AI agents are crossing from assistance into action

AI agents are no longer being discussed as simple chat interfaces that answer questions and draft text. According to experts speaking at Snowflake Summit, they are increasingly being positioned as digital workers that can take actions across applications and data environments. That shift changes the risk profile dramatically. Once a system can retrieve information, make decisions, and execute steps on a user’s behalf, the core question is no longer whether the model is useful. It becomes whether the organization has defined the limits of its authority clearly enough to keep it from causing damage.

That was the central theme in comments highlighted by ZDNET, where security and identity specialists argued that companies need to approach agent deployment with much more discipline than many early pilots suggest. The strongest warning came in plain language: treat agents like eager but misguided interns. The analogy is useful because it captures both the promise and the problem. Interns can be productive, but only when their scope is well defined, their permissions are constrained, and a responsible manager is accountable for the outcome. AI agents, the panelists suggested, need the same structure.

Permissions are becoming the real battleground

Mayank Agarwal, founder and CTO of Resolve AI, warned that giving an agent a broad goal without strong restraints can quickly produce unwanted results. His point was not that agents are inherently reckless, but that they operate in ways that are much less predictable than traditional software. Older automation pipelines were explicit: a system called one API, passed a known payload, and triggered a known follow-on action. Agentic systems can assemble paths dynamically while trying to satisfy a goal. That flexibility is exactly what makes them attractive, and exactly what makes them harder to govern.

In practice, that means enterprise teams cannot stop at feature-level testing. They need to model what an agent is allowed to read, what it is allowed to write, whose authority it operates under, and what systems it is never permitted to touch without escalation. Nancy Wang, CTO of 1Password, emphasized that context and intent matter alongside capability. Knowing what an agent was built to do is not enough; organizations also need to understand the authority it is using and the implications of the data it can access.

This is a familiar governance problem in a new wrapper. Companies have long managed privileged human users, service accounts, and integration credentials. AI agents combine aspects of all three. They can appear conversational and low risk, but under the hood they may be wired to sensitive systems, internal knowledge bases, procurement tools, or customer records. That makes least-privilege design, audit trails, and approval workflows more important, not less.

Why the old software playbook is under pressure

One of the more important ideas in the discussion is that conventional development assumptions do not map cleanly onto agentic software. In deterministic systems, teams can often reason through failure modes in advance because the logic chain is deliberately built. Agentic systems introduce more open-ended behavior. A developer may define the goal and the toolset, but not every intermediate step the system will choose. That does not mean the system is uncontrollable. It means control has to be designed differently.

For enterprise buyers, that likely translates into a new checklist. Before deployment, teams will need to define role boundaries, escalation thresholds, logging requirements, and human review points. During deployment, they will need monitoring that can catch unusual tool use, excessive retries, and attempts to access information outside normal patterns. After deployment, they will need governance that answers a basic operational question: if the agent makes a costly or harmful decision, who owns the incident?
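One way to make that checklist concrete is a policy gate between the agent and its tools that enforces read and write scopes, forces escalation for systems the agent may never touch on its own, logs every decision, and halts the agent on repeated denied attempts. This is an added illustration, not code from the panelists, ZDNET, or any named vendor; the policy schema, system names, principal name and threshold are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class AgentPolicy:
    """Least-privilege remit for one agent (hypothetical schema)."""
    principal: str         # whose authority the agent acts under
    read: frozenset        # systems it may read
    write: frozenset       # systems it may write
    escalate: frozenset    # systems it may touch only after human approval
    max_denials: int = 3   # repeated blocked attempts halt the agent

@dataclass
class PolicyGate:
    """Sits between the agent and its tools; every decision is logged."""
    policy: AgentPolicy
    audit: list = field(default_factory=list)
    denials: Counter = field(default_factory=Counter)
    halted: bool = False
    def decide(self, tool: str, system: str, action: str) -> str:
        if self.halted:
            verdict = "halt"
        elif system in self.policy.escalate:
            verdict = "escalate"   # park the call for a human reviewer
        elif action == "read" and system in self.policy.read:
            verdict = "allow"
        elif action == "write" and system in self.policy.write:
            verdict = "allow"
        else:
            verdict = "deny"
        if verdict == "deny":
            self.denials[system] += 1
            if self.denials[system] >= self.policy.max_denials:
                self.halted = True  # excessive retries: stop and alert
                verdict = "halt"
        self.audit.append({"principal": self.policy.principal, "tool": tool,
                           "system": system, "action": action, "verdict": verdict})
        return verdict

def demo():
    """Constructed tool calls from a hypothetical procurement agent."""
    policy = AgentPolicy("svc-procurement-agent",
                         read=frozenset({"vendor_catalog", "purchase_orders"}),
                         write=frozenset({"purchase_orders"}),
                         escalate=frozenset({"payments"}))
    gate = PolicyGate(policy)
    calls = [("search", "vendor_catalog", "read"), ("update", "purchase_orders", "write"),
             ("transfer", "payments", "write")] + [("query", "hr_records", "read")] * 3
    return [gate.decide(*c) for c in calls + [("search", "vendor_catalog", "read")]], gate.audit
```

The audit list is what answers the "who owns the incident" question after the fact: every entry names the principal the agent acted under, the tool, the system and the verdict.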

That accountability question is easy to overlook during early experimentation because many pilots are framed as productivity gains. But the productivity story changes once agents are allowed to act independently. Then they stop being only software features and start becoming operational actors inside the business.

The next phase of adoption will be about control

The significance of the Snowflake Summit discussion is not simply that experts are urging caution. It is that the debate has moved beyond model quality and into enterprise control architecture. Companies appear increasingly willing to test agents in real workflows, but the guardrails around those agents are still uneven. That creates a gap between technical capability and organizational readiness.

For firms moving quickly, the temptation will be to expand access first and write policy later. The warnings in this discussion point the other way. If an agent can touch business systems, it should have a sharply bounded remit, a clear chain of authority, and continuous oversight. Otherwise the same autonomy that makes it useful can make it expensive, noncompliant, or unsafe.

In that sense, the intern metaphor may stick because it captures the operational reality better than the marketing language does. AI agents may be capable, fast, and increasingly independent. But without structure, context, and supervision, they are still not ready to be left alone with the keys.

This article is based on reporting by ZDNET.

Originally published on zdnet.com