
Most companies deploying AI agents right now have no idea what those agents can actually access.

I just passed the Proofpoint Certified AI Agent Security Specialist cert. Not posting it to flex — the material was genuinely worth it, and a few things stood out that I think more people building with agents should know.

There's a maturity model for AI agent security. Level 1 is called "Legacy." The description: blind. Shadow AI everywhere — employees connecting Claude Code, Copilot, or any autonomous tool to company systems with nobody tracking it. No inventory, no policies, no audit trails. Most organizations — including ones already paying for enterprise AI licenses — are here. They don't know it.

OWASP published a Top 10 specifically for agentic applications in December 2025 — separate from the OWASP Top 10 for LLM Applications. Supply chain attacks via MCP servers, agents hijacking their own goals through prompt injection, agents inheriting credentials they shouldn't have. Items 7, 8, and 10 don't exist in the standard LLM security list — they only appear in multi-agent systems.

Three questions that cut through everything:

→ What can the agent do?

→ What should it do?

→ What does it actually do?

Most deployments only think about question one. The gap between two and three is where the security problem lives.

Role-based access control (RBAC) alone isn't enough. Intent-Based Access Control (IBAC) means an agent can only access a resource when the current task actually requires it. Not just "can access" — "should access for this specific purpose." Most enterprise setups don't have this.
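To make the three questions and the IBAC idea concrete, here is an added example (mine, not from the post, the cert material, or any product it names): a role grant set models "can do", a per-task scope models "should do", a constructed tool-call log models "actually does", and the audit reports every call RBAC would have waved through but a task-scoped check denies. Role names, task names, permission strings and log entries are all invented for the illustration.

```python
"""Intent-based access check for an agent plus an audit of the can/should/does gap.
All names and log lines below are constructed for this example."""
from dataclasses import dataclass

# What the agent CAN do: RBAC-style grants attached to its role (constructed).
ROLE_GRANTS = {"support-agent": {"crm:read", "crm:write", "email:send", "billing:read"}}

# What the agent SHOULD do: the permissions each task actually requires (constructed).
TASK_SCOPES = {
    "answer-ticket": {"crm:read", "email:send"},
    "refund-check": {"crm:read", "billing:read"},
}

@dataclass
class Decision:
    allowed: bool
    reason: str

def ibac_check(role: str, task: str, permission: str) -> Decision:
    """Allow only if the role grants the permission AND the current task needs it.
    Unknown tasks are denied by default rather than falling back to the role grant."""
    if permission not in ROLE_GRANTS.get(role, set()):
        return Decision(False, f"{permission} not granted to role {role!r}")
    if task not in TASK_SCOPES:
        return Decision(False, f"unknown task {task!r}; deny by default")
    if permission not in TASK_SCOPES[task]:
        return Decision(False, f"{permission} not required by task {task!r}")
    return Decision(True, "ok")

# What the agent ACTUALLY did: constructed audit log of (task, permission) tool calls.
AUDIT_LOG = [
    ("answer-ticket", "crm:read"),
    ("answer-ticket", "email:send"),
    ("answer-ticket", "crm:write"),   # role allows it, this task never needs it
    ("refund-check", "billing:read"),
    ("refund-check", "email:send"),   # permission leaked in from a different task
]

def audit_gap(role: str, log) -> list[tuple[str, str, str]]:
    """Return (task, permission, reason) for each call RBAC would allow but IBAC denies.
    This is the should-do vs. actually-does gap that a role check alone never surfaces."""
    findings = []
    for task, perm in log:
        rbac_ok = perm in ROLE_GRANTS.get(role, set())
        decision = ibac_check(role, task, perm)
        if rbac_ok and not decision.allowed:
            findings.append((task, perm, decision.reason))
    return findings

if __name__ == "__main__":
    for finding in audit_gap("support-agent", AUDIT_LOG):
        print("GAP:", finding)
```

Run against real tool-call telemetry, the same audit turns "what does it actually do?" into a list of over-reaching calls to either revoke from the role or add to a task scope deliberately.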

My own honest audit: my claude.md files are Agent Manifests — Level 3 governance. My MCP connections are Level 1 security. That's the gap I'm working on.

The space is moving fast. The security thinking hasn't kept up.

→ Where does your company sit on this? Reply — genuinely curious.

→ I write about building with AI agents in The AI Brief — subscribe if this is your world.

Apr 2 at 9:48 AM