Governance in the New AI Agent World
I’ve been reading 7 Seconds to Die, by John Antal, about the short 2020 war between Armenia and Azerbaijan. Underneath, it’s about the moment the rules changed and most of the people fighting didn’t notice.
Antal argues that cheap drones, constant surveillance, and precision strikes turned the battlefield transparent. Armies used to survive by hiding in terrain, at night, or behind camouflage. That stopped working. Once something could be seen, it could be hit. And once it could be hit, the rest became a matter of time.
Finding the target came to matter more than owning the biggest gun. Reaction time collapsed, too. A soldier who heard a loitering munition overhead had seconds, not minutes, to respond. By the time a request worked its way up to headquarters and back, that soldier would already be dead. The side fighting the old way lost because the world had changed but its playbook hadn’t.
Take the war out of it, and Antal is describing what happens when three things become true at once: everything can be seen, decisions move faster than people can react, and autonomous systems carry those decisions into action. That same pattern is playing out across the enterprise workforce with AI agents, and the old playbook for governance can’t keep up.
Traditional governance ends at autonomous execution
Last week, a security team came to talk to me about their “AI agent identity” and “governance” problems. They used traditional terms, but those terms didn’t seem to fit the problems they were actually facing.
They had agents operating with scoped credentials, doing real work, and various fragments of control across their stack, but still no way to know whether the next autonomous action would be safe or disastrous. In a sense, they too were fighting the old war.
Nonhuman identity and baseline access controls are necessary. But regardless of how tightly scoped they are, they aren’t enough. Agent risk rarely sits inside a single command. It accumulates across a chain of actions, where each step adds context, expands what the agent knows, and can increase what it’s capable of doing next. The risk is progressive and dynamic.
An agent might start by reading a ticket, then inspect a repository, open a shell, query logs, pull credentials from a local file, and propose a change to production. Each step may look reasonable in isolation, but the sequence can quietly turn a normal workflow into an attack path.
So the question was no longer only who had access. It was what the machine was about to do with that access, and whether anyone could stop the wrong action before it was too late.
The actor was step one. The act is the job now.
And those actions are compounding as agents get deployed across enterprise workstations, unleashing a drone army that dispatches autonomous jobs against your enterprise data. Our conversation quickly turned to two questions: how do you safeguard agent thoughts and actions, and how do you keep up?
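To make the chain above concrete (ticket, repository, shell, logs, local credentials, production change), here is an added example, not Certiv's code or any product's API: a stateless allow-list passes every step, while a check that carries session context holds the last one. The action names, labels, paths, and the single hold rule are all constructed assumptions, and the rule is a minimal stand-in, not the intent-aware control this post argues for.

```python
"""Per-step allow-list vs. session-aware check over one agent session (constructed data)."""

# Hypothetical action names; each maps to the context labels it adds to the session.
LABELS = {
    "read_ticket": {"untrusted_input"},   # ticket text can be written by outsiders
    "inspect_repo": set(),
    "open_shell": {"shell"},
    "query_logs": set(),
    "read_local_file": set(),             # label depends on the path, see below
    "propose_prod_change": set(),
}
ALLOWED = set(LABELS)                     # scoped credentials permit every action here
SECRET_HINTS = (".aws/credentials", ".env", "id_rsa")  # assumed secret-bearing paths

# An action is held for review if the session already carries all of these labels.
HOLD_IF = {"propose_prod_change": {"untrusted_input", "secrets"}}


def per_step(action):
    """Stateless check: is this single action on the allow-list?"""
    return action in ALLOWED


def evaluate_session(steps):
    """Stateful check: return (index, action, reason) for the first held step, else None."""
    seen = set()
    for i, (action, target) in enumerate(steps):
        if not per_step(action):
            return i, action, "not on allow-list"
        required = HOLD_IF.get(action)
        if required and required <= seen:
            return i, action, "session already holds: " + ", ".join(sorted(required))
        seen |= LABELS[action]
        if action == "read_local_file" and any(h in target for h in SECRET_HINTS):
            seen.add("secrets")
    return None


# Constructed session following the chain in the text.
CHAIN = [
    ("read_ticket", "TICKET-0001"),
    ("inspect_repo", "example/service"),
    ("open_shell", ""),
    ("query_logs", "service=example"),
    ("read_local_file", "/home/dev/.aws/credentials"),
    ("propose_prod_change", "example/service"),
]
# Same workflow without the credential read: nothing is held.
BENIGN = [s for s in CHAIN if s[0] != "read_local_file"]
```

The same final action is allowed in `BENIGN` and held in `CHAIN`, which is the point: the decision depends on what the session has already touched, not on the action alone.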
Extending governance into Agent Assurance
A good friend of mine in security has a saying: “You can’t protect a probabilistic system with deterministic rules alone.” Most people understand that agents don’t follow fixed paths. They reason, adapt, and take actions based on the goals and context they encounter along the way. You cannot decide in advance exactly what every agent may do and box it in completely.
I think of the gap this creates as the agent execution control gap. It’s the space between defining what an agent is allowed to do, which is what traditional systems cover, and being able to understand, judge, and control what it’s actually about to do, in context, before it acts.
To achieve Agent Assurance, we have to see the whole agent story and go beyond the traditional governance and fractured control model that covers only part of the action surface. Maintaining Agent Assurance requires intent-aware, proactive control over agent actions, and that control has to be continuous and fast.
Nothing in your current stack does this end-to-end
Many of the customers I talk to recognize pieces of this gap, but they define it too narrowly while the risk keeps piling up. Identity and access controls still matter, but they don’t answer the harder question: should this action happen now, in this context, from this agent?
They focus on integrations, MCP servers, gateways, or controls built into a specific agent framework. Most of these are also opt-in. They protect the actions that pass through them, while the agent may still act through other tools, local files, the shell, a browser, or whatever the next new action surface turns out to be.
All of these systems can have a place. But each one sees only a fraction of the agent’s story and workflow. To use Antal’s battlefield analogy, this landscape isn’t transparent yet, and humans aren’t keeping up.
There’s a deeper problem underneath that. The agent shouldn’t grade its own homework. The system doing the work can’t be the only system deciding whether the work is safe. Assurance has to sit outside any single agent and answer to the enterprise, not the agent’s maker.
Intent-aware, proactive controls for agents
Agents require more than governance. They require continuous assurance. It’s the same shift Antal described on the battlefield at the start of this post: everything became visible, the time to react collapsed, and central command could no longer review every decision before it was too late.
Without that shift, organizations end up in one of two places. They lock agents out of anything that matters and lose the productivity they wanted in the first place, or they let agents run while carrying risks they can’t see, control, or explain.
Neither one scales.
At Certiv, we’re focused on protecting the agentic workstation, where agents have the most power and organizations have the least control. Assurance at the endpoint is how you say yes to more access, more autonomy, and more meaningful work. You can see what the agent is doing, understand where the work is heading, control the action before it executes, and prove what happened afterward.
We start where customers start: discovering the shadow agents, tools, and actions already running. Then we provide the level of governance and assurance needed to protect that work and that workstation.
Your developer’s machine already holds access to much of what matters. Anthropic has reported that Claude Code users approve 93% of permission prompts. An autonomous system is acting, and users can’t keep up.
— Jason, Co-founder & CEO, Certiv