Agents and Security: Walking the Line

Agentic AI isn’t just changing the way development and test teams work. The technology has huge implications for security teams as well. How many times have you checked a box online to prove you’re not a robot? Or squinted at a blurry photo to see whether or not it includes a traffic light so you can select the right images in a CAPTCHA? Maybe you’ve gotten used to waiting for authentication codes to arrive via text message or email so you can securely log into your accounts. For many people, these steps simply create a few seconds’ delay in the task at hand. 

For AI agents, however, these security measures can serve as total blockers to accomplishing a goal. Agentic AI is designed to complete tasks autonomously, without human intervention. But most organizations have designed their apps and websites to detect, deter and/or reject input from bots and automated systems. 

Some common security controls that can limit agents 

Most security measures were designed with humans in mind – often, they were put in place to specifically prevent automated attacks or non-human transactions. These existing protocols introduce barriers for individual users looking to use agents to complete certain tasks, such as ordering groceries or booking travel. Security requirements can also present challenges for organizations who wish to serve customers who rely on agents, as well as those looking to automate certain types of workflows through agentic AI. 

Some security measures that pose problems for AI agents include:    

• Authentication requirements: call for users to prove their identity via login credentials, multi-factor authentication (MFA), biometrics, etc. Agents often can’t complete tasks that require a fresh login or MFA unless they’re explicitly authorized or given secure credentials.

• CAPTCHA and bot detection: use challenges like image selection or puzzle-solving to verify a human is interacting with the system. Designed specifically to prevent automation, these mechanisms block agents unless explicitly bypassed or the system has whitelisted them.

• Rate limiting and throttling: limit the number of requests from a user or IP in a given time frame to prevent abuse. Agents making multiple calls to APIs or websites for planning or execution might get throttled or temporarily blocked.

• Role-based access control (RBAC) and permissions: require explicit authorization for users or systems to access certain data or functions. Even if an agent has credentials, it may lack read/write permission for certain data or to trigger specific workflows.

• Session expiry and token refresh policies: end sessions after a set time or inactivity, requiring re-authentication or token refresh. Long-running tasks may be interrupted mid-execution if tokens expire and an agent cannot renew.

• Content security policies (CSP) and cross-origin resource sharing (CORS): restrict where scripts in websites and apps can load content from, and which domains can access APIs.
  Web-based agents or plugins that attempt cross-origin requests can be blocked unless explicitly allowed. 

• Audit logging and anomaly detection: log activity and flag unusual behavior patterns that may indicate automation or abuse. Even well-intentioned agents may trigger security alerts, which may halt tasks or suspend accounts.

• Data loss prevention (DLP) and export controls: limit data movement — especially export, copy, or share functions. This can block data transfer between systems, such as tasks like summarizing and sending reports.

Why interrupting agents’ autonomy creates problems

Interrupting an agent’s ability to function autonomously undermines the core value proposition of agentic AI — which is its capacity to act independently toward goals, using planning, memory, tool use, and feedback loops. Agentic AI is designed to operate in a goal-driven loop:

Observe → Plan → Act → Reflect → Adjust → Repeat

When human intervention is required to complete MFA, solve a CAPTCHA, or approve a task, this loop halts, forcing the system to wait for human input before proceeding. This transforms what should be a seamless, self-adjusting workflow into a series of stop-and-start tasks.

Open AI describes how its agent, Operator, handles these sorts of interruptions: “You describe the task (e.g., ‘Book a flight,’ ‘Order groceries’), and Operator executes the necessary steps. If it encounters a challenge—like a CAPTCHA or password field—it will pause and prompt you to take over, ensuring you stay in control.” If Operator encounters a task it cannot complete, “it will notify you and pause, suggesting you take over. Once you manually resolve the issue (or give it the information it needs), you can either finish the task yourself or hand control back to Operator.”

While this might not seem like a big deal, when an agent has to pause and wait for a human, it may lose working memory or execution context — especially if sessions expire or tools reset. The agent may then:

• Restart the task from scratch
• Require re-planning
• Fail to finish the task entirely

This makes long-horizon tasks much harder to complete reliably. Preventing agents from responding in real time can be especially problematic in scenarios like customer support, system monitoring, or other situations that call for speed and continuity.

One of the promises of agentic AI is that it can scale tasks without human micromanagement — whether it’s scheduling meetings, triaging incidents, or optimizing workflows. If each agent instance requires manual steps to proceed, that human-in-the-loop cost scales linearly, which defeats the purpose of automation.

Security must adapt to accommodate agentic AI

To harness the true efficiency of agentic AI, systems need secure ways to delegate trust and control, so agents can act independently within bounded, observable environments. Designing systems that support agent autonomy securely means finding ways to balance agent freedom with enterprise-level control, observability, and safety. 

My background in security has got me thinking about how organizations will need to revamp their approaches to security to accommodate agentic AI. They’ll need to consider both internal use cases and how to support customers and other external stakeholders using agents to interact with their websites and apps. Some first steps include: 

• Defining agent boundaries
• Giving agents temporary, scoped access
• Setting up human-in-the-loop escalation triggers 
• Implementing behavioral guardrails that layer runtime safety mechanisms

Humans need to be in the loop for any type of software development and testing. One of the challenges with agentic AI is delivering secure, trustworthy applications while making sure that humans don’t bog down the system.