I spent an hour yesterday with Trey Tunnell, CISO at Floor & Decor, and Anatoli Lataria, Chief Information and Digital Officer at MiTek, discussing agent security frameworks and deconstructing the limitations of existing, systematic enterprise security controls in a dynamic, evolving agentic landscape. Anatoli put it bluntly: it's like being on a roller coaster, screaming, and unsure whether the screams are joy or fear. This is the honest state of agentic AI for so many security and AI leaders in the enterprise landscape right now. The business wants the force multiplier. Security teams want to enable it. Yet the control patterns we have all spent fifteen years building — identity, network segmentation, role-based access, deterministic policy — were designed for a world where you could predict what a system would do once authorized.
Agentic AI, meaning AI systems that can plan, take action, and chain tool calls toward a goal without a human approving each step, breaks that assumption. The agent decides how to get from A to B. The path is not knowable in advance, and that path is where the risk lives.
The main through line of the conversation between Trey, Anatoli, and me was Agent Intent, a topic many of the CISOs I speak to are also focused on right now.
The gap between what an agent was built to do and what it actually does in production gives us insight into agent intent. A traditional control assumes a deterministic action:
Agent behavior towards an intended goal is more dynamic:
The challenge is that two users asking the same question can produce two different action chains. Anatoli used a good analogy. Older media players were built to play video. A vulnerability turned one into a remote shell. The intent was playback, but the behavior was remote control. Agentic systems generalize that problem and multiply it, because the agent is allowed to improvise in order to achieve its goal.
Trey framed the operational consequence. As a developer, he used to automate specific steps toward a known goal. The system did not know the goal; it only knew the steps. Now the goal is the input, and the agent figures out the steps. Most of the security benefit of the old model came from the fact that the steps were the contract, and that contract no longer holds once agents are involved.
Three things break at once: identity, the agent-to-agent hop, and the server-side blind spot.
Identity: Most agents today inherit the permissions of the user who invoked them, which works until it doesn't. The user has access to a SharePoint site they have never opened. The agent will open it, find what is there, and use it. As Trey highlighted, agents are very good at finding data we didn't know we had access to. Inherited permissions plus an agent that crawls aggressively equals data exposure that no one provisioned. This is the same dynamic we see across Copilot deployments, and it's why visibility into data oversharing through enterprise AI has become a first-order security problem rather than a hygiene afterthought.
Agent-to-agent hop: Trey was sharp on this. The more agents you have, the more they will need to call each other. When an HR agent calls a marketing agent that calls a Salesforce action, the original user's identity, intent, and context need to travel with the request. Today, they don't. Each downstream agent essentially acts as itself, with whatever it was given at deployment. That is a chain-of-custody failure for both authorization and auditability. If an auditor asks why an agent did something three hops deep, the honest answer right now is usually some version of "I don't know."
If I'm going from one agent to another, the new agent needs to understand my intent, the original context of my request, and what I should have access to. We do not have a way to solve that right now. - Trey Tunnell, CISO, Floor & Decor
Server-side blind spot: Much of the action in agentic systems happens on the model provider's side or inside a managed agent. The user types a prompt. The agent reasons, calls tools, fetches data, calls another agent, returns an answer. Traditional inline controls, the man-in-the-middle pattern that DLP and CASB rely on, do not sit on that path. You see the prompt and the response but not the loop in the middle.
You can't apply a deterministic control to a non-deterministic system and expect the same coverage. The shift Anatoli and Trey both reached for, independently, was toward intent as a critical input. Not just who the identity is, but what the user was trying to do, what the agent is planning to do, and whether the action chain matches.
This has practical implications for the programs CISOs are building now:
Capture the plan, not just the prompt and response. The agent's intermediate reasoning, tool calls, and data accesses are the evidence. If you only log the prompt and the final answer, you cannot reconstruct why anything happened. Anatoli called out the value of agents that surface their plan before executing; that plan is also the surface you want to log.
If an agent is constantly asking you for permissions all the time and you have to constantly watch it, that's also going to break the outcome you're trying to get to. Eventually, teams will find other ways of interacting with that agent. - Anatoli Lataria, Chief Information & Digital Officer, MiTek
Re-evaluate identity and authorization at every hop, not only at the boundary; this is what Trey kept coming back to. The new agent in the chain needs to understand the original user's intent, the original context, and what the user should have access to. That is an unsolved engineering problem in most enterprise deployments today. Acknowledging it is the first step. Designing toward it is the second.
Treat the agent identity as its own object, not a delegation of the user. Inherited permissions are convenient and dangerous. An agent should have a scoped identity, a known intent, and a defined set of tools it is allowed to call. Agents will eventually outnumber employees in most enterprises. Permission inheritance does not scale to that ratio. This is the territory Opsin Agent Defense was built to cover, surfacing the agents already operating in the environment and the non-human identities behind them.
Anchor the program to a framework you can actually operate. Trey's team uses NIST AI RMF. OWASP's 2026 GenAI Top 10 lists excessive agency as LLM08 and gives you a vocabulary for the failure modes. MITRE ATLAS gives you the adversarial patterns. Pick the one your organization already speaks and extend it.
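As an added illustration of the three recommendations above (log the plan, re-check authorization at every hop, give the agent its own scoped identity), here is a small Python model, written for this post and not code from Opsin or either company. The agent names, tool names and scope strings are constructed for the demo; a delegation context carries the original user, intent and entitlements across each agent-to-agent hop, and every hop is recorded so the "three hops deep" question has an answer.

```python
from dataclasses import dataclass, field

# Constructed example: scoped agent identities plus a delegation context
# that travels with every agent-to-agent hop (not Opsin code).

@dataclass(frozen=True)
class AgentIdentity:
    name: str
    allowed_tools: frozenset      # tools this agent may call, fixed at deployment

@dataclass
class DelegationContext:
    original_user: str
    intent: str                   # what the user asked for, carried unchanged
    user_scopes: frozenset        # what the original user is entitled to
    hops: list = field(default_factory=list)   # chain of custody / plan log

# Each tool names the scope it needs (hypothetical names for the demo).
TOOL_SCOPES = {
    "hr.lookup_employee": "hr:read",
    "sharepoint.read_site": "sharepoint:read",
    "salesforce.update_opportunity": "crm:write",
}

def authorize(ctx, agent, tool):
    """Re-evaluate at every hop: the agent's own scope AND the user's entitlement."""
    needed = TOOL_SCOPES.get(tool)
    allowed = (
        needed is not None
        and tool in agent.allowed_tools      # agent identity is its own object
        and needed in ctx.user_scopes        # not more than the user could do
    )
    ctx.hops.append({"agent": agent.name, "tool": tool, "intent": ctx.intent,
                     "on_behalf_of": ctx.original_user, "allowed": allowed})
    return allowed

def run_chain(ctx, chain):
    """Execute a planned tool chain; stop at the first denied hop, return the log."""
    for agent, tool in chain:
        if not authorize(ctx, agent, tool):
            break
    return ctx.hops

def demo():
    hr_agent = AgentIdentity("hr-agent", frozenset({"hr.lookup_employee"}))
    mkt_agent = AgentIdentity("marketing-agent", frozenset({"salesforce.update_opportunity"}))
    ctx = DelegationContext("alice", "update the renewal forecast",
                            frozenset({"hr:read", "sharepoint:read", "crm:write"}))
    # alice could open the SharePoint site herself, but the HR agent was never
    # scoped to it, so inherited permission alone does not let the hop through.
    chain = [(hr_agent, "hr.lookup_employee"),
             (hr_agent, "sharepoint.read_site"),
             (mkt_agent, "salesforce.update_opportunity")]
    return run_chain(ctx, chain)
```

The returned log is the artifact to ship to your audit store: each entry records which agent called which tool, on whose behalf, with what intent, and whether the hop was permitted.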
For twenty years, the security and IT conversation about shadow IT has been about pulling unauthorized work back into the governed environment. Agentic AI inverts that. If your IT and security organization does not change its operating model, the rest of the business will build agents anyway, and you become the shadow IT. As Anatoli highlighted, the governed path has to be faster than the ungoverned one, or you lose the visibility you need to do your job.
Agent visibility must be a foundational part of your first ninety-day investment. You need an inventory of the agents already deployed in your environment, the data they touch, the tools they can call, and the identities they assume. You cannot govern what you cannot see, and you cannot enable the business if you only find out about new agents during an incident.
This is also where Opsin's contextual layer fits, the connection between identity, data, and model behavior that lets you actually see what a user or an agent is doing across sanctioned AI and act at the root cause rather than the symptom. That is the gap I think the next eighteen months of enterprise AI security will be about closing.
We are inside the tunnel. Trey and Anatoli agreed they do not see light at either end yet. The pace is not slowing. The right question is not when does this settle, it is what context do I need to see clearly while we keep moving forward.