An agent inside a mid-market enterprise gets asked to "pull together anything relevant on the Q3 acquisition pipeline." It fans out across SharePoint, a connected CRM, and a few Teams channels. It returns a clean three-paragraph summary that includes deal terms from a site the requesting user was added to by mistake six months ago and never opened.
The DLP stack saw nothing, because no file moved. The CASB saw a sanctioned application doing sanctioned things. The DSPM dashboard showed every site correctly classified. The identity logs showed a normal authentication.
This is the gap. Securing AI agents in the enterprise is not a missing rule in DLP or a coverage hole in CASB. It is a paradigm shift. Agents do not sit on a network perimeter. They reason across connected data wherever it lives, borrow authority from the user who invoked them, call tools, and produce outputs. The data security and identity stack most enterprises run was built around assumptions (data moves, sessions are observable, identities are human) that agents systematically violate. The signal that would catch the incident above is not in any of those tools. It is in the behavior of the agent itself.
DLP, CASB, DSPMs, and gen1 AI security products were designed around an attacker and an architecture that looks nothing like the agent surface. They assume a perimeter, a session, and a movement event. They alert when data crosses a boundary, when a user does something anomalous, when a sensitive label hits a policy.
Agents break each of these assumptions in a structural way.
There is no perimeter. An agent invocation reaches into whatever the invoking user can technically reach, which in a real Microsoft Copilot, ChatGPT Enterprise, Claude, or Gemini deployment means inherited permissions accumulated over years of reorgs, contractor onboarding, and one-off "share with everyone" grants nobody documented. The agent does not move data across a boundary. It reasons over it in place and returns a summary. The perimeter model has nothing to fire on. This is the exact dynamic Culligan's security team worked through during their Copilot rollout, where the risk was not data leaving the tenant but data being surfaced inside it that no one expected to see.
There is no observable session in the legacy sense. The invoking identity is a human. The acting identity is non-human, operating with the human's effective permissions for the duration of the request, then disappearing. Identity tools see the human authenticate. They do not see the agent's decision tree, its tool calls, or the path it took through the data it touched.
There is no movement event. Sensitive data leaves the agent's reasoning context in the form of an answer. That answer is shaped by what the agent decided was relevant, which is shaped by what it was asked, which is shaped by whatever instructions it ingested along the way, including instructions an attacker may have planted in a document the agent was asked to summarize.
This is why CISOs running mature data security programs are getting blindsided by agent incidents across sanctioned AI, whether the deployment is Copilot, ChatGPT Enterprise, Claude, or a custom agent built on one of them. The control plane that catches the human version of the risk is not wired to catch the agent version, because the agent version does not produce the events the control plane was built to consume.
In December 2025, the OWASP GenAI Security Project's Agentic Security Initiative released the OWASP Top 10 for Agentic Applications (2026), the first peer-reviewed framework dedicated to autonomous AI systems. It introduces a risk-ID convention, ASI01 through ASI10, covering goal hijacking, tool misuse, identity and privilege abuse, supply chain risk, unexpected code execution, memory poisoning, inter-agent communication, cascading failures, human-agent trust exploitation, and rogue agents.
Two IDs sit at the endpoints of the framework and most cleanly expose the legacy-tool gap.
Between the endpoints sit the risks most enterprises are encountering in production. ASI02 (Tool Misuse) covers agents using a legitimately-granted tool in ways the designer did not intend. ASI03 (Identity & Privilege Abuse) is where the inherited-permissions problem in Copilot lives. ASI06 (Memory Poisoning) addresses persistent state, the accumulated context that becomes a target as agents develop longer memories. ASI09 (Human-Agent Trust Exploitation) names the social-engineering surface that opens when users start treating agent output as authoritative.
If a security program references the OWASP LLM Top 10 (2023, updated 2025) as its framework for AI risk, it is working from the wrong document for agents. The LLM Top 10 covered model-level risks like prompt injection, training-data poisoning, and insecure output handling. Agents inherit those and add an entirely new vulnerability class that arises from autonomy, tool integration, and persistent state. ASI reflects that.
The common thread across the ASI Top 10 is that the risk is not visible in any single artifact (a file, a permission, a network event) but in the relationship between the identity invoking the agent, the data the agent reasons over, the tools it calls, and the goal it is pursuing.
A useful operational frame being used by industry analysts in agentic risk conversations is to treat the agent as an identity, and baseline three things about its behavior.
