- Agents are the third kind of AI in your company, after the tools people bring and the tools you approve, and they are the least watched.
- An agent authenticates with a key, runs on its own schedule, and chains actions across systems. It has the reach of an employee and none of the pauses.
- The failure modes are ordinary and expensive: hardcoded keys, runaway spend, prompt injection, and no record afterwards.
- You govern an agent the same way you govern a person: a known identity, a budget, limits on what it can reach, and a log of what it did.
I have a running joke with a few of the security leaders I work with. They spend a year getting their arms around shadow AI, the people quietly pasting things into ChatGPT, and just as they start to feel in control, someone on the engineering team mentions, almost in passing, the agent that has been triaging support tickets every weekend since March. It has an API key. It reads the ticket queue, drafts replies, and updates records on its own. Nobody put it on any inventory, because nobody thinks of it as AI usage. It is just a script that happens to call a model.
That agent is the part of the AI problem almost no one is watching, and it is multiplying. Every team that finds one useful quietly builds three more. So before the number gets away from you, it is worth being precise about what an agent actually is from a security point of view, and why the controls you already trust do not see it.
An agent is shadow AI with credentials
That is the shortest way I know to describe why agents deserve your attention. A person using a chatbot at least sits at a keyboard, reads the answer, and decides what to do with it. An agent does none of that. Three things make it different, and all three should make a security team lean in.
It authenticates
Usually with a long-lived API key or a service account that never sleeps and never rotates on its own.
It persists
It runs on a schedule or a trigger, not when a person opens a browser tab. It is working while you are not.
It chains actions
It reads one system, decides something, and writes to another. One prompt can set off a sequence you did not watch.
Where it goes wrong
None of this is theoretical, and the ways it goes wrong are boringly familiar. A developer hardcodes an API key into a repository to get something working on a Friday, and it is still sitting there six months later. An agent gets caught in a loop one night and burns through a month of model budget before anyone is awake to notice. A prompt-injection payload, buried in a document or an email the agent reads, talks it into doing something it was never meant to do. And when you go looking afterwards for a record of what happened, there is nothing, because the tools that log human activity never saw any of it.
Each of those is mundane on its own. Put them together and you have an identity with broad access, running unattended, that can be manipulated through the content it reads and leaves no trail. That is a combination you would never knowingly grant an employee.
Why your existing controls miss it
Here is the uncomfortable part. The controls you already rely on were built to watch people. Your data-loss tooling and your monitoring look at endpoints, browsers, and email. Your single sign-on governs who logs in. Your sanctioned copilots sit behind an interface you approved and a login you control. An agent fits none of those shapes. It talks to a model directly, over an API, with a key, on a schedule nobody is watching.
From the perspective of the tools built for human users, the agent is simply invisible. The result is a growing population of non-human identities making AI calls on the company's behalf, outside every control you have. Ask your team how many agents, scripts, and service accounts are calling models today, and on what data. In most organizations the honest answer is that no one knows, which is its own answer.
Four questions to ask about every agent
You do not need a platform to start getting a grip on this. You need to be able to answer four questions about every agent and script that calls a model. Where you cannot, you have found your first project.
- Whose identity is it acting as? A named service identity you can trace and revoke, or a shared key that nobody quite owns.
- What is it allowed to spend and do? A budget and a rate limit, or an open tab against your model provider with no ceiling.
- What can it actually reach? The systems and data it can touch, which is almost always more than whoever built it intended.
- Can you show what it did? A durable record of every call it made, or a shrug when an auditor or an incident asks.
What governing agents actually looks like
The good news is that this is not exotic. Governing an agent comes down to putting one control point between your code and the models, so every call passes through a place you own. Once it does, those four questions stop being hard.
In practice that means giving each agent a virtual key bound to its own identity, so you can see who is calling and revoke a single agent in a click without rotating every secret you have. It means a budget and a rate limit on that key, so the loop that runs away overnight hits a ceiling instead of your invoice. It means a guardrail on every request, so a prompt-injection attempt is caught before it reaches the model. And it means a tamper-evident log of every call, so the record you hand to an auditor is evidence rather than a claim. This is the job the Secure AI Gateway is built to do, and it is why the programmatic lane needs its own answer rather than a copilot policy stretched to fit.
Where this leaves you
Agents are not going to slow down. The number of them in your organization a year from now will be larger than you expect, because usefulness spreads faster than governance. The teams that stay in control will not be the ones that banned them, and they will not be the ones that treated the first agent as a clever script to deal with later. They will be the ones who treated it as what it is from day one: an identity, with credentials and reach, that belongs under the same governance as anyone else who can touch the company's data.
Bring your agents under one control point
Unseen gives every app and agent a virtual key bound to identity, with budgets, guardrails, and a record of every call.
See a Demo