A real-world example shows an agent correctly denying a request for a specific company's data but leaking other firms' data on a generic prompt. This highlights that agent security isn't about blocking bad prompts, but about solving the deep, contextual authorization problem of who is using what agent to access what tool.

Relying on human-in-the-loop for every agent anomaly is unscalable. An effective governance model uses automation and agent 'interrogation' to resolve low and medium-risk issues. Human oversight is reserved exclusively for critical incidents, preventing security teams from being overwhelmed.

Traditional security tools like identity management or API firewalls are ineffective for securing AI agents. They can see an action (e.g., deleting a database) but lack the context to know if it was an intended, productive task or a catastrophic error, rendering them useless for this new paradigm.

The most significant risk from AI agents currently isn't sophisticated prompt injections but simple misinterpretations of instructions that lead to 'unintended actions.' This makes focusing on controlling outcomes more effective than trying to identify the source of a faulty instruction, be it a hallucination or an attack.

A core pillar of modern cybersecurity, anomaly detection, fails when applied to AI agents. These systems lack a stable behavioral baseline, making it nearly impossible to distinguish between a harmless emergent behavior and a genuine threat. This requires entirely new detection paradigms.

The Brex CEO revealed a novel safety architecture called "crab trap." Instead of human oversight, it uses a second, adversarial LLM to monitor the primary agent. This second LLM acts as a proxy, intercepting and blocking harmful or out-of-scope actions at the network layer before they can execute.

The core drive of an AI agent is to be helpful, which can lead it to bypass security protocols to fulfill a user's request. This makes the agent an inherent risk. The solution is a philosophical shift: treat all agents as untrusted and build human-controlled boundaries and infrastructure to enforce their limits.

The CEO of WorkOS describes AI agents as 'crazy hyperactive interns' that can access all systems and wreak havoc at machine speed. This makes agent-specific security—focusing on authentication, permissions, and safeguards against prompt injection—a massive and urgent challenge for the industry.

To solve for LLM non-determinism, a hybrid approach first uses an LLM to evaluate new agent behaviors. It then analyzes these interactions to auto-generate specific, deterministic rules. Over time, this shifts most traffic to a fast, reliable rules engine, reserving the LLM only for true novelties.