AI Agents Are Everywhere — But Who Controls What They Do?
Artificial intelligence agents are no longer a distant promise — they are becoming part of everyday business operations. They schedule meetings, process documents, make automated decisions, and even interact with customers in real time. But the more these agents gain ground within organizations, the more an urgent question takes center stage: who controls what these agents can do and access?
That was exactly the question driving the conversation at Axios Live Expert Voices, a roundtable held in Washington on April 21, moderated by journalist Sam Sabin and sponsored by Okta. Cybersecurity leaders from companies like Mastercard, IBM, Keyfactor, Illumio, and Rook9 sat down to discuss a topic that is keeping a lot of people in the tech industry up at night.
The agenda was straightforward: the identity of AI agents, access control over what they can and cannot do, and the security of organizations that deploy them, as well as the customers who interact with them. The conversation was no-nonsense, and the takeaways made it crystal clear that this is not a discussion for the future — it is urgent right now. 🔐
The Real Problem: AI Agents Are Entities Without a Defined Identity
When an employee joins a company, they go through an authentication process, receive credentials, get assigned permissions, and are held accountable for their actions. With artificial intelligence agents, that process is still murky. They execute tasks, access systems, query databases, and interact with external APIs — but in many cases, without a clear and traceable identity.
This creates a dangerous gap: if the agent makes a wrong decision or accesses something it should not have, who is responsible? The company? The developer? The AI system itself? This lack of clarity was one of the central issues raised at the roundtable.
Ellen Boehm, Senior Vice President of IoT and AI Identity Innovation at Keyfactor, brought a particularly insightful perspective to the conversation. According to her, AI agents should be treated as a new type of workload within the corporate environment. They are entities that receive permissions to perform specific tasks, but they need to be authenticated and limited to certain systems and datasets. In her words, there is no need to reinvent the policies that already exist for the corporate environment — the challenge is scale, because these agents can be spun up and decommissioned rapidly, creating a much larger volume of identities to manage.
The experts at the event pointed out that the rapid growth of agent usage in corporate operations has created a kind of gray zone in access and identity management. Unlike traditional software that executes well-defined tasks within fixed parameters, an AI agent can take unpredictable paths to achieve a goal. It might, for instance, pull information from sources that were not anticipated, share data with other systems, or carry out a chain of actions that span multiple platforms. Without a clear identity and control policy, this becomes a real security risk for any organization.
The analogy some of the participants used was spot-on: treating an AI agent as if it were just another piece of software is the same mistake as treating an industrial robot as if it were a calculator. The complexity is on a completely different level, and security policies need to keep up. That means companies need to start thinking about how to assign a functional identity to these agents, with granular permissions, action traceability, and well-defined boundaries for how far they can go within corporate systems. 🤖
LLMs and Agentic Commerce: The Mastercard Case
One of the most interesting points raised at the event came from Kaushik Gopal, Executive Vice President of Insights and Intelligence at Mastercard. He explained that large language models (LLMs) are driving the agentic journey in the payments industry. The company’s clients see these technologies as both a force multiplier and a risk.
That makes sense in context: imagine an AI agent executing financial transactions on behalf of a user. In that scenario, three elements are essential — the intent behind the action (what the user actually authorized, such as a merchant and a spending limit), the consent of the user (explicit, verifiable authorization for the agent to act), and the verifiable identity of the agent (so the party presenting that authorization is the one it was granted to). As agentic commerce becomes more prevalent, these three pillars need to be rock-solid for the ecosystem to operate reliably.
Gopal stressed that these concerns sit at the very top of the priority list for Mastercard’s clients. And for good reason. When money is involved, any identity failure or unauthorized access can have massive financial and legal consequences. The message was clear: the payments industry has already figured out that AI agents need to operate within strict boundaries, and that the identity infrastructure must evolve to handle this new reality.
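One way to make those three pillars concrete is to have the user sign a bounded mandate that names the agent, and to have the payment side verify all three before anything moves. The following is an added example written for this article; it is not Mastercard's scheme or any vendor's code. Assumptions (hypothetical): the user's device and the verifier share an HMAC key, and the mandate is a small JSON document. In practice an asymmetric signature (for example, from the user's passkey) and a revocation check would replace the shared key; the binding logic is the same.

```python
"""Verify a user-signed payment mandate before an agent may transact.

Added illustration, not a real payment network's protocol. Assumption
(hypothetical): a shared HMAC key stands in for the user's signing key.
"""
import hashlib
import hmac
import json
import time

# Constructed sample key shared by the user's device and the verifier.
USER_KEY = b"demo-user-signing-key-not-for-real-use"


def canonical(obj):
    """Deterministic JSON bytes so signer and verifier hash identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_mandate(mandate, key):
    """User consents to a bounded intent for one named agent."""
    signed = dict(mandate)
    signed["sig"] = hmac.new(key, canonical(mandate), hashlib.sha256).hexdigest()
    return signed


def verify_transaction(signed_mandate, request, authenticated_agent_id, key, now=None):
    """Return (ok, reason). All three pillars must hold:
    consent  -> signature over the mandate is valid and the mandate is unexpired,
    identity -> the agent presenting it is the agent the user named,
    intent   -> the requested transaction stays inside the mandate's bounds."""
    now = time.time() if now is None else now
    body = {k: v for k, v in signed_mandate.items() if k != "sig"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed_mandate.get("sig", "")):
        return False, "consent: bad signature"
    if now > body["exp"]:
        return False, "consent: mandate expired"
    if body["agent_id"] != authenticated_agent_id:
        return False, "identity: mandate issued to a different agent"
    intent = body["intent"]
    if request["merchant"] != intent["merchant"]:
        return False, "intent: merchant not authorized"
    if request["currency"] != intent["currency"]:
        return False, "intent: currency mismatch"
    if request["amount"] > intent["max_amount"]:
        return False, "intent: amount exceeds authorized maximum"
    return True, "ok"


# Constructed sample: user "alice" lets agent "travel-bot-7" spend up to 450 USD
# at one merchant, for one hour.
SAMPLE_MANDATE = sign_mandate({
    "user": "alice",
    "agent_id": "travel-bot-7",
    "intent": {"merchant": "example-airline", "max_amount": 450.00, "currency": "USD"},
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
}, USER_KEY)


def demo():
    """Apply the checks a gateway would run; returns each case's (ok, reason)."""
    t = 1_700_000_100
    req = {"merchant": "example-airline", "amount": 399.00, "currency": "USD"}
    results = {}
    results["valid"] = verify_transaction(SAMPLE_MANDATE, req, "travel-bot-7", USER_KEY, now=t)
    results["over_limit"] = verify_transaction(
        SAMPLE_MANDATE, dict(req, amount=500.00), "travel-bot-7", USER_KEY, now=t)
    results["wrong_agent"] = verify_transaction(
        SAMPLE_MANDATE, req, "other-bot", USER_KEY, now=t)
    # An agent that rewrites its own limit breaks the user's signature.
    tampered = dict(SAMPLE_MANDATE)
    tampered["intent"] = dict(SAMPLE_MANDATE["intent"], max_amount=9000.00)
    results["tampered"] = verify_transaction(
        tampered, dict(req, amount=5000.00), "travel-bot-7", USER_KEY, now=t)
    results["expired"] = verify_transaction(
        SAMPLE_MANDATE, req, "travel-bot-7", USER_KEY, now=1_700_009_000)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} {'ALLOW' if ok else 'DENY '} {reason}")
```

The order of checks matters: the signature is verified before any field is trusted, so an agent cannot influence the outcome by editing the mandate it presents, and the agent identity is taken from the authenticated session rather than from the document.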
People Managers Are Now Bot Managers Too
Another standout moment from the roundtable came from Anne Marie Zettlemoyer, CSO at Rook9, who shared a reflection that catches a lot of people off guard. According to her, every manager’s role now extends beyond managing people — it includes managing AI agents as well. And most managers are completely unprepared for that.
Zettlemoyer explained that the pressure comes from the top. Boards of directors and company leadership are pushing to adopt AI as fast as possible, creating a race to market. But right behind that comes the brakes: how do you make sure the access granted to an agent is not just secure, but also intentional? That tension between speed of adoption and responsibility in configuring permissions is one of the biggest challenges organizations face right now.
It is a significant cultural shift. A team manager now needs to understand not only the competencies of their human team members, but also the capabilities, limitations, and risks of the AI agents operating under their oversight. This demands a new mindset and, most likely, new internal governance processes that are still being figured out. 🧠
Controlled Access: A Frontier Still Under Construction
One of the topics that dominated much of the roundtable discussion was access control. When it comes to humans in a corporate environment, there is already a reasonably well-established framework of role-based access policies, multi-factor authentication, and periodic permission reviews. But when the subject is artificial intelligence agents, that framework either barely exists or is being built from scratch.
Companies like Okta, which sponsored the event, are working in exactly that direction: building layers of identity and access that make sense for non-human entities operating autonomously within critical systems. Harish Peri, Senior Vice President and General Manager of AI Security at Okta, made some pointed observations in his opening remarks. According to him, the rise of AI agents has sparked a true renaissance moment for the digital identity industry.
Peri was emphatic in saying that everything the industry once held true about software has become obsolete. The core problem, he explained, is that the entity on the other side of the interaction is no longer a program built by a human. It is now a program that has, in a sense, a will of its own — capable of making decisions about which tools to access. And in a world like that, the role of identity and authorization has never been more important.
The leaders at the event were unanimous on one point: the principle of least privilege — which states that any entity, whether human or not, should only have access to what it needs to perform its function — must be applied even more rigorously when it comes to AI agents. That is because a misconfigured or compromised agent can cause damage on a far greater scale than an employee with unauthorized access. The speed at which an agent operates, combined with its ability to interact with multiple systems simultaneously, turns a security gap into a potentially devastating attack vector for an entire organization.
Another point raised was the need for continuous auditing mechanisms for agents. It is not enough to set permissions at deployment and forget about them. Permissions need to be reviewed regularly, activity logs need to be monitored, and any behavior outside the norm needs to trigger immediate alerts, which presupposes that every agent action is logged against the agent's identity and that a baseline of normal activity exists to compare against. This more dynamic and responsive approach to access control is what separates organizations that are truly ready to operate with artificial intelligence agents from those that are just experimenting without thinking about the consequences. 🔎
A Lot of People Think They Understand AI, But They Really Do Not
Gary Barlet, CTO of the Public Sector at Illumio, made an observation that resonated strongly in the room: the biggest challenge is that a lot of people think they understand artificial intelligence, but they do not truly grasp what is happening under the hood. It is a simple observation, but the implications are enormous.
When decision-makers do not understand how AI agents actually operate, they tend to underestimate the risks or overestimate the capabilities of these tools. Barlet noted that, fortunately, people are starting to recognize the need for guardrails to ensure AI only accesses the right resources. But that recognition is still in its early stages, and there is a long road between seeing the need and implementing effective solutions.
Frameworks and Harnesses: How IBM Approaches Agent Governance
Alice Fakir, Senior Partner and Vice President at IBM, shared how the company has been working in practice to contain the risks associated with AI agents. IBM builds what she called harnesses around its agents. These harnesses apply a governance framework that clearly defines what the agent can and cannot do.
A particularly interesting detail from Fakir’s remarks was the mention of agent alter egos — essentially, the possibility of a hidden agent operating inside another agent. It sounds like science fiction, but it is a real concern. Without the right frameworks in place, an agent could be manipulated or exploited to execute actions outside its original scope. The harnesses IBM has built are designed precisely to prevent these hidden layers of behavior from surfacing, strictly limiting the scope of each agent’s operations.
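The least-privilege and continuous-auditing points from the access-control section, and the harness idea described here, fit together in a single enforcement layer that sits between an agent and its tools. The following is an added example written for this article, not IBM's, Okta's, or any vendor's implementation. Assumptions (hypothetical): tools are plain Python callables, each agent is a registry record with an accountable owner, a scope set and an expiry, an agent spawned by another agent can only inherit a subset of its parent's scopes (so a hidden agent inside another agent cannot exceed its host's authority), every decision is written to an audit list, and "outside the norm" is approximated by a threshold on out-of-scope attempts. A real deployment would back the registry with the identity provider and ship the audit entries to the SIEM.

```python
"""Minimal harness around agent tool calls: identity, least privilege,
delegation attenuation, audit trail and alerting on out-of-scope attempts.

Added illustration; not any vendor's product. Assumption (hypothetical):
a repeated out-of-scope attempt is the "outside the norm" signal.
"""
from dataclasses import dataclass
import time


class HarnessDenied(Exception):
    """Raised for any call the harness refuses to forward."""


@dataclass
class AgentIdentity:
    agent_id: str
    owner: str            # accountable human or team
    scopes: frozenset     # least privilege: the only tools this agent may call
    expires_at: float
    parent: str = ""      # set when this agent was spawned by another agent


class Harness:
    def __init__(self, tools, now=time.time, deny_threshold=3):
        self.tools = tools            # tool name -> callable
        self.now = now                # injectable clock (for tests and replay)
        self.deny_threshold = deny_threshold
        self.agents = {}
        self.audit = []               # one entry per decision, keyed to an agent id
        self.alerts = []
        self._denials = {}            # agent id -> consecutive out-of-scope attempts

    def register(self, agent_id, owner, scopes, ttl):
        """Issue a short-lived identity; scopes must name known tools only."""
        unknown = set(scopes) - set(self.tools)
        if unknown:
            raise ValueError(f"unknown tools in scope: {sorted(unknown)}")
        ident = AgentIdentity(agent_id, owner, frozenset(scopes), self.now() + ttl)
        self.agents[agent_id] = ident
        self._log(agent_id, "register", None, "ok")
        return ident

    def spawn(self, parent_id, child_id, requested_scopes, ttl):
        """Attenuation: a nested agent receives the intersection of what it asks
        for and what its parent holds, and never outlives the parent identity."""
        parent = self._live(parent_id)
        granted = frozenset(requested_scopes) & parent.scopes
        dropped = sorted(set(requested_scopes) - granted)
        child = AgentIdentity(child_id, parent.owner, granted,
                              min(parent.expires_at, self.now() + ttl), parent_id)
        self.agents[child_id] = child
        self._log(child_id, "spawn", None, f"granted={sorted(granted)} dropped={dropped}")
        return child

    def call(self, agent_id, tool, *args):
        """Authorize, record, then forward the tool call."""
        try:
            ident = self._live(agent_id)
        except HarnessDenied as exc:
            self._log(agent_id, "call", tool, f"denied: {exc}")
            raise
        if tool not in ident.scopes:
            count = self._denials[agent_id] = self._denials.get(agent_id, 0) + 1
            self._log(agent_id, "call", tool, "denied: out of scope")
            if count == self.deny_threshold:
                self.alerts.append((agent_id, f"{count} out-of-scope calls; "
                                    "possible prompt injection or misconfiguration"))
            raise HarnessDenied(f"{agent_id} may not call {tool}")
        self._denials[agent_id] = 0
        result = self.tools[tool](*args)
        self._log(agent_id, "call", tool, "ok")
        return result

    def _live(self, agent_id):
        ident = self.agents.get(agent_id)
        if ident is None:
            raise HarnessDenied(f"unknown agent {agent_id}")
        if self.now() > ident.expires_at:
            raise HarnessDenied("identity expired")
        return ident

    def _log(self, agent_id, action, tool, outcome):
        self.audit.append({"ts": self.now(), "agent": agent_id,
                           "action": action, "tool": tool, "outcome": outcome})


def demo():
    """Constructed scenario: a parent assistant spawns a summarizer that asks
    for more than its parent has, then the parent itself strays out of scope."""
    clock = [1_700_000_000.0]
    h = Harness({"read_calendar": lambda: ["10:00 standup"],
                 "send_email": lambda to, body: f"sent to {to}",
                 "wire_funds": lambda amount: f"wired {amount}"},
                now=lambda: clock[0])
    h.register("assistant-1", "ops-team", {"read_calendar", "send_email"}, ttl=3600)
    child = h.spawn("assistant-1", "summarizer", {"read_calendar", "wire_funds"}, ttl=600)
    out = {"child_scopes": sorted(child.scopes)}
    out["read"] = h.call("summarizer", "read_calendar")
    for _ in range(3):                      # repeated out-of-scope attempts
        try:
            h.call("assistant-1", "wire_funds", 5000)
        except HarnessDenied:
            pass
    out["alerts"] = len(h.alerts)
    clock[0] += 700                         # child TTL lapses; parent still live
    try:
        h.call("summarizer", "read_calendar")
        out["expired_child"] = "allowed"
    except HarnessDenied as exc:
        out["expired_child"] = str(exc)
    out["denied_entries"] = sum(1 for e in h.audit if e["outcome"].startswith("denied"))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design choices carry the security weight: the child's scope is computed by intersection rather than copied from its request, so no chain of nested agents can escalate, and denials are logged and counted per identity, which is what turns a single refused call into an alert a security team can act on.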
Security and Trust: What Is at Stake for Companies and Customers
The security discussion around AI agents is not limited to a company’s internal environment. It extends directly to the customers who interact with those agents. When someone chats with a bank’s AI chatbot, for example, they are trusting that the agent only has access to the information needed to help them, and that their data is being handled securely and responsibly.
If the agent has excessive or misconfigured permissions, the exposure of sensitive data becomes a real risk, with consequences ranging from regulatory fines to irreversible damage to the company’s reputation.
Representatives from Mastercard and IBM at the roundtable reinforced that trust is the most valuable asset on the line right now. Building artificial intelligence systems that operate transparently, with traceable identity and well-defined access, is what will determine whether companies can scale the use of agents without creating new vulnerability vectors. IBM, for example, has been developing internal frameworks that treat AI agents as digital citizens with their own identity, subject to the same security policies applied to any other corporate user. It is a significant mindset shift, but a necessary one.
The bottom line of the debate was clear: the companies advancing fastest in adopting artificial intelligence agents are exactly the ones that have already realized identity, access, and security are not secondary technical concerns — they are the foundation on which any corporate AI strategy must be built. Ignoring this is not an option. The cost of remediating a security failure involving an autonomous agent is far higher than the investment required to put a solid policy in place from the start. And the organizations that figure this out sooner will come out ahead — not just in efficiency, but in credibility. 🏆
Key Takeaways From the Roundtable
The event left behind some practical insights that deserve the attention of any professional or company thinking about adopting or expanding the use of AI agents:
- Identity is the top priority: agent identity needs to be treated with the same rigor as the identity of any human user within a corporate system. That includes authentication, traceability, periodic permission reviews, and a clear accountability policy for unexpected behaviors.
- Security from day zero: many companies are still in firefighting mode — they deploy AI agents quickly to stay competitive and only think about security after something goes wrong. That needs to change. Security must be part of the plan from the very beginning, with well-defined access policies aligned with industry best practices.
- Governance needs to be cross-functional: this is not a conversation limited to IT and cybersecurity teams. Business leaders, product managers, and executives need to understand the risks and responsibilities that come with the power of artificial intelligence agents.
- Scale changes everything: corporate identity and access policies may already be in place, but the volume of agents that can be created and decommissioned rapidly changes the equation entirely. Preparing the infrastructure to handle that scale is essential.
The conversation about identity, access, and security in the age of AI needs to happen at every level of an organization, because the consequences of ignoring it affect everyone — from the developer who configures the agent to the customer who trusts the company to protect their data. 💡
