Cybersecurity in the Agentic Enterprise
In the agentic enterprise, the security question is no longer only who accessed what. It is what an authorized machine actor is allowed to decide and do right now. Security becomes the enforcement layer for delegated authority.
Part of the series The AI-Native Enterprise · Arc III — Cyber Becomes Trust Architecture
By Michael E. Ruiz
The previous essay ended on a clean split: a delegation contract defines what a machine actor may do, and security is what enforces it. This essay takes up the second half of that sentence, because it changes what cybersecurity is for. For most of its history, enterprise security has been organized around a single question: who is allowed access to what. Authenticate the user, authorize the resource, log the event, keep the unauthorized out. That question does not go away in the agentic enterprise. It stops being sufficient.
The reason is that the risk has moved. When the actors inside your systems are people and deterministic applications, the dangerous event is unauthorized access: someone or something getting to a resource it should not reach. When some of the actors are agents with delegated authority, a new and equally dangerous event appears: an authorized system taking a consequential action it should not have taken, in a situation the authorization never really contemplated. The agent had legitimate access. It used that access to decide and act. Nothing was breached in the traditional sense, and yet something happened that the organization would never have approved. Access control has nothing to say about that, because access was not the problem.
Two surfaces, not one
It helps to name the two surfaces the enterprise now has to defend. The first is the familiar attack surface: the ways an adversary can get in, move, and reach something valuable. Agents enlarge it, because each agent is a new identity with credentials, tool access, and network reach, and a compromised agent is a capable insider. That much fits the existing model, even if the scale is new.
The second surface is less familiar and more consequential: the decision surface. It is the full set of consequential choices the enterprise's authorized machine actors can make, and it exists whether or not anyone attacks it. Every decision an agent is empowered to take autonomously, approve a transaction, change a configuration, send a communication, invoke another agent, is a point on the decision surface. It can be exploited by an adversary, but it can also simply go wrong: a correct-looking decision, made by a system acting entirely within its granted authority, that turns out to be one the business would have rejected. Traditional controls were built to defend the attack surface. The decision surface is new territory, and it is where agentic risk actually concentrates.
Security in the agentic enterprise is not only about keeping bad actors out. It is about governing what authorized machine actors are allowed to do.
What the existing controls cannot answer
Lay the enterprise's security stack against the decision surface and the gap is obvious. Identity and access management tells you who an actor is and what it may reach. Data-loss tooling watches whether data is leaving. Monitoring and SIEM tell you what happened, after it happened. Every one of these is valuable, and not one of them answers the question the agentic enterprise most needs answered: what is this authorized agent allowed to decide and do, in this context, right now. The controls govern access and observe history. They do not govern decisions in the moment they are made.
That is the space a delegation contract occupies, and why enforcement of it is a security function rather than a governance memo. Enforcement means the authority is evaluated before the action executes, not reviewed after; that a violation causes the action to be denied and halted rather than logged and shipped; that escalation routes a decision to a human when it exceeds the agent's bounds; and that every consequential decision leaves evidence sufficient to reconstruct it. Cybersecurity becomes the enforcement layer for delegated authority. This is not security acting as a blocker on innovation. It is the mechanism that lets an organization delegate real authority to machines and still sleep at night, which is the opposite of a blocker.
What operational technology already knows
There is a field that has spent decades governing machines that act with consequence in the physical world, and it is worth listening to. Operational technology security, the discipline of protecting the systems that run plants, grids, and pipelines, has never had the luxury of treating security as purely an access problem, because in its world a wrong action does not leak data, it moves a physical process. That constraint produced a set of instincts the agentic enterprise should borrow.
OT teaches that visibility is the precondition for everything: you cannot govern what you cannot see, and I have argued before that continuous monitoring is not the same as continuous awareness. It teaches safe interrogation, the discipline of touching a fragile system without breaking it, which is exactly the posture required when you introduce autonomy into a live enterprise process. It teaches operational constraints as first-class controls, hard limits that hold regardless of what a system decides it wants to do. It teaches fail-closed behavior, the principle that when a system is uncertain or degraded, the safe response is to stop rather than to press on. And it teaches a healthy caution about applying generic IT assumptions to environments where they do not fit. None of these transfer perfectly; an agent is not a controller and an enterprise is not a plant. But the underlying discipline, govern the action, not just the access, is precisely what the agentic enterprise now needs, and OT has been practicing it the whole time.
The turn Arc III takes
Framing security as the enforcement of delegated authority reorganizes the rest of this arc. If security has to govern what authorized machine actors do, then it first has to know, with precision, who those actors are and on whose behalf they act, which is a problem of identity that human-centered IAM does not solve. It has to reckon with what happens as those actors gain autonomy, which is the specific cyber risk of autonomous workflows. And it has to compose all of this into something coherent, a trust architecture, rather than a pile of point controls.
That is the work of the next three essays. The claim that unifies them is the one to carry forward from here. Security in the agentic enterprise is not only about keeping bad actors out. It is about governing what authorized machine actors are allowed to do, and that mandate turns cybersecurity from a defensive perimeter into the load-bearing structure of enterprise trust.
Continue the Conversation
For security leaders whose programs are still built entirely around access and intrusion, the agentic enterprise adds a second mandate: governing what authorized machine actors are permitted to do. That is the posture worth building toward now.
Start a conversation →Related Reading
The Architecture of Trust: Securing AI in Enterprise Environments
Organizations moving AI into production are discovering a security problem that was not salient during experimentation: the question of what the AI system is allowed to access, what it is allowed to do, and how the organization knows those boundaries are being respected.
Why AI Agents Need Contracts, Not Just Prompts
Prompts describe intent. Enterprises need contracts that define authority, boundaries, evidence, escalation, and accountability for delegated machine work. The Agent Delegation Contract is one emerging expression of that need.
Identity Beyond Humans
Enterprise identity was built for humans, applications, and service accounts. Agents introduce ephemeral, delegated, contextual identity, and demand that every machine action tie back to an accountable principal.
The Cyber Risk of Autonomous Workflows
As workflows move from deterministic automation to autonomous action, security must govern intent, provenance, permissions, and behavior. Autonomy is not the problem. Unbounded autonomy is.
These ideas are available as keynote presentations and executive briefings. Explore speaking topics →