Most enterprise AI agents today are still being deployed in controlled environments. They sit inside a platform, perform a defined task and operate under the identity and access controls of that environment. However, that window is closing. For many security teams, the current state makes the problem feel manageable. If the agent is inside the fence, the thinking goes, it can be governed by the controls already in place.
That view is understandable. Security teams already have more than enough to manage as AI models become more capable. The near-term implications for vulnerability discovery, fraud, social engineering and incident response are real, and they are moving quickly. Against that backdrop, the question of what happens when agents operate across boundaries can feel like a later-stage concern.
It is not. Identity and access controls can govern an agent inside a particular environment. The harder problem is maintaining accountability when the agent begins operating beyond it. Anthropic’s recent Zero Trust framework for AI agents is explicit on this point: each agent instance should have a unique, cryptographically rooted identifier that persists through its lifecycle, appears in logs and access requests, and supports authentication, rotation and revocation. That kind of verifiable identity is what makes safe interoperability possible. As agents move between environments, accountability has to move with them, so the audit trail does not end at the boundary where the risk begins.
The limits of local control
The value of agents comes from their ability to act. They are being designed to invoke tools, coordinate work, exchange information and carry out tasks on behalf of people and enterprises. An agent that can only operate inside one tightly controlled environment may be easier to secure, but it will also be limited in what it can accomplish.
That is the tension enterprises now face. The same interoperability that will make agents valuable will also expand the risk surface around them.
Security leaders are right to focus on the risks already in front of them. More capable models are changing the threat environment in ways that matter right now. But model sophistication is only one part of the issue. The other is autonomy. As agents are given more tools, more permissions and more responsibility, the assumptions behind local control will become harder to sustain.
When interoperability becomes a risk
Most agents are not yet moving freely across enterprise boundaries. Many remain narrow, supervised and limited in scope. But there are two reasons the boundary problem cannot wait.
The first is business value. If agents remain fully contained, their usefulness is constrained. Enterprises will look for returns from AI by connecting agents to more workflows, more tools and more partners. They will want agents to coordinate work across the places where business actually happens.
The second is control. Even enterprises that take appropriate precautions may overestimate how reliably agent activity can remain confined over time. Permissions change. Workflows expand. Tools are added. Business teams find new uses for systems once those systems begin producing value. The environment around agents will keep changing, and accountability needs to remain recognizable when it does.
Security teams are already seeing early versions of this problem in how autonomous AI systems interact with the outside world. An agent exposed to untrusted content may receive instructions the user never sees. An agent with broad permissions may take actions in a context its developers did not fully anticipate. An agent connected to internal data and external communication channels may create a path for leakage or misuse. These are practical control problems, and they become harder to manage as agents gain more tools, more permissions and more autonomy.
For CISOs, the pattern should sound familiar. Some of the hardest security problems emerge at the boundaries between systems, vendors and enterprises. Third-party risk and software supply chain incidents have shown how quickly trust assumptions can break down when no single party controls the full path of activity. Agents introduce a new kind of actor into that same environment. They may be delegated by one enterprise, executed through another platform and interact with a third party in the course of completing a task. In those moments, accountability has to travel with the agent rather than remain tied to the environment where it originated.
The cost of fragmented accountability
In that setting, local identity is not enough. An enterprise may be able to identify and monitor an agent inside the platform where it was created. But once the agent acts elsewhere, that identity may not travel cleanly. Another environment may not know which organization stands behind the agent, whether that relationship can be independently verified, or how trust should be adjusted if circumstances change.
This is where fragmentation becomes a practical security problem. If every platform defines agent identity in its own way, enterprises will inherit a patchwork of trust models. Each may work locally. Together, they create friction at best and gaps in accountability at worst.
Security teams could be left translating between local controls just as agents become more autonomous and more operationally important. That is a difficult place to put defenders. When something goes wrong, they need to know what acted, who was responsible and whether the activity can be contained. Those questions should not depend on which platform created the agent or where it happens to be operating at that moment.
A single high-profile failure could also have consequences beyond the immediate incident. If a rogue or misattributed agent causes material harm, the response could put a chill on the broader market. Security reviews could freeze, integrations could stall and product teams could be forced into a defensive posture as enterprises try to determine which agent activity they can trust. That remains a real risk as long as identity is fragmented and ownership cannot be consistently resolved.
That is not a sustainable foundation for enterprise adoption.
The answer is not to stop agent innovation or force every action back through manual review. That would defeat much of the purpose of the technology. Enterprises want agents because they can move work faster, connect processes and reduce the burden on people. Security teams need a way to support that progress without losing the ability to answer basic questions when something goes wrong.
Which organization stands behind the agent? Can that relationship be independently verified? Can its activity be traced across environments? Can trust be adjusted when circumstances change?
The June 2026 White House executive order on advanced AI innovation and security shows that these questions are now a national priority, one that applies equally across government, industry, and critical infrastructure. The only practical and durable way to enforce that is through a standard of accountability that is recognized everywhere.
A standard for portable accountability
Open matters. If the accountability layer for agents is defined separately by every major platform, then trust will fragment at the moment the market needs consistency. Enterprises will face the burden of reconciling competing approaches, and security teams will be forced to govern agents through local controls that do not resolve cleanly beyond their own environments.
A neutral trust layer gives the market a better path. Platforms, model developers, cloud providers and enterprise software companies can still innovate above it. But the basic ability to establish ownership and accountability for an agent should not depend on any one proprietary ecosystem. The trust layer has to be common enough to travel, and that means it’s probably one that already exists.
We have seen this pattern before. The internet was able to grow because certain foundational functions were treated as shared infrastructure. The Domain Name System did not solve every security challenge on the internet, and it was never meant to. But it did create a common way to resolve names across a global network without requiring one company to control the applications and services built above it. AI agents now need a similar foundation for accountability and trust.
That work should begin now, while the agent ecosystem is still forming. Waiting until agents are deeply embedded in enterprise workflows will make the problem harder to solve. By then, fragmented trust models may already be built into products, contracts, integrations and operating processes.
The promise of agents is real. So is the risk surface they introduce. The way forward is to build the accountability layer before fragmented trust models become embedded in the systems that agents will ultimately depend on.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.