Why agents break your existing security model
Traditional controls assume a human approves each sensitive action. Agents eliminate that pause — a single injected prompt can exfiltrate data, create credentials, or modify production systems in under two seconds. The core assumption your DLP and SIEM were built around, that a person stands between intent and action, no longer holds.
The four attack surfaces unique to agents
System prompts are injectable via document retrieval. Tool permissions are almost always over-privileged at build time. The reasoning loop is vulnerable to indirect injection mid-chain. And the output sink — where results land — is rarely inspected at all. You must cover all four.
Per-tool-call policy enforcement
The most effective control is evaluating every tool call against a policy engine before it executes: does this call match the user's entitlements, the session context, and the data classifications in scope? This catches over-reach mid-chain, before damage occurs.
Standing it up in 30 days
Week 1: inventory every agent and map its tools. Week 2: apply least-privilege permissions and explicit scope grants. Week 3: deploy inline inspection on tool inputs and outputs. Week 4: pipe all agent activity to your SIEM with structured logs and anomaly alerts.
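As an added example (not from this article and not any vendor's product code) of the per-tool-call policy check described above and the Week 3/4 inline inspection and structured logging steps, in Python: a deny-by-default evaluator that checks each tool call against the session's scope grants, its data clearance and a human-approval requirement for sensitive actions, and emits one JSON line per decision for the SIEM. The tool names, classification ranks and session values are constructed for the demonstration.

```python
import json
from dataclasses import dataclass, field

# Constructed sensitivity order for data classifications (assumption, not from the article).
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
@dataclass
class Session:
    user: str
    entitlements: set            # explicit scope grants, e.g. {"crm:read"}
    clearance: str               # highest data class this session may touch
    human_approved: set = field(default_factory=set)  # call ids a human signed off
@dataclass
class ToolCall:
    call_id: str
    tool: str
    action: str
    data_class: str
    sensitive: bool = False      # money movement, credential creation, prod changes

def evaluate(session: Session, call: ToolCall):
    """Deny-by-default check of one tool call. Returns (allowed, reason)."""
    needed = f"{call.tool}:{call.action}"
    if needed not in session.entitlements:
        return False, f"missing entitlement {needed}"
    if CLASS_RANK.get(call.data_class, 99) > CLASS_RANK[session.clearance]:
        return False, f"{call.data_class} data exceeds clearance {session.clearance}"
    if call.sensitive and call.call_id not in session.human_approved:
        return False, "sensitive action has no human approval"
    return True, "allowed"

def enforce(session: Session, call: ToolCall, audit: list) -> bool:
    """Gate the call and append one JSON log line per decision for the SIEM."""
    allowed, reason = evaluate(session, call)
    audit.append(json.dumps({"event": "agent_tool_call", "user": session.user,
                             "call_id": call.call_id, "tool": call.tool, "action": call.action,
                             "data_class": call.data_class, "reason": reason,
                             "decision": "allow" if allowed else "deny"}))
    return allowed

def demo():
    """Constructed session: an ops agent with read-only CRM scope at internal clearance."""
    session = Session("ops-agent", {"crm:read", "payments:transfer"}, "internal", {"c4"})
    calls = [ToolCall("c1", "crm", "read", "internal"),                     # in scope
             ToolCall("c2", "crm", "read", "confidential"),                 # over clearance
             ToolCall("c3", "crm", "update", "internal"),                   # no write grant
             ToolCall("c4", "payments", "transfer", "internal", True),      # human approved
             ToolCall("c5", "payments", "transfer", "internal", True)]      # unapproved
    audit = []
    return {c.call_id: enforce(session, c, audit) for c in calls}, audit
```

Only c1 and c4 pass; the other three are denied before execution and every decision, allowed or not, lands in the audit list as a structured record.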
The board question you will face
"Can an agent move money or access patient records without human approval?" You need the answer to be no, and you need evidence. Start building that audit trail now — retrofitting it after an incident is far more expensive.