It's a mistake to think of an agent as 'User V2.' Most enterprise and consumer agents (like ChatGPT) are inherently multi-tenant services used by many different people. This architecture introduces all the complexities of SaaS multi-tenancy, compounded by the new challenge of managing agent actions across compute boundaries.
Related Insights
A real-world example shows an agent correctly denying a request for a specific company's data but leaking other firms' data on a generic prompt. This highlights that agent security isn't about blocking bad prompts, but about solving the deep, contextual authorization problem of who is using what agent to access what tool.
For CISOs adopting agentic AI, the most practical first step is to frame it as an insider risk problem. This involves assigning agents persistent identities (like Slack or email accounts) and applying rigorous access control and privilege management, similar to onboarding a human employee.
Current agent frameworks create massive security risks because they can't differentiate between a user and the agent acting on their behalf. This results in agents receiving broad, uncontrolled access to production credentials, creating a far more dangerous version of the 'secret sprawl' problem that plagued early cloud adoption.
Traditional identity models like SAML and OAuth are insufficient for agents. Agent access must be hyper-ephemeral and contextual, granted dynamically based on a specific task. Instead of static roles, agents need temporary permissions to access specific resources only for the duration of an approved task.
A critical hurdle for enterprise AI is managing context and permissions. Just as people silo work friends from personal friends, AI systems must prevent sensitive information from one context (e.g., CEO chats) from leaking into another (e.g., company-wide queries). This complex data siloing is a core, unsolved product problem.
Managing human identities is already complex, but the rise of AI agents communicating with systems will multiply this challenge exponentially. Organizations must prepare for managing thousands of "machine identities" with granular permissions, making robust identity management a critical prerequisite for the AI era.
Organizations must urgently develop policies for AI agents, which take action on a user's behalf. This is not a future problem. Agents are already being integrated into common business tools like ChatGPT, Microsoft Copilot, and Salesforce, creating new risks that existing generative AI policies do not cover.
An AI agent capable of operating across all SaaS platforms holds the keys to the entire company's data. If this "super agent" is hacked, every piece of data could be leaked. The solution is to merge the agent's permissions with the human user's permissions, creating a limited and secure operational scope.
The CEO of WorkOS describes AI agents as 'crazy hyperactive interns' that can access all systems and wreak havoc at machine speed. This makes agent-specific security—focusing on authentication, permissions, and safeguards against prompt injection—a massive and urgent challenge for the industry.
Salesforce's Chief AI Scientist explains that a true enterprise agent comprises four key parts: Memory (RAG), a Brain (reasoning engine), Actuators (API calls), and an Interface. A simple LLM is insufficient for enterprise tasks; the surrounding infrastructure provides the real functionality.
