Security
Herding Agents: A Five-Layer Architecture for Governing AI at Scale 

Executive Summary 

AI agents can do a lot. But they can’t govern themselves. 

Enterprise agentic adoption is accelerating faster than the control architectures designed to govern it. When the tools literally have “minds” of their own, keeping track of everything agentic running within the enterprise feels a lot like herding cats. Agents now authenticate to downstream systems, invoke tools across environments, access sensitive data, and influence production outcomes.  Yet most governance remains built for humans or bounded applications, creating what we at AHEAD and Onyx are calling a “runtime trust gap.”  

This gap is starting to cause huge headaches for security teams.  Organizations are struggling to answer basic risk questions with confidence: What agents are operating in our environment? What data and systems can the Agents access or influence? When an agent makes a decision, what is our audit trail? If an agent behaves outside policy, what is our containment posture? 

What frameworks are going to protect the organization? 

AHEAD and Onyx Security’s reference architecture for securing and governing AI agents at enterprise scale focuses on five layers of security: 

  1. Identity and Access 
  2. Discovery and Inventory 
  3. Runtime Control 
  4. Telemetry and Detection 
  5. Governance and Response 

Together, these layers move organizations from fragmented point controls to an accountable operating model. Most of the underlying capabilities already exist in large enterprises. The real issue is whether those tools are organized around the actual execution path of modern agents. The organizations that close this gap first will treat AI agent security as an architectural discipline. 

Why This Matters Now 

In 2023, enterprise AI security discussions centered on chat interfaces, model endpoints, and content filtering. In 2026, agents operate across far more consequential surfaces. They use credentials, call tools, retrieve and modify data, trigger actions, and increasingly act inside workflows that carry operational, regulatory, or customer impact. 

AHEAD finds that most security and governance programs are designed for human activity: endpoint controls, IAM tuned for employees, and SIEM pipelines optimized for user-initiated events. The result is a structural problem where controls exist, but not always at the point where agent intent becomes action. 

Defining the Runtime Trust Gap 

The runtime trust gap is the difference between what companies believe their agentic programs control vs. the reality of what agents are capable of. AHEAD and Onyx have first-hand experience with clients who are seeing this gap show up in the following ways: 

  • An agent is approved, but its downstream tool calls are not governed. 
  • Logs show a human or service account, but the enterprise cannot reliably attribute which agent took which action. 
  • Discovery captures sanctioned deployments while shadow or embedded agents remain invisible. 
  • Monitoring records inputs and outputs but not the decision path that led to a sensitive action. 
  • Incident response assumes external compromise when the more realistic failure mode is an over-permitted or misdirected agent acting within authority. 

The Five-Layer Architecture 

Layer 1: Identity and Access 

Every agent authenticates throughout the enterprise using human or non-human identities. Securing them is a foundational discipline of IAM, extended across the supporting identity layers: privileged access management, secrets management, workload identity, and just-in-time authorization for processes operating without a human in the loop.  

The core architectural objectives of this layer require that: 

  • Each agent has its own identity separate from the initiating user. 
  • Access is scoped to task, session, or tool need rather than broad privilege. 
  • Credential issuance, use, and revocation are bounded and attributable. 
  • Delegation chains preserve both the acting identity and the originating principle. 

Without this foundation, every downstream control becomes harder to trust. 

 

Layer 2: Discovery and Inventory 

Continuous discovery and inventory of AI agents, including all sanctioned deployments, shadow agents, embedded vendor agents, coding agents, orchestration hosts, and the server infrastructure, is paramount for effective governance. Onyx’s live, query-able inventory is refreshed near-real-time and directly connects to the identity layer eliminating the need for manually assembled inventories that are obsolete the moment they are published. 

A defensible inventory answers the questions: 

  • How many AI agents are operating in our environment, and what can they reach? 
  • What credentials do they use? 
  • What data, tools, or systems can they reach? 
  • Which business process or owner is responsible? 

You can’t protect the agents you don’t know about. 

 

Layer 3: Runtime Control  

A runtime control plane must sit between agent reasoning and operation, evaluating an agent’s intended action before the tool call executes. This may include agent-aware gateways, function-call interceptors, policy engines, just-in-time authorization services, and runtime guardrails. 

This addresses the most consequential failure mode in modern deployments: agents don’t necessarily generate bad answers, but they might accidentally take a harmful action because no effective control sits between decision and execution. 

A mature runtime control plane can: 

  • Inspect tool calls before execution. 
  • Evaluate them against policy in real time. 
  • Allow, narrow, steer, or block based on risk and context. 
  • Record the policy decision with agent attribution. 
  • Establish behavioral baselines by agent role and detect drift. 

When this is absent, downstream layers become reactive rather than preventive.  

