The Real AI Security Risk Isn’t Data Leakage. It’s What Your Agents Can Do

For most of the history of corporate cybersecurity, the central problem was access. Could the attacker get in? The defensive model followed: harden the perimeter, segment the network, control the gates, train the staff to recognize phishing. That logic still applies. It is no longer sufficient.

The more consequential new question is authority. What can the AI agent actually do once it is already inside?

Granting Code Agency

Aaron Portnoy, Chief Product Officer at AI security firm Mindgard, has been making this argument before it reached board agendas. In an earlier interview, he described the structural problem with a directness that most vendor materials avoid: “You are granting code agency.”

That phrase is worth sitting with. An AI agent with enterprise permissions is not a chatbot. It can retrieve documents, query databases, write and execute code, open tickets, draft and send emails, move files, and trigger downstream workflows. It reads business context in natural language and acts on it. That capability is what makes it useful. It is also what makes it exploitable.

“I can coerce an internal asset to produce malicious content from the inside,” Portnoy explained. “I’m not going to try to send that over the network. I’m just going to instruct in natural language to this agent, and it will build it and run it for me.”

The attacker, in this model, does not need to defeat the firewall. He needs to construct a sentence the agent finds plausible.

The Compliance Trap

The boardroom conversation about AI security has so far centered on the wrong problem. Most governance frameworks are built around data leakage: an employee pasting proprietary content into a public model, a vendor training on private data, a model surfacing sensitive information in a response.

Those risks are real. They are also the ones that translate most easily into policy checklists and compliance slides. They are not the structural threat.

The harder problem is model coercion, and it sits outside the scope of most existing frameworks.

Recent analysis of enterprise AI governance drawing on McKinsey data captures the gap. Around 88% of organizations now use AI in at least one business function. But approximately two-thirds of board directors report limited or no AI experience. Fewer than a quarter of companies have board-approved AI policies. Only about 15% of boards receive AI-related metrics.

That describes an organization that has broadly adopted a technology its governance layer does not yet see clearly.

The Asymmetry Problem

Portnoy’s second observation concerns speed. In the contest between attack and defense, the feedback loops are not equal.

“There’s a bit of an asymmetry in the difficulty of using AI effectively for attackers and defenders,” he noted, “mainly because attackers have a tight feedback loop. Right now it sure seems like attackers are adopting AI a lot faster than defenders.”

This matters because of how prompt injection attacks are developed. An attacker can test thousands of variations of a malicious instruction — changing phrasing, disguising intent as routine business context, fragmenting a harmful task into individually benign steps. Each failure informs the next attempt. The iteration cost is low.

Defenders face a structurally harder task. They must protect systems that interact with messy, context-dependent natural language across every business function. A guardrail that blocks one attack may interrupt a legitimate workflow. A defense that holds today may fail tomorrow as context shifts.

Mandiant’s M-Trends 2026 report records that state-sponsored and criminal actors are already using large language models for hyper-personalized social engineering and for malware that queries models mid-execution to evade detection. The baseline pattern of enterprise breaches remains human and systemic failure. The AI layer adds a new attack surface on top of the existing one.

When Language Meets Steel

The risk sharpens considerably when agentic AI is deployed in operational technology environments.

Energy operators, industrial manufacturers, and utilities are under genuine pressure to use AI. The complexity of modern energy systems — more intermittent renewable generation, growing data center load, volatile commodity inputs — creates real demand for AI-assisted dispatch, maintenance prioritization, anomaly detection, and asset monitoring.

An agent embedded in those workflows can add significant value. It can also become part of the control fabric in ways that are harder to govern than traditional enterprise software.

This is where Portnoy’s third observation becomes most important: “You don’t have access to the system or control how it’s thinking. You only have access to the behavior, which is stochastic in nature. You may see it behave one way one day, and the next minute it’s going to behave entirely differently.”

Traditional operational technology runs on deterministic logic. A valve is open or closed. A breaker trips or it does not. Introducing a probabilistic decision layer into that environment is not inherently dangerous — industrial systems already use sophisticated software and optimization algorithms. The governance question is authority. What can the model change? What requires human approval? What happens if the agent’s context is manipulated through a maintenance ticket, a supplier document, or a routine log it was asked to process?

Those are safety engineering questions that also have a cybersecurity answer. At the moment, they are rarely in the same room.

Gartner has forecast that by 2028, a quarter of enterprise breaches will be attributable to AI agent abuse. That direction is consistent with current deployment trajectories.

Three Controls That Actually Matter

The standard enterprise response to AI security risk is to convert it into a governance exercise. Write acceptable-use policies. Approve the vendor. Review the data terms. Commission a training module.

That produces compliance. It does not produce operational security.

Three controls define the real posture for enterprise AI. Privilege determines what the model can actually do: which systems it can read, which it can write, which it can call. Context determines what the model is allowed to read and believe: what data it retrieves, which sources it trusts, what it treats as authoritative instruction. Blast radius determines how far a manipulated output can travel before a person or system intercepts it.

Most companies have thought carefully about the first. Fewer have fully addressed the second. Almost none can confidently answer questions about the third.
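The three controls above can be expressed as a policy gate that sits between an agent and its tools. The following is an added illustration, not code from Mindgard or any product named in the article; the tool names, sources and the "maintenance ticket with an embedded supplier PDF" scenario are constructed for the example.

```python
from dataclasses import dataclass

# Constructed tool catalogue for a hypothetical maintenance agent (not a real product API).
READ_ONLY_TOOLS = {"read_doc", "read_log", "search_tickets"}
WRITE_TOOLS = {"open_ticket", "send_email", "change_setpoint"}

@dataclass
class AgentPolicy:
    allowed_tools: set              # Privilege: tools the agent may call at all
    trusted_sources: set            # Context: sources whose content may drive a write
    approval_required: set          # Blast radius: writes that always need a human gate
    max_autonomous_writes: int = 1  # Blast radius: writes per task before review

@dataclass
class Action:
    tool: str
    origin: str                     # where the content that prompted this step came from
def evaluate(policy: AgentPolicy, actions: list) -> list:
    """One verdict per proposed action; checks run privilege, then context, then blast radius."""
    verdicts, writes = [], 0
    for a in actions:
        if a.tool not in policy.allowed_tools:
            verdicts.append("deny:privilege")      # tool was never granted
        elif a.tool in WRITE_TOOLS and a.origin not in policy.trusted_sources:
            verdicts.append("deny:context")        # untrusted text is data, not instruction
        elif a.tool in policy.approval_required:
            verdicts.append("hold:approval")       # a person must confirm this write
        elif a.tool in WRITE_TOOLS:
            writes += 1
            verdicts.append("allow" if writes <= policy.max_autonomous_writes else "hold:blast_radius")
        else:
            verdicts.append("allow")               # read-only tool, any source
    return verdicts
# Constructed scenario: the agent works a maintenance ticket that embeds a supplier PDF.
MAINTENANCE_POLICY = AgentPolicy(
    allowed_tools=READ_ONLY_TOOLS | WRITE_TOOLS,
    trusted_sources={"ticketing_system", "operator_chat"},
    approval_required={"change_setpoint"},
)
SAMPLE_TASK = [
    Action("read_doc", "ticketing_system"),         # read the ticket itself
    Action("change_setpoint", "supplier_pdf"),      # instruction found inside the attachment
    Action("open_ticket", "ticketing_system"),      # first autonomous write
    Action("send_email", "ticketing_system"),       # second write: exceeds the limit
    Action("run_shell", "ticketing_system"),        # never granted to this agent
]
if __name__ == "__main__":
    for act, verdict in zip(SAMPLE_TASK, evaluate(MAINTENANCE_POLICY, SAMPLE_TASK)):
        print(f"{act.tool:16} from {act.origin:16} -> {verdict}")
```

The ordering matters: a setpoint change requested by text inside the supplier document is refused on context grounds before the approval gate is ever reached, so the human reviewer never sees a manipulated request dressed up as routine.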

The missing operational step is adversarial testing: systematically trying to manipulate enterprise AI systems with the same creative pressure an attacker would apply, before an attacker does. Not annual penetration testing. Continuous, AI-assisted red-teaming of model behavior under adversarial prompting, in the actual environment where it runs, with the actual permissions it holds.

The Control Question

The near-term technical reality is more constrained than the threat picture implies. Enterprise agents today are still relatively narrow. Running them at meaningful scale is expensive. Many serious actions still require human approval.

But the constraints are easing. Costs are falling. Context windows are growing. Tool access is widening. The first generation of enterprise agents summarizes. The second drafts and recommends. The third will act with less supervision than the second.

Security frameworks need to track that progression rather than catch up to it after an incident.

The board question should be specific. Not: “Is our AI compliant?” But: “What can our AI agents do on a bad day — and does anyone in this room know the answer?”

The perimeter is not dead because firewalls failed. It is losing authority because companies are placing AI systems on the trusted side of the wall without fully accounting for what trust, in that context, actually means.

The new perimeter is a privilege model. For most organizations, it has not been designed yet.
