Why Do You Trust Your AI Agent?
Your AI Agents Have Every Privilege You Do
The director of AI Alignment at Meta’s Superintelligence Labs let an agent run unsupervised on her own machine, with her own permissions. It deleted all her emails. The lesson is not that she made a mistake. It is that the agent did exactly what agents do: it took every privilege it was handed and used all of it to reach its goal, with no judgment about whether it should.
Now multiply that across an organization where everyone is becoming a developer. Lieuwe Jan Koning, Co-founder and CTO at ON2IT, sits down with Rob Maas, Field CTO at ON2IT, to work through what Zero Trust looks like when the thing you are securing has no conscience, acts at machine speed, and can spin up copies of itself. The strategy holds. The controls have to move.
What you’ll learn
- “Just in case” privileges become the attack surface. Agents inherit broad human access and use all of it.
- Shadow AI is the next shadow IT. Ungoverned agents go business-critical before anyone decides they should.
- The five Zero Trust pillars still hold, but every control needs rethinking for identities that never wait for approval.
Your cybersecurity experts
Lieuwe Jan Koning
Co-Founder and CTO
ON2IT
Episode details
Rob’s framing for the core risk is the one to take to a leadership meeting. Humans hold “just in case” privileges, the broad access we collect to do our jobs, kept in check by judgment and the knowledge that we can be held accountable. An agent has neither. Give it an intent and it will use every privilege attached to its identity to get there, the way a worm uses access it was never meant to have, except an agent is pursuing a goal rather than running static code you can detect. The fix starts with treating agents as non-human identities: scope their privileges tightly, issue them just in time, keep them short-lived, and rotate them so a token that leaks to a cloud provider cannot be replayed forever.
From there the conversation walks the pillars. On devices, lock down the execution environment the agent runs in, a VM, a container, or serverless, so it cannot touch files it was never meant to see. On the network, identity-based segmentation does the heavy lifting: an agent working with CRM data should have no path to the financial system, and its access to API servers, MCP tooling, and marketplace skills should be denied by default and allowed only where genuinely needed. The recurring theme is that the agent is both the user and the application at once, which is why a strict allow-list of the tools and MCP servers it may call matters more than any single perimeter control.
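The identity and network controls described in these two paragraphs, just-in-time scoped tokens that expire and a deny-by-default allow-list of tools and MCP servers with every decision logged, as an added Python example. This is not ON2IT's code or anything from the episode; the policy table, the tool and MCP server names, and the function names are constructed for illustration.

```python
"""Agent identity controls: short-lived scoped tokens plus a deny-by-default tool allow-list.
Added example, not code from ON2IT or the episode; the policy table, tool and MCP server
names, and function names are constructed for illustration."""
import secrets
import time
from dataclasses import dataclass, field

# Constructed policy: which tools / MCP servers each non-human identity may call.
# Anything not listed is denied, so the CRM agent has no path to the finance system.
TOOL_POLICY = {
    "crm-assistant": frozenset({"crm.read", "crm.search", "mcp://crm-server"}),
    "finance-reporter": frozenset({"finance.ledger.read", "mcp://ledger-server"}),
}
AUDIT_LOG = []  # (agent_id, token_id, tool, decision): the record you inspect for drift


@dataclass(frozen=True)
class AgentToken:
    agent_id: str
    scopes: frozenset       # tools this token may call, never wider than TOOL_POLICY
    issued_at: float
    ttl_seconds: int
    token_id: str = field(default_factory=lambda: secrets.token_hex(8))

    def expired(self, now):
        return now >= self.issued_at + self.ttl_seconds


def issue_token(agent_id, requested_scopes, ttl_seconds=300, now=None):
    """Just-in-time issuance: grant only the intersection of the request and the policy.
    The short TTL forces re-issuance, so a leaked token cannot be replayed forever."""
    now = time.time() if now is None else now
    granted = frozenset(requested_scopes) & TOOL_POLICY.get(agent_id, frozenset())
    return AgentToken(agent_id, granted, now, ttl_seconds)


def authorize_call(token, tool, now=None):
    """Deny by default: allow only a live token whose scopes name this exact tool."""
    now = time.time() if now is None else now
    if token.expired(now):
        decision = "deny:expired"
    elif tool not in token.scopes:
        decision = "deny:not-in-allowlist"
    else:
        decision = "allow"
    AUDIT_LOG.append((token.agent_id, token.token_id, tool, decision))
    return decision == "allow"
```

An agent that asks for more than its policy grants silently gets the narrower set, and every call, allowed or denied, lands in `AUDIT_LOG` so an off-course agent is visible in the log rather than only in its side effects.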
The hard pillars are applications and data, and Rob is honest that the tooling is not there yet. Building the allow-list is difficult, enforcing it is harder, and there is no AI firewall that solves this generically today. Data is harder still, because everything in AI is data-driven: prompts, retrieval systems, and documents all flow to the model, and prompt injection means even your controls can be subverted. His cautious optimism rests on observability. Unlike a human mind, an agent’s calls can be logged and inspected, so if you capture what agents are doing, you can at least see when one goes off course.
What is missing from the classic frameworks is the agent-specific layer: behavior analytics tuned to machine speed, detection for “intention drift” when an agent strays from its original goal, and above all a human in the loop with a real kill switch for critical decisions. The closing advice is pragmatic. Embrace AI, because the alternative is falling behind, but start by getting a clear overview of every agent and MCP server in use and the access each one holds. For most organizations that visibility is now a CISO responsibility, whether or not it eventually becomes a dedicated AI officer’s job.