4 Core Principles of Controlling the AI Agents You Can’t See

The Four Core Principles of Controlling the AI Agents You Can’t See

Identity is the prerequisite for controlling, monitoring, and holding agents accountable. With most organizations lacking full visibility into the agents operating across their environments, identity must be in place before those agents are granted access to data or the ability to act.

Written By
Scott Richards
May 28, 2026

Most enterprises today can tell you exactly which AI agents they are planning to deploy. What they can’t tell you is how many may have been deployed without their knowledge or how many are operating on their network without oversight, policy, or even an assigned identity. That gap is quickly becoming one of the most pressing security challenges for enterprises right now.

I recently had the opportunity to spend five days with customers across Australia, and the same anxiety came up in nearly every conversation. Security leaders know they’ve deployed a handful of AI agents, but what keeps them up at night is that agents are running without visibility or control. One customer shared that they had intentionally deployed only a handful of agents, but suspected hundreds more were operating without policy or oversight. They had no reliable way to find or stop them.

This challenge was further revealed in a recent report: Nearly 8 in 10 organizations (79%) have not yet reached full AI maturity in cybersecurity.

These insights reflect how quickly AI adoption is outpacing existing security controls. Security teams already have the foundation: identity, data security, threat detection and response, and application security. The challenge is applying those principles to a new class of users: AI agents.

Principle 1: Agents are identities. Treat them that way.

For decades, Identity and Access Management (IAM) has governed how enterprises control access and accountability for human actors. Every employee gets provisioned with an identity, assigned a role, granted least-privilege access, and monitored against expected behavior. When something goes wrong, there’s an accountable identity to trace back to.

Agents require the same structure. An agent without an assigned identity can’t be governed, monitored, or stopped when it acts outside its intended scope. Extending IAM to non-human identities, with the same least-privilege access controls used for employees, is now a baseline requirement. In practice, that means every agent is uniquely identified, authenticated, and limited to a defined set of permissions that can be monitored and enforced before it touches a single piece of data or triggers a single action.

The goal is straightforward: only approved agents should be able to access enterprise data, and they must operate within defined limits. Identity is what makes that enforceable.

Principle 2: Visibility into rogue agents

Security teams today are dealing with a growing number of agents across their environments. They are finding thousands of needles in thousands of haystacks and trying to determine, in real time, whether any of them pose a risk. An identity-first approach cuts through that: any agent operating without a provisioned identity is flagged as unauthorized by definition. From there, threat detection and response capabilities can identify agents based on their behavior, determine whether they are deviating from expected behavior, bring them into policy, or isolate them entirely. When those detections are tied to clearly defined identities, they become actionable.

Principle 3: Control over data access

Every customer I spoke with on this trip raised the same concern: agents accessing sensitive data and acting on it, whether by moving it or modifying it. At the core of that concern is control. Many organizations do not feel they have tight enough oversight of sensitive data, especially PII, or what agents can do with it once they have access.

Nobody has fully solved behavioral monitoring for agents acting beyond their scope yet, but the path forward runs through identity. When you know which agents are approved and what data they’re authorized to reach, you can use threat detection to notify analysts the moment a sensitive repository is accessed by any identity outside that approved set. Encryption and PII controls still play a role, but they do not determine who gets access in the first place. Identity does.
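The identity-first checks described under Principles 2 and 3, as an added example that is not part of the original article: it flags any access event with no provisioned identity, and any access to a sensitive repository by an identity outside the approved set. The registry, repository names, log format, and sample events are all constructed for illustration.

```python
import json

# Hypothetical registry: provisioned agent identity -> repositories it is
# approved to reach. Every name here is constructed for this example.
REGISTRY = {
    "agent-invoice-01": {"finance-ledger", "vendor-docs"},
    "agent-helpdesk-02": {"kb-articles"},
}
SENSITIVE_REPOS = {"finance-ledger", "hr-pii"}

# Constructed access events, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2026-05-28T01:00:00Z", "agent_id": "agent-invoice-01", "repo": "finance-ledger", "action": "read"}
{"ts": "2026-05-28T01:00:05Z", "agent_id": "agent-helpdesk-02", "repo": "hr-pii", "action": "read"}
{"ts": "2026-05-28T01:00:09Z", "agent_id": null, "repo": "kb-articles", "action": "read"}
{"ts": "2026-05-28T01:00:12Z", "agent_id": "agent-shadow-77", "repo": "hr-pii", "action": "write"}
{"ts": "2026-05-28T01:00:20Z", "agent_id": "agent-helpdesk-02", "repo": "vendor-docs", "action": "read"}
"""

def classify(event):
    """Return an alert reason for one access event, or None if it is in policy."""
    agent, repo = event.get("agent_id"), event.get("repo")
    if not isinstance(repo, str):
        return "malformed-event"
    # Principle 2: no provisioned identity means unauthorized by definition.
    if not isinstance(agent, str) or agent not in REGISTRY:
        return "unprovisioned-identity"
    if repo in REGISTRY[agent]:
        return None
    # Principle 3: a known identity reaching outside its approved set.
    if repo in SENSITIVE_REPOS:
        return "sensitive-access-outside-approved-set"
    return "out-of-scope-access"

def detect(log_text):
    """Scan JSON-lines access events and return one alert dict per finding."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            if not isinstance(event, dict):
                raise ValueError("event is not a JSON object")
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            alerts.append({"line": line_no, "reason": "unparseable-event"})
            continue
        reason = classify(event)
        if reason:
            alerts.append({"line": line_no, "agent_id": event.get("agent_id"),
                           "repo": event.get("repo"), "reason": reason})
    return alerts
```

Calling `detect(SAMPLE_LOG)` returns four alerts; only the first event, an approved identity reading a repository in its approved set, passes silently.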

Principle 4: Agent actions and permissions

This is one that doesn’t get enough attention: identity-first security extends into AppSec too. The code your agents run, and the actions they’re authorized to take, should be governed by the same identity and least-privilege principles as their data access. An agent that can read a file has a different risk profile than one that can modify a record, trigger a transaction, or call an external API. Tying action authority to identity policy is how you limit the blast radius when something goes wrong. In multi-agent chains, where one agent triggers another, which triggers another, it’s also how you preserve any meaningful audit trail when accountability is on the line.
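One way to tie action authority to identity in a multi-agent chain, as an added example that is not from the original article. It assumes a hypothetical per-identity action policy and one possible rule, that an action is allowed only if every identity in the chain holds it; each decision is written to an audit record that keeps the full chain.

```python
from datetime import datetime, timezone

# Hypothetical per-identity action policy (all names constructed).
ACTION_POLICY = {
    "agent-planner": {"read_file", "modify_record"},
    "agent-billing": {"read_file", "modify_record", "trigger_transaction"},
    "agent-summarizer": {"read_file"},
}

AUDIT_LOG = []  # in-memory stand-in for an append-only audit store

def authorize(chain, action, now=None):
    """Decide whether the last agent in `chain` may perform `action`.

    `chain` lists agent identities in call order, originator first.
    Assumption of this example: the effective permission is the intersection
    of the permissions of every identity in the chain, so a low-privilege
    agent cannot gain authority by triggering a higher-privilege one.
    """
    denied_by, reason = None, None
    if not chain:
        reason = "empty-chain"
    for agent in chain:
        allowed = ACTION_POLICY.get(agent)
        if allowed is None:
            denied_by, reason = agent, "unprovisioned-identity"
            break
        if action not in allowed:
            denied_by, reason = agent, "action-not-permitted"
            break
    # Record allow and deny alike, with the whole chain, so the decision can
    # be traced back to the originating identity afterwards.
    record = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "chain": list(chain),
        "actor": chain[-1] if chain else None,
        "action": action,
        "decision": "deny" if reason else "allow",
        "denied_by": denied_by,
        "reason": reason,
    }
    AUDIT_LOG.append(record)
    return record
```

With this policy, `agent-billing` may trigger a transaction on its own, but the same request arriving through `agent-summarizer` is denied and the audit record names the summarizer as the limiting identity.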

The identity gap most organizations still have

When these principles are applied together, three problems that can otherwise feel disconnected start to resolve: visibility into unauthorized agents, control over data access, and control over what agents are allowed to do. The result is a layered security approach where each control reinforces the next. Identity governance sets the policy; data security and access controls determine what information agents can access; threat detection and response identify when activity falls outside expected behavior; and application security limits what instructions agents are allowed to perform.

When an enterprise tells me they’ve secured their AI agents, I ask one question first: Have you assigned an identity to every agent on your network, including the ones your own teams deployed without formal approval or governance? The answer is almost always no, not because security leaders aren’t paying attention, but because the scale of agentic proliferation has outrun the frameworks designed to govern it.

Identity is the prerequisite for controlling, monitoring, and holding agents accountable. With most organizations lacking full visibility into the agents operating across their environments, identity must be in place before those agents are granted access to data or the ability to act.

The organizations that get this right will be those that make identity part of agent deployment from the beginning, not after agents are already in motion. The ones that wait are managing a problem that’s already bigger than they know.

Scott Richards

Scott Richards is the SVP, AI & Discovery, at OpenText Cybersecurity. Scott, a technology industry veteran with over 25 years of experience, excels in leadership across sales, product management, and development. With experience in startups and large corporations, he currently serves as SVP of AI & Discovery and Cybersecurity at OpenText. In this role, he oversees the Cybersecurity, AI & Discovery units, leveraging his deep expertise in data analytics and artificial intelligence.
