Behavior and boundaries: The agentic security shift

Industry Trends | June 03, 2026

A lot of people aren’t following the implications of agentic AI all the way through. We need to, especially when it comes to security, even if it shakes our foundations.

Spoiler: it will.

For example, the OWASP Agentic Top 10 gets the premise right: agents amplify existing vulnerabilities. Your APIs didn’t suddenly become secure just because you put an LLM in front of them. If anything, they’re more exposed now that something is continuously probing, chaining actions, and exploring paths like a very patient attacker. The list also correctly highlights multi-step execution, tool chaining, and how decisions evolve over time.

But it stops just short of the deeper issue we must confront.

Hits and misses

The OWASP list notes that agents don’t invent entirely new failure modes; they make old ones more dangerous. Tool misuse, privilege inheritance across steps, and goal hijacking are real risks, and they unfold across sequences rather than single prompts or requests. OWASP understands the dynamic nature of agentic systems. This is all true.

But the guidance still operates largely within the traditional request-response model. It assumes the request is the primary unit of control: validate identity, check permissions, inspect, and decide. That model worked when workflows were predefined and bounded by application design.

Agentic systems break that assumption.

They construct flows at runtime in pursuit of a goal. They evaluate results, adapt, iterate, and expand scope. Each individual request may be perfectly valid in that the identity is correct, permissions align, and policy passes, yet the overall behavior can drift far from what was intended.

This is where our sense of lost control comes from. It’s not that identity is failing us. Authentication remains strong. Credential propagation and delegation work as designed. Agents operate with their own identity or delegated credentials, and tokens flow reliably across services.

The problem lies elsewhere. Traditional access control relied on an unspoken foundation: bounded flows. Applications defined the sequences of actions. Even with branching logic, the system itself constrained what could happen. That structure let us evaluate requests in isolation because the available paths were limited. Our policies are built on that understanding, and our enforcement is meant to, well, enforce those boundaries.

But agents replace predefined flows with emergent ones. Behavior unfolds dynamically, often blending discrete API calls with long-lived sessions and streaming interactions. An agent might explore a dataset, build context over time, then issue writes that no one anticipated. Runaway loops, unexpected cost spikes, and surprising cross-system actions aren’t failures of identity or single requests; they’re the result of valid actions composed into unintended sequences.

Agents are unbounded by design, yet they are governed by security systems that assume they still operate under the same constraints as traditional applications.

Directory traversal offers a clear example. We’ve long treated path manipulation as malicious and blocked it. And well we should, because we have a clear set of paths that are expected, and deviation from that set should be suspect.

But for an agent tasked with retrieving documents or assembling context from a file system, navigating structure isn’t suspicious. Rather, it’s necessary. Block it outright and the agent becomes useless. Allow it without bounds and you hand an aggressive explorer the keys to the kingdom.

The real issue isn’t traversal. It’s unbounded traversal. The same pattern appears in tool misuse, goal hijacking, and memory poisoning: risk accumulates across sequences, not in isolation.
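The sketch below is an added example, not code from the original post. It shows what bounding traversal, rather than blocking it, can look like. The class name, the root path, and the two limits are hypothetical, and the check is lexical only.

```python
import posixpath

class TraversalBudget:
    """Per-session bound on file-system exploration (hypothetical helper)."""

    def __init__(self, root, max_dirs, max_depth):
        self.root = posixpath.normpath(root)  # assumed absolute
        self.max_dirs = max_dirs    # distinct directories a session may touch
        self.max_depth = max_depth  # directory levels allowed below root
        self.seen_dirs = set()

    def check(self, requested):
        """Judge one file read against everything this session has done."""
        # Canonicalise first, so '..' is judged by where it lands.
        # Lexical only: a real deployment must also resolve symlinks.
        path = posixpath.normpath(posixpath.join(self.root, requested))
        if posixpath.commonpath([self.root, path]) != self.root:
            return "outside root"
        parent = path if path == self.root else posixpath.dirname(path)
        rel = posixpath.relpath(parent, self.root)
        depth = 0 if rel == "." else rel.count("/") + 1
        if depth > self.max_depth:
            return "too deep"
        if rel not in self.seen_dirs:
            if len(self.seen_dirs) >= self.max_dirs:
                return "directory budget exhausted"
            self.seen_dirs.add(rel)
        return "ok"

def traversal_demo():
    # Constructed request sequence for one agent session.
    budget = TraversalBudget("/srv/docs", max_dirs=2, max_depth=2)
    requests = [
        "reports/q1.txt",
        "reports/../reports/q2.txt",
        "../../etc/passwd",
        "hr/a.txt",
        "legal/b.txt",
        "reports/2025/03/deep.txt",
    ]
    return [budget.check(r) for r in requests]

if __name__ == "__main__":
    for verdict in traversal_demo():
        print(verdict)
```

The second request contains `..` and is still allowed because it resolves inside the root. The fifth is a perfectly ordinary path that is refused only because of what the session has already touched.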

The necessary shift: From request validation to behavioral governance

Identity remains necessary for authentication and attribution, but it is not sufficient to govern behavior over time. Role- and scope-based models assume predictable patterns and bounded interactions. In agentic environments where execution spans request-based and session-based models, they provide only coarse control.

We must evolve access control into behavioral governance. This means evaluating requests in full context: what has already occurred, how behavior is evolving, and how actions span protocols. Enforcement must become continuous and protocol-aware, tracking accumulation across discrete calls and persistent sessions.

The solution is constraint-based policy. Instead of prescribing exact paths, define the operating space:

  • Resource boundaries (read from these datasets, but never write to production)
  • Quantitative limits (caps on actions, cost, or scope expansion)
  • Capability constraints (additional approval required before destructive actions)
  • Conditional policies that escalate when risk increases

These constraints apply across the entire sequence, whether carried by HTTP requests or WebSocket streams. Shared architectural layers like API gateways, service meshes, and orchestration platforms become critical. They provide the vantage point to observe, correlate, and intervene as behavior unfolds, propagating execution context alongside identity.

Routing itself turns into a control mechanism: redirect to constrained environments, throttle, or terminate sequences that approach defined limits. Enforcement becomes graduated rather than binary, shaping behavior without immediately halting useful work.
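As an added illustration (not part of the original post), the following sketch evaluates each call against session-wide constraints and returns a graduated decision instead of a binary allow or deny. All names, limits, and the sample call sequence are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Constraints:  # the operating space, not a prescribed path
    readable: frozenset
    writable: frozenset
    max_actions: int
    max_cost: int                 # cost units, e.g. cents
    destructive: frozenset = frozenset({"delete"})
    throttle_at: float = 0.8      # fraction of a limit that triggers slowing

@dataclass
class Session:  # state accumulated across the whole sequence
    actions: int = 0
    cost: int = 0
    approved: set = field(default_factory=set)

def decide(c, s, verb, resource, cost):
    # Resource boundary: reads may touch either set, anything else needs write.
    scope = c.readable | c.writable if verb == "read" else c.writable
    if resource not in scope:
        return "deny"
    # Capability constraint: destructive verbs wait for explicit approval.
    if verb in c.destructive and (verb, resource) not in s.approved:
        return "require_approval"
    # Quantitative limits: judged on the running totals, not this call alone.
    if s.actions + 1 > c.max_actions or s.cost + cost > c.max_cost:
        return "terminate"
    s.actions += 1
    s.cost += cost
    used = max(s.actions / c.max_actions, s.cost / c.max_cost)
    # Graduated enforcement: slow the session before it reaches the limit.
    return "throttle" if used >= c.throttle_at else "allow"

def policy_demo():
    # Constructed sequence; dataset names are placeholders.
    c = Constraints(frozenset({"analytics"}), frozenset({"staging"}), 5, 100)
    s = Session()
    calls = [("read", "analytics", 10), ("read", "analytics", 10),
             ("write", "production", 10), ("write", "staging", 20),
             ("delete", "staging", 10), ("read", "analytics", 10),
             ("read", "analytics", 10), ("read", "analytics", 10)]
    return [decide(c, s, *call) for call in calls]
```

The last three calls are identical reads, yet they receive different verdicts as the session nears and then exceeds its action cap, which is the difference between validating a request and governing a sequence.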

App delivery and security must be able to work together to achieve these goals, coordinating and communicating across a shared control plane to ensure behavior is bounded by policy, not predefined workflows.

This shift doesn’t require predicting every possible path. It requires continuously refining constraints based on observed behavior, creating a feedback loop between operations and policy.

The shift we must make

AI doesn’t just introduce new risks. It forces us to rethink how we apply the controls we already have. Without this evolution, we’ll keep oscillating between systems that are technically secure but practically unusable, and systems that are highly capable but quietly out of control.

The unit of security is no longer the request; it’s behavior.

The question is no longer simply whether a request is allowed; it’s whether the behavior that request represents should be allowed to continue.

That’s the agentic security shift we must make.


About the Author

Lori MacVittie, Distinguished Engineer and Chief Evangelist | F5

Lori MacVittie is a Distinguished Engineer and Chief Evangelist in F5’s Office of the CTO with deep expertise in application delivery, automation strategy, and infrastructure. She is known for turning complexity into clarity whether she’s defining guardrails for AI agents, dissecting brittle multicloud architectures, or probing the limits of scalable systems. She brings more than thirty years of industry experience across application development, IT architecture, and network and systems operations. Before joining F5, she served as an award-winning technology editor. MacVittie holds an M.S. in Computer Science and is a prolific author whose publications span security, cloud, and enterprise architecture. She is also an avid tabletop and video gamer with unapologetically strong opinions about cheese.
