Secure AI Agents to Accelerate Business Transformation

Malik Haidar has spent his career at the intersection of business strategy and high-stakes cybersecurity, protecting multinational assets from sophisticated actors by bridging the gap between technical intelligence and corporate risk. Today, he focuses on the explosive growth of AI agents—autonomous entities that do more than just answer questions; they plan, chain actions, and act within enterprise systems with minimal human oversight. This conversation explores the shift from static security to dynamic agent governance, focusing on how organizations can maintain visibility and control as they prepare to deploy tens of thousands of agents across cloud environments. We dive into the necessity of distinct agent identities, the critical difference between data permissions and functional capabilities, and the emerging discipline of intent-based enforcement to ensure AI remains an accelerator rather than a liability.

AI agents now execute workflows and call tools with minimal human oversight. How does this autonomy shift the threat landscape compared to traditional software, and what specific failure modes emerge when agents reason and act continuously across enterprise systems?

Traditional software operates within a rigid script, but AI agents use reasoning to solve problems, which introduces a visceral sense of unpredictability for security teams used to static environments. This shift means we are no longer just fighting external hackers but also managing internal logic failures where an agent might “hallucinate” a path to a goal that violates security protocols. For example, a research agent exposed to a malicious web page could ingest poisoned instructions and then pass those instructions to a trusted financial agent, triggering a disastrous and unintended disclosure of sensitive data. It is a chilling scenario where a single logic error in a chain of autonomous actions can cascade into a massive system failure that traditional firewalls simply aren’t built to detect. We must address these AI-native attacks, like prompt injection and memory poisoning, because they allow a workflow to be compromised from the inside out while technically appearing legitimate.

Large organizations are projected to deploy tens of thousands of concurrent agents, many of which may appear as “shadow agents” in cloud environments. What are the practical steps for maintaining a continuous discovery process, and how should teams track agents that evolve or fork over time?

The sheer scale of this transition is staggering, with enterprise leaders expecting to manage tens of thousands of these entities within a narrow window of just 12 to 18 months. Because developers can fork or modify agents in a heartbeat, a static spreadsheet or a manual yearly audit is essentially useless for tracking the true attack surface. To combat the rise of “shadow agents,” security leaders must implement a discovery engine that identifies every agent, who birthed it, and exactly what tools it has the power to invoke in real-time. It feels like a high-speed chase where the landscape changes every minute, necessitating a persistent inventory that updates the moment a new agent communicates with a cloud platform or a developer environment. Without this persistent visibility, you cannot possibly govern access or demonstrate compliance to regulators who are increasingly wary of unmanaged AI sprawl.

Agents often inherit powerful system-level access or operate under human identities by default. Why is a distinct, managed identity necessary for every agent, and what specific lifecycle stages should be used to govern these identities to prevent an unmanaged increase in the attack surface?

Allowing an agent to “borrow” a human identity is a recipe for catastrophe because it erases the audit trail and massively expands the blast radius of any automated error. Every agent must be treated as a first-class citizen with its own unique, managed identity that covers its entire lifecycle from initial deployment to eventual decommissioning. This distinct identity allows security teams to authenticate and authorize specific actions, ensuring that an agent running on an endpoint doesn’t suddenly inherit system-level permissions it has no business using. Without explicit governance, these agents become invisible ghosts in the machine, executing tasks continuously while leaving the organization blind to who—or what—is actually making decisions. By managing these identities with the same rigor we use for employees or service accounts, we create the containment layers necessary to stop a malfunctioning agent before it traverses the entire network.

An agent designed for a specific task might be granted access to general-purpose tools, like scripting environments, that exceed its requirements. How do you distinguish between data permissions and functional capabilities, and what is the step-by-step process for narrowing an agent’s authority without breaking its utility?

In the world of AI, we often confuse what an agent can see with what it can do, but the latter is where the most dangerous risks reside for the modern enterprise. An HR agent might legitimately need to see resume data to fulfill its mission, but if it is granted access to a general-purpose scripting tool, it could use that power to exfiltrate every file it finds or modify system settings. Narrowing authority requires a cold, hard look at capability design; if an agent doesn’t need to execute arbitrary code or traverse networks to do its job, those “excessive agency” tools must be stripped away immediately. The process starts by defining the specific mission of the agent and then building a custom, restricted toolbox that excludes any command or API that isn’t strictly necessary for that single goal. This ensures that even if an agent is manipulated, its potential for harm is strictly limited by the narrow scope of the tools it is allowed to hold.

Agents frequently summarize sensitive content, pass context to other agents, and store information in memory. How can data security policies be extended to monitor these fluid agent-to-agent workflows, and what are the biggest hurdles in auditing these interactions to ensure regulatory compliance?

Traditional data security stops at the edge of the application or the browser, but AI agents create a fluid, tangled web of interactions that renders those old boundaries completely obsolete. Policies must now follow the data as it is summarized, transformed into derivative insights, and passed through various agent-to-agent communication paths across the organization. The challenge is immense because you aren’t just auditing a simple file access; you are auditing the prompts, the responses, and the “memory” that agents persist and build upon over time. To stay compliant and maintain internal trust, we have to enforce classification and monitoring across every tool interaction and API call, ensuring that sensitive context isn’t leaked during a complex reasoning process. This is the only way to prevent oversharing and ensure that agent-generated outputs remain within the safety guardrails defined by the organization.

Security risks often arise when an agent’s behavior drifts from its original purpose, even if its actions are technically permitted. How can organizations implement real-time, intent-based enforcement, and what indicators suggest an agent has been manipulated or is malfunctioning during a live workflow?

Real-time enforcement in the AI era is about looking past whether an action is “allowed” and asking the more important question: was this action “intended”? We define intent through three lenses: the organization’s overarching compliance policies, the developer’s original design for the agent, and the user’s specific request in the moment. When an agent starts accessing data completely unrelated to its current task or attempting to execute system commands that fall outside its defined mission, that drift is a flashing red light for manipulation or malfunction. By implementing systems that can detect and block these unintended actions even when permissions are technically valid, we can keep agents “on mission” at all times. This approach provides a durable defense against sophisticated prompt injections and ensures that logic errors do not turn into full-scale security breaches during a live workflow.
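The three answers above, on giving every agent its own managed identity with a lifecycle, on separating what an agent may see from what it may do, and on blocking actions that are permitted but not intended, can be made concrete with a small policy gateway placed between an agent and its tools. The following Python is an added example written for this page, not code from Malik Haidar or from any product he describes; the agent record, the tool catalogue, the data-class labels, the provenance flag and the sample HR agent are all constructed assumptions. It checks, in order, that the caller presents its own managed identity and that the identity is still active, that the tool is in the agent's capability allowlist (regardless of what data it may read), that the data class is in scope, that the action concerns the data the current task is about even when it is permitted, and that side-effecting calls are not driven by arguments lifted from untrusted retrieved content.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str            # the agent's own managed identity, never a borrowed human account
    owner: str               # who created it, for the discovery inventory
    mission: str             # the developer's intended purpose
    data_scope: frozenset    # data classes the agent may SEE
    tools: frozenset         # tools the agent may INVOKE (functional capabilities)
    status: str = "active"   # lifecycle state: provisioned, active, decommissioned


# Hypothetical tool catalogue (an assumption for this example). Each tool declares
# the data class it touches and its effect; "any" marks a general-purpose tool
# such as a shell, whose reach is not bounded by a single data class.
TOOL_CATALOGUE = {
    "read_resume":  {"data": "resume",  "effect": "read"},
    "read_payroll": {"data": "payroll", "effect": "read"},
    "send_email":   {"data": "any",     "effect": "write"},
    "run_script":   {"data": "any",     "effect": "execute"},
}


@dataclass
class ToolCall:
    agent_id: str
    tool: str
    args: dict
    task_data: str                   # data class the user's current request is about
    arg_provenance: str = "trusted"  # "untrusted" when args were derived from retrieved content


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT = []  # every decision is recorded against the agent's own identity, allowed or not


def authorize(identity: AgentIdentity, call: ToolCall) -> Decision:
    """Decide one tool call; checks run from identity, to capability, to data, to intent."""
    spec = TOOL_CATALOGUE.get(call.tool)
    if identity.status != "active":
        d = Decision(False, f"identity {identity.agent_id} is {identity.status}")
    elif call.agent_id != identity.agent_id:
        d = Decision(False, "caller does not match the managed identity")
    elif spec is None:
        d = Decision(False, f"unknown tool {call.tool}")
    # capability check: what the agent may DO, independent of what it may see
    elif call.tool not in identity.tools:
        d = Decision(False, f"capability {call.tool} not granted")
    # data check: what the agent may SEE
    elif spec["data"] != "any" and spec["data"] not in identity.data_scope:
        d = Decision(False, f"data class {spec['data']} outside scope")
    # intent check: permitted, but does it match what the current task is about?
    elif spec["data"] != "any" and spec["data"] != call.task_data:
        d = Decision(False, f"drift: touches {spec['data']} while task concerns {call.task_data}")
    # injection check: side effects driven by content the agent read are refused
    elif call.arg_provenance == "untrusted" and spec["effect"] in ("write", "execute"):
        d = Decision(False, "arguments originate from untrusted content")
    else:
        d = Decision(True, "on mission")
    AUDIT.append((identity.agent_id, call.tool, d.allowed, d.reason))
    return d


def decommission(identity: AgentIdentity) -> AgentIdentity:
    """Lifecycle end: the identity stays in the inventory but can no longer act."""
    return replace(identity, status="decommissioned")


# Constructed sample identity: an HR agent that may see resumes and payroll data
# but was never granted a scripting tool.
HR_AGENT = AgentIdentity(
    agent_id="hr-screener-01", owner="hr-platform-team", mission="screen resumes",
    data_scope=frozenset({"resume", "payroll"}),
    tools=frozenset({"read_resume", "read_payroll", "send_email"}),
)

if __name__ == "__main__":
    for call in [
        ToolCall("hr-screener-01", "read_resume", {"candidate": "c-17"}, "resume"),
        ToolCall("hr-screener-01", "run_script", {"cmd": "tar czf /tmp/x /data"}, "resume"),
        ToolCall("hr-screener-01", "read_payroll", {"employee": "e-42"}, "resume"),
        ToolCall("hr-screener-01", "send_email", {"to": "x@example.com"}, "resume", "untrusted"),
    ]:
        print(call.tool, authorize(HR_AGENT, call))
```

Running the block prints one decision per sample call. The payroll read is refused not because the HR agent lacks the permission but because the task in flight concerns resumes, which is the drift signal the answer describes; the script call fails the capability check before its arguments are even looked at. Each decision lands in AUDIT under the agent's own identifier rather than a human user's, so the trail survives whether the call was allowed or blocked, and a decommissioned identity is rejected outright while remaining visible to the inventory.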

What is your forecast for AI agent security?

I believe we are entering a pivotal era where security will transform from a restrictive gatekeeper into the primary accelerator for AI transformation within the global enterprise. Over the next few years, the organizations that thrive will be those that have moved beyond human-centric controls to architect autonomous systems that are visible, accountable, and strictly constrained by design. As we move from small-scale pilot projects to managing tens of thousands of concurrent agents, the focus will shift entirely to intent-based enforcement and identity governance as the new bedrock of digital trust. Ultimately, when security and compliance are embedded into the DNA of these agentic systems from day one, it creates a foundation that allows companies to scale AI with a level of confidence and speed that was previously impossible. The goal isn’t just to stop threats; it’s to build a resilient environment where AI agents can operate at full capacity without compromising the integrity of the business.