A clean-looking call that is actually malicious shows up here. The authentication is fine. The tool call is within scope. The data accessed is technically permitted. The deviation is in the relationship: the topic of this request does not match the agent's baseline, or the audience for this output is not consistent with the agent's purpose, or the data connection traversed to produce the answer is one the agent has no business reaching for in the context of this task. This is the pattern UiPath's security team operationalized for their ChatGPT Enterprise rollout, classifying agents and their data connections proactively rather than waiting for an incident to surface a misalignment.
This is what Opsin's dynamic contextual layer produces. It connects identity, data, and model behavior into a baseline that makes deviation visible, so a Copilot incident traceable to an over-permissioned SharePoint site can be remediated at the SharePoint permission (the root cause) rather than at the Copilot response (the symptom). Wellstar's Copilot deployment is the canonical version of this in a regulated environment: the remediation that mattered was upstream of the agent, in the data-access layer the agent was inheriting from. Excessive agency, the term OWASP has used since the LLM Top 10 to describe agents granted more capability than their task requires, becomes operational once you can describe, per invocation, what agency was actually exercised against what data on whose behalf.
Two posture questions become answerable for the first time when an agent is treated as an identity with a baselined intent.
Both questions are unanswerable from a data-movement frame. Both are answerable from an agent-intent frame.
Most enterprises do not yet have an agent inventory. They have a list of approved AI applications. The agents running inside those applications, the non-human identities they execute under, the tools they have been granted, and the data connections they can reach are mostly unaccounted for, sometimes even to the business units that built them.
That gap is where the next conversation lives. Discovery, ownership, and accountability for agents proliferating across business units is becoming a board-level question, not because the technology is unfamiliar but because the org design has not caught up. The architecture review most security teams need is not whether their DLP catches AI risk. It does not, by design. The architecture review is whether anything in their stack treats agents as identities, baselines their intent, and produces the deviation signal the OWASP framework now formalizes as the thing that matters.
If a security leader cannot answer "how many agents are connected to my most sensitive data, who owns them, and what are they actually doing" without a quarter-long manual exercise, that is the work in front of the team. Everything downstream of an agent inventory depends on having one.
Interested in seeing how many agents are running in your environment?
An agent inside a mid-market enterprise gets asked to "pull together anything relevant on the Q3 acquisition pipeline." It fans out across SharePoint, a connected CRM, and a few Teams channels. It returns a clean three-paragraph summary that includes deal terms from a site the requesting user was added to by mistake six months ago and never opened.
The DLP stack saw nothing, because no file moved. The CASB saw a sanctioned application doing sanctioned things. The DSPM dashboard showed every site correctly classified. The identity logs showed a normal authentication.
This is the gap. Securing AI agents in the enterprise is not a missing rule in DLP or a coverage hole in CASB. It is a paradigm shift. Agents do not sit on a network perimeter. They reason across connected data wherever it lives, borrow authority from the user who invoked them, call tools, and produce outputs. The data security and identity stack most enterprises run was built around assumptions (data moves, sessions are observable, identities are human) that agents systematically violate. The signal that would catch the incident above is not in any of those tools. It is in the behavior of the agent itself.
DLP, CASB, DSPMs, and gen1 AI security products were designed around an attacker and an architecture that looks nothing like the agent surface. They assume a perimeter, a session, and a movement event. They alert when data crosses a boundary, when a user does something anomalous, when a sensitive label hits a policy.
Agents break each of these assumptions in a structural way.
There is no perimeter. An agent invocation reaches into whatever the invoking user can technically reach, which in a real Microsoft Copilot, ChatGPT Enterprise, Claude, or Gemini deployment means inherited permissions accumulated over years of reorgs, contractor onboarding, and one-off "share with everyone" grants nobody documented. The agent does not move data across a boundary. It reasons over it in place and returns a summary. The perimeter model has nothing to fire on. This is the exact dynamic Culligan's security team worked through during their Copilot rollout, where the risk was not data leaving the tenant but data being surfaced inside it that no one expected to see.
There is no observable session in the legacy sense. The invoking identity is a human. The acting identity is non-human, operating with the human's effective permissions for the duration of the request, then disappearing. Identity tools see the human authenticate. They do not see the agent's decision tree, its tool calls, or the path it took through the data it touched.
