Treat your AI agents like willing but misguided humans – before you lose control

ZDNET's key takeaways
- Find a balance between restraining AI agents and giving them autonomy.
- Context and purpose must be built into the agent from the start of development.
- Review the configuration of each agent and the data it can access.
AI agents are evolving from simple chatbots to full-fledged digital workers empowered to act on requests and data. And with those skills comes a host of security and management concerns.
Treat your AI agents as eager but misguided interns who need supervision and guidance, suggested experts on a panel at the recent Snowflake conference in San Francisco. AI agents require specific instructions and careful monitoring by human managers.
An agent without boundaries can be very problematic, the panelists, representing AI security providers, agreed. “You can tell an agent to buy you shoes, and before you know it, they’ve bought you a car,” said Mayank Agarwal, founder and CTO of Resolve AI.
Discipline, context, and purpose
“You have to think a lot about what permissions you give the agent. You can’t just expect the agent to be on the straight and narrow. You have to put these ironclad constraints to limit what it can do.”
Along with discipline, context and purpose are the key words for handling and managing agents. “It’s not enough to know what this agent is designed to do. You also need to know things like who it’s working under and what it’s going to do, for example, with the data it accesses,” said Nancy Wang, 1Password’s chief technology officer.
Professionals should throw away the old software development playbook, because building and releasing agents today is very different from established software practice, Agarwal pointed out.
“If you go back just two years, developers knew exactly how to connect APIs to all the different systems,” he said. “Everything was very predictable: A will call API B, B will do this with that data, and call C, and do this with that data. In the world of the agent, it’s not completely predictable. The agent is wiring things up on the fly. Give it a goal, to solve this problem, and it goes out and tries every way it can.”
This approach can lead to new types of problems that professionals and managers are not prepared for. The agent “talks to tools that can do things for you, so you don’t know that these tools are extracting data,” Agarwal said. “An agent might learn from a tool and use another tool to write it in a place it shouldn’t be.”
The specter of shadow AI
This concern feeds the problem of shadow AI: agents operating without anyone observing them. “We had a client that had 12 instances of OpenClaw within its framework, with access to API feeds, source code, and a contractor using Telegram to communicate,” said Jason Merrick, senior vice president of product at Tenable. “What could go wrong, right?”
Because of these issues, understanding what agents are doing behind the scenes can be challenging. Questions will arise, such as “Who exactly took action against this system? Is it a person? Is it a service account? Or is it an agent?” Wang said. “Your team probably doesn’t know, or there’s no 100% certainty in that answer. Because today, agents look like people, but they can also look like a service account, because they have all your permissions.”
Therefore, a balance must be struck between governance and access, as AI is a powerful tool for productivity and innovation that must be able to operate independently. “You don’t want to just block everything or firewall everything,” advises Wang.
That need for balance also explains why close human oversight is important. “Look at the user pieces that the staff are creating — with Copilot, Claude Chat, or Gemini,” advises Merrick. “Look at their configuration. Is the AI poorly configured? What kind of data is it accessing? And being able to act on that. Also, look at the instructions themselves. What instructions are you communicating with?”
Bottom line: Direct instructions
This is where guardrails and good traditional ownership practices are important, Wang said. The greatest danger would come from an “overauthorized agent with long-lasting credentials.”
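An added example, not from the article or from any of the vendors it quotes, of what those guardrails look like in code: a policy gate that an agent runtime calls before every tool invocation. It enforces a per-agent tool allowlist with a hard spend ceiling, rejects credentials past a short time-to-live, and writes an audit record that names the agent and the human it acts for, so "who took this action" has an answer. All identifiers and values are constructed.

```python
"""Constructed example of a per-call policy gate for an AI agent runtime."""
from dataclasses import dataclass

@dataclass
class AgentIdentity:
    agent_id: str          # the agent's own principal, distinct from the user
    on_behalf_of: str      # the human the agent is working under
    issued_at: float       # credential issue time, epoch seconds
    ttl_seconds: int = 900 # short-lived by default (15 minutes), never long-lasting

@dataclass
class Policy:
    allowed_tools: set     # explicit allowlist; anything else is denied
    max_spend_usd: float   # hard ceiling so "buy shoes" can never become "buy a car"

AUDIT_LOG: list = []       # every decision is recorded, allowed or not

def check_call(identity, policy, tool, args, now):
    """Return (allowed, reason) for one tool call and append an audit record."""
    if now - identity.issued_at > identity.ttl_seconds:
        allowed, reason = False, "credential expired"
    elif tool not in policy.allowed_tools:
        allowed, reason = False, f"tool {tool!r} not in allowlist"
    elif args.get("amount_usd", 0) > policy.max_spend_usd:
        allowed, reason = False, f"spend {args['amount_usd']} exceeds cap {policy.max_spend_usd}"
    else:
        allowed, reason = True, "ok"
    AUDIT_LOG.append({
        "actor_type": "agent",              # not a person, not a service account
        "agent_id": identity.agent_id,
        "on_behalf_of": identity.on_behalf_of,
        "tool": tool, "args": args,
        "allowed": allowed, "reason": reason, "ts": now,
    })
    return allowed, reason

if __name__ == "__main__":
    # Constructed scenario: a shopping agent acting for one user with a $200 cap.
    ident = AgentIdentity("shopper-agent-01", "alice@example.com", issued_at=1000.0)
    pol = Policy(allowed_tools={"search_catalog", "purchase"}, max_spend_usd=200.0)
    print(check_call(ident, pol, "purchase", {"item": "shoes", "amount_usd": 120.0}, now=1100.0))
    print(check_call(ident, pol, "purchase", {"item": "car", "amount_usd": 30000.0}, now=1100.0))
    print(check_call(ident, pol, "transfer_funds", {"amount_usd": 5.0}, now=1100.0))
    print(check_call(ident, pol, "search_catalog", {"q": "shoes"}, now=2000.0))
    for record in AUDIT_LOG:
        print(record)
```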
The challenge is designing security and governance around such “indeterminate creatures,” Wang continued. “It’s a matter of letting them be creative, but also using traditional instruction sets in the form of SDKs. You want predictable controls, but also, you don’t want to force them so much that they don’t get productivity benefits.”
The key takeaway for experts is that agents, like trainees, need “very specific instructions,” Wang said. “Sometimes they still get off track. Whether you’re thinking about agents in charge or you’re thinking about the full agent pipeline, it comes back to complete visibility, alignment, and making sure you’re setting the right intent from the get-go — and that intent has to carry through every step, every action an agent takes.”