Shreyans Mehta is the cofounder and CTO of Cequence Security, a pioneer of unified application and API protection.
In a previous article, I argued that the Model Context Protocol (MCP) is rewriting the trust model for enterprise AI and that organizations can’t simply borrow yesterday’s API security playbook for tomorrow’s agentic world. The response from CISOs and CTOs I spoke with afterward was unanimous: “We get the trust problem. But what do we actually do about it?”
That question has only gotten more urgent. In the months since, I’ve watched enterprise AI shift from copilots that draft emails to autonomous agents that query HR systems, move money, update CRMs and chain tools across dozens of SaaS applications—all at machine speed and all on behalf of a human who may have no idea what’s happening underneath the covers, let alone three API calls deep. We’re not deploying software anymore. We’re hiring a digital workforce. And we’re onboarding them with the rigor of a perfunctory SaaS procurement checklist.
This must change.
We know how to govern humans, but we’ve forgotten to apply it.
Think about what it takes to put a human into a sensitive role. HR validates identity, runs background checks and assigns that person to a specific position with defined responsibilities and limits. IT maps that role onto permissions across identity providers, applications and data stores, aligned with least-privilege and separation-of-duties rules. Compliance layers on training, attestations, acceptable-use policies and regular audits.
Once that employee is active, organizations log activity through SIEM, endpoint DLP and behavioral analytics. There’s also a powerful informal control most people don’t think about: Humans understand that malicious behavior has consequences, including to one’s career, personal reputation and freedom.
AI agents have none of this. No background check. No job description. No fear of getting fired. And unlike a human analyst who can only read so many files or log into so many systems before someone notices, an agent can inventory your entire SaaS estate overnight without tripping a single alarm.
Your DLP and SASE stack was built for humans on laptops. AI agents don’t have laptops.
Here’s the uncomfortable truth that most security vendors won’t tell you: The billions of dollars enterprises have invested in endpoint data loss prevention (DLP), SASE, secure web gateways and cloud access security broker (CASB) solutions are architecturally irrelevant to the AI agent problem. Not insufficient, but irrelevant.
These tools share a foundational assumption that there is a human sitting at a device, and if you control what happens on that device and monitor the traffic flowing through it, you control the data. Endpoint DLP agents watch copy-paste, USB usage, local file access and browser traffic. SASE platforms route employee internet traffic through cloud-based inspection points. CASBs sit between users and SaaS apps to enforce policies.
Every one of these tools assumes the data passes through infrastructure that the security team controls: an employee’s laptop, a corporate browser or a managed network path. AI agents don’t operate in any of those places. They run in cloud containers, serverless functions and SaaS-hosted runtimes, speaking protocols like MCP directly to CRM, HR and document systems via cloud-to-cloud API calls.
A sales agent can pull customer records from one platform, join them with pipeline data from another and populate agreements in an e-signature system, all without a single packet ever touching any infrastructure where your DLP agent is installed or your CASB is watching.
This isn’t a gap you can patch with a configuration change. It’s a fundamental architectural mismatch. Your DLP might faithfully block a human from dragging a spreadsheet to a USB stick while an over-privileged “ops assistant” syncs the same customer data into three external systems. This could happen because that traffic flows entirely within cloud infrastructure that your endpoint-era security stack was never designed to see. Your SASE platform can inspect every byte an employee downloads through Chrome, but it has zero visibility into an agent making OAuth-authenticated API calls from a Kubernetes pod in US-East-1.
The security industry spent the past decade moving from on-premises firewalls to cloud-delivered SASE, and that was the right move for a human workforce going remote. But AI agents aren’t remote humans. They’re cloud-native workers that were born in the infrastructure your endpoint tools can’t reach. The meaningful control point for AI agents is at the API and gateway layer, where they communicate with applications and data, not at the device edge.
There is a connector problem hiding in plain sight.
For many organizations, the on-ramp to this risk wasn’t a bespoke agent framework. It was the enterprise chatbot they just rolled out. ChatGPT Enterprise, Claude for Work, Copilot, Gemini and similar services either already ship with rich connectors into SaaS apps or are racing to add them. The pitch is seductive: Plug everything in, then ask the AI.
The governance problem is the visibility gap. A user can ask an enterprise chatbot to summarize the Q4 pipeline from Salesforce, cross-check with HubSpot and pull relevant risks from Teams chats, and the system will happily comply. In many environments, security and compliance teams have no unified, tamper-evident record of which objects were accessed, which documents were read or what data was modified. It’s like hiring an analyst, granting them access to every system and never logging what they opened, copied or sent out.
The organizations that get ahead of this won’t be the ones that move fastest on AI adoption. They’ll be the ones that ask the right governance questions and address them before they scale.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