There is no movement event. Sensitive data leaves the agent's reasoning context in the form of an answer. That answer is shaped by what the agent decided was relevant, which is shaped by what it was asked, which is shaped by whatever instructions it ingested along the way, including instructions an attacker may have planted in a document the agent was asked to summarize.
This is why CISOs running mature data security programs are getting blindsided by agent incidents across sanctioned AI, whether the deployment is Copilot, ChatGPT Enterprise, Claude, or a custom agent built on one of them. The control plane that catches the human version of the risk is not wired to catch the agent version, because the agent version does not produce the events the control plane was built to consume.
In December 2025, the OWASP GenAI Security Project's Agentic Security Initiative released the OWASP Top 10 for Agentic Applications (2026), the first peer-reviewed framework dedicated to autonomous AI systems. It introduces a risk-ID convention, ASI01 through ASI10, covering goal hijacking, tool misuse, identity and privilege abuse, supply chain risk, unexpected code execution, memory poisoning, inter-agent communication, cascading failures, human-agent trust exploitation, and rogue agents.
Two IDs sit at the endpoints of the framework and most cleanly expose the legacy-tool gap.
Between the endpoints sit the risks most enterprises are encountering in production. ASI02 (Tool Misuse) covers agents using a legitimately-granted tool in ways the designer did not intend. ASI03 (Identity & Privilege Abuse) is where the inherited-permissions problem in Copilot lives. ASI06 (Memory Poisoning) addresses persistent state, the accumulated context that becomes a target as agents develop longer memories. ASI09 (Human-Agent Trust Exploitation) names the social-engineering surface that opens when users start treating agent output as authoritative.
If a security program references the OWASP LLM Top 10 (2023, updated 2025) as its framework for AI risk, it is working from the wrong document for agents. The LLM Top 10 covered model-level risks like prompt injection, training-data poisoning, and insecure output handling. Agents inherit those and add an entirely new vulnerability class that arises from autonomy, tool integration, and persistent state. ASI reflects that.
The common thread across the ASI Top 10 is that the risk is not visible in any single artifact (a file, a permission, a network event) but in the relationship between the identity invoking the agent, the data the agent reasons over, the tools it calls, and the goal it is pursuing.
A useful operational frame being used by industry analysts in agentic risk conversations is to treat the agent as an identity, and baseline three things about its behavior.
A clean-looking call that is actually malicious shows up here. The authentication is fine. The tool call is within scope. The data accessed is technically permitted. The deviation is in the relationship: the topic of this request does not match the agent's baseline, or the audience for this output is not consistent with the agent's purpose, or the data connection traversed to produce the answer is one the agent has no business reaching for in the context of this task. This is the pattern UiPath's security team operationalized for their ChatGPT Enterprise rollout, classifying agents and their data connections proactively rather than waiting for an incident to surface a misalignment.
This is what Opsin's dynamic contextual layer produces. It connects identity, data, and model behavior into a baseline that makes deviation visible, so a Copilot incident traceable to an over-permissioned SharePoint site can be remediated at the SharePoint permission (the root cause) rather than at the Copilot response (the symptom). Wellstar's Copilot deployment is the canonical version of this in a regulated environment: the remediation that mattered was upstream of the agent, in the data-access layer the agent was inheriting from. Excessive agency, the term OWASP has used since the LLM Top 10 to describe agents granted more capability than their task requires, becomes operational once you can describe, per invocation, what agency was actually exercised against what data on whose behalf.
Two posture questions become answerable for the first time when an agent is treated as an identity with a baselined intent.
Both questions are unanswerable from a data-movement frame. Both are answerable from an agent-intent frame.
Most enterprises do not yet have an agent inventory. They have a list of approved AI applications. The agents running inside those applications, the non-human identities they execute under, the tools they have been granted, and the data connections they can reach are mostly unaccounted for, sometimes even to the business units that built them.
That gap is where the next conversation lives. Discovery, ownership, and accountability for agents proliferating across business units is becoming a board-level question, not because the technology is unfamiliar but because the org design has not caught up. The architecture review most security teams need is not whether their DLP catches AI risk. It does not, by design. The architecture review is whether anything in their stack treats agents as identities, baselines their intent, and produces the deviation signal the OWASP framework now formalizes as the thing that matters.
If a security leader cannot answer "how many agents are connected to my most sensitive data, who owns them, and what are they actually doing" without a quarter-long manual exercise, that is the work in front of the team. Everything downstream of an agent inventory depends on having one.
Interested in seeing how many agents are running in your environment?
.webp)
