AI Agents Need More Than Permissions. They Need Behavior-Based Governance.

Traditional security perimeters, like firewalls, static permissioning, and access checkpoints, were built for predictable human users. But AI agents are hardly your typical users, triggering actions across multiple applications in ways that no human could begin to comprehend, and no IAM system could predict. Because of this, security teams are realizing that static perimeters aren't enough, and that they should start pivoting toward behavior-based AI governance, where continuous monitoring and incident readiness matter more than the tools themselves.

Sai Santhosh Goud Bandari is a Generative AI Developer at TCS working on AI systems for banking client BMO. Bandari builds and secures LLM-powered applications and agentic workflows within heavily regulated banking and insurance environments, drawing on prior enterprise engineering experience at MetLife. In his daily work, he sees firsthand how underlying identity and access infrastructure often struggle to keep up with how enterprises actually want to automate their workflows. "AI security should be risk-based rather than convenience-based," Bandari says. "If a configuration change can reduce safety, it requires more documentation, more approvals, and more monitoring."

The chatbot ceiling and sandboxing the AI circus

Many enterprises are currently stuck in the "chatbot phase" of AI maturity, where an organization integrates AI into processes as a sort of handoff: get data from a customer or user and pass it to internal automation. As Bandari says, "Most of the people right now are depending upon the chatbots because we are not fully implementing end-to-end automation. Complete end-to-end automation was a little bit held back because of security." These organizations are eager for agentic workflows, but hesitate to grant AI more complete access to sensitive data because their internal controls were not designed for non-human entities. Because traditional IAM frameworks were originally built around static rules, IT leaders are finding they struggle to handle autonomous agents that act on behalf of users and consume identities at a scale human-centric architectures were never built to manage.

As experimentation accelerates, that identity gap often shows up first in fast-paced test environments. Developers looking for speed sometimes adjust optional configurations in a sandbox or local development environment. Shadow AI builds with relaxed guardrails often struggle when teams try to move them into production, creating heavy operational friction if those same patterns persist beyond testing. "There is an AI circus going on. Everyone wants to build a PoC, everyone wants to say they have AI," Bandari says. "But when it comes to deploying it securely in a regulated environment, the politics and the legacy mindsets take over. They build it in a sandbox with no controls, and then wonder why it can't go to production."

Classifying controls by risk and embedding security at design

To tame that sandbox chaos, Bandari advocates for a graduated, three-tier classification of security parameters: "critical," "mandatory," and "optional" controls. In regulated banking, high-priority controls require strict, sequential approval chains, often moving from a director to a team lead and finally to a principal architect, before any security-relevant change goes live. Mandatory controls can be adjusted selectively based on the environment, while optional controls may be tuned in lower-risk regions, such as SIT or staging, provided they remain within documented boundaries. On top of that, non-deterministic models are prompting many teams to adopt AI-native layers, such as strict prompt filtering and model output controls. 

This risk-based posture is about enabling AI safely. Rather than relaxing controls indefinitely for speed, some organizations are exploring browser-based controls and integrations that give security teams granular visibility, enabling them to say "yes" to new use cases without losing track of where data goes. In highly regulated sectors like banking, "it works" isn't enough; the system must also be provably secure and auditable. Historically, security was introduced near the end of the delivery process, which often created bottlenecks and costly late-stage issues. For some organizations, moving to a DevSecOps model brings risk evaluation into the work much earlier, backed by rigorous policies, training, risk assessments, and regular audits. For Bandari, the lesson from working across regulated enterprises is that perimeter defense must give way to zero trust, continuous monitoring, and security embedded in the design phase, because security cannot be bolted onto an AI model after it is built.

Rethinking the workforce

Reaching that level of integration relies on a clear operational hierarchy: mitigation strategy first, then the people, then the progress. Preparing the workforce often means rethinking habits shaped by two decades of perimeter-focused IT. The steep learning curve of unlearning static defense is prompting enterprises to rethink how they staff their security operations, balancing seasoned operators with newer hires who are more familiar with AI-native tools. "Governance is really hard," Bandari notes. "That's the reason most of the companies are hiring freshers or undergrads because they can learn these new governance models faster than trying to retrain someone with 20 years of legacy IT experience."

Ultimately, aligning safe AI innovation with strict compliance standards requires a transition away from the perimeter. The pivot often requires greater reliance on centralized logging and real-time threat monitoring within SIEM platforms, as well as dedicated incident-readiness and spontaneous-response protocols. By combining modern identity systems with adaptive governance and people, enterprises can replace static rules with the operational foundation needed for truly agentic automation. As Bandari puts it, "Security is completely moving from the purity of static control to the dynamic model and behavior of an AI agent. Static control is not enough for long-term success. And it looks like governance jobs and security jobs will be in high demand, even compared to development jobs."