 

Layer 4: Telemetry and Detection 

Traditional logging is not enough for agentic AI. Detection teams now need the agent’s decision trail: what the agent decided, what it attempted, what policy evaluation occurred, what data or systems were touched, and which identity performed the action.  

For audit-grade telemetry, you’ll need to be able to observe: 

  • SIEM 
  • XDR 
  • Security data lakes 
  • Non-human entity analytics 
  • Reasoning-trace capture 
  • Anomaly detection tuned to agent behavior rather than human behavior 

Without the upstream runtime layer, telemetry often arrives too late, when correct architecture could have prevented it.  

 

Layer 5: Governance and Response 

This is where the enterprise produces the artifacts that boards, regulators, auditors, and executives expect, including policy mapping, incident definitions, tested response playbooks, risk metrics, and governance reporting.  

Most large enterprises already have GRC platforms, incident response processes, and board reporting structures. What is often missing is the underlying technical evidence required to make those mechanisms meaningful for agentic systems. 

A functioning governance and response layer can answer: 

  • How many agents are in production, and what is their risk classification? 
  • What policy actions were taken against them this quarter? 
  • What incidents were detected, contained, or escalated? 
  • Which agent classes have tested incident response playbooks? 
  • Where does residual risk remain concentrated? 

In this layer, AHEAD’s Strategy, Governance, and AI Security teams help shift the conversation from abstract statements about AI risk to evidence of control operation, exposure trends, and response readiness. 

A Practical 90-Day Path Forward 

AHEAD recommends most enterprises refresh current policy and controls for AI applicability rather than build out a separate AI security program. Using engineering-first principles, AI security relies on the same core tenants that are already present in most organizations.  

A practical 90-day plan for agentic AI governance focuses on three steps: 

  1. Establish a real inventory for the highest-risk agents. Start with coding agents, finance-related agents, HR-data agents, customer-facing agents, and any agent operating with elevated or standing access. Build a current inventory tied to runtime, credential, ownership, and business impact. 
  2. Add a runtime decision point for sensitive tool calls. Focus first on repository write operations, production deployment actions, secrets access, database modification, and external API calls with write scope. The objective is to create a pre-execution decision point where none existed before. 
  3. Define and test one agent-specific response playbook. Choose a realistic scenario (e.g., a destructive coding-agent action, an HR-data agent exceeding purpose, or an agent using credentials outside approved scope). Document the containment path, escalation path, and evidence requirements. Then, test it. 

Agentic AI security can’t be a one-time briefing exercise. You have to build on the security and governance foundations your organization already has in place, and continue to fine-tune these controls for agentic AI as adoption increases. 

Conclusion: From Principles to Architecture 

Enterprise AI agent security is no longer a narrow model-security problem. It is a control architecture problem, and the organizations that move fastest will not be the ones that simply deploy more automation. They will be the ones that create a runtime control and governance architecture capable of making that automation trustworthy. 

AHEAD and Onyx’s reference architecture gives organizations a way to identify agents, constrain them, observe them, and explain their behavior to the people who own the risk. That is what mature AI agent governance will increasingly require. 

 

 

About the Authors

Shahzad Akhai, Principal AI Security Consultant – AHEAD 

Shahad advises enterprise and public sector organizations on AI strategy, governance, and security. He specializes in helping organizations securely adopt generative and agentic AI by developing governance frameworks, conducting AI risk assessments, and implementing practical security controls. Drawing on experience across highly regulated industries, Shahzad works with executive leadership to balance innovation with effective risk management, enabling organizations to deploy AI technologies with confidence, resilience, and trust.

Christian Kon, Director Security GRC and Resiliency – AHEAD  

Christian is a dynamic technology leader with an electrical and computer engineering background with a passion for energy and healthcare. He leads AHEAD’s delivery services for the S-GRC and Resilience pillars covering security strategy, governance, risk, compliance, AI Security, OT Security, Vulnerability Management, Threat Intel, Cyber Response and Recovery. 

Timothy Youngblood, Chief Strategy Officer – Onyx Security 

Timothy drives Agentic AI security strategy for Fortune 100 companies globally. A globally recognized cybersecurity executive, he previously served as SVP, Chief Security Officer, and Product Security Officer at T-Mobile, and as CISO at McDonald’s Corporation, where he secured digital platforms for 65 million visitors daily across 38,000 locations. Timothy also established the first global CISO roles at Dell and Kimberly-Clark, and is a CSO Hall of Fame inductee and Top Global CISO of 2025. He is active across the venture and startup ecosystem, advising firms including Glilot Capital Partners, CyberStarts, .406 Ventures, and Insight Partners, and is a recognized angel investor and adjunct professor at the University of Oklahoma. Timothy holds degrees from Florida A&M University and the University of Texas at Austin, with executive credentials from MIT and Columbia.

SUBSCRIBE

Subscribe to the AHEAD I/O Newsletter for a periodic digest of all things apps, opps, and infrastructure.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.