Traditional security frameworks assume known assets, defined behaviors, and deterministic policies. Agentic AI breaks all three, requiring controls that are as dynamic as the systems they govern.
In multi-agent environments, tracing accountability back to the human who deployed an agent doesn’t hold up. Authorization needs to shift from identity-based to context- and intent-based, assessed dynamically at the action level.
The framework practitioners are building toward has four pillars: scoped identity, action-level authorization, deep observability, and containment.
Shadow AI is the hardest part of the supply chain problem. Closing it requires a centralized build-fail policy, visibility at the edge, and a runtime feedback loop that most organizations currently don’t have.
When an agent behaves unexpectedly, don’t deliberate. Agents are ephemeral software that can be killed and restarted in seconds, and building systems that can’t survive that intervention is itself an architectural mistake.
Security teams are being asked to govern systems that behave in ways that can’t be fully predicted, at a speed that humans can’t match, across environments changing so fast that policies can’t keep up.
That’s the agentic AI problem in a sentence. And it doesn’t have a clean solution yet.
At VibeSecCon Returns 2026 — a summit hosted by OX Security convening industry thought leaders to make sense of the rapidly evolving AI-driven SDLC landscape — a panel of CISOs worked through what governing these systems actually looks like on the ground.
Moderated by Rain Capital Managing General Partner Chenxi Wang, and joined by Pieter VanIperen of AlphaSense, Samir Sherif of Fastly, and Daniel Liber of Monday.com, the discussion covered the attribution problem, the collapse of traditional authorization models, supply chain risk, and the emerging framework practitioners are coalescing around.
Traditional security models rest on assumptions so basic that most teams have never had to question them. You know your assets. Your systems behave in defined ways. Your policies are deterministic. If a rule says don’t do X, X doesn’t happen.
Agentic AI breaks all three simultaneously.
Agents have goals, and they find paths to accomplish those goals, paths you didn’t specify, didn’t anticipate, and may not be able to audit after the fact. They don’t respond to administrative controls the way humans do.
As Chenxi framed it at the outset, agentic capabilities “introduce a very fundamentally different layer — they can behave in a way that you cannot predict in the beginning, or at least cannot easily predict. So, a lot of things are dynamic, and the controls have to be dynamic.”
An agent with access to a token it wasn’t supposed to find can wipe your infrastructure while trying to accomplish something completely routine. The intent is irrelevant by that point.
When something goes wrong, the instinct is to trace accountability back to the human who deployed the agent. That instinct doesn’t survive contact with how multi-agent systems actually work.
If a developer deploys an agent, which invokes another, which calls a third, which causes damage, who is responsible?
Pieter put it directly: holding the original human accountable is “kind of like saying that you’re gonna play a game of telephone with perhaps the seven most terrible people you know in your life, and then be held responsible for what the seventh person in that game of telephone does. It doesn’t really pan out in reality.”
This creates pressure to rethink authorization, which is something the industry hasn’t seriously revisited in decades. What’s emerging is a model built around context and intent rather than identity alone.
“If I want to cut down a tree in the forest, giving access to an axe makes a lot of sense,” Pieter added. “Giving access to a flamethrower doesn’t make sense. It doesn’t matter who I’m giving the access to.”
A practical framework is starting to crystallize. Daniel described how Monday.com has organized their approach into four buckets:
“One is identity, meaning every agent gets a scoped identity, no shared credentials, no standing access. The second one is action-level authorization, meaning high-impact operations require explicit approval. The third one is observability, meaning full telemetry, wherever available, on every tool call — with enough context for us to reconstruct what the agent was trying to accomplish. And the other one is containment, which is network segmentation or blast radius isolation.”
The sequencing matters. Containment, Daniel emphasized, is the right place to start. “If you focus on containment first, then whatever happens, it’s going to hurt less than if you don’t,” he said.
Defining consequence thresholds in advance, carefully, becomes one of the most important security decisions an organization makes.
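To make the four buckets concrete, here is an added example (not code from the panel, from Monday.com or from OX Security) of a minimal tool-call gateway that applies all four at the action level: a scoped, expiring identity per agent; explicit per-target approval for operations above a pre-decided consequence threshold; a log of every call with the agent's stated intent; and containment by network segment. The agents, tools, segment naming convention and calls are all constructed for illustration.

```python
"""Added example, not code from the panel or from OX Security: a minimal tool-call
gateway that applies the four pillars described above. Every agent, tool, segment
and call in this file is constructed for illustration."""
from dataclasses import dataclass, field
import json


@dataclass(frozen=True)
class AgentIdentity:
    """Pillar 1, scoped identity: one agent, its own short-lived credential,
    a fixed tool set and a single network segment. Nothing is shared."""
    agent_id: str
    allowed_tools: frozenset
    segment: str
    expires_at: float  # epoch seconds; no standing access


# Pillar 2, consequence thresholds decided in advance (constructed list):
# these operations never run without an explicit, per-target approval.
HIGH_IMPACT_TOOLS = frozenset({"delete_bucket", "rotate_credentials", "terminate_instances"})


def segment_of(target: str) -> str:
    """Constructed naming convention: targets look like 'segment:resource'."""
    return target.split(":", 1)[0]


@dataclass
class Gateway:
    # (agent_id, tool, target) triples a human has explicitly approved.
    approvals: set = field(default_factory=set)
    # Pillar 3, observability: every call is recorded with its stated intent.
    log: list = field(default_factory=list)

    def approve(self, agent_id: str, tool: str, target: str) -> None:
        self.approvals.add((agent_id, tool, target))

    def call(self, agent: AgentIdentity, tool: str, target: str, intent: str, now: float) -> str:
        """Decide a tool call and log it. Returns 'allow', 'hold' or 'deny'."""
        decision, reason = self._decide(agent, tool, target, now)
        self.log.append({
            "ts": now, "agent": agent.agent_id, "tool": tool, "target": target,
            "intent": intent, "decision": decision, "reason": reason,
        })
        return decision

    def _decide(self, agent: AgentIdentity, tool: str, target: str, now: float):
        if now >= agent.expires_at:
            return "deny", "credential expired"
        if tool not in agent.allowed_tools:
            return "deny", "tool outside scoped identity"
        # Pillar 4, containment: an agent never reaches outside its own segment,
        # so a confused or compromised agent's blast radius stays bounded.
        if segment_of(target) != agent.segment:
            return "deny", f"target segment {segment_of(target)!r} outside {agent.segment!r}"
        if tool in HIGH_IMPACT_TOOLS and (agent.agent_id, tool, target) not in self.approvals:
            return "hold", "high-impact operation awaiting explicit approval"
        return "allow", "within scope"

    def reconstruct(self, agent_id: str) -> str:
        """Replay what one agent tried to do, as JSON lines an analyst can read."""
        return "\n".join(json.dumps(e) for e in self.log if e["agent"] == agent_id)


def demo():
    """Constructed scenario: a support agent and an infrastructure cleanup agent.
    Returns (list of decisions, the gateway with its log)."""
    gw = Gateway()
    triage = AgentIdentity("triage-bot", frozenset({"read_ticket", "post_comment"}), "support", 2000.0)
    cleanup = AgentIdentity("cleanup-bot", frozenset({"delete_bucket"}), "infra", 2000.0)
    results = [
        gw.call(triage, "read_ticket", "support:ticket-4711", "summarise customer issue", now=1000.0),
        # Routine goal, dangerous path: the triage agent found its way to a delete tool.
        gw.call(triage, "delete_bucket", "infra:old-logs", "free disk space", now=1001.0),
        # Right agent, right segment, but above the consequence threshold: held.
        gw.call(cleanup, "delete_bucket", "infra:old-logs", "retire log bucket", now=1002.0),
    ]
    gw.approve("cleanup-bot", "delete_bucket", "infra:old-logs")
    results.append(gw.call(cleanup, "delete_bucket", "infra:old-logs", "retire log bucket", now=1003.0))
    # Approved tool, wrong segment: containment refuses it regardless of intent.
    results.append(gw.call(cleanup, "delete_bucket", "support:ticket-db", "retire log bucket", now=1004.0))
    # Credential aged out: no standing access.
    results.append(gw.call(cleanup, "delete_bucket", "infra:old-logs", "retire log bucket", now=2500.0))
    return results, gw


if __name__ == "__main__":
    decisions, gateway = demo()
    print(decisions)
    print(gateway.reconstruct("cleanup-bot"))
```

The order of checks is deliberate: identity and containment are evaluated before the approval check, so an approval can never widen an agent's scope or segment, and the "hold" outcome gives a human the action, the target and the stated intent together rather than a bare request for access.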
Most governance conversations focus on the agents you know about. The harder problem is the coding agent a developer installed last Tuesday that’s now operational in your environment, talking to your systems, and completely outside your visibility.
This is shadow IT for the AI era, and it’s happening everywhere.
“Half of the world’s internet traffic is automated,” Samir said. “With AI, it’s truly accelerating how we push code to production — but at the end of the day, we’re really talking about expanding the API and agent surface much faster than we probably can keep up with.”
The response requires three things:
A centralized build-fail policy
Genuine visibility at the edge
A closed runtime feedback loop
“The attack surface is increasing, there are faster exploits happening, but you’ve got to get that loop back so that you can manage it,” Samir added. “Because right now, it’s universally broken.”
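As an added illustration of the three requirements above (not code from the panel, from Fastly or from OX Security), the following sketches a centralized build-fail policy for AI components that is closed by a runtime feedback loop: the pipeline fails when a team declares a component the central policy does not approve, and anything observed in use at runtime that the team never declared is fed back into the same evaluation as shadow AI. The policy, the declared manifest and the runtime observations are all constructed sample data.

```python
"""Added example, not from the panel or from OX Security: a central build-fail
policy for AI components (models, MCP servers, skills) closed by a runtime
feedback loop. All policy entries, manifests and observations are constructed."""
from dataclasses import dataclass

# Central policy, owned by security and consumed by every pipeline (constructed).
# Components are (kind, name) pairs.
POLICY = {
    "approved": {
        ("model", "vendor-x/chat-large"),
        ("mcp_server", "github-mcp"),
        ("skill", "ticket-triage"),
    },
    "blocked": {("mcp_server", "shell-exec-mcp")},
}


@dataclass(frozen=True)
class Finding:
    kind: str
    name: str
    source: str   # "manifest" (declared by the team) or "runtime" (observed at the edge)
    verdict: str  # "block" fails the build, "warn" needs the manifest updated


def evaluate(manifest, runtime_observed):
    """Return (build_passes, findings). Fails closed: anything not approved blocks."""
    declared = set(manifest)
    findings = []
    for comp in sorted(declared):
        if comp not in POLICY["approved"] or comp in POLICY["blocked"]:
            findings.append(Finding(*comp, "manifest", "block"))
    # Feedback loop: a component seen at the edge but never declared is shadow AI.
    # If it is approved, the team only has to declare it; otherwise it blocks.
    for comp in sorted(set(runtime_observed) - declared):
        verdict = "warn" if comp in POLICY["approved"] and comp not in POLICY["blocked"] else "block"
        findings.append(Finding(*comp, "runtime", verdict))
    return not any(f.verdict == "block" for f in findings), findings


def report(findings) -> str:
    """One line per finding, in the form a CI log would show."""
    return "\n".join(f"[{f.verdict.upper()}] {f.kind} {f.name} (seen in {f.source})" for f in findings)


# Constructed sample: what the team declared versus what the edge actually saw.
MANIFEST = [("model", "vendor-x/chat-large"), ("mcp_server", "github-mcp")]
OBSERVED = [
    ("mcp_server", "github-mcp"),        # declared and approved: no finding
    ("skill", "ticket-triage"),          # approved but undeclared: warn, update manifest
    ("mcp_server", "shell-exec-mcp"),    # centrally blocked: fail the build
    ("mcp_server", "filesystem-mcp"),    # never reviewed: fail closed
]


if __name__ == "__main__":
    ok, found = evaluate(MANIFEST, OBSERVED)
    print(report(found))
    print("build passes" if ok else "build FAILED")
```

Running it on the sample data fails the build on two runtime-only components and warns on a third, which is the point of closing the loop: a build-time check alone would have passed this manifest, because everything the team declared was approved.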
What should practitioners actually do when an agent behaves unexpectedly in production? Is the instinct toward careful deliberation before acting the right one?
“Be violent with your agents,” Pieter said. “They are agents, they are pieces of software… We can rebuild these pieces of software. There is no reason to keep something that seems dangerous operating — there really isn’t. And if you’re building a system with agents where that is going to be the case, you should go back to the drawing board and figure out a different route — where you can sustain what you need to do, but you can literally, at the snap of a finger, just start over.”
If your agentic system can’t survive being killed and restarted on demand, that’s a design flaw.
The same instinct that lets ransomware spread (teams reluctant to hit the big red button) is the one that will let a misbehaving agent compound its damage while security teams deliberate. The goal is agentic systems resilient by design, where spinning down a compromised agent and spinning up a clean one is routine, not a crisis.
Being violent with your agents isn’t recklessness. It’s what resilience actually looks like when the thing you’re securing can be rebuilt in seconds.
Observability requires a continuous, granular record of agent activity across every prompt, tool call, and MCP interaction with enough context to reconstruct intent, not just action. Containment requires real-time visibility into everything operating in your environment, including models, skills, hooks and MCP servers you may not have sanctioned.
Supply chain governance requires a control plane that enforces consistent policy across every team and tool, including the ones that arrived without formal approval.
Within the OX Security Platform, VibeSec’s Agent Activity Log maintains continuous visibility into agent activity across all prompts, tools, MCPs and commands — the audit trail that makes real observability possible. VibeSec AI BOM, AI Usage Controls and Skill Scanning all help catch supply chain risk early.
You can afford to be aggressive at runtime and act decisively when something looks wrong precisely because the upstream controls are doing their job. That’s what turns “be violent with your agents” from a posture into an operational reality.
The post “Be Violent With Your Agents”: The Hard Truths of Governing Agentic AI appeared first on OX Security.