Who gave your AI agent authority?

Reddit r/AI_Agents Tools

Summary

Discusses the security gap in AI agent workflows where agents assume human oversight at critical steps, and proposes a runtime control plane that enforces permissions and requires human approval for destructive actions, demonstrated with a Tandem demo.

In most agent workflows we basically assume the agent will stop and ask when it gets to a critical point. For example, when an agent can send email, delete files, modify repos, or touch production systems, we expect it to ask for permission before doing something destructive. That might be fine in demos. In production, I don't believe that would pass a serious CISO/security review. As agent tools like OpenClaw and Hermes start doing real work inside companies, the issue becomes more obvious: companies are not going to let agents operate with only prompting as the security boundary. The risk of destructive actions, data leaks, or tool misuse is too high. What if the answer is not better prompting, but a runtime/control plane that decides what authority the agent has at each step? I built a small Tandem demo around this: an agent drafts an email, but the runtime stops it before send, waits for human approval, then resumes with an audit trail. See comments for the demo. What controls would you expect before trusting agents with real company tools?
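As an added example (not the Tandem demo or any other code from the post), a minimal version of the runtime/control plane the post describes: every tool call goes through a policy lookup, ALLOW actions run, REQUIRE_APPROVAL actions pause until a human approves or rejects them, anything unlisted is denied, and every decision lands in an audit trail. The policy table, the tool stand-ins and the call-id format are constructed for illustration.

```python
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"                        # agent may run it unattended
    REQUIRE_APPROVAL = "require_approval"  # pause until a human approves
    DENY = "deny"                          # never available to the agent

# Constructed policy: authority is granted per (tool, action) by the runtime,
# not by the prompt. Anything unlisted falls through to DENY.
POLICY = {("email", "draft"): Decision.ALLOW,
          ("email", "send"): Decision.REQUIRE_APPROVAL}

# Constructed stand-ins for the real tools the agent would call.
TOOLS = {("email", "draft"): lambda a: f"draft for {a['to']}",
         ("email", "send"): lambda a: f"sent to {a['to']}"}

class Runtime:
    """Every agent tool call passes through here; nothing runs directly."""

    def __init__(self):
        self.audit = []    # append-only record of decisions and outcomes
        self.pending = {}  # call_id -> (tool, action, args) awaiting a human

    def request(self, tool, action, args):
        decision = POLICY.get((tool, action), Decision.DENY)
        call_id = f"call-{len(self.audit):04d}"  # unique: every request logs
        self.audit.append({"call_id": call_id, "tool": tool, "action": action,
                           "args": args, "decision": decision.value})
        if decision is Decision.ALLOW:
            return self._execute(call_id, tool, action, args, approver=None)
        if decision is Decision.REQUIRE_APPROVAL:
            self.pending[call_id] = (tool, action, args)  # agent is paused here
            return {"status": "pending", "call_id": call_id}
        return {"status": "denied", "call_id": call_id}

    def approve(self, call_id, approver):
        tool, action, args = self.pending.pop(call_id)  # KeyError if unknown
        return self._execute(call_id, tool, action, args, approver)

    def reject(self, call_id, approver, reason):
        self.pending.pop(call_id)
        self.audit.append({"call_id": call_id, "outcome": "rejected",
                           "approver": approver, "reason": reason})
        return {"status": "rejected", "call_id": call_id}

    def _execute(self, call_id, tool, action, args, approver):
        result = TOOLS[(tool, action)](args)
        self.audit.append({"call_id": call_id, "outcome": "executed",
                           "approver": approver, "result": result})
        return {"status": "executed", "call_id": call_id, "result": result}
```

The approver's identity is recorded next to the resumed call, so the audit trail answers the title question for each destructive action.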