BLOG | OFFICE OF THE CTO

When the agents walk in, your security model walks out

Lori MacVittie Thumbnail
Lori MacVittie
Published September 03, 2025

Most of today’s enterprise security tooling is built on a very specific set of assumptions. That’s not a bad thing, as those assumptions have been tested and validated a thousand times in the past twenty years. Chief among those assumptions is that software does what it’s told, users can be profiled, and systems behave predictably under known conditions. That worked when you were securing APIs, web servers, or humans with bad password hygiene.

But all of that breaks when autonomous agents show up.

Agents don’t always follow scripts. They don’t always operate in statically defined paths. They reason, plan, adapt, and, if you’re not paying attention, can misbehave. And that means your classic defense playbook just became retroactively optimistic.

Fortunately, security researchers are starting to address this reality. One of the serious signs of that came in the form of a paper: “Securing Agentic AI: Threat Modeling for LLM Agents.” It doesn’t just throw up a bunch of new scary scenarios, it actually offers a new operational framework, built for the agentic world we’re sliding into headfirst.

SHIELD: A framework built for the agents, not the APIs

The authors introduce SHIELD, a layered approach for managing autonomous agents in real-world environments. It’s not just a list of attack vectors, it’s a governance blueprint. SHIELD includes:

  • Sandboxing: Define exactly what an agent can touch (tools, files, APIs) before it acts. Use some form of stringent access control. The core premise here is sound, and many efforts to govern tool usage by AI in general are extant.
  • Human-in-the-loop: Insert checkpoints or escalation paths before irreversible actions happen. This seems pretty obvious, as it’s part and parcel of most automation efforts.
  • Interface constraints: Rigid input/output rules for agent interaction with the system. Sounds like input sanitization and response checking. Hunh.
  • Execution tracking: Monitor tool calls, memory state changes, and planning loops. Observability. Observability. Observability.
  • Logging: Capture reasoning steps and tool usage, not just outcomes. This one is necessary to make a nice acronym, but it really goes with the tracking above and is part of an overarching observability strategy.
  • Deterministic replay: Reconstruct inference sessions to audit why something happened not just what. I find this one incredibly difficult to believe possible given that recreating the “state” of an agent—any AI really—is nearly impossible. But hey, if it can be done that’d be cool.

It’s still early days, but SHIELD’s core insight is critical: agentic AI requires new control points, new assumptions, and new mental models. We may have mentioned that recently, like in this whitepaper. But right now, let’s just summarize what that really means for security leaders and engineers.

The five shifts security must make for agentic AI

1. From static threat models to dynamic behavior monitoring
Traditional threat models expect attackers to follow known patterns including lateral movement, privilege escalation, payload delivery. But agents don’t follow known anything. They can improvise.

Security teams need to start monitoring emergent behavior. That means building telemetry around what agents do, how they think, and when they deviate from intended paths. Semantic. Observability. Nuff said.

2. From perimeter controls to runtime policy enforcement
Firewalls and gateway-level protections don’t help when the LLM agent is already inside calling tools, accessing files, or submitting API requests autonomously.

Security must move closer to runtime, enforcing task-scoped permissions, environment isolation, and intent validation in real time. Think of it as policy-as-inference: what an agent is allowed to do must be checked as it decides to do it. This is the collapse of data and control planes, and security has to be involved.

3. From logging events to capturing context
You can’t secure what you can’t understand, and with agents, understanding requires more than logs. You need prompt chains, tool call metadata, memory snapshots, and execution context all logged and traceable. Context is the new perimeter.

Why did the agent book five meetings and send an email to a vendor at 2 AM? You won’t know unless you can replay its decision tree. This isn’t observability. It’s agent forensics.

4. From code reviews to behavioral testing
An agent’s logic isn’t in code, it’s in the combination of weights, prompts, tools, and context. That makes static review useless.

What’s needed is sandboxed behavioral QA: simulate edge cases, adversarial inputs, and permission boundaries. Run agents like they’re junior engineers in training, not deterministic code modules.

Red-teaming needs to evolve from “penetrate the system” to “manipulate the agent”—repeatedly, and with a keen eye for failure cascades.

5. From user identity to agent identity and scope
Access control today is mostly user-centric: who are you, and what roles do you have? That won’t work for agents. You now need to assign identity, privilege scope, and task boundaries to AI actors, along with automatic expiration (think TTL), isolation from shared memory, and persistent audit trails.

In short: zero trust now applies to non-human actors. And that trust must be earned every time they invoke a tool or touch a resource.

Security must adapt

Agentic AI isn’t just a novelty, it’s a systems-level shift. When models gain autonomy, your system gains entropy, and your old assumptions become liabilities.

What SHIELD gets right isn’t just its list of controls. It’s the philosophy, which includes two core assumptions:

  • Assume agents will go off script, whether by nature or manipulation
  • Assume reasoning errors can cause system-wide side effects

Security teams that embrace these now will build guardrails that scale. Those that don’t? They’ll be the ones cleaning up after the agents were “just trying to help.”

So, no, your existing frameworks aren’t enough. The agents have entered the room. Time to meet them with governance that actually understands what they are.