">What matters most<\/div>\r\n      <p>AI agent security is about explicitly controlling what an agent can see, decide, and execute. The real risk shift comes less from the model itself than from its operational reach: permissions, tools, memory, connectors, delegation, and multi-step execution.<\/p>\r\n    <\/div>\r\n\r\n    <ul>\r\n      <li><strong>A secure agent<\/strong> is not simply an agent that produces good answers. It is an agent that stays within scope, requests approval when appropriate, and leaves an auditable trail.<\/li>\r\n      <li><strong>The right instinct<\/strong> is not \u201cmore prompting,\u201d but \u201cstronger boundaries\u201d: identity, authorization, validation, logging, approval, and segmentation.<\/li>\r\n      <li><strong>The right security posture<\/strong> depends on the type of agent involved: read-only, internal assistant, action-taking business agent, or multi-agent orchestration layer.<\/li>\r\n      <li><strong>The most resilient rollout path<\/strong> typically starts with tightly governed workflows before expanding into higher autonomy.<\/li>\r\n    <\/ul>\r\n  <\/section>\r\n\r\n  <section id=\"definition\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>Definition: what is AI agent security?<\/h2>\r\n\r\n    <p>AI agent security is the discipline of ensuring that an agent accesses only the data it truly needs, uses only explicitly approved tools, does not execute sensitive actions without appropriate safeguards, does not carry memory or context in an uncontrolled way, and leaves an auditable record of its decisions, tool calls, and downstream effects.<\/p>\r\n\r\n    <div class=\"dlx-note\">\r\n      <div class=\"dlx-note__title\">Operational definition<\/div>\r\n      <p><strong>An agent is secure when it remains aligned with human intent, operates within a clearly 
bounded scope of authority, and can be audited or interrupted without ambiguity.<\/strong><\/p>\r\n    <\/div>\r\n\r\n    <p>In practice, once an agent can read, write, call APIs, browse documents, navigate interfaces, delegate, or trigger workflows, the right question is no longer just \u201cis the model safe?\u201d The real question becomes: <strong>what can the agent see, what can it do, within what limits, under what approval model, and with what level of traceability?<\/strong><\/p>\r\n  <\/section>\r\n\r\n  <section id=\"why-now\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>Why this matters now<\/h2>\r\n\r\n    <p>The market is no longer focused only on conversational copilots. Modern agents can access external resources, manipulate documents, call connectors, take actions, and coordinate with other agents. That fundamentally changes the risk profile:<\/p>\r\n\r\n    <ul>\r\n      <li>from content to action,<\/li>\r\n      <li>from response generation to execution,<\/li>\r\n      <li>from a single prompt to a decision chain,<\/li>\r\n      <li>from application-level controls to governance of permissions and context.<\/li>\r\n    <\/ul>\r\n\r\n    <div class=\"dlx-callout\">\r\n      <div class=\"dlx-callout__title\">What has actually changed<\/div>\r\n      <p>A security failure no longer means only a poor answer. It can now mean an unauthorized search, a data leak, a record change, an outbound email, a bad handoff to a sub-agent, or an irreversible action in production.<\/p>\r\n    <\/div>\r\n  <\/section>\r\n\r\n  <section id=\"llm-vs-agent\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>AI agent security is not the same thing as LLM app security<\/h2>\r\n\r\n    <p>Treating an agent like a standard LLM application almost always leads to underestimating the attack surface. 
The right comparison model is <strong>operational power<\/strong>, not just generated text.<\/p>\r\n\r\n    <figure\r\n      id=\"agent-security-comparison\"\r\n      class=\"dlx-share-snippet\"\r\n      data-share-title=\"Comparison: LLM app vs AI agent vs multi-agent system\"\r\n      data-share-text=\"The real risk jump is not only in the text output. It accelerates with permissions, tools, memory, and autonomous execution.\"\r\n      data-share-type=\"table\"\r\n    >\r\n      <div class=\"dlx-table-wrap dlx-shareable-block\">\r\n        <table>\r\n          <thead>\r\n            <tr>\r\n              <th>Dimension<\/th>\r\n              <th>Traditional LLM application<\/th>\r\n              <th>AI agent<\/th>\r\n              <th>Multi-agent system<\/th>\r\n            <\/tr>\r\n          <\/thead>\r\n          <tbody>\r\n            <tr>\r\n              <td>Attack surface<\/td>\r\n              <td>Inputs and outputs<\/td>\r\n              <td>Inputs, outputs, tools, memory, connectors<\/td>\r\n              <td>Agent chains, delegation, coordination, shared state<\/td>\r\n            <\/tr>\r\n            <tr>\r\n              <td>Permissions<\/td>\r\n              <td><span class=\"dlx-level dlx-level--low\">Limited<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--critical\">Very high<\/span><\/td>\r\n            <\/tr>\r\n            <tr>\r\n              <td>Required observability<\/td>\r\n              <td><span class=\"dlx-level dlx-level--low\">Low to moderate<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--critical\">Critical<\/span><\/td>\r\n            <\/tr>\r\n            <tr>\r\n              <td>Action risk<\/td>\r\n              <td><span class=\"dlx-level dlx-level--low\">Indirect<\/span><\/td>\r\n              <td><span class=\"dlx-level 
dlx-level--high\">Direct<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--critical\">Compounded<\/span><\/td>\r\n            <\/tr>\r\n            <tr>\r\n              <td>Data exposure risk<\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Moderate<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--critical\">Systemic<\/span><\/td>\r\n            <\/tr>\r\n            <tr>\r\n              <td>Typical critical failure<\/td>\r\n              <td>Hallucination or incorrect answer<\/td>\r\n              <td>Unauthorized action<\/td>\r\n              <td>Unsafe delegation or propagation of bad context<\/td>\r\n            <\/tr>\r\n          <\/tbody>\r\n        <\/table>\r\n      <\/div>\r\n\r\n      <figcaption>\r\n        The more an agent can do, the more the surrounding system must become deterministic, authorized, and observable.\r\n      <\/figcaption>\r\n    <\/figure>\r\n  <\/section>\r\n\r\n  <section id=\"seven-layers\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>The real risk model: 7 layers to secure<\/h2>\r\n\r\n    <p>Agentic security is not a single safeguard.
It is a chain of controls distributed across identity, tools, data, memory, actions, logging, and governance.<\/p>\r\n\r\n    <figure\r\n      id=\"seven-layer-framework\"\r\n      class=\"dlx-share-snippet dlx-chart\"\r\n      data-share-title=\"The 7-layer AI agent security framework\"\r\n      data-share-text=\"Agentic security is a systems problem: identity, permissions, tools, memory, approvals, observability, and incident response.\"\r\n      data-share-type=\"infographic\"\r\n    >\r\n      <div class=\"dlx-shareable-block\">\r\n        <ol class=\"dlx-framework-grid\">\r\n          <li class=\"dlx-framework-card\">\r\n            <strong>1. Identity<\/strong>\r\n            <span>The agent must operate with a clear, verifiable, and distinct identity.<\/span>\r\n          <\/li>\r\n          <li class=\"dlx-framework-card\">\r\n            <strong>2. Permissions<\/strong>\r\n            <span>Least privilege becomes essential as soon as an agent interacts with multiple systems.<\/span>\r\n          <\/li>\r\n          <li class=\"dlx-framework-card\">\r\n            <strong>3. Tools<\/strong>\r\n            <span>Every tool extends the agent\u2019s power. It is never just an implementation detail.<\/span>\r\n          <\/li>\r\n          <li class=\"dlx-framework-card\">\r\n            <strong>4. Memory<\/strong>\r\n            <span>Continuity improves usability, but persistence introduces leakage and contamination risk.<\/span>\r\n          <\/li>\r\n          <li class=\"dlx-framework-card\">\r\n            <strong>5. Approvals<\/strong>\r\n            <span>Sensitive or irreversible actions require explicit validation thresholds.<\/span>\r\n          <\/li>\r\n          <li class=\"dlx-framework-card\">\r\n            <strong>6. Observability<\/strong>\r\n            <span>Without structured logs, the agent remains an operational black box.<\/span>\r\n          <\/li>\r\n          <li class=\"dlx-framework-card\">\r\n            <strong>7. 
Incident response<\/strong>\r\n            <span>Any mature agent should be capable of being slowed, isolated, disabled, or shifted into degraded mode.<\/span>\r\n          <\/li>\r\n        <\/ol>\r\n      <\/div>\r\n\r\n      <figcaption>\r\n        Core insight: securing an agent means controlling operational power, not just output quality.\r\n      <\/figcaption>\r\n    <\/figure>\r\n\r\n    <h3>1. Identity and permissions<\/h3>\r\n    <p>An agent should never hold broader access than the task requires. If it acts on behalf of a user, it should act within that user\u2019s permissions, not through a service account whose rights exceed them, and under its own distinct identity so that logs can tell the agent\u2019s actions apart from the human\u2019s. If it acts as a service, its rights should be tightly bounded by role, scope, duration, and environment.<\/p>\r\n\r\n    <h3>2. Tools and connectors<\/h3>\r\n    <p>Reading a document, writing into a CRM, sending a message, running a SQL query, or calling an MCP server are not implementation details. They are extensions of power. A poorly defined or weakly validated tool becomes a direct abuse path, so tool definitions and argument checks belong on the server side, where the model cannot rewrite them.<\/p>\r\n\r\n    <h3>3. Boundary between trusted instructions and untrusted data<\/h3>\r\n    <p>This is where prompt injection and agent hijacking become critical. All external content \u2014 emails, web pages, files, notes, search results, metadata, and the results tools return \u2014 should be treated as untrusted by default: data for the agent to reason about, never instructions for it to obey.<\/p>\r\n\r\n    <h3>4. Memory and confidentiality<\/h3>\r\n    <p>Memory supports continuity, but it also creates risk through persistence of sensitive data, contamination across tasks, and reuse of context outside its intended boundary. Scope memory to the tenant, user, and task it belongs to, and give it an explicit retention limit.<\/p>\r\n\r\n    <h3>5. Output and action validation<\/h3>\r\n    <p>An agent should not send everything it decides directly into production. Sensitive outputs must be validated, filtered, or submitted for human review depending on the level of risk involved.<\/p>\r\n\r\n    <h3>6. Observability and auditability<\/h3>\r\n    <p>You need visibility into inputs, key decisions, tool calls, authorizations, refusals, human escalations, and the actual effects produced in downstream systems.<\/p>\r\n\r\n    <h3>7. Governance and emergency stop<\/h3>\r\n    <p>A strategy without a kill switch or incident response plan is not a mature deployment.
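<\/p>\r\n\r\n    <p>The layers above are enforced outside the model, in the execution path between the tool call an agent proposes and the system that would carry it out. The Python sketch that follows is an added example written for this article, not code from the article\u2019s author or from any product it describes; the tool names, scopes, approver hook and sample calls in it are constructed assumptions. It shows a gateway that checks a time-bounded, on-behalf-of identity (identity and permissions), rejects tools outside a declared allowlist or arguments that fail their schema (tools and connectors), sends irreversible actions and any action whose arguments were derived from an untrusted source such as an inbound email to a human approver (output and action validation), writes one structured JSON audit line for every decision including refusals (observability), and honors a kill switch (emergency stop). It deliberately does not try to recognize injected instructions in text: the point is that a hijacked model still cannot exceed what the gateway allows.<\/p>

```python
# Added example (not code from the article): a server-side tool gateway that
# enforces the layers described above outside the model. The LLM only proposes
# a tool call; this layer decides whether it runs and records the decision.
# Tool names, scopes and the scenario in demo() are constructed for illustration.
import json
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str        # distinct identity for the agent, separate from the human
    on_behalf_of: str    # the user whose permissions bound this run
    scopes: frozenset    # least-privilege scopes granted for this run only
    expires_at: float    # delegation is time-bounded (epoch seconds)


# Every callable tool is declared with the scope it needs, an argument schema and
# whether its effect can be undone. Anything not declared here cannot be called.
TOOLS = {
    'crm.read_contact':   {'scope': 'crm:read',  'args': {'contact_id': str}, 'irreversible': False},
    'crm.update_contact': {'scope': 'crm:write', 'args': {'contact_id': str, 'fields': dict}, 'irreversible': False},
    'mail.send':          {'scope': 'mail:send', 'args': {'to': str, 'body': str}, 'irreversible': True},
}

# Provenance labels that mark data as coming from outside the trust boundary.
UNTRUSTED_SOURCES = frozenset({'email', 'web', 'file', 'search'})


class ToolGateway:
    def __init__(self, identity, approver, clock=time.time):
        self.identity = identity
        self.approver = approver   # callable(request) -> bool: a human queue or ticket hook
        self.clock = clock
        self.halted = False        # kill switch: flipped by operators, never by the model
        self.audit = []            # structured, replayable trace (one JSON line per decision)

    def halt(self):
        self.halted = True

    def _record(self, tool, args, outcome, reason):
        entry = {'ts': self.clock(), 'agent': self.identity.agent_id,
                 'on_behalf_of': self.identity.on_behalf_of, 'tool': tool,
                 'args': args, 'outcome': outcome, 'reason': reason}
        self.audit.append(json.dumps(entry, sort_keys=True, default=str))
        return outcome

    def authorize(self, tool, args, taint=frozenset()):
        '''Decide one proposed call. taint = provenance labels of the values in args.
        Returns 'allow', 'approved', 'deny' or 'halted'; refusals are logged too.'''
        if self.halted:
            return self._record(tool, args, 'halted', 'kill switch engaged')
        if self.clock() >= self.identity.expires_at:
            return self._record(tool, args, 'deny', 'delegation expired')
        spec = TOOLS.get(tool)
        if spec is None:
            return self._record(tool, args, 'deny', 'tool not in allowlist')
        if spec['scope'] not in self.identity.scopes:
            return self._record(tool, args, 'deny', 'missing scope ' + spec['scope'])
        schema = spec['args']
        if set(args) != set(schema) or any(not isinstance(args[k], t) for k, t in schema.items()):
            return self._record(tool, args, 'deny', 'argument schema mismatch')
        # Irreversible effects, or arguments that came from untrusted content, need a human.
        if spec['irreversible'] or taint.intersection(UNTRUSTED_SOURCES):
            request = {'tool': tool, 'args': args, 'taint': sorted(taint)}
            if not self.approver(request):
                return self._record(tool, args, 'deny', 'approval refused')
            return self._record(tool, args, 'approved', 'human approved sensitive call')
        return self._record(tool, args, 'allow', 'in scope, schema valid, reversible')


def demo(approve=False):
    '''Constructed scenario: a support agent delegated CRM read and write for one hour.'''
    ident = AgentIdentity('support-agent-01', 'alice@example.com',
                          frozenset({'crm:read', 'crm:write'}), time.time() + 3600)
    gw = ToolGateway(ident, approver=lambda request: approve)
    outcomes = [
        gw.authorize('crm.read_contact', {'contact_id': 'C-100'}),
        # the new field value was lifted from an inbound email: the write needs a human
        gw.authorize('crm.update_contact', {'contact_id': 'C-100', 'fields': {'tier': 'vip'}},
                     taint=frozenset({'email'})),
        gw.authorize('mail.send', {'to': 'bob@example.com', 'body': 'hello'}),   # scope not granted
        gw.authorize('shell.exec', {'cmd': 'id'}),                                # not a declared tool
        gw.authorize('crm.read_contact', {'contact_id': 100}),                    # wrong argument type
    ]
    gw.halt()
    outcomes.append(gw.authorize('crm.read_contact', {'contact_id': 'C-100'}))
    return outcomes, gw.audit


if __name__ == '__main__':
    for line in demo()[1]:
        print(line)
```

<p>Memory policy is left out of the sketch. The audit list is in-process here; in a real deployment each line would go to an append-only store the agent cannot modify, so the trace remains replayable after an incident.<\/p>\r\n    <p>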
An enterprise agent must be capable of being slowed down, isolated, disabled, or moved into a degraded operating mode.<\/p>\r\n  <\/section>\r\n\r\n  <section id=\"control-map\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>Risk control map<\/h2>\r\n\r\n    <p>Prompt injection is not solved only through better defensive prompting. The real controls are distributed across untrusted-data separation, tool validation, identity, memory, and logging.<\/p>\r\n\r\n    <figure\r\n      id=\"agent-risk-control-map\"\r\n      class=\"dlx-share-snippet\"\r\n      data-share-title=\"AI agent security risk control map\"\r\n      data-share-text=\"Prompt injection defenses are not enough without control over tools, permissions, memory, and logs.\"\r\n      data-share-type=\"table\"\r\n    >\r\n      <div class=\"dlx-table-wrap dlx-shareable-block\">\r\n        <table class=\"dlx-heatmap\">\r\n          <thead>\r\n            <tr>\r\n              <th>Control layer<\/th>\r\n              <th>Prompt injection<\/th>\r\n              <th>Excessive agency<\/th>\r\n              <th>Sensitive data leakage<\/th>\r\n              <th>Tool \/ connector abuse<\/th>\r\n              <th>Memory contamination<\/th>\r\n              <th>Low observability<\/th>\r\n            <\/tr>\r\n          <\/thead>\r\n          <tbody>\r\n            <tr>\r\n              <td>Identity and authorization<\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--critical\">Critical<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--critical\">Critical<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n            <\/tr>\r\n            <tr>\r\n              
<td>Segregation of untrusted data<\/td>\r\n              <td><span class=\"dlx-level dlx-level--critical\">Critical<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--low\">Useful<\/span><\/td>\r\n            <\/tr>\r\n            <tr>\r\n              <td>Server-side tool validation<\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--critical\">Critical<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--critical\">Critical<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n            <\/tr>\r\n            <tr>\r\n              <td>Memory policy and retention<\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--critical\">Critical<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--critical\">Critical<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n            <\/tr>\r\n            <tr>\r\n              <td>Human approval<\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              
<td><span class=\"dlx-level dlx-level--critical\">Critical<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--critical\">Critical<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--medium\">Important<\/span><\/td>\r\n            <\/tr>\r\n            <tr>\r\n              <td>Structured logs and replayable traces<\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--high\">High<\/span><\/td>\r\n              <td><span class=\"dlx-level dlx-level--critical\">Critical<\/span><\/td>\r\n            <\/tr>\r\n          <\/tbody>\r\n        <\/table>\r\n      <\/div>\r\n\r\n      <figcaption>\r\n        This matrix shows why purely text-level defenses are insufficient without execution and permission controls.\r\n      <\/figcaption>\r\n    <\/figure>\r\n  <\/section>\r\n\r\n  <section id=\"decision-framework\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>Decision framework: what level of control fits each type of agent?<\/h2>\r\n\r\n    <p>The right strategy is not to apply the same control intensity everywhere. It is to calibrate autonomy to business risk, action type, and the criticality of the systems involved.<\/p>\r\n\r\n    <figure\r\n      id=\"agent-control-framework\"\r\n      class=\"dlx-share-snippet\"\r\n      data-share-title=\"Recommended control level by AI agent type\"\r\n      data-share-text=\"Not all agents require the same autonomy or approval model.
The right structure depends on operational risk and execution power.\"\r\n      data-share-type=\"table\"\r\n    >\r\n      <div class=\"dlx-table-wrap dlx-shareable-block\">\r\n        <table>\r\n          <thead>\r\n            <tr>\r\n              <th>Agent type<\/th>\r\n              <th>Recommended autonomy<\/th>\r\n              <th>Minimum controls<\/th>\r\n              <th>Human validation<\/th>\r\n            <\/tr>\r\n          <\/thead>\r\n          <tbody>\r\n            <tr>\r\n              <td>Reading \/ research agent<\/td>\r\n              <td>Low<\/td>\r\n              <td>Read-only access, source segmentation, logging<\/td>\r\n              <td>Low<\/td>\r\n            <\/tr>\r\n            <tr>\r\n              <td>Internal support agent<\/td>\r\n              <td>Low to moderate<\/td>\r\n              <td>RBAC, PII filters, bounded memory, access reviews<\/td>\r\n              <td>For sensitive cases<\/td>\r\n            <\/tr>\r\n            <tr>\r\n              <td>Business action agent<\/td>\r\n              <td>Moderate<\/td>\r\n              <td>Approval for irreversible actions, tool validation, business guardrails<\/td>\r\n              <td>High at first<\/td>\r\n            <\/tr>\r\n            <tr>\r\n              <td>Multi-agent orchestrator<\/td>\r\n              <td>Moderate to high<\/td>\r\n              <td>Inter-agent segmentation, strong identity, full observability, delegation limits<\/td>\r\n              <td>High<\/td>\r\n            <\/tr>\r\n          <\/tbody>\r\n        <\/table>\r\n      <\/div>\r\n\r\n      <figcaption>\r\n        Autonomy should never be defined by technical default. 
It should be set through explicit governance.\r\n      <\/figcaption>\r\n    <\/figure>\r\n  <\/section>\r\n\r\n  <section id=\"rollout-strategy\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>The right strategy: start with workflows, not maximum autonomy<\/h2>\r\n\r\n    <p>A common mistake is trying to deploy a 
\u201cgeneral-purpose\u201d agent too early, with too many tools and too much freedom. The more resilient path is to prove reliability inside a bounded scope before expanding autonomy.<\/p>\r\n\r\n    <figure\r\n      id=\"safe-rollout-sequence\"\r\n      class=\"dlx-share-snippet dlx-chart\"\r\n      data-share-title=\"Safe rollout sequence for an AI agent\"\r\n      data-share-text=\"Autonomy should increase in stages: bounded workflow, instrumentation, gradual tool introduction, human approvals, and then proven autonomy.\"\r\n      data-share-type=\"timeline\"\r\n    >\r\n      <div class=\"dlx-shareable-block\">\r\n        <ol class=\"dlx-timeline\">\r\n          <li>\r\n            <strong>Step 1 \u2014 Bounded workflow<\/strong>\r\n            <span>Define a narrow business scope, a clear source of truth, and one simple expected action.<\/span>\r\n          <\/li>\r\n          <li>\r\n            <strong>Step 2 \u2014 Instrumentation<\/strong>\r\n            <span>Add evaluations, logging, traces, refusals, and success criteria before increasing capability.<\/span>\r\n          <\/li>\r\n          <li>\r\n            <strong>Step 3 \u2014 Progressive tools<\/strong>\r\n            <span>Introduce connectors one at a time, with server-side validation and explicit authorization.<\/span>\r\n          <\/li>\r\n          <li>\r\n            <strong>Step 4 \u2014 Human approvals<\/strong>\r\n            <span>Apply confirmation thresholds to sensitive, irreversible, or externally impactful actions.<\/span>\r\n          <\/li>\r\n          <li>\r\n            <strong>Step 5 \u2014 Proven autonomy<\/strong>\r\n            <span>Increase autonomy only after reliability, auditability, and reversibility have been demonstrated.<\/span>\r\n          <\/li>\r\n        <\/ol>\r\n      <\/div>\r\n\r\n      <figcaption>\r\n        This progression reduces the risk of \u201ctoo much power, too soon,\u201d one of the most common causes of excessive agency.\r\n      
<\/figcaption>\r\n    <\/figure>\r\n\r\n    <p>\r\n      This logic aligns naturally with a\r\n      <a href=\"\/safe-enterprise-ai-adoption-checklist\/\">safe enterprise AI adoption checklist<\/a>\r\n      and a broader\r\n      <a href=\"\/ai-governance-consulting\/\">AI governance<\/a>\r\n      framework.\r\n    <\/p>\r\n  
<\/section>\r\n\r\n  <section id=\"checklist\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>Operational AI agent security checklist<\/h2>\r\n\r\n    <aside\r\n      id=\"agent-security-checklist\"\r\n      class=\"dlx-share-snippet dlx-note\"\r\n      data-share-title=\"Operational AI agent security checklist\"\r\n      data-share-text=\"Baseline checklist for framing permissions, tools, memory, action validation, and observability for an AI agent.\"\r\n      data-share-type=\"checklist\"\r\n    >\r\n      <div class=\"dlx-note__title\">Reusable checklist<\/div>\r\n\r\n      <div class=\"dlx-shareable-block\">\r\n        <ul class=\"dlx-checklist\">\r\n          <li>Define the agent\u2019s business scope explicitly.<\/li>\r\n          <li>Choose the minimum acceptable level of autonomy.<\/li>\r\n          <li>Apply least privilege across data, APIs, and connectors.<\/li>\r\n          <li>Separate internal, public, and production environments.<\/li>\r\n          <li>Validate every tool server-side, not only through prompting.<\/li>\r\n          <li>Treat all external content as untrusted.<\/li>\r\n          <li>Limit and classify persistent memory.<\/li>\r\n          <li>Require human confirmation for sensitive or irreversible actions.<\/li>\r\n          <li>Test resilience against prompt injection and agent hijacking.<\/li>\r\n          <li>Log plans, tool calls, authorizations, and downstream effects.<\/li>\r\n          <li>Prepare a kill switch and incident response plan.<\/li>\r\n          <li>Regularly review permissions, connectors, datasets, and traces.<\/li>\r\n        <\/ul>\r\n      <\/div>\r\n    <\/aside>\r\n  <\/section>\r\n\r\n  <section id=\"common-mistakes\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>Common mistakes<\/h2>\r\n    <ul>\r\n      <li><strong>Confusing a strong prompt with a strong control<\/strong>: a prompt is not an authorization mechanism.<\/li>\r\n      <li><strong>Connecting too many tools too early<\/strong>: every connector expands the attack surface.<\/li>\r\n      <li><strong>Granting broad access \u201cfor convenience\u201d<\/strong>: this is often where excessive agency begins.<\/li>\r\n      <li><strong>Ignoring memory<\/strong>: what the agent retains can become just as sensitive as what it executes.<\/li>\r\n      <li><strong>Failing to 
separate internal and external contexts<\/strong>: a public-facing agent should not inherit broad internal access.<\/li>\r\n      <li><strong>Not planning for failure<\/strong>: without degraded mode or rapid shutdown, exploitation lasts longer.<\/li>\r\n    <\/ul>\r\n  <\/section>\r\n\r\n  <section id=\"role-impact\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>What this changes in practice for CEOs, CISOs, and CTOs<\/h2>\r\n\r\n    <h3>For the CEO<\/h3>\r\n    <p>The question is not \u201cshould we deploy agents?\u201d but \u201cwhat level of autonomy is acceptable given the business risk?\u201d Agentic security is a governance decision, not just a technical one.<\/p>\r\n\r\n    <h3>For the CISO<\/h3>\r\n    <p>Control needs to move beyond model protection toward permissions, integrations, logs, action validation, and incident response designed specifically for agentic systems.<\/p>\r\n\r\n    <h3>For the CTO<\/h3>\r\n    <p>The target architecture should favor simple components, well-defined tools, explicit permissions, constrained memory, and infrastructure-level guardrails. 
The more the agent can do, the more the surrounding system must become deterministic again.<\/p>\r\n  <\/section>\r\n\r\n  <section id=\"reference-diagram\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>Reference diagram: safe execution path for an AI agent<\/h2>\r\n\r\n    <figure\r\n      id=\"safe-agent-execution-path\"\r\n      class=\"dlx-share-snippet\"\r\n      data-share-title=\"Diagram: safe execution path for an AI agent\"\r\n      data-share-text=\"The critical control points sit before tool execution: risk classification, authorized context, untrusted-data filtering, permission validation, and human approval.\"\r\n      data-share-type=\"mermaid\"\r\n    >\r\n      <div class=\"dlx-shareable-block\">\r\n        <div class=\"dlx-mermaid dlx-mermaid--wide\">\r\n          <div class=\"mermaid\">\r\nflowchart TD\r\n    A[User request] --> B[Risk classification]\r\n    B --> C[Authorized context]\r\n    C --> D[Untrusted data filter]\r\n    D --> E[Agent]\r\n    E --> F{Tool call needed?}\r\n    F -->|No| G[Controlled response]\r\n    F -->|Yes| H[Permission + policy validation]\r\n    H --> I{Sensitive action?}\r\n    I -->|Yes| J[Human approval]\r\n    I -->|No| K[Tool execution]\r\n    J --> K\r\n    K --> L[Full logging]\r\n    L --> M[Result]\r\n          <\/div>\r\n          <pre class=\"dlx-mermaid__fallback\" aria-label=\"Text version of the diagram\"><\/pre>\r\n        <\/div>\r\n      <\/div>\r\n\r\n      <figcaption>\r\n        Agentic security does not rely on a single safeguard. 
It depends on a chain of bounded, validated, and observable transitions.\r\n      <\/figcaption>\r\n    <\/figure>\r\n  <\/section>\r\n\r\n  <section id=\"faq\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>Editorial FAQ<\/h2>\r\n\r\n    <div class=\"dlx-faq\">\r\n      <details>\r\n        <summary>Is AI agent security only a prompt 
injection issue?<\/summary>\r\n        <p>No. Prompt injection is an important risk category, but it does not by itself explain the risks created by excessive agency, tool abuse, persistent memory, data exposure, and weak observability.<\/p>\r\n      <\/details>\r\n\r\n      <details>\r\n        <summary>Should an AI agent always require human approval?<\/summary>\r\n        <p>Not for every action. However, any sensitive, irreversible, external, or high-impact business action should pass through a clearly defined approval threshold.<\/p>\r\n      <\/details>\r\n\r\n      <details>\r\n        <summary>Does MCP change the security discussion?<\/summary>\r\n        <p>Yes. A standard connector protocol makes access to tools and resources easier to integrate. That improves interoperability, but makes authorization, consent, server-side validation, and auditability even more important.<\/p>\r\n      <\/details>\r\n\r\n      <details>\r\n        <summary>Where should enterprises start?<\/summary>\r\n        <p>Start with a bounded workflow, minimal memory, limited tools, explicit permissions, full logging, and human validation for sensitive actions. Only then should autonomy be expanded.<\/p>\r\n      <\/details>\r\n    <\/div>\r\n  <\/section>\r\n\r\n  <section id=\"conclusion\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>Bottom line<\/h2>\r\n    <p><strong>AI agent security<\/strong> is not just about \u201cprompt security.\u201d It is about <strong>controlling operational power<\/strong>. A secure agent is not one that merely \u201canswers well.\u201d It is one that stays within scope, requests approval when appropriate, leaves a trace of its decisions, and can be stopped immediately.<\/p>\r\n    <p>The best approach is therefore not to make the agent freer. 
It is to make its freedom <strong>explicit, bounded, observable, and reversible<\/strong>.<\/p>\r\n  <\/section>\r\n\r\n  <footer id=\"sources\" class=\"dlx-section dlx-reveal\" data-dlx=\"reveal\">\r\n    <h2>Reference sources<\/h2>\r\n    <p class=\"dlx-muted\">Selection of primary and near-primary sources used to frame this article.<\/p>\r\n\r\n    <ul class=\"dlx-source-list\">\r\n      <li><a href=\"https:\/\/www.nist.gov\/itl\/ai-risk-management-framework\" target=\"_blank\" rel=\"noopener\">NIST AI Risk Management Framework<\/a><\/li>\r\n      <li><a href=\"https:\/\/www.nist.gov\/news-events\/news\/2025\/01\/technical-blog-strengthening-ai-agent-hijacking-evaluations\" target=\"_blank\" rel=\"noopener\">NIST \u2014 Strengthening AI Agent Hijacking Evaluations<\/a><\/li>\r\n      <li><a href=\"https:\/\/genai.owasp.org\/llmrisk\/llm01-prompt-injection\/\" target=\"_blank\" rel=\"noopener\">OWASP \u2014 LLM01: Prompt Injection<\/a><\/li>\r\n      <li><a href=\"https:\/\/genai.owasp.org\/resource\/owasp-top-10-for-agentic-applications-for-2026\/\" target=\"_blank\" rel=\"noopener\">OWASP \u2014 Top 10 for Agentic Applications<\/a><\/li>\r\n      <li><a href=\"https:\/\/research.google\/pubs\/an-introduction-to-googles-approach-for-secure-ai-agents\/\" target=\"_blank\" rel=\"noopener\">Google Research \u2014 Secure AI Agents<\/a><\/li>\r\n      <li><a href=\"https:\/\/security.googleblog.com\/2025\/06\/mitigating-prompt-injection-attacks.html\" target=\"_blank\" rel=\"noopener\">Google Security Blog \u2014 Layered defense against prompt injection<\/a><\/li>\r\n      <li><a href=\"https:\/\/www.anthropic.com\/news\/our-framework-for-developing-safe-and-trustworthy-agents\" target=\"_blank\" rel=\"noopener\">Anthropic \u2014 Safe and trustworthy agents<\/a><\/li>\r\n      <li><a href=\"https:\/\/www.anthropic.com\/research\/building-effective-agents\" target=\"_blank\" rel=\"noopener\">Anthropic \u2014 Building Effective Agents<\/a><\/li>\r\n      <li><a 
href=\"https:\/\/developers.openai.com\/api\/docs\/guides\/safety-best-practices\/\" target=\"_blank\" rel=\"noopener\">OpenAI \u2014 Safety best practices<\/a><\/li>\r\n      <li><a href=\"https:\/\/openai.com\/business\/guides-and-resources\/a-practical-guide-to-building-ai-agents\/\" target=\"_blank\" rel=\"noopener\">OpenAI \u2014 A practical guide to building AI agents<\/a><\/li>\r\n      <li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/cloud-adoption-framework\/ai-agents\/governance-security-across-organization\" target=\"_blank\" rel=\"noopener\">Microsoft Learn \u2014 Governance and security for AI agents<\/a><\/li>\r\n      <li><a href=\"https:\/\/modelcontextprotocol.io\/specification\/2025-06-18\" target=\"_blank\" rel=\"noopener\">Model Context Protocol \u2014 specification<\/a><\/li>\r\n    <\/ul>\r\n\r\n    <div class=\"dlx-share\" aria-label=\"Share the article\">\r\n      <p class=\"dlx-share__title\">Share the article<\/p>\r\n      <ul class=\"dlx-share__list\">\r\n        <li class=\"dlx-share__item\">\r\n          <a class=\"dlx-share__link dlx-share__link--icon\" href=\"#\" data-share=\"linkedin\" aria-label=\"Share the article on LinkedIn\">\r\n            <span class=\"dlx-share__icon\" aria-hidden=\"true\"><svg viewBox=\"0 0 24 24\"><path d=\"M6.94 8.5H3.56V20h3.38V8.5ZM5.25 3A2.03 2.03 0 0 0 3.22 5a2.03 2.03 0 0 0 2.03 2 2.03 2.03 0 0 0 2.03-2A2.03 2.03 0 0 0 5.25 3ZM20.78 13.06c0-3.3-1.76-4.84-4.1-4.84-1.89 0-2.74 1.04-3.21 1.77V8.5h-3.38c.04.99 0 11.5 0 11.5h3.38v-6.42c0-.34.02-.68.13-.92.27-.68.89-1.39 1.93-1.39 1.36 0 1.9 1.04 1.9 2.57V20H20.8v-6.94Z\"\/><\/svg><\/span>\r\n            <span class=\"dlx-sr-only\">LinkedIn<\/span>\r\n          <\/a>\r\n        <\/li>\r\n        <li class=\"dlx-share__item\">\r\n          <a class=\"dlx-share__link dlx-share__link--icon\" href=\"#\" data-share=\"x\" aria-label=\"Share the article on X\">\r\n            <span class=\"dlx-share__icon\" aria-hidden=\"true\"><svg viewBox=\"0 0 24 
24\"><path d=\"M18.9 2H22l-6.77 7.74L23.2 22h-6.26l-4.9-6.41L6.43 22H3.32l7.24-8.27L.8 2h6.42l4.43 5.85L18.9 2Zm-1.1 18h1.73L6.28 3.9H4.42L17.8 20Z\"\/><\/svg><\/span>\r\n            <span class=\"dlx-sr-only\">X<\/span>\r\n          <\/a>\r\n        <\/li>\r\n        <li class=\"dlx-share__item\">\r\n          <a class=\"dlx-share__link dlx-share__link--icon\" href=\"#\" data-share=\"facebook\" aria-label=\"Share the article on Facebook\">\r\n            <span class=\"dlx-share__icon\" aria-hidden=\"true\"><svg viewBox=\"0 0 24 24\"><path d=\"M13.5 22v-8h2.7l.4-3h-3.1V9.1c0-.87.24-1.46 1.5-1.46H16.7V4.96c-.3-.04-1.33-.12-2.52-.12-2.5 0-4.2 1.53-4.2 4.33V11H7.2v3h2.78v8h3.52Z\"\/><\/svg><\/span>\r\n            <span class=\"dlx-sr-only\">Facebook<\/span>\r\n          <\/a>\r\n        <\/li>\r\n        <li class=\"dlx-share__item\">\r\n          <a class=\"dlx-share__link dlx-share__link--icon\" href=\"#\" data-share=\"whatsapp\" aria-label=\"Share the article on WhatsApp\">\r\n            <span class=\"dlx-share__icon\" aria-hidden=\"true\"><svg viewBox=\"0 0 24 24\"><path d=\"M20.52 3.48A11.9 11.9 0 0 0 12.04 0C5.5 0 .18 5.31.18 11.86c0 2.09.55 4.14 1.6 5.95L0 24l6.38-1.67a11.8 11.8 0 0 0 5.66 1.44h.01c6.54 0 11.86-5.31 11.86-11.86 0-3.17-1.24-6.15-3.49-8.43ZM12.05 21.7a9.8 9.8 0 0 1-5-1.37l-.36-.21-3.79.99 1.01-3.7-.24-.38a9.77 9.77 0 0 1-1.5-5.17c0-5.43 4.43-9.86 9.88-9.86 2.63 0 5.1 1.03 6.96 2.89a9.8 9.8 0 0 1 2.89 6.97c0 5.44-4.43 9.87-9.85 9.87Zm5.41-7.4c-.3-.15-1.77-.87-2.04-.96-.27-.1-.47-.15-.67.15-.2.3-.77.96-.94 1.16-.17.2-.35.22-.65.07-.3-.15-1.28-.47-2.43-1.49-.9-.8-1.5-1.78-1.68-2.08-.17-.3-.02-.46.13-.6.14-.14.3-.35.45-.52.15-.17.2-.3.3-.5.1-.2.05-.37-.02-.52-.08-.15-.67-1.61-.92-2.2-.24-.58-.49-.5-.67-.5h-.57c-.2 0-.52.08-.8.37-.27.3-1.04 1.01-1.04 2.46 0 1.45 1.06 2.86 1.2 3.06.15.2 2.08 3.18 5.04 4.46.7.3 1.25.48 1.67.61.7.22 1.33.19 1.83.12.56-.08 1.77-.72 2.02-1.41.25-.7.25-1.3.17-1.42-.08-.12-.28-.2-.58-.35Z\"\/><\/svg><\/span>\r\n            
<span class=\"dlx-sr-only\">WhatsApp<\/span>\r\n          <\/a>\r\n        <\/li>\r\n        <li class=\"dlx-share__item\">\r\n          <a class=\"dlx-share__link dlx-share__link--icon\" href=\"#\" data-share=\"email\" aria-label=\"Share the article by email\">\r\n            <span class=\"dlx-share__icon\" aria-hidden=\"true\"><svg viewBox=\"0 0 24 24\"><path d=\"M20 4H4a2 2 0 0 0-2 2v12a2 2 0 0 0 2 2h16a2 2 0 0 0 2-2V6a2 2 0 0 0-2-2Zm0 4.24-8 5-8-5V6l8 5 8-5v2.24Z\"\/><\/svg><\/span>\r\n            <span class=\"dlx-sr-only\">Email<\/span>\r\n          <\/a>\r\n        <\/li>\r\n      <\/ul>\r\n    <\/div>\r\n  <\/footer>\r\n<\/article>\r\n\r\n<script type=\"application\/ld+json\">\r\n{\r\n  \"@context\": \"https:\/\/schema.org\",\r\n  \"@type\": \"BlogPosting\",\r\n  \"headline\": \"AI Agent Security: The Operating Framework for Deploying Agents Without Creating a New Attack Surface\",\r\n  \"description\": \"Strategic and operational guide to securing AI agents: permissions, tools, memory, prompt injection, observability, and governance.\",\r\n  \"inLanguage\": \"en\",\r\n  \"author\": {\r\n    \"@type\": \"Organization\",\r\n    \"name\": \"DAILLAC\"\r\n  },\r\n  \"publisher\": {\r\n    \"@type\": \"Organization\",\r\n    \"name\": \"DAILLAC\",\r\n    \"url\": \"https:\/\/www.daillac.com\"\r\n  },\r\n  \"keywords\": [\r\n    \"AI agent security\",\r\n    \"agentic security\",\r\n    \"AI agent governance\",\r\n    \"prompt injection\",\r\n    \"MCP security\",\r\n    \"AI risk management\",\r\n    \"agent hijacking\"\r\n  ],\r\n  \"articleSection\": [\r\n    \"AI security\",\r\n    \"AI governance\",\r\n    \"Agentic AI\",\r\n    \"Cybersecurity\"\r\n  ]\r\n}\r\n<\/script>\r\n\r\n<script type=\"application\/ld+json\">\r\n{\r\n  \"@context\": \"https:\/\/schema.org\",\r\n  \"@type\": \"FAQPage\",\r\n  \"inLanguage\": \"en\",\r\n  \"mainEntity\": [\r\n    {\r\n      \"@type\": \"Question\",\r\n      \"name\": \"Is AI agent security only a prompt injection 
issue?\",\r\n      \"acceptedAnswer\": {\r\n        \"@type\": \"Answer\",\r\n        \"text\": \"No. Prompt injection is an important risk category, but it does not by itself explain the risks created by excessive agency, tool abuse, persistent memory, data exposure, and weak observability.\"\r\n      }\r\n    },\r\n    {\r\n      \"@type\": \"Question\",\r\n      \"name\": \"Should an AI agent always require human approval?\",\r\n      \"acceptedAnswer\": {\r\n        \"@type\": \"Answer\",\r\n        \"text\": \"Not for every action. However, any sensitive, irreversible, external, or high-impact business action should pass through a clearly defined approval threshold.\"\r\n      }\r\n    },\r\n    {\r\n      \"@type\": \"Question\",\r\n      \"name\": \"Does MCP change the security discussion?\",\r\n      \"acceptedAnswer\": {\r\n        \"@type\": \"Answer\",\r\n        \"text\": \"Yes. A standard connector protocol makes access to tools and resources easier to integrate. That improves interoperability, but makes authorization, consent, server-side validation, and auditability even more important.\"\r\n      }\r\n    },\r\n    {\r\n      \"@type\": \"Question\",\r\n      \"name\": \"Where should enterprises start?\",\r\n      \"acceptedAnswer\": {\r\n        \"@type\": \"Answer\",\r\n        \"text\": \"Start with a bounded workflow, minimal memory, limited tools, explicit permissions, full logging, and human validation for sensitive actions. 
Only then should autonomy be expanded.\"\r\n      }\r\n    }\r\n  ]\r\n}\r\n<\/script>\r\n\r\n<style>\r\n.dlx-level{\r\n  display:inline-flex;\r\n  align-items:center;\r\n  justify-content:center;\r\n  padding:4px 10px;\r\n  border-radius:999px;\r\n  font-size:.82rem;\r\n  font-weight:700;\r\n  white-space:nowrap;\r\n  border:1px solid var(--dlx-border);\r\n  background:#fff;\r\n}\r\n\r\n.dlx-level--low{\r\n  background:rgba(15,118,110,.08);\r\n  color:#0f766e;\r\n}\r\n\r\n.dlx-level--medium{\r\n  background:rgba(14,165,233,.10);\r\n  color:#0369a1;\r\n}\r\n\r\n.dlx-level--high{\r\n  background:rgba(245,158,11,.14);\r\n  color:#b45309;\r\n}\r\n\r\n.dlx-level--critical{\r\n  background:rgba(239,68,68,.10);\r\n  color:#b91c1c;\r\n}\r\n\r\n.dlx-framework-grid{\r\n  list-style:none;\r\n  padding:0;\r\n  margin:0;\r\n  display:grid;\r\n  grid-template-columns:repeat(auto-fit,minmax(200px,1fr));\r\n  gap:14px;\r\n}\r\n\r\n.dlx-framework-card{\r\n  padding:18px;\r\n  border:var(--dlx-border);\r\n  border-radius:var(--dlx-radius-sm);\r\n  background:#fff;\r\n  box-shadow:var(--dlx-shadow);\r\n}\r\n\r\n.dlx-framework-card strong{\r\n  display:block;\r\n  margin-bottom:8px;\r\n}\r\n\r\n.dlx-framework-card span{\r\n  display:block;\r\n  color:var(--dlx-text-soft);\r\n  font-size:.96rem;\r\n}\r\n\r\n.dlx-timeline{\r\n  list-style:none;\r\n  padding:0;\r\n  margin:0;\r\n  display:grid;\r\n  gap:14px;\r\n}\r\n\r\n.dlx-timeline li{\r\n  position:relative;\r\n  padding:0 0 0 18px;\r\n  border-left:2px solid rgba(14,165,233,.22);\r\n}\r\n\r\n.dlx-timeline li::before{\r\n  content:\"\";\r\n  position:absolute;\r\n  left:-7px;\r\n  top:6px;\r\n  width:12px;\r\n  height:12px;\r\n  border-radius:50%;\r\n  background:var(--dlx-accent-2);\r\n}\r\n\r\n.dlx-timeline strong{\r\n  display:block;\r\n  margin-bottom:6px;\r\n}\r\n\r\n.dlx-timeline span{\r\n  color:var(--dlx-text-soft);\r\n}\r\n\r\n.dlx-checklist{\r\n  list-style:none;\r\n  padding:0;\r\n  margin:0;\r\n  display:grid;\r\n  
gap:10px;\r\n}\r\n\r\n.dlx-checklist li{\r\n  position:relative;\r\n  padding-left:28px;\r\n  margin:0;\r\n}\r\n\r\n.dlx-checklist li::before{\r\n  content:\"\u2713\";\r\n  position:absolute;\r\n  left:0;\r\n  top:0;\r\n  width:20px;\r\n  height:20px;\r\n  display:inline-flex;\r\n  align-items:center;\r\n  justify-content:center;\r\n  border-radius:50%;\r\n  background:rgba(15,118,110,.10);\r\n  color:var(--dlx-accent);\r\n  font-weight:800;\r\n  font-size:.85rem;\r\n}\r\n\r\n.dlx-source-list{\r\n  padding-left:1.1rem;\r\n}\r\n\r\n.dlx-source-list li + li{\r\n  margin-top:6px;\r\n}\r\n\r\n@media (max-width:767px){\r\n  .dlx-framework-grid{\r\n    grid-template-columns:1fr;\r\n  }\r\n}\r\n<\/style>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>AI Governance \u00b7 Agentic Security AI Agent Security: The Operating Framework for Deploying Agents Without Creating a New Attack Surface AI agent security is not just an extension of traditional application security. It is the discipline of governing autonomy, permissions, tools, memory, and observability at the intersection of architecture, cybersecurity, and business control. 
Author: DAILLAC [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":12837,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[61],"tags":[],"class_list":["post-12863","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-non-classified"],"_links":{"self":[{"href":"https:\/\/www.daillac.com\/en\/wp-json\/wp\/v2\/posts\/12863","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.daillac.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.daillac.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.daillac.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.daillac.com\/en\/wp-json\/wp\/v2\/comments?post=12863"}],"version-history":[{"count":4,"href":"https:\/\/www.daillac.com\/en\/wp-json\/wp\/v2\/posts\/12863\/revisions"}],"predecessor-version":[{"id":12867,"href":"https:\/\/www.daillac.com\/en\/wp-json\/wp\/v2\/posts\/12863\/revisions\/12867"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.daillac.com\/en\/wp-json\/wp\/v2\/media\/12837"}],"wp:attachment":[{"href":"https:\/\/www.daillac.com\/en\/wp-json\/wp\/v2\/media?parent=12863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.daillac.com\/en\/wp-json\/wp\/v2\/categories?post=12863"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.daillac.com\/en\/wp-json\/wp\/v2\/tags?post=12863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}