Your company is deploying AI agents. If you’re not yet, your competitors are — and some of your vendors and partners already have. These are not chatbots. They are autonomous software systems that take real actions on your behalf: sending emails, processing transactions, accessing databases, making API calls to external services. They work at machine speed, around the clock, without human review of each individual action.
This creates a governance question that your current risk framework was not built to answer: How do you oversee a workforce that makes thousands of decisions per hour and can’t be supervised one decision at a time?
What Makes Agents Different
A human employee operates within a set of social, professional, and legal constraints that you can’t fully articulate but can reasonably count on. They understand context. They recognize when something feels wrong. They exercise judgment.
An AI agent has none of these properties. It executes instructions. When those instructions are manipulated — by an adversary embedding malicious commands in a document the agent processes, a technique called “prompt injection” — the agent follows the manipulated instructions with the same compliance it brings to legitimate ones. It has no instinct that something feels wrong. It will forward confidential data to an attacker’s server with the same efficiency it uses to send an approved report to a colleague.[1]
Google’s security researchers have identified this as one of the fastest-growing attack vectors of 2026. Major technology platforms including Microsoft Copilot and GitHub Copilot have had critical vulnerabilities disclosed in the past year specifically exploiting this weakness. This is not theoretical.[2][3]
The harder problem is that traditional security tools weren’t built for this. A firewall knows about network addresses and ports. It has no capacity to evaluate whether your AI agent should be doing what it’s currently doing — whether that outbound connection represents legitimate work or a data exfiltration attempt. You cannot solve a judgment problem with a rule that only understands addresses.
The Architectural Response
What companies at the frontier of agentic deployment — including Brex, which built its entire business model around AI agents handling corporate finance — have discovered is that the answer is not a better firewall. The answer is oversight infrastructure that operates at the same semantic level as the agents themselves.
The principle is straightforward: the only oversight technology that works at the speed agents operate is another AI system performing oversight. Pedro Franceschi, CEO of Brex, built exactly this — a mandatory checkpoint that every agent action passes through before it reaches the network. That checkpoint uses a separate AI system to evaluate whether the action is consistent with defined policy. Actions that pass proceed. Actions that fail are blocked before they happen, and every action is logged.[4]
The critical design choice is that the agent doesn’t know this oversight exists. An agent that can see its own oversight system can potentially reason around it. An agent that cannot perceive the oversight system cannot circumvent it. This is the same principle as internal controls in financial systems: the person making a payment doesn’t approve their own payment.
Three reinforcing properties make this architecture robust:
First: Mandatory routing. The agent’s network traffic is physically separated from human network traffic and can only reach external systems through the oversight checkpoint. There is no path that bypasses it. This is a topological property of the network, not a software rule — it holds even if the agent’s software is compromised.
Second: Specific authorization. Each agent is authorized to do specific things, and only those things. Rather than defining a long list of prohibited actions (which always has gaps), the architecture defines a short list of permitted actions (which blocks everything not explicitly allowed). A recruiting agent can contact an approved job board and send emails through an approved relay. It cannot contact anything else. The authorization is specific to the agent’s function, not generic to the technology.[5]
Third: Identity and accountability. Each agent instance has a unique identity that it cannot forge or transfer. Every action it takes is logged against that identity. When you review what happened in an incident, you can see not just “an agent did this” but “this specific agent instance, running this specific task, at this specific time, made these specific requests, three of which were blocked for these specific reasons.”
The Board’s Governance Question
The governance question for boards and risk committees is not “are we using AI agents?” It is “do we have oversight infrastructure commensurate with the permissions we’ve granted our agents?”
If your agents have access to financial systems, they need oversight infrastructure capable of evaluating financial actions against policy. If they have access to customer data, they need oversight capable of evaluating data handling against policy. If they can communicate externally on behalf of your organization, they need oversight capable of evaluating those communications against policy. The scope of required oversight scales with the scope of agent permissions.
The absence of this infrastructure is a known, documented, exploitable gap. The OWASP Top 10 for Agentic AI Applications — the primary security reference framework for enterprise AI, released by more than 100 security researchers in December 2025 — identifies agent goal hijacking and identity abuse as the top vulnerabilities in production agentic systems. The EU AI Act’s August 2026 compliance deadlines for high-risk AI systems will require organizations to demonstrate robustness against these attack vectors.[2][6]
What Good Oversight Looks Like
A well-governed agent deployment has four properties that boards can ask about and receive specific answers to:
- Specific authorization: Each agent role has a defined set of permitted actions. An agent handling recruiting cannot take actions appropriate to an agent handling financial workflows. The authorizations are written down, reviewable, and enforced technically — not just in policy documentation.
- Mandatory checkpoint: Agent traffic cannot reach external systems without passing through an oversight layer that evaluates compliance with defined policy. Bypassing this layer is not possible through the agent’s normal operation or through software manipulation.
- Identity attribution: Every action taken by every agent is logged against the specific agent instance that took it. In an incident, attribution does not stop at “the AI system did this” — it reaches the specific instance, task, and moment.
- Incident containment: If an agent is compromised or behaves anomalously, its access can be revoked immediately and specifically, without disrupting other agents or human employees. The blast radius of a single agent compromise is bounded.
If your organization cannot answer yes on all four of these properties, its risk exposure scales with how many permissions its agents have been granted.
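As an added illustration (not the article’s or Brex’s code), the sketch below wires together the properties from the three reinforcing properties above and the four-item checklist: a default-deny allowlist keyed by agent role, a checkpoint every request passes through, decisions logged against the specific agent instance and task, and per-instance revocation for containment. The static POLICY table stands in for the separate AI evaluator the article describes, and all class names, roles and hosts are constructed for the example.

```python
"""Added example, not code from the article or from Brex.
A minimal default-deny oversight checkpoint; names are this example's own."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlsplit

@dataclass(frozen=True)
class AgentIdentity:
    instance_id: str   # unique per running agent instance, not transferable
    role: str          # e.g. "recruiting"; policy is keyed by role
    task_id: str       # the task this instance is executing

# Constructed policy: per role, the ONLY (action, host) pairs permitted.
# Anything not listed is blocked, so this is an allowlist, not a denylist.
POLICY = {
    "recruiting": {("http_get", "jobs.example.com"),
                   ("send_email", "relay.example.com")},
    "finance":    {("http_post", "erp.example.com")},
}

@dataclass
class Checkpoint:
    log: list = field(default_factory=list)
    revoked: set = field(default_factory=set)

    def revoke(self, instance_id: str) -> None:
        """Containment: cut off one instance without touching the others."""
        self.revoked.add(instance_id)

    def evaluate(self, agent: AgentIdentity, action: str, url: str) -> bool:
        """Mandatory checkpoint: every outbound action is decided here."""
        host = urlsplit(url).hostname or ""
        if agent.instance_id in self.revoked:
            allowed, reason = False, "instance revoked"
        elif (action, host) in POLICY.get(agent.role, set()):
            allowed, reason = True, "matches allowlist"
        else:
            allowed, reason = False, "not in allowlist for role"
        # Every decision is attributed to the specific instance and task.
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(),
                         "instance": agent.instance_id, "task": agent.task_id,
                         "action": action, "host": host,
                         "allowed": allowed, "reason": reason})
        return allowed

def blocked_for(cp: Checkpoint, instance_id: str) -> list:
    """Incident view: the blocked requests made by one specific instance."""
    return [e for e in cp.log if e["instance"] == instance_id and not e["allowed"]]
```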
The Framing
The right way to think about this is not “AI agents are dangerous, should we deploy them?” The companies that will benefit most from agentic AI are those that deploy it into real workflows, at production scale, with appropriate oversight infrastructure. The companies that will pay the highest cost are those that treat agent deployment as a software problem and agent security as an afterthought.
Pedro Franceschi’s framing at Brex is the right one for boards: this is an engineering problem, not a philosophical impasse. The oversight infrastructure exists. The architecture is understood. The question is whether your organization has built it before, or will build it after, the first incident.
That is a risk decision that belongs at the board level.
Footnotes
1. How to Deal with the 2026 Agent Wave — Prompt injection is now an RCE-equivalent. When agents have tool access, injecting instructions into processed data executes with the agent’s full permissions.
2. Prompt Injection: Types, Real-World CVEs, and Enterprise Defenses — Critical CVEs assigned in 2025–2026 including EchoLeak, GitHub Copilot RCE, and Cursor IDE vulnerabilities exploiting AI agents with ambient trust.
3. AI Agent Security 2026: Google’s Forecast and How to Fix the Gaps — Google expects a significant rise in targeted prompt injection attacks against enterprise AI systems throughout 2026.
4. Redefining Zero Trust in the Age of AI Agents and Agentic Workflows — Cisco’s Semantic Inspection Proxy redefines zero trust with intent-based security for AI-powered threats.
5. Allowlists vs. Denylists in Multi-Tenant Access Control — Allowlists implement default-deny behavior, while denylists implement default-allow behavior.
6. OWASP Top 10 for Agentic Applications — ASI01 Agent Goal Hijack, ASI02 Tool Misuse, ASI03 Identity & Privilege Abuse identified as top threats.