Agents Need Capabilities, Not Roles

Security has been doing fine-grained action-based authorization since POSIX rwx in 1973 and since capability-based security named the per-action token in the sixties. Agents are a new identity class where that heritage matters more, not less. The unit of an agent's permission is the action it can take, grouped by blast radius, and the framework that holds it is the ISMS you already run.

Agent Identities Are Service Accounts That Improvise

A service account always does the same thing. An AI agent decides what to do as it runs, against inputs that may include adversarial text indistinguishable from instructions. The base identity discipline is the same; the operating model is different, and the difference is where most agent rollouts go wrong.

Security Is an Overlay, Not a Column

A security team will never get a column on the org chart or a person on every value stream. Security has to attach as an overlay instead, woven from three modes: embed at decisions, program across every stream, on call for events. The highest-stakes embed is the architecture decision, which sets compliance scope and tooling cost for years, before it ever shows up in pricing.

The Org Chart Is Not the Value Stream

Most companies are organized into vertical silos, and Conway's law stamps that shape straight into the product they ship. The value stream, the path work actually takes to reach a customer, runs sideways across every silo and belongs to no one. The fix is not to break Conway's law or to reorganize, but to aim it and give the value stream an owner.

The First Security Hire Is a Unicorn Hire

The head of security role, usually a company's first security hire, expects one person to be a unicorn with real depth across every security domain. Genuine unicorns are rare, and no two have the same powers. Whether you're hiring one or becoming one, matching those powers to a company's real risk matters more than the myth.

The BlackDuck API: A Love Letter Written in 406 Errors

I spent months building a production collector against the BlackDuck API. The documentation didn't prepare me for what I found. Here's everything I wish someone had told me about navigating its hierarchical data model, undocumented quirks, and the organizational challenges hiding behind the technical ones.