AI agents that can retrieve, decide, and act introduce an entirely new security model. Here's what's different — and what you need to address before agents touch production data.
What makes agentic AI different from prior AI deployments
Enterprise AI deployments of the past two years — copilots, assistants, classification models — are largely passive. A user asks a question; the model answers. The model doesn't act.
Agentic AI is fundamentally different. An agent can be given a goal and autonomously: retrieve data from APIs, read and write files, execute code, send messages, call external services, and make sequential decisions across multi-step workflows. It acts.
This action capability is what makes agentic AI valuable — and what makes it a novel security surface. When an agent can take actions, the consequences of a compromise or misconfiguration extend beyond information disclosure to operational impact: data exfiltration, unauthorized transactions, corrupted records, or cascading actions across connected systems.
The new attack surfaces
Prompt injection. An attacker embeds malicious instructions in content the agent retrieves — a web page, an email, a document — causing the agent to deviate from its intended behavior. Unlike SQL injection, prompt injection is semantic rather than syntactic, making it harder to detect and filter.
Tool misuse. If an agent has access to a database query tool, an email sending tool, and a file write tool, a compromised or confused agent could combine these in ways the developer didn't anticipate. Over-provisioned tool access amplifies blast radius.
Identity confusion. Multi-agent architectures — where one agent orchestrates others — introduce identity delegation challenges. How does a subagent know the request is legitimate? How do you prevent an untrusted orchestrator from impersonating a trusted one?
Excessive autonomy. Agents designed to be helpful will attempt to complete tasks by taking the path of least resistance. Without explicit guardrails, this can include accessing data outside the intended scope, escalating permissions, or taking irreversible actions.
The security principles that apply
Least privilege for agents. Every agent should be provisioned with exactly the access needed for its defined tasks — nothing more. This means scoped API credentials, read-only access where write isn't required, and time-bounded sessions. Service account sprawl is a long-standing enterprise problem; agentic AI makes it critical to solve.
Explicit tool registries. Agents should only have access to tools you've deliberately granted. Maintain a registry of authorized tools per agent role. Tools that can take high-consequence actions — sending external communications, modifying records, executing code — require elevated scrutiny.
Human-in-the-loop for consequential actions. Not every agent action requires human approval, but actions above a defined consequence threshold should. This includes: sending external communications, financial transactions, data deletions, and any action that cannot be reversed. Design approval workflows before deployment, not after.
Audit trails as a first-class requirement. Every agent action should be logged with enough context to reconstruct what happened, why, and on whose authority. This is not only a security requirement — it's increasingly a regulatory one for firms subject to SEC, FINRA, or HIPAA oversight.
What a secure agent architecture looks like
A secure agentic AI architecture starts with identity: each agent has a named, scoped service identity with associated credentials managed in a secrets manager. Credentials are rotated automatically and never hardcoded.
Tool access is governed by a capability manifest — a declarative document specifying which tools the agent can access, under what conditions, and with what parameters. Changes to the manifest require a formal change control process.
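The least-privilege, tool-registry and human-in-the-loop principles above can all be enforced at one point: the dispatcher that sits between the model and its tools. The following is an added example (not the firm's or any framework's code) of a deny-by-default capability manifest for a hypothetical "ticket-triage" agent; the tool names, parameter patterns and the `approver` hook are constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass

# Constructed capability manifest for a hypothetical "ticket-triage" agent; in a
# real deployment this is a version-controlled document under change control.
MANIFEST = {
    "agent": "ticket-triage",
    "tools": {
        "db.query":   {"params": {"table": ["tickets", "customers"]}},
        "file.write": {"params": {"path": ["/var/agent/triage/*"]}},
        "email.send": {"params": {"to": ["*@example.internal"]},
                       "requires_approval": True},   # consequential: needs a human
    },
}

@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False

def authorize(manifest: dict, tool: str, params: dict) -> Decision:
    """Deny by default: a call passes only if the manifest names the tool and every
    constrained parameter matches one of the manifest's allowed patterns."""
    spec = manifest["tools"].get(tool)
    if spec is None:
        return Decision(False, f"tool {tool!r} not in manifest for {manifest['agent']!r}")
    for key, patterns in spec.get("params", {}).items():
        value = params.get(key)
        if value is None:
            return Decision(False, f"missing constrained parameter {key!r}")
        if not any(fnmatch.fnmatchcase(str(value), p) for p in patterns):
            return Decision(False, f"{key}={value!r} is outside the allowed scope")
    return Decision(True, "permitted by manifest", bool(spec.get("requires_approval")))

def dispatch(manifest: dict, tool: str, params: dict, approver=lambda t, p: False):
    """Gate a tool call: deny, hold for human approval, or execute. `approver` is a
    hypothetical hook into the approval workflow; the default approves nothing."""
    decision = authorize(manifest, tool, params)
    if not decision.allowed:
        return ("denied", decision.reason)
    if decision.needs_approval and not approver(tool, params):
        return ("held", "awaiting human approval")
    return ("executed", decision.reason)
```

A tool the manifest does not name, or a parameter outside its patterns, is refused before the tool runs; an approved-but-consequential tool is held until the approval workflow answers.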
All agent actions are logged to a centralized, tamper-evident audit trail. Anomaly detection monitors for behavioral deviation — an agent suddenly accessing data sources it hasn't touched before, or calling tools at unusual frequency.
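As an added example (not the firm's own tooling), here is a hash-chained audit trail that records what happened, which tool did it and on whose authority, plus a detector for the two deviations named above: a never-before-seen data source and an unusual call frequency. The record fields, the agent name and the sample trail are constructed for illustration.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(chain: list, entry: dict) -> dict:
    """Append a record linked to the previous record's hash: editing or deleting
    any earlier record changes every hash after it, which verify_chain() catches."""
    body = {**entry, "prev": chain[-1]["hash"] if chain else GENESIS}
    chain.append({**body, "hash": _digest(body)})
    return chain[-1]

def verify_chain(chain: list) -> bool:
    prev = GENESIS
    for rec in chain:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

def detect_anomalies(chain: list, baseline_sources: set, max_per_minute: int = 20) -> list:
    """Flag the two deviations described above: a data source the agent has never
    touched before, and a tool called far more often than usual in one minute."""
    alerts, per_minute = [], Counter()
    for rec in chain:
        if rec.get("source") and rec["source"] not in baseline_sources:
            alerts.append(f"{rec['agent']} touched new source {rec['source']} (by {rec['principal']})")
        per_minute[(rec["agent"], rec["tool"], rec["ts"] // 60)] += 1
    for (agent, tool, minute), n in per_minute.items():
        if n > max_per_minute:
            alerts.append(f"{agent} called {tool} {n}x in minute {minute}")
    return alerts

# Constructed sample trail: a burst of 25 queries in one minute, then a query
# against a source the agent's baseline never included.
AUDIT: list = []
for i in range(25):
    append_entry(AUDIT, {"ts": 1700000000 + i, "agent": "ticket-triage", "tool": "db.query",
                         "source": "tickets", "principal": "user:alice"})
append_entry(AUDIT, {"ts": 1700000100, "agent": "ticket-triage", "tool": "db.query",
                     "source": "payroll", "principal": "user:alice"})
```

A hash chain makes tampering evident, not impossible: anchor the latest hash somewhere the agent's own credentials cannot write, or the chain can simply be rebuilt.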
Production deployments are preceded by adversarial testing: red-team exercises specifically targeting prompt injection, privilege escalation through tool chaining, and behavioral manipulation through environmental input.
Where Bay Area firms are in this journey
Most enterprise organizations we work with in San Francisco, the Peninsula, and the East Bay are in one of two positions: they've deployed AI agents in controlled pilots and are now planning production rollout, or they've had AI capabilities pushed into their environment by SaaS vendors (Microsoft Copilot, Salesforce Einstein, ServiceNow) without a clear security posture.
Both positions require the same foundational work: inventory what agents exist and what they can access, establish an identity and access governance model for agent service accounts, define a tool governance framework, and implement logging sufficient to support investigation.
Intragreat's Agentic AI Security practice helps organizations assess their current agent deployments, design secure architectures for planned deployments, and implement the identity, access, and monitoring controls that give you confidence before agents touch production data.