- "An agent is equivalent to a newly hired employee. It needs a unique identity, least privilege access, and monitoring to watch what it's doing." ~ Rafay Baloch, CEO, REDSECLABS
- "The attack surface most organizations are unprepared to defend is the one where agents are still making API calls after the developer who built them left the company." ~ Roey Eliyahu, CEO, Salt Security
- "The higher the business impact and the harder it is to reverse an action, the more human oversight should be required." ~ Sherif Koussa, CEO, Software Secured
- "The model is your reasoning layer. The APIs it connects to are your action layer. Most organizations focus on locking down reasoning while leaving the action layer wide open." ~ Michael Callahan, VP of Cyber Strategy, Salt Security
- "Before deploying any agent into production, you need a complete trail showing inputs, outputs, decisions, tool usage, and user approvals." ~ Deepak Shukla, CEO, Pearl Lemon AI
- Most SMBs discover unauthorized AI tool usage after it has already become a liability. LastPass surfaces every AI tool your team is accessing in the browser, without infrastructure changes or a security team.
In 2026, one thing has become painfully clear about AI security.
The recent compromises of Microsoft open-source repositories show that attackers don't need to exploit a vulnerability at all when an easier route is open. In June, they compromised several Microsoft open-source GitHub repos to insert password-stealing malware.
It’s a reminder that basics like MFA, credential hygiene, least privilege, and EDR coverage still count. If these controls are weak, attackers won’t have to “win” against a high CVSS bug.
They can just get in through trusted pathways and weak identity security.
The same is true when it comes to agentic AI.
As highlighted in our recent AI security playbook, the real danger isn’t AI itself, but unmanaged access. It’s the credentials, permissions, and data flows that aren’t being tracked that put a business at risk.
If you're the person at work who keeps things running, you know what’s at stake.
Below, I cover the 10 controls to validate before deploying AI agents, and if you know anyone who’s starting from zero, send them this checklist.
It cuts through the noise with insights from industry experts, CEOs, and founders.
Why does agentic AI introduce a new class of risk?
AI agents are machine identities that introduce a new class of risk because they can act autonomously. They can send emails, execute code, move money, and even delete files, which means errors don’t just produce bad outputs; they can lead to bad business outcomes that may be irreversible.
Let's say your agent is connected to your finance, CRM, email, and product roadmap tools. This means one prompt injection attack can cascade across all these tools, leading to widespread compromise.
Are machine identities and unmanaged credentials the real risk in agentic AI?
Yes. Just ONE compromised machine credential can:
- Grant system access
- Enable lateral movement
- Expose sensitive data
Each machine identity comes with its own API keys, OAuth grants, and tokens that are likely over-permissioned, which is why agentic AI risk management is fundamentally about identity and secrets management.
But access is only the first order risk.
When credentials are mismanaged in agentic systems, the consequences don’t just stop at unauthorized entry. Downstream, you get data corruption, broken workflows, and loss of operational history.
That’s where a different kind of risk starts to emerge, according to Chongwei Chen, the CEO of DataNumen, and Nick Scozzaro, the CEO and founder of ShadowHQ.
Chongwei Chen is the CEO of DataNumen, a global leader in data recovery software. DataNumen serves clients in more than 150 countries, including Fortune 500 companies like Toyota, FedEx, HP, Procter & Gamble, and Dell.
What’s the biggest “We didn’t think about that” moment you’ve seen when it comes to agentic AI deployment?
Agents are efficient at processing data from customers. However, when problems occur, such as the injection of an incorrect prompt or corruption of a model, the company loses all its historical data, something that was impossible two years ago.
What do you think the solution is?
One solution is LastPass, which fortifies the front line while a company like DataNumen handles the safety net.
In other words, use LastPass to secure logins and credentials for all SaaS & AI apps that SMBs (small to mid-sized businesses) rely on. This reduces the possibility of data loss due to breaches.
And if a breach occurs, DataNumen helps in recovering the data. Together, these two tools offer a practical, cost-effective layer of security that was previously available only to big organizations.
Nick Scozzaro is the CEO and founder of ShadowHQ, an out-of-band incident response and crisis management platform.
What’s the biggest "we didn't think of that" moment you've seen when it comes to agentic AI deployment?
I would say access scope. Teams give AI agents broad permissions to get things done quickly. Then they realize the agent can read, write, and share far more than it ever needed to. When something goes wrong, the blast radius is massive.
The second one is in incident response. These agentic systems get built into the same tools that go down during an attack. So, what happens when this breaks in the middle of a crisis? Your AI-assisted recovery plan becomes another casualty.
The controls that prevent the scenarios above are also the same ones that protect human identities.
This means unique credentials, least-privilege access, logging, and defined offboarding for machine identities.
Below is your 10-control checklist. Each one maps to a specific layer where agentic AI introduces risk.
If anyone you know is starting from zero, the FAQ section at the end tells them which controls to prioritize first.
Your 2026 Agentic AI Security Checklist
What are the 10 agentic AI security controls to validate before you deploy?
The top 10 agentic AI security controls to validate before you deploy are as follows.
| # | Agentic AI security control | What it entails |
|---|---|---|
| #1 | Agent identity & authentication | Every AI agent has a unique identity and uses short-lived credentials, not shared human logins. |
| #2 | Granular permission scopes | Agent permissions are scoped to the specific task; least privilege is enforced and re-checked at runtime. |
| #3 | Human approval for high-risk actions | Financial transactions, sensitive data access, and system changes require human approval before the agent proceeds. |
| #4 | Secrets & credential handling | API keys and tokens are stored in a centralized vault, never passed through agent prompts, memory, or logs. |
| #5 | Tool, API, & outbound network controls | Agents can only call approved tools and APIs; outbound connections are restricted and logged. |
| #6 | Input & prompt security | All agent inputs are treated as untrusted; instructions are validated before execution. |
| #7 | Step-level visibility & logging | Every tool call, state transition, and data access is logged with identity context and permission scope attached. |
| #8 | Visibility before autonomy | Agents start with limited permissions; autonomy increases only after behavior is validated. |
| #9 | Data, memory, & context integrity | Agent memory is isolated, versioned, and validated; stale or corrupted context is caught before it drives bad decisions. |
| #10 | Incident response & audit readiness | You can trace every agent action across systems, link it to an identity, and demonstrate data access and movement to an auditor. |
#1 Does each agent need its own identity?
Yes, each agent needs a unique identity with its own credentials, the same as for humans. Shared identities make it impossible to track agent behavior and to revoke access cleanly when an agent is deactivated.
- Assign a unique identity per agent, not per team or use case.
- Use short-lived or renewable credentials, not standing API keys.
- Never allow agents to authenticate using a human employee's login.
- Define how the agent will be offboarded before it is onboarded.
In your opinion, are most teams logging enough detail to understand what agents do?
"No, and the gap is bigger than most security leaders realize. Most organizations are logging authentication events. They know an agent connected and used a valid credential.
What they aren’t capturing is what the agent did after that: Which APIs it called, what data it accessed, and what actions it triggered downstream.
That’s the log you need for understanding agent behavior and almost nobody has it yet. Part of the problem is that the tooling built for human-speed access can’t capture machine-speed API activity at the volume agents generate.
Part of it is also that teams don’t yet know what normal looks like for their agents, so they can’t know what abnormal looks like either.
So, treat every agent like a new employee. It needs to be provisioned, tracked, and eventually offboarded. The most dangerous agents in any environment aren't the active ones, but the ones no one remembers deploying."
#2 How should AI agent permissions be scoped and enforced?
Agent permissions should be scoped to the minimum required for each task and enforced at runtime.
- Assign permission scopes per task, not broad access per agent
- Enforce least privilege at the app's permission layer, not just at the infrastructure level
- Recheck authorization continuously, not just at initial login
- Cap agent permissions at the level of the human who owns the agent, i.e., it should never be able to do anything its owner can’t
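Controls #1 and #2 come down to one mechanism: a token issued per agent and per task, with a short lifetime, whose scopes are the intersection of what the task asks for and what the owning human holds, and a check that runs before every tool call rather than once at login. The block below is an added example, not code from the page or from any vendor named on it; the issuer key, the owner directory, and the scope names are all constructed for illustration, and a real deployment would keep the signing key in a KMS and source owner permissions from the IdP.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Iterable, Optional, Set, Tuple

# Hypothetical issuer key. In a real deployment this lives in a KMS/HSM, never in code.
ISSUER_KEY = b"example-only-issuer-key"

# Constructed directory of what each human owner may do. An agent's grant is always
# the intersection of what it asks for and what its owner holds.
OWNER_PERMISSIONS: Dict[str, Set[str]] = {
    "alice": {"crm:read", "crm:write", "email:send"},
    "bob": {"crm:read"},
}

# Offboarded agents. Consulted on every call, so revocation takes effect immediately,
# even while a previously issued token is still inside its lifetime.
REVOKED_AGENTS: Set[str] = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())


def mint_token(agent_id: str, owner: str, requested: Iterable[str],
               ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Issue a short-lived, per-agent, per-task token. Scopes are capped at the owner's permissions."""
    now = time.time() if now is None else now
    granted = set(requested) & OWNER_PERMISSIONS.get(owner, set())
    claims = {"sub": agent_id, "owner": owner, "scope": sorted(granted),
              "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token has not expired, else None."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sig, _sign(body)):
        return None
    claims = json.loads(_unb64(body))
    return None if claims["exp"] <= now else claims


def authorize(token: str, action: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Runtime re-check before every tool call, not just at login."""
    claims = verify_token(token, now)
    if claims is None:
        return False, "invalid or expired token"
    if claims["sub"] in REVOKED_AGENTS:
        return False, "agent offboarded"
    if action not in claims["scope"]:
        return False, "scope not granted to this task"
    # The owner's permissions are re-read on every call: if the human loses a
    # permission mid-session, the agent loses it too, without waiting for expiry.
    if action not in OWNER_PERMISSIONS.get(claims["owner"], set()):
        return False, "owner no longer holds this permission"
    return True, "ok"


def offboard_agent(agent_id: str) -> None:
    """Defined before onboarding: one call invalidates every token the agent holds."""
    REVOKED_AGENTS.add(agent_id)


def revoke_owner_permission(owner: str, permission: str) -> None:
    OWNER_PERMISSIONS.get(owner, set()).discard(permission)
```

Two things are worth noticing. A scope the owner never held ("finance:pay" for alice) is silently dropped at mint time, so the agent cannot escalate beyond its human. And because `authorize` re-reads the owner directory and the revocation list on each call, a 5-minute token is the upper bound on exposure, not the only control.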
If you could enforce one security control for AI agent deployments, what would it be?
“Scoped, least-privilege credentials issued per invocation and enforced at the app's permission layer, the same one the human-facing product already uses.
We built exactly this into Productive 5.0: Agents are modeled as first-class users, not a separate principal.
Each has its own identity and a role capped by the permissions of the human who owns it.
This means it can never do anything its owner can’t, and it acts through the same permission layer with short-lived, per-session credentials. So, one permission model, applied to humans and agents alike.”
#3 Which AI agent actions require human approval?
Any action that’s hard to reverse, touches sensitive data, or moves money must have human approval before the agent proceeds.
- Define which action categories trigger an approval workflow before deploying.
- Require human sign-off for financial transactions, sensitive data access, and production system changes.
- Build escalation rules for edge cases the agent can’t resolve on its own.
- Maintain rollback paths for every high-risk action category.
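The four bullets above describe one component: a gate between the agent and its tools that classifies each action by reversibility and impact, executes the low-risk ones, parks the high-risk ones until a human signs off, escalates anything it does not recognise, and refuses high-risk categories that have no rollback path. The block below is an added example (not code from the page), with a constructed risk table and a constructed ledger standing in for a finance system.

```python
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Risk tier per action category (constructed). The rule from the text: the higher the
# impact and the harder to reverse, the more human oversight an action needs.
RISK_TIER = {
    "crm.read": "auto",
    "ticket.comment": "auto",
    "email.send_external": "approval",
    "finance.transfer": "approval",
    "prod.config_change": "approval",
}

# Constructed stand-in for the finance system the agent acts on.
LEDGER = {"ops-account": 10_000, "vendor-acme": 0}


@dataclass
class Action:
    id: int
    agent_id: str
    category: str
    params: dict


def execute(action: Action) -> str:
    if action.category == "finance.transfer":
        p = action.params
        LEDGER[p["from"]] -= p["amount"]
        LEDGER[p["to"]] += p["amount"]
        return f"moved {p['amount']} from {p['from']} to {p['to']}"
    return f"{action.category} done"


def undo_transfer(action: Action) -> str:
    p = action.params
    LEDGER[p["from"]] += p["amount"]
    LEDGER[p["to"]] -= p["amount"]
    return "transfer reversed"


# One rollback routine per high-risk category. There is deliberately none for external
# email: a sent message cannot be recalled, so the gate refuses that category outright.
ROLLBACKS: Dict[str, Callable[[Action], str]] = {
    "finance.transfer": undo_transfer,
    "prod.config_change": lambda a: "previous config restored",
}


class ApprovalGate:
    """Sits between the agent and its tools; every action goes through submit()."""

    def __init__(self, executor: Callable[[Action], str], rollbacks: Dict[str, Callable[[Action], str]]):
        self.executor, self.rollbacks = executor, rollbacks
        self.pending: Dict[int, Action] = {}
        self.executed: Dict[int, Action] = {}
        self.audit: List[dict] = []          # every decision, and who made it
        self._ids = itertools.count(1)

    def _record(self, action: Action, status: str, detail: str, actor: str = "gate") -> dict:
        entry = {"action_id": action.id, "agent": action.agent_id, "category": action.category,
                 "status": status, "detail": detail, "actor": actor}
        self.audit.append(entry)
        return entry

    def submit(self, agent_id: str, category: str, params: dict) -> dict:
        action = Action(next(self._ids), agent_id, category, params)
        tier = RISK_TIER.get(category)
        if tier is None:
            # An edge case the agent cannot resolve itself: escalate, never guess.
            return self._record(action, "escalated", "unknown category, routed to the agent owner")
        if tier == "approval" and category not in self.rollbacks:
            return self._record(action, "rejected", "no rollback path defined for this category")
        if tier == "auto":
            return self._record(action, "executed", self.executor(action), actor=agent_id)
        self.pending[action.id] = action
        return self._record(action, "pending", "awaiting human approval")

    def approve(self, action_id: int, approver: str) -> Optional[dict]:
        action = self.pending.get(action_id)
        if action is None:
            return None
        if approver == action.agent_id:
            return self._record(action, "rejected", "an agent cannot approve its own action", actor=approver)
        del self.pending[action_id]
        self.executed[action_id] = action
        return self._record(action, "executed", self.executor(action), actor=approver)

    def deny(self, action_id: int, approver: str, reason: str) -> Optional[dict]:
        action = self.pending.pop(action_id, None)
        return None if action is None else self._record(action, "denied", reason, actor=approver)

    def rollback(self, action_id: int, actor: str) -> Optional[dict]:
        action = self.executed.pop(action_id, None)
        if action is None or action.category not in self.rollbacks:
            return None
        return self._record(action, "rolled_back", self.rollbacks[action.category](action), actor=actor)
```

The self-approval check matters more than it looks: an agent that can call `approve` on its own pending action has turned the human step into theatre, so the approver identity must come from a human session, not from the agent's token.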
“Organizations should trust AI agents with tasks that are repetitive, well-defined, and easily reversible, such as triaging alerts, summarizing logs, generating code suggestions, or identifying configuration drift. These are areas where AI can dramatically improve speed while humans retain oversight.
They shouldn’t allow AI agents to make autonomous decisions involving production changes, security policy exceptions, privileged access, customer data, or incident response without meaningful human review. AI is excellent at accelerating decisions, but it isn’t yet accountable for the consequences of those decisions.
The principle I recommend is simple: the higher the business impact and the harder it is to reverse an action, the more human oversight should be required. AI should amplify expert judgment, not replace it.”
#4 How should AI agents handle secrets and credentials?
Secrets should never appear in agent prompts, memory, or logs. Once a credential is exposed, it can be exfiltrated through prompt injection or accessed by anyone with visibility into that memory layer.
- Store all API keys, tokens, and secrets in a centralized vault.
- Enforce access controls so only the right agents can retrieve them.
- Rotate credentials automatically or on a defined schedule.
- Before deploying an agent, ask: Can a secret reach the agent context? If the answer is yes, that’s an immediate risk to remediate.
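Two pieces of code make the bullets above concrete: the agent is handed an opaque vault handle instead of a secret, and the runtime resolves that handle only inside the tool call, after an ACL check; separately, a scanner answers "can a secret reach the agent context?" by checking prompts, memory entries and log lines for secret-shaped strings before they are sent anywhere. The block below is an added example, not code from the page or from LastPass; the vault contents, ACL, handle scheme and detection patterns are constructed, and the patterns are deliberately crude (they catch common key formats, not every secret).

```python
import re
from typing import Callable, Dict, List, Set

# Constructed stand-in for a secrets vault. Values are made up; the agent only ever
# handles the vault:// handle on the left, never the value on the right.
_VAULT: Dict[str, str] = {
    "vault://crm/api_key": "sk_live_7f3a9c1e2b4d6f8a0c2e4b6d8f0a1c3e",
    "vault://mail/oauth_token": "ya29.a0AfH6SMBexampleTokenValue1234567890",
}

# Which agent may resolve which handle (constructed).
_ACL: Dict[str, Set[str]] = {
    "crm-bot": {"vault://crm/api_key"},
    "mailer-bot": {"vault://mail/oauth_token"},
}

# Crude patterns for secrets that must never appear in a prompt, memory entry, or log line.
SECRET_PATTERNS = [
    ("stripe_style_key", re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("google_oauth_token", re.compile(r"\bya29\.[A-Za-z0-9_\-]{20,}")),
    ("bearer_header", re.compile(r"(?i)authorization:\s*bearer\s+\S+")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def find_secrets(text: str) -> List[str]:
    return [name for name, pat in SECRET_PATTERNS if pat.search(text)]


def scrub(text: str) -> str:
    for name, pat in SECRET_PATTERNS:
        text = pat.sub(f"<redacted:{name}>", text)
    return text


def context_is_clean(messages: List[str]) -> bool:
    """The pre-deployment question from the checklist: can a secret reach the agent context?"""
    return not any(find_secrets(m) for m in messages)


def resolve_secret(agent_id: str, handle: str) -> str:
    if handle not in _ACL.get(agent_id, set()):
        raise PermissionError(f"{agent_id} may not read {handle}")
    if handle not in _VAULT:
        raise KeyError(handle)
    return _VAULT[handle]


def call_tool(agent_id: str, tool: Callable[[dict], object], args: dict, audit_log: List[dict]):
    """Resolve vault handles inside the runtime at call time. The model never sees the value,
    and the audit log records the handle form only, scrubbed in case a raw secret slipped in."""
    resolved = {k: resolve_secret(agent_id, v) if isinstance(v, str) and v.startswith("vault://") else v
                for k, v in args.items()}
    audit_log.append({"agent": agent_id,
                      "args": {k: scrub(v) if isinstance(v, str) else v for k, v in args.items()}})
    return tool(resolved)
```

Run `context_is_clean` over the system prompt, every tool description, and a sample of stored memory before an agent ships, and keep `scrub` in front of the logger permanently: tool outputs are the usual way a raw credential lands in the context without anyone putting it there on purpose.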
“As companies connect AI tools to CRMs and other business applications, the real risk becomes uncontrolled access and credentials.
With AI-powered workflows, they need visibility into who can access which systems and how those credentials are protected.
In practice, agentic AI can amplify the impact of a compromised account or an overly permissive workflow just as quickly as it can improve productivity.
That's where solutions like LastPass can complement AI initiatives. As businesses connect more systems to AI agents, having stronger visibility into credentials, authentication, and SaaS access becomes increasingly important.
In my view, the companies that will be most successful with agentic AI are the ones that treat access management as part of the rollout from day one, not something they address after deployment.”
#5 How do you control which systems an AI agent can reach?
Restrict agents to a pre-approved list of tools and APIs and lock down all outbound network connections. An agent with unrestricted outbound access is a data exfiltration path waiting to be exploited, whether through a malicious instruction or misconfigured workflow.
- Maintain an allowlist of approved integrations and APIs.
- Restrict outbound network calls to known, trusted destinations.
- Log all outbound traffic and flag connections to unknown endpoints.
- Review the allowlist regularly as the agent's task scope changes.
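An outbound allowlist is easy to get subtly wrong: a substring or suffix match lets `api.crm.example.com.attacker.net` through, a userinfo trick like `https://user@api.crm.example.com@evil.net/` fools naive parsing, and raw IP addresses open the door to cloud metadata endpoints. The block below is an added example (not code from the page) of the check and the logging the bullets above ask for; the allowlist hosts and agent names are constructed.

```python
import ipaddress
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: exact hostnames the agent may reach, and the ports allowed on each.
ALLOWED_DESTINATIONS: Dict[str, Set[int]] = {
    "api.crm.example.com": {443},
    "mail.example.com": {443},
}


def check_destination(url: str) -> Tuple[bool, str]:
    """Allow only https to an exact allowlisted host and port. Exact matching matters:
    a substring or suffix check would let api.crm.example.com.attacker.net through."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme not https"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
        # Raw IPs are never allowlisted; 169.254.169.254 (cloud metadata) is the classic target.
        return False, "raw IP address"
    except ValueError:
        pass
    if host not in ALLOWED_DESTINATIONS:
        return False, "host not on allowlist"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_DESTINATIONS[host]:
        return False, "port not allowed"
    return True, "ok"


def outbound_request(agent_id: str, url: str, log: List[dict]) -> dict:
    """Gate every outbound call: log it either way, refuse the ones that fail the check."""
    allowed, reason = check_destination(url)
    entry = {"agent": agent_id, "url": url, "host": urlsplit(url).hostname,
             "allowed": allowed, "reason": reason}
    log.append(entry)
    if not allowed:
        raise PermissionError(f"{agent_id}: outbound to {url!r} blocked: {reason}")
    return entry


def unknown_destinations(log: List[dict]) -> List[str]:
    """Hosts the agent tried to reach that are not on the allowlist: these need review."""
    return sorted({e["host"] for e in log if not e["allowed"] and e["host"]})
```

Treat this in-process check as defence in depth, not the control itself: enforce the same allowlist at the network egress (proxy or firewall) where a compromised agent runtime cannot switch it off, re-check every redirect hop rather than following them blindly, and resolve DNS at the egress so a rebinding trick cannot turn an allowed name into an internal address.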
Where do you think most organizations misunderstand agentic AI risk?
“The largest misconception I see is that people think the risk resides in the model. Teams fret over things like “Will the AI hallucinate?” and “Is my prompt secure?” Yes, that’s important.
But actual business impact from agentic AI won’t come from what the agent says.
It’ll come from what the agent does.
A model that generates an inaccurate summary is an annoyance.
But a model that calls an incorrect API, changes a production record, or initiates a workflow it shouldn’t have access to is where real problems happen.
The model is your reasoning layer. The APIs it connects to are your action layer. Most organizations have focused on locking down reasoning and left the action layer wide open. You can expect your incidents to come from there.”
#6 How do you prevent AI agents from being manipulated through inputs?
Treat every input an agent receives as untrusted until validated. In agentic systems, inputs can become instructions that redirect an agent's behavior.
- Sanitize all inputs before they reach the agent's execution layer.
- Validate instructions against expected formats and permitted actions.
- Restrict execution paths so the agent can’t be redirected to unapproved workflows.
- Never assume the model will catch a malicious instruction on its own.
What’s the biggest “we didn’t think about that” moment you’ve seen when it comes to agentic AI deployment? And what do you think the solution is?
“I know of several instances when an AI agent deleted files in production. The most recent that comes to mind is one where the agent hallucinated and started issuing destructive operations against a database.
Now, the agent had been given the ability to write and delete in production, and it was assumed the model would be careful enough. The engineers had documented the expected format in a skill and figured that would hold.
It didn’t. The agent sent a malformed operation. And once the database was corrupted, the agent couldn’t go back because the database crashed with each operation.
The fix was to stop trusting the agent. The engineers built a strict validation layer between the agent and database that rejected any operation not matching the expected format.
The lesson was that the damage an agent can do is defined by what its access allows, not by what you expect it to do. Whether the trigger is a hallucination or a malicious instruction, the missing layer is the same: permissions.”
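The validation layer in that story, and the bullets under #6, share a shape: the agent produces a structured operation, not SQL; a validator checks it against an explicit schema of permitted tables, columns and operations; identifiers are taken only from that schema; values are bound as parameters; and a write that does not target exactly one row by integer primary key is rejected before it reaches the database. The block below is an added example written for this page, not the engineers' actual code; the schema, the allowed status values and the in-memory SQLite database are constructed.

```python
import sqlite3
from typing import Any, Dict, Tuple

# Tables, columns and operations the agent is permitted to use (constructed). Identifiers are
# only ever copied from this map, never from the agent's output; values are bound as parameters.
SCHEMA = {
    "orders":  {"columns": {"id", "status", "note"}, "key": "id", "ops": {"select", "update"}},
    "tickets": {"columns": {"id", "status", "assignee"}, "key": "id", "ops": {"select", "update", "delete"}},
}
ALLOWED_STATUS = {"open", "pending", "closed"}


class RejectedOperation(ValueError):
    pass


def validate(op: Dict[str, Any]) -> Tuple[str, list]:
    """Accept only a well-formed operation and turn it into parameterized SQL; reject everything else."""
    if not isinstance(op, dict) or set(op) - {"op", "table", "set", "where"}:
        raise RejectedOperation("unexpected fields")
    spec = SCHEMA.get(op.get("table"))
    if spec is None:
        raise RejectedOperation(f"table not permitted: {op.get('table')!r}")
    kind = op.get("op")
    if kind not in spec["ops"]:
        raise RejectedOperation(f"{kind!r} not permitted on {op['table']}")
    where = op.get("where") or {}
    if not isinstance(where, dict) or set(where) - spec["columns"]:
        raise RejectedOperation("where clause references an unknown column")
    if any(isinstance(v, bool) or not isinstance(v, (int, str)) for v in where.values()):
        raise RejectedOperation("where values must be plain integers or strings")
    if kind in ("update", "delete"):
        # Writes must target exactly one row by primary key: no mass updates, no
        # delete-without-where, no key smuggled in as a string the engine might coerce.
        key_val = where.get(spec["key"])
        if isinstance(key_val, bool) or not isinstance(key_val, int):
            raise RejectedOperation(f"{kind} must target one row by integer {spec['key']}")
    table = op["table"]
    if kind == "select":
        sql, params = f"SELECT * FROM {table}", []
    elif kind == "update":
        changes = op.get("set") or {}
        if not isinstance(changes, dict) or not changes or set(changes) - spec["columns"] or spec["key"] in changes:
            raise RejectedOperation("update sets an unknown column, the key column, or nothing")
        if "status" in changes and changes["status"] not in ALLOWED_STATUS:
            raise RejectedOperation(f"status value not permitted: {changes['status']!r}")
        sql = f"UPDATE {table} SET " + ", ".join(f"{c} = ?" for c in changes)
        params = list(changes.values())
    else:
        sql, params = f"DELETE FROM {table}", []
    if where:
        sql += " WHERE " + " AND ".join(f"{c} = ?" for c in where)
        params += list(where.values())
    return sql, params


def check(op: Dict[str, Any]) -> Tuple[bool, str]:
    """Non-raising form: (True, sql) or (False, reason)."""
    try:
        return True, validate(op)[0]
    except RejectedOperation as exc:
        return False, str(exc)


def apply_operation(conn: sqlite3.Connection, op: Dict[str, Any]) -> int:
    """The only path from agent to database. Returns rows affected (or rows read for select)."""
    sql, params = validate(op)
    cur = conn.execute(sql, params)
    conn.commit()
    return len(cur.fetchall()) if op["op"] == "select" else cur.rowcount


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory database so the example runs stand-alone."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT, note TEXT);
        CREATE TABLE tickets (id INTEGER PRIMARY KEY, status TEXT, assignee TEXT);
        INSERT INTO orders VALUES (1, 'open', 'first'), (2, 'open', 'second');
        INSERT INTO tickets VALUES (7, 'open', 'alice');
    """)
    return conn
```

Note what the validator does not try to do: it never inspects the agent's reasoning or asks the model to be careful. It only enforces the shape of what is allowed, so a hallucinated `DELETE` without a key and an injected `'; DROP TABLE` fail the same way, and the database account the agent uses should still be restricted to these tables and operations in case the layer is ever bypassed.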
#7 What does good AI agent logging actually look like?
Good logging captures what the agent did after it authenticated. Many teams can confirm an agent used valid credentials, right?
But how many can explain which APIs it called, what data it accessed, and what actions it triggered downstream? To avoid a finding on your next audit:
- Log every tool call, state transition, retry, and memory update.
- Attach the agent’s identity and permission scope to every logged action.
- Record which data was accessed and where it went, not just that a session occurred.
- Establish a behavioral baseline for each agent, so deviations are obvious.
Do you think most teams are logging enough detail to understand what AI agents do?
“Most SMBs haven’t prioritized logging for AI agents yet. This is because increased system access makes auditing significantly more complex.
Before deploying any agent into production, I would want a complete trail showing inputs, outputs, decisions, tool usage, and user approvals. Security incidents are expensive, but unexplained incidents are even more expensive.”
#8 Should AI agents have full autonomy from Day One?
I can already see you shaking your head. The answer is definitely no for this one.
An agent given excessive access before its behavior has been evaluated is a risk that’s not easily defensible in an audit.
So, start with limited permissions, confirm agent behavior matches expectations, and then expand autonomy incrementally.
- Start with limited permissions.
- Observe and validate behavior against expected patterns.
- Expand autonomy only after the baseline is established, and anomalies are understood.
- Treat each permission expansion as a new deployment decision, not a default progression.
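Controls #7 and #8 are two uses of the same record: a step-level log that attaches identity and permission scope to every tool call and notes which data was touched and where it went. From that log you can compute a baseline, flag calls that deviate from it, gate each expansion of autonomy on the baseline holding, and answer the three auditor questions under #10. The block below is an added example (not code from the page or from any vendor on it); the event names, tool names and the promotion thresholds are constructed.

```python
import json
import time
from collections import Counter
from typing import Iterable, List, Optional, Tuple


class AgentTrace:
    """Step-level log. Every entry carries the agent's identity and permission scope and says
    which data was touched and where it went, emitted as one JSON line per step."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, agent_id: str, scope: Iterable[str], event: str, tool: str,
               data_ref: Optional[str] = None, destination: Optional[str] = None,
               status: str = "ok", ts: Optional[float] = None) -> str:
        entry = {"ts": time.time() if ts is None else ts, "agent": agent_id, "scope": sorted(scope),
                 "event": event, "tool": tool, "data": data_ref, "dest": destination, "status": status}
        self.entries.append(entry)
        return json.dumps(entry, sort_keys=True)

    def for_agent(self, agent_id: str, since: float = float("-inf"), until: float = float("inf")) -> List[dict]:
        return [e for e in self.entries if e["agent"] == agent_id and since <= e["ts"] < until]

    def baseline(self, agent_id: str, until: float) -> Counter:
        """What normal looks like: how often this agent used each tool during the observation period."""
        return Counter(e["tool"] for e in self.for_agent(agent_id, until=until))

    def anomalies(self, agent_id: str, baseline: Counter, since: float) -> List[dict]:
        """Calls after the baseline period that use a tool never seen before, or that failed or were denied."""
        flagged = []
        for e in self.for_agent(agent_id, since=since):
            if baseline[e["tool"]] == 0:
                flagged.append({**e, "why": "tool not in baseline"})
            elif e["status"] != "ok":
                flagged.append({**e, "why": "call failed or was denied"})
        return flagged

    def incident_report(self, agent_id: str) -> dict:
        """The three questions an auditor asks: what data, which systems, where did it go."""
        es = self.for_agent(agent_id)
        return {"data_accessed": sorted({e["data"] for e in es if e["data"]}),
                "systems": sorted({e["tool"] for e in es}),
                "destinations": sorted({e["dest"] for e in es if e["dest"]})}


AUTONOMY_LEVELS = ["observe_only", "act_with_approval", "act_autonomously"]


def promotion_decision(trace: AgentTrace, agent_id: str, current: str, baseline_until: float,
                       min_events: int = 20, max_error_rate: float = 0.05) -> Tuple[str, List[str]]:
    """Expand autonomy one step only when a baseline exists, the error rate is low, and nothing
    anomalous happened since. Each call is a deliberate decision, never an automatic progression."""
    events = trace.for_agent(agent_id)
    reasons = []
    if current == AUTONOMY_LEVELS[-1]:
        reasons.append("already at highest autonomy level")
    if len(events) < min_events:
        reasons.append(f"baseline not established: {len(events)}/{min_events} events")
    errors = sum(e["status"] != "ok" for e in events)
    if events and errors / len(events) > max_error_rate:
        reasons.append(f"error rate {errors / len(events):.1%} above {max_error_rate:.0%}")
    flagged = trace.anomalies(agent_id, trace.baseline(agent_id, baseline_until), since=baseline_until)
    if flagged:
        reasons.append(f"{len(flagged)} anomalous call(s) since baseline; investigate before expanding")
    if reasons:
        return current, reasons
    return AUTONOMY_LEVELS[AUTONOMY_LEVELS.index(current) + 1], ["baseline established, behaviour within expectations"]
```

The `destination` field is the one most teams omit and the one that answers "where did the data go" during an incident; record it for every tool that can send data out, not only for HTTP calls.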
#9 How do you protect the data and memory an AI agent relies on?
Agents rely on context to function correctly. When that context is corrupted or poisoned, the agent starts making confident decisions based on bad information, and those decisions can cascade across every system it has access to.
- Separate system configuration data from user data at the architecture level.
- Enforce isolation between agent memory contexts.
- Version and back up agent memory, so corruption is detectable and reversible.
- Validate context quality on an ongoing basis, not just at initial setup.
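The four bullets above map onto a small memory store: writes are validated against a fixed shape that has no room for system configuration, each accepted write becomes a new version whose hash covers the previous version's hash (so out-of-band corruption is detectable and any intact version can be restored), staleness is checked before the memory is used, and one agent cannot open another's store. The block below is an added example, not code from the page; the allowed sources, the memory shape and the limits are constructed.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

# What a memory snapshot may look like (constructed). System configuration is not part of
# this structure at all, so a poisoned memory cannot redefine how the agent is configured.
ALLOWED_SOURCES = {"user", "crm", "ticketing"}
MAX_FACT_LENGTH = 300


def validate_memory(data: Any) -> Tuple[bool, str]:
    if not isinstance(data, dict) or set(data) - {"facts", "open_tasks"}:
        return False, "unexpected top-level keys"
    facts, tasks = data.get("facts", []), data.get("open_tasks", [])
    if not isinstance(facts, list) or not isinstance(tasks, list):
        return False, "facts and open_tasks must be lists"
    for fact in facts:
        if not isinstance(fact, dict) or set(fact) != {"text", "source", "ts"}:
            return False, "malformed fact"
        if fact["source"] not in ALLOWED_SOURCES:
            return False, f"untrusted source {fact['source']!r}"
        if not isinstance(fact["text"], str) or len(fact["text"]) > MAX_FACT_LENGTH:
            return False, "fact text missing or too long"
    if not all(isinstance(t, str) for t in tasks):
        return False, "malformed task list"
    return True, "ok"


class VersionedMemory:
    """One agent's memory. Each write is validated, then stored as a new version whose hash covers
    the previous version's hash, so silent corruption shows up and any intact version can be restored."""

    def __init__(self, agent_id: str):
        self.agent_id = agent_id
        self.versions: List[dict] = []

    @staticmethod
    def _digest(prev: str, data: dict) -> str:
        return hashlib.sha256(json.dumps([prev, data], sort_keys=True).encode()).hexdigest()

    def write(self, data: dict, ts: float) -> int:
        ok, why = validate_memory(data)
        if not ok:
            raise ValueError(f"memory update rejected: {why}")
        prev = self.versions[-1]["hash"] if self.versions else "0" * 64
        snapshot = json.loads(json.dumps(data))          # defensive copy, JSON-only content
        self.versions.append({"v": len(self.versions) + 1, "ts": ts, "prev": prev,
                              "data": snapshot, "hash": self._digest(prev, snapshot)})
        return self.versions[-1]["v"]

    def current(self) -> Optional[dict]:
        return self.versions[-1]["data"] if self.versions else None

    def verify(self) -> List[int]:
        """Numbers of versions whose content or chain link no longer matches what was written."""
        bad, prev = [], "0" * 64
        for v in self.versions:
            if v["prev"] != prev or v["hash"] != self._digest(v["prev"], v["data"]):
                bad.append(v["v"])
            prev = v["hash"]
        return bad

    def is_stale(self, now: float, max_age: float) -> bool:
        return not self.versions or now - self.versions[-1]["ts"] > max_age

    def rollback(self, version: int, ts: float) -> int:
        """Restore an earlier, still-intact version as a new version (history is never rewritten)."""
        target = self.versions[version - 1]
        if target["hash"] != self._digest(target["prev"], target["data"]):
            raise ValueError(f"version {version} is itself corrupted")
        return self.write(target["data"], ts)


class MemoryRegistry:
    """Isolation between agents: memory is keyed by agent and only that agent may open it."""

    def __init__(self) -> None:
        self._stores: Dict[str, VersionedMemory] = {}

    def open(self, agent_id: str, requester: str) -> VersionedMemory:
        if requester != agent_id:
            raise PermissionError(f"{requester} may not access memory of {agent_id}")
        return self._stores.setdefault(agent_id, VersionedMemory(agent_id))
```

One caveat on what each part catches: the hash chain only detects changes made behind the store's back (a corrupted file, a direct database edit). A poisoned fact that arrives through the normal write path looks perfectly valid to the chain, which is why the validator, and in particular its source allowlist, is the control that stops memory poisoning via prompt injection, and why facts sourced from web content or tool output should not be persisted as facts at all.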
What do you think are the biggest gaps you see in how organizations handle agent permissions?
“Most of the problems I see are from companies operating with this assumption: that agents work like smart assistants.
But if your agent can access anything customer-related or sensitive, it needs the same security protocols as any human employee.
This includes having a unique user identity, the least possible number of privileges, and monitoring to watch what the agent is doing.
The first advice I give to any SMB I work with is this: Run agent processes within an isolated environment and limit access of said agent to only the tasks it needs to perform.
This alone closes more security gaps than buying a multi-thousand-dollar piece of software. On top of that, carry out real-time activity monitoring.
I’m most worried about prompt injections and agent memory. People don’t realize agents store context between conversations.
It’s important the memories themselves are protected, versioned, and backed up. If the agent’s memory is corrupted (via memory poisoning or prompt injection) and exploited, it’ll start making confident but bad choices.
Finally, we have Shadow AI, where an employee sets up agents without IT knowledge. People can connect these to their company data with no one the wiser. With Shadow AI, unauthorized agents operate with zero visibility for your business, yet you bear 100% of the risk.
Unless you nail security from the ground up, there’s absolutely nothing to stop the agent from being the point where all hell breaks loose.
So, keep the human decision-makers in the loop, routinely check permissions your AI agents can pull and don’t fall into the trap of having a "security sprint" and considering the job "done."
#10 How do you prove what an AI agent did during an incident?
Unexplained activity is treated as a finding regardless of whether harm occurred. You need to be able to answer three questions for any auditor or client: What data did the agent access, what systems did it interact with, and where did that data go?
- Trace every agent action across systems and link each action to an identity.
- Map every control to a logged artifact: Access records, configuration exports, activity logs
- Demonstrate data access, data movement, and system impact.
- For compliance: Ensure every checklist control has a corresponding evidence artifact before your audit.
“The number one fear I hear from CISOs today isn’t the one they publicly express. In public, they talk about ransomware and nation-state attacks.
But in private, they’re telling me about agents their own developer put into production six months ago that no one’s tracking.
And how when that developer left the company, no one rotated the credentials. Which meant the agent was still active, connected to production systems, and making API calls.
That’s the attack surface most orgs are unprepared to defend because they aren’t aware it’s there.”
How does credential management connect to agentic AI security?
Credential management is the core of agentic AI security. Most agentic AI breaches don't originate from the model itself.
They come from exposed API keys, over-permissioned tokens, or shadow agents running long-lived credentials.
And just ONE compromised credential can grant system access, enable lateral movement, and expose sensitive data.
If you already manage human identities through a centralized vault with enforced least-privilege, you have a good foundation.
The challenge is extending that foundation to cover machine identities.
How does LastPass fit into your agentic AI security strategy?
LastPass addresses the human access foundation, the part of agentic AI security that has to be in place before anything else can work:
- Centralized credentials: The LastPass vault stores passwords, and Secure Notes lets your team store API keys and other secrets in the vault rather than in spreadsheets, docs, or code repos, which removes the most common first point of exposure.*
*Note: If your environment requires automated, programmatic rotation, a dedicated secrets manager such as HashiCorp Vault can help, but it requires custom configuration. With LastPass, you’ll need to rotate API keys and tokens manually, but you get credential security, SaaS visibility, and access controls without standing up additional infrastructure.
- Enforced least privilege: LastPass lets you set password policies, enforce MFA for vault access, manage shared credentials, and revoke credentials when someone leaves or changes roles.
- Support for audits: LastPass generates access activity logs that answer the first question auditors always ask: Who has access to what, and is it monitored?
- SaaS & AI tool discovery: LastPass surfaces which AI tools your team is accessing, including the ones IT didn't approve. As shadow agents introduce new risks to company data, knowing what tools are running is the first step in AI agent governance.
In agentic environments, the human access foundation has to hold before you can build anything else on top of it. LastPass is where that foundation starts.
It complements agent security platforms like Salt Security that provide visibility into full agent behavior, such as which APIs an agent called, what data it retrieved, and what it did downstream.
See which AI tools are accessing your data without IT oversight. Run a SaaS Monitoring scan now.