How to keep the robots useful without giving them the keys to the kingdom

Your access model was built for humans: log in, click things, maybe copy-paste something regrettable into a terminal, then go home. Agentic AI doesn’t do “go home”. It plans, chooses tools, calls APIs, reads and writes data, and completes multi-step tasks across systems.

That’s not a chatbot. That’s an intern with god-mode and zero sense of fear.

And that’s why the traditional access model just snapped.

By 2028, Gartner expects 60% of brands to use agentic AI for streamlined one-to-one interactions. Gartner also predicts 15% of day-to-day work decisions will be made autonomously via agentic AI, and 33% of enterprise software applications will include it. Meanwhile, service leaders are leaning into “digital labor”: Salesforce expects AI to handle half of customer service cases by 2027, up from about 30% today. 

Business is pushing adoption hard: faster support, lower overheads, better availability, fewer humans doing copy/paste in the cloud console at 2 am. Security’s job isn’t to kill this. It’s to prevent it from becoming an always-on privilege-escalation factory.

What Actually Broke?

Agentic AI changes the access question from:

“Which humans should have access?”

to:

“Which workflows can act, with which permissions, using which tools, for how long, with what guardrails, and who is accountable?”

Old models fail because agentic systems create delegation sprawl:

• New identities (agents, bots, service accounts, ephemeral functions) that end up “temporarily” over-permissioned.
• Tool chaining that turns “safe” permissions into dangerous outcomes (export + email + storage + delete).
• Speed mismatch: agents act in seconds; approvals, reviews, and investigations don’t.
• Untrusted inputs are becoming instructions (indirect prompt injection) because agents read emails, tickets, docs, web pages, and then take actions.

OWASP has now formalized this shift with its Top 10 for Agentic Applications (December 2025), including risks like Agent Goal Hijack, Tool Misuse, and Identity & Privilege Abuse. 

“We have zero agentic AI systems that are secure against these attacks… Any AI that is working in an adversarial environment… is vulnerable to prompt injection.”
- Bruce Schneier, cryptographer, computer security professional, privacy specialist, writer.

The Stakes: Breach Metrics Still Start With Access

Agentic AI doesn’t replace classic intrusion paths. It amplifies them.

Verizon’s 2025 DBIR states that compromised credentials were an initial access vector in 22% of breaches reviewed.  If your agents and automation are sitting on long-lived tokens, broad roles, or cached credentials, an attacker doesn’t need a novel AI exploit. They just need our access model to be a messy bag of access sprawl (which it already is).

And when it goes wrong, it’s not an “oops,” it’s an invoice. IBM’s Cost of a Data Breach report puts the average global breach cost at $4.88M (2024). 

Why CISOs Can’t Just Ban It

Because the organization will do it anyway. Often quietly. Often badly.

The World Economic Forum reported 66% of respondents believe AI will affect cybersecurity in the next 12 months, but only 37% had processes in place for safe AI deployment (2025). That gap is your reality: adoption pressure + governance lag.

If you try a blanket “no agents” stance, you’ll get Shadow Agentic IT: teams wiring assistants to Jira, Slack, cloud APIs, and customer data with whatever keys are closest to hand. The access model breaks, and we lose visibility. Congratulations: we’ve created a breach with extra steps.

The Fix: Make Privilege A Rental, Not A Property

If agentic AI is going to act, the access model needs to become time-bound, task-bound, and provable.

Think in four controls that survive the agentic era:

1) Zero Standing Privilege, Everywhere

“Always-on admin” is now a museum exhibit. Replace standing privilege with just-in-time access for a specific task, for a limited time, with automatic expiry.

This is directly aligned with OWASP’s guidance on controlling identity and privilege abuse and on using short-lived credentials. 

2) CIEM-Level Visibility Across Cloud Entitlements

If you can’t answer “who (or what) can do what, right now” across AWS/Azure/GCP, you’re not governing agentic workflows, you’re hoping.

Microsoft explicitly positions CIEM as visibility into who/what has access to which resources. 

3) Workflow-Based Requests And Approvals

High-risk access should be requested, approved, logged, and auto-revoked, ideally where people already work (chat + ticketing), not buried in a portal nobody opens until the auditor arrives.

There’s a platform approach (without naming it) that combines: multi-cloud entitlement discovery, JIT elevation, ZSP workflows, Slack/Teams approvals, time-boxed access that expires cleanly, and unified audit evidence. 

4) Treat Agent Actions Like Production Changes

Agentic actions that touch IAM, data exports, customer comms, or CI/CD should have guardrails: tool allowlists, scoped roles, re-auth on privileged steps, and a complete audit trail.

If we don’t have a clean chain of custody, our incident response write-up will read like: “The agent did something. We don’t know why. We don’t know how. We are now a cautionary tale.” *shrug*

The Practical Way To Sell This Internally

Frame it as enabling, not blocking:

• Faster automation because security stops being a manual gate.
• Lower overheads because standing access reviews and screenshot-collecting become policy + evidence.
• Better customer service because agents can act safely, not “act and pray”.
• Compliance because auditors want to see what agentic AI is up to as standard in 2026.

Agentic AI didn’t break access because it’s “evil.” It broke access because it’s real work, done at machine speed, with real permissions.

Our job now is to build an access model that assumes autonomy, and still keeps the kingdom’s keys on a short, well-labelled leash.

‍