Agentic AI: The Wild Frontier

Posted: Wednesday May 13, 2026
Author: Numberline Marketing

There’s a lot of noise right now about AI agents. Everyone is talking about them, everyone is experimenting with them, and they’re starting to permeate every corner of the enterprise. But let’s extricate ourselves from the hype cycle and ground ourselves in the basics.

At the highest level, we need a common taxonomy. Not all agents are created equal, and the risks, controls, and security vary dramatically depending on where the agent lives and what it has access to.

Figure: An Agentic AI Taxonomy. The diagram groups agents into Web‑Based Agents (Free Tier, Enterprise Tier), SaaS Agents (Domain‑Specific, Broad Platform, Office Productivity) and Custom Agents (Stand‑Alone, API‑Based, Multi‑System).

Web‑Based Agents

Web‑based agents are the most accessible form of AI. Anyone with a browser can use them, regardless of network, device, or identity controls. They provide quick solutions for ideation, drafting, and problem‑solving, but they operate completely outside the enterprise boundary, which means data can walk out the door just as easily as it goes in. With these systems, security is almost entirely about user education and discipline, because there are minimal security controls available.

Web‑Based Agents: Free Tier

These are the free tiers of ChatGPT, Claude, and similar tools, reachable by anyone from anywhere. Your network, your identity provider, and your data boundaries play no part in how they are secured.

The upside is obvious: they’re fast, frictionless, and incredibly capable for general tasks. The downside is equally obvious: data can walk right out the door. Unless a user explicitly opts out, their inputs may be used to train the model. And because these agents aren’t tied to enterprise identity, you can’t enforce meaningful policy. Network controls only work on managed devices or controlled networks, and even then a user can simply switch to a personal device.

In this tier, security is almost entirely about education and data discipline. If you don’t want enterprise data leaving enterprise systems, you have to make that clear and enforce it where you can.

Web‑Based Agents: Enterprise Tier Agents (Paid ChatGPT, Claude, etc.)

Paid enterprise agents solve some of the biggest problems of the free tier. Identity, data, and network boundaries become enforceable in a managed environment. Logging and governance also become possible and give you visibility into how the tools are actually used. But even here, the most important control is still user education.

These agents can be restricted to enterprise data and tied to corporate identity, which means you can finally apply policy. Network controls can help, but only if you’re clear about what you’re trying to achieve. And none of this matters if users don’t understand what data is appropriate to share. Data classification, and the management of the data once classified, become the core security element.


SaaS Agents

SaaS agents are now being built directly into the applications your teams already use, giving them deep, domain‑specific knowledge and the ability to operate with far more precision than general‑purpose LLMs. Because they run inside a controlled environment with defined data boundaries, they can work with enterprise data to deliver highly relevant insights and automate specialized workflows. Narrowing the agent’s focus also makes it possible to write clear policies for identity, data access, and the actions the agent is allowed to take within its domain.

SaaS Agents: Domain‑Specific Agents

These are the focused, application‑specific agents, the ones built directly into your CRM, HRIS, ticketing system, or vertical SaaS platform. They’re trained on domain‑specific knowledge and often on your own corporate data. Their value comes from precision. They’re not trying to be everything to everyone; instead they’re designed to solve a specific set of problems, and they usually do it well.

Securing these agents is less about the user’s network and more about the agent’s environment. Many of them run inside containers with tightly scoped RAG stores and cannot reach systems outside their sandbox, which is exactly what you want. Identity, data classification, and policy determine who can access what and what the agent is allowed to do with it. The caveat is that the boundary is the application, not the user: within that SaaS domain the agent typically has access to all of the data, and may be able to take actions, that the application exposes to it.

SaaS Agents: Broad Platform Agents (Salesforce, etc.)

SaaS platform providers have, of course, built platform‑wide agents that effectively sit across your entire footprint in that platform. These agents have broad access to data, broad authority to take actions, and broad impact if misconfigured. They can be highly effective, but they can also interpret a request, or implement a solution, in ways you didn’t intend. And when users feel constrained, they’ll turn to shadow AI to fill the gaps.

These agents require the strongest alignment between identity, data, and policy. They also require a clear understanding of what “good” looks like.

SaaS Agents: Office Productivity

Office productivity is where most people will feel AI agents first. Tools like Microsoft Copilot, Gemini, and others are being wired directly into the core of how knowledge workers operate: email, documents, spreadsheets, presentations, chat. These agents don’t live off to the side as “extra tools,” they sit in the middle of the workstream, watching context, drafting content, and in some cases even taking actions on behalf of the user.

From a security perspective, these agents inherit both the strengths and weaknesses of your existing productivity stack. On the plus side, they usually respect the same identity, permissions, and data access rules already in place. If a user can’t see a file, the agent typically can’t either. But the risk shifts from access to amplification: the agent will surface everything the user is permitted to see, including files and sites that were shared far more widely than anyone intended. Users are often unaware of the policies and, more importantly, the permissions in their environment, so an over‑privileged user quietly becomes an over‑privileged agent without anyone understanding the impact.

The control plane is still identity, data classification, and policy, but with productivity agents you also have to think about how quickly a single bad prompt can scale into a very large, very well‑packaged mistake.

Custom Agents

Custom agents are where the patterns from all the other agent types start to converge. Unlike web, enterprise, SaaS, or platform agents, custom agents are the ones that people in your enterprise design, assemble, and operate. That means you don’t just consume the security model; you’re responsible for defining it. Identity, data, and network boundaries aren’t inherited from a vendor by default; you have to make explicit choices about every one of them. And, to quote the great philosophers (and rock band) Rush, “If you choose not to decide, you still have made a choice.”

Custom Agents: Stand-Alone

Stand‑alone, self‑hosted agents are the closest thing to “your own LLM in a box.” You control the runtime, the data stores, the RAG pipelines, and the integration points. The upside is maximum control and isolation: you can keep everything inside your own environment, align tightly with your existing IAM, and restrict network egress to exactly what’s required. The downside is that you own hardening, monitoring, logging, and failure modes, and developers or business users who aren’t security‑aware may not address these at all. A well‑defined system with explicit boundaries allows an agent to be successful while remaining secure.

Custom Agents: API‑Based

API‑based, agentic integrations sit one layer up. These agents don’t live as monoliths; they orchestrate across services. They call APIs, chain tools, and move data between systems. In practice, they start to look like automated users with superpowers. The security model here is all about scoping: least‑privilege API keys, fine‑grained permissions, strong auditing, and very clear guardrails around what the agent is allowed to do on behalf of a user or a system.

Custom Agents: Multi-System

Multi‑system custom agents are the most complex. They span environments: SaaS platforms, internal services, data lakes, ticketing systems, CRMs, whatever you wire in. They combine the broad access of platform agents with the flexibility of custom logic. At that point, you’re not just building an agent; you’re building a distributed automation layer with an LLM at the center. Here, identity must be unambiguous, policies must be machine‑enforceable, and governance can’t be an afterthought.
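The API‑based and multi‑system sections above both come down to the same mechanism: every tool call the model wants to make passes through a gate that knows who the agent is acting for, what that person is allowed to do, and what the agent identity itself may ever do, and records the decision. The following is an added example written for this post, not code from the original or from any particular agent framework; the tool names, scopes, principals, and sample calls are all hypothetical.

```python
"""Tool-call gateway for an API-based or multi-system agent.

Added, hypothetical example. Every call passes through authorize(), which:
  * refuses anything not in the registry (deny by default),
  * limits the agent to the intersection of the driving user's scopes and a
    fixed ceiling for the agent identity (bounded delegation),
  * binds "on behalf of" arguments to the authenticated user,
  * requires an explicit confirmation for calls that change state,
  * writes a structured audit record for every decision, allowed or not.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
import json


@dataclass(frozen=True)
class Tool:
    name: str
    scope: str                      # scope the caller must hold to invoke it
    mutates: bool = False           # True for actions, False for read-only lookups
    bound_arg: Optional[str] = None  # argument that must equal the calling user


# Registry of everything the agent may call. Anything absent is unreachable.
TOOLS = {t.name: t for t in (
    Tool("crm.lookup_account", "crm:read"),
    Tool("tickets.create", "tickets:write", mutates=True, bound_arg="requester"),
    Tool("tickets.delete", "tickets:admin", mutates=True),
    Tool("mail.send_external", "mail:send_external", mutates=True),
)}

# Ceiling on what the agent identity may ever do, regardless of who drives it.
# A user's admin rights do not automatically become the agent's rights.
AGENT_MAX_SCOPES = frozenset({"crm:read", "tickets:write"})

AUDIT: List[dict] = []  # append-only; in practice this is shipped to the SIEM


@dataclass(frozen=True)
class Principal:
    user: str           # authenticated human the agent is acting for
    scopes: frozenset   # scopes that user holds in the backing systems
    session: str        # agent session id, for correlating one run


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def effective_scopes(p: Principal) -> frozenset:
    """Delegated scopes: what the user has AND what the agent may exercise."""
    return p.scopes & AGENT_MAX_SCOPES


def authorize(p: Principal, tool_name: str, args: dict, confirmed: bool = False) -> Decision:
    tool = TOOLS.get(tool_name)
    if tool is None:
        d = Decision(False, "unknown tool")
    elif tool.scope not in effective_scopes(p):
        d = Decision(False, f"missing delegated scope {tool.scope}")
    elif tool.bound_arg and args.get(tool.bound_arg) != p.user:
        d = Decision(False, f"{tool.bound_arg} must be the calling user")
    elif tool.mutates and not confirmed:
        d = Decision(False, "state-changing call requires user confirmation")
    else:
        d = Decision(True, "ok")
    AUDIT.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": p.user, "session": p.session, "tool": tool_name,
        "arg_keys": sorted(args),  # keys only; argument values may be sensitive
        "confirmed": confirmed, "allowed": d.allowed, "reason": d.reason,
    })
    return d


def demo() -> List[Decision]:
    """Constructed scenario: alice is a ticket admin, bob can only read the CRM."""
    alice = Principal("alice", frozenset({"crm:read", "tickets:write", "tickets:admin"}), "s-1")
    bob = Principal("bob", frozenset({"crm:read"}), "s-2")
    return [
        authorize(alice, "crm.lookup_account", {"id": "42"}),
        authorize(alice, "tickets.create", {"requester": "alice", "title": "VPN"}),                # not confirmed
        authorize(alice, "tickets.create", {"requester": "alice", "title": "VPN"}, confirmed=True),
        authorize(alice, "tickets.create", {"requester": "bob", "title": "VPN"}, confirmed=True),  # impersonation
        authorize(alice, "tickets.delete", {"id": "7"}, confirmed=True),                           # admin scope not delegated
        authorize(alice, "shell.exec", {"cmd": "id"}),                                             # not registered
        authorize(bob, "tickets.create", {"requester": "bob", "title": "VPN"}, confirmed=True),    # bob lacks the scope
    ]


if __name__ == "__main__":
    for d in demo():
        print(d)
    print(json.dumps(AUDIT, indent=1))
```

The two decisions worth dwelling on are the fourth and fifth: alice is an administrator, but the agent running for her still cannot delete a ticket, because the agent identity has its own ceiling; and it cannot file a ticket as bob, because the argument that names the requester is pinned to the authenticated user. Both denials land in the audit trail alongside the allowed calls, which is what makes an agent's behaviour reviewable after the fact.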

Security Across All Agents: One Framework, Different Stakes

No matter what kind of AI agent you’re working with (a free web tool, an enterprise LLM, a SaaS‑embedded assistant, or a platform‑wide copilot), the security fundamentals don’t change. What changes is the scale, the blast radius, and the level of discipline required to keep things under control. The same four pillars show up every time: Identity, Data, Network, and Education. The difference is how hard each one has to work.

Identity is always the anchor. It defines who the user is, what they’re allowed to see, and what actions the agent can take on their behalf. Without strong identity, you’re essentially letting the agent operate without controls.

Data is the real risk surface. Data classification isn’t optional anymore; it’s the only way to tell an agent what’s allowed to leave the boundary and what must stay inside. If you don’t know what the data is, you can’t protect it, and you definitely can’t expect the agent to make the right call for you.
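One way to make the Data pillar concrete, and to close the “data walks out the door” gap described for free‑tier tools earlier, is to give every item the agent pulls into its context a classification label, keep a high‑water mark for the session, and give each destination a ceiling. The following is an added example written for this post, not code from the original; the labels, the sample documents, and the sink names are constructed. It also covers the failure mode the paragraph warns about: data with no label at all.

```python
"""Classification-aware egress check for an agent's working context.

Added, hypothetical example. Every document the agent reads carries a label;
the context keeps the highest label seen; a sink (internal chat, an external
email, a free-tier web model) has a ceiling; output may flow to a sink only if
the high-water mark does not exceed that ceiling. Unlabelled data fails
closed: if you do not know what it is, treat it as the most sensitive thing
you have.
"""
from enum import IntEnum
from typing import Dict, List, Tuple


class Label(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Constructed corpus standing in for a RAG store: doc id -> (label, text).
# "draft-notes" deliberately carries no label.
DOCS = {
    "faq-pricing": (Label.PUBLIC, "List prices are published on the website."),
    "onboarding-guide": (Label.INTERNAL, "New hires get a laptop on day one."),
    "q3-forecast": (Label.CONFIDENTIAL, "Q3 revenue forecast revised down 8%."),
    "draft-notes": (None, "Random notes someone pasted in."),
}

# Ceiling per destination: the most sensitive label allowed to reach it.
SINKS = {
    "internal_chat": Label.CONFIDENTIAL,
    "enterprise_llm": Label.CONFIDENTIAL,   # tenant-bound and logged
    "free_tier_web_llm": Label.PUBLIC,      # outside the boundary entirely
    "external_email": Label.PUBLIC,
}


class AgentContext:
    """Tracks the highest label that has entered the model's context window."""

    def __init__(self) -> None:
        self.high_water = Label.PUBLIC
        self.sources: List[Tuple[str, str]] = []

    def retrieve(self, doc_id: str) -> str:
        label, text = DOCS[doc_id]
        if label is None:                    # unlabelled: fail closed
            label = Label.RESTRICTED
        self.high_water = max(self.high_water, label)
        self.sources.append((doc_id, label.name))
        return text

    def egress(self, sink: str) -> Tuple[bool, str]:
        """Decide whether anything derived from this context may go to sink.
        Labels are sticky: summarising or paraphrasing does not lower them."""
        ceiling = SINKS.get(sink)
        if ceiling is None:
            return False, f"unknown sink {sink!r}"
        if self.high_water > ceiling:
            tainted = [d for d, name in self.sources if Label[name] > ceiling]
            return False, (f"context is {self.high_water.name}, sink {sink} "
                           f"accepts up to {ceiling.name}; sources: {tainted}")
        return True, "ok"


def demo() -> Dict[str, bool]:
    """Constructed walk-through: a public answer, the same session after a
    confidential document has been read, then an unlabelled document."""
    ctx = AgentContext()
    ctx.retrieve("faq-pricing")
    public_to_email = ctx.egress("external_email")[0]
    ctx.retrieve("q3-forecast")
    confidential_to_email = ctx.egress("external_email")[0]
    confidential_to_enterprise = ctx.egress("enterprise_llm")[0]
    ctx2 = AgentContext()
    ctx2.retrieve("draft-notes")
    unlabelled_anywhere = ctx2.egress("enterprise_llm")[0]
    return {
        "public_to_email": public_to_email,
        "confidential_to_email": confidential_to_email,
        "confidential_to_enterprise_llm": confidential_to_enterprise,
        "unlabelled_anywhere": unlabelled_anywhere,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'allowed' if v else 'blocked'}")
```

The point of the sticky high‑water mark is that once a confidential document has been read in a session, nothing that session produces can be sent to a public sink, even if the model claims its summary contains nothing sensitive. Declassification, if you allow it at all, is a separate, reviewed step, not something the agent decides for itself.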

Network controls still matter, but their role shifts depending on the environment. For on‑prem or tightly controlled agents, the network is a meaningful boundary. For SaaS and platform agents, the network becomes more of a gatekeeper than a guardrail. You can block access, but you can’t shape behavior. Identity and data policies do the heavy lifting in those environments.

Education is the universal requirement across every tier. Even with perfect controls, users can still misuse agents if they don’t understand the boundaries. Education is the only control that scales across every environment, every tool, and every use case.

When you put all of this together, you start to see that not all agents demand the same level of security maturity. Their complexity varies based on the sensitivity of the data, the authority of the agent, and the systems it touches.

Agent Complexity

Low‑complexity agents operate on minimal‑risk data. They rely on basic identity, basic network controls, and a heavy dose of user education.

Moderate‑complexity agents introduce real risk. Identity and data controls start to matter. Network controls play a supporting role. Education remains critical because users can easily over‑share or misinterpret what the agent is allowed to do.

High‑complexity agents are the ones that touch sensitive data, trigger high‑impact actions, or span multiple systems. These require strong identity, strong policy, and strong governance. They’re powerful, but they demand discipline.

Across all of these tiers, the pattern is the same: the fundamentals don’t change, but the stakes do. The more authority an agent has, the more intentional you have to be about how it’s secured. Identity, data, network, and education are not optional.

Taming the Frontier

We often think about the frontier as the literal “Wild West,” with few controls or constraints. The metaphor is apt here, as we’re certainly seeing rapid and broad business‑user adoption of AI across all the types of agents outlined above. In our frontier‑town metaphor, Information Security is the sheriff, but in reality your role as an infosec leader is far more than enforcing rules. The business as a whole truly doesn’t know how to securely, efficiently, or effectively build and operate AI agents. No single person or team has all the answers, but you should view this as an opportunity to take a leadership role, securely enable the business to benefit from this new and remarkable technology, and help everyone learn along the way.


Want to learn more? Watch our recent video commentary series on Securing Agentic AI.
