Cio.com posted about the risk of AI agents HERE. I feel it’s a well wrote reasons why C level members need to allow for AI and agent adoption, but with a security first mindset.
My only pushback is it doesn’t give clear recommendations on what to do about the risk. The article points out a need for maturing your identity management practice. I totally agree with that as well as maturing your data security practice. I call these two areas your foundational plumbing that needs to be in place. For the identity topic, many AI situations will work “on behalf” of your identity permissions. When they don’t, they essentially act like an independent user. This brings into light the debate happening right now about how to treat the risk of agents. This article leans into the API risk, which is real. This does not take into account agents acting autonomously and that is my pushback.
I believe agents need to be treated like users. So the risk is APIs + the same risks of general users, which is your program for movers, joiners, and leavers, but for agents. My argument is simple. No security minded professional would say it’s ok to let anybody have access to your resources. You create a program to onboard someone or something, provision what it can access, and remove that access when it is no longer need. The same concept needs to apply to agents. You can’t just allow agents to run (even if you have API security in place). That would be the same idea of letting anybody come on your environment but block malicious behavior. Good luck with that approach … it wont work.
I see this article as a good read to understand the problem. The recommendations from this article are to improve your identity management program in the sense that agents are treated like people. Plus you need to think about data security (because that is what AI reasons on), API security, host security where data is stored, and other defense in depth capabilities.
Check out the article HERE. Again, good read to understand the problem. I don’t like the API only recommendation. There is more needed