Insight
Defence in Depth for the Agentic Age
Why agentic AI breaks old security assumptions and how practitioners are adapting
Most organisations think they’re securing AI – they’re actually securing fragments of it.
Inventory looks neat. Posture dashboards feel reassuring. Risk registers are filling up.
Then someone asks a simple question:
“What does our AI actually do, end to end?”
That’s where the confidence starts to fade.
A familiar field lesson
This keeps coming up in conversations with security and technology leaders.
An organisation is well into its AI journey. Agents are in play. Workflows are automated. Tools are connected. Value is being delivered.
Security has done what the market told them to do.
They’ve catalogued models. Tagged AI platforms. Mapped vendors. Assessed high-level risk.
On paper, things look under control.
Then a deeper walkthrough happens.
An agent doesn’t just answer questions. It calls tools. Pulls data. Triggers workflows. Hands work off to other agents. Writes results back into systems.
Suddenly the question isn’t “is this model secure?”
It’s “what happens if this chain is abused?”
That’s the moment many organisations realise they’ve crossed into the agentic age, without changing how they think about defence.
Agent-based vs agentic: why this distinction matters
This is where a lot of confusion starts.
Agent-based systems are still largely reactive. They assist. They recommend. They act within narrow, predefined bounds.
Agentic systems are different.
They:
- Decompose goals
- Decide next actions
- Chain tools and agents
- Operate across systems
- Adapt based on outcomes
The system doesn’t just respond. It behaves.
That behavioural shift is why traditional controls struggle.
You can inventory an agent. You can’t inventory emergent behaviour.
The myth the market is selling
Right now, the market is heavily focused on:
- AI inventory
- AI posture management
- Model governance
- Policy enforcement
These are necessary. They are not sufficient.
They tell you what exists. They rarely tell you how it connects, how it behaves, or how it can be abused.
In agentic architectures, risk doesn’t sit in a single component.
It sits in the connections.
Why defence in depth needs to be rethought
Traditional defence in depth assumes relatively static systems.
Agentic systems are anything but static.
They are:
- Composable
- Dynamic
- Context-driven
- Capable of lateral movement
Security teams aren’t just defending assets anymore.
They’re defending decision-making systems.
That’s a fundamentally different challenge.
A practitioner-aligned framework for the agentic age
One approach that’s resonating with experienced teams aligns well with the MAAIS way of thinking, not as a product, but as a mental model.
1. Discover what actually exists
Start with discovery, but go deeper than inventory.
This isn’t just:
- Models
- Platforms
- Vendors
It’s also:
- Agents
- Tools
- Orchestration layers
- MCP-style servers
- Data dependencies
The goal is not completeness. It’s understanding.
2. Map runtime behaviour, not architecture diagrams
Static diagrams lie by omission.
Runtime mapping asks harder questions:
- Which agent can call which tool?
- Under which identity?
- With access to what data?
- In what sequence?
This is where many “secure AI” narratives start to break down.
3. Control permissions at the action layer
In agentic systems, permissions are not just about access.
They’re about capability.
Ask:
- What actions can this agent perform?
- Where can it write data back?
- Can it trigger downstream automation?
- Can it influence other agents?
Least privilege still applies. It just needs to be applied at a different level.
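As an added example (not code from the original article), here is a small Python sketch of steps 2 and 3 together: a default-deny authorisation check at the action layer keyed by agent identity, plus a runtime reachability map that shows what an agent can reach through delegation chains and what it gains only by chaining. The agent names, tool names and policy are constructed sample data.

```python
from collections import deque
from enum import Enum

class Action(str, Enum):
    READ = "read"
    WRITE = "write"        # writes results back into a system
    TRIGGER = "trigger"    # starts downstream automation
    DELEGATE = "delegate"  # hands work off to another agent

# Constructed sample policy: agent identity -> {tool or agent: allowed actions}.
POLICY = {
    "svc-research-agent": {"search": {Action.READ}, "crm": {Action.READ}},
    "svc-ops-agent": {
        "crm": {Action.READ, Action.WRITE},
        "ticketing": {Action.TRIGGER},
        "svc-research-agent": {Action.DELEGATE},
    },
}

def authorize(policy, identity, target, action, audit):
    """Step 3: default-deny check at the action layer, keyed by the
    agent's identity, with every decision appended to an audit trail."""
    allowed = action in policy.get(identity, {}).get(target, set())
    audit.append({"identity": identity, "target": target,
                  "action": action.value, "allowed": allowed})
    return allowed

def effective_reach(policy, identity):
    """Step 2: what an agent can reach directly or via delegation chains,
    found by walking DELEGATE edges (cycle-safe)."""
    reach, seen, queue = {}, set(), deque([identity])
    while queue:
        agent = queue.popleft()
        if agent in seen:
            continue
        seen.add(agent)
        for target, actions in policy.get(agent, {}).items():
            if Action.DELEGATE in actions and target in policy:
                queue.append(target)
            reach.setdefault(target, set()).update(actions - {Action.DELEGATE})
    return {t: a for t, a in reach.items() if a}

def gained_via_chain(policy, identity):
    """Capabilities an agent only obtains through other agents: the
    agent-chaining exposure that the direct policy entry does not show."""
    direct = policy.get(identity, {})
    reach = effective_reach(policy, identity)
    return {t: a - direct.get(t, set()) for t, a in reach.items()
            if a - direct.get(t, set())}
```

Reviewing `gained_via_chain` for each agent identity is a quick way to answer "can it influence other agents?" with data rather than a diagram.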
4. Red team the system, not just the model
This is where most organisations are underinvested.
Agentic systems need adversary simulation that focuses on:
- Prompt manipulation
- Tool misuse
- Agent chaining abuse
- Privilege escalation via workflow logic
This is not theoretical risk.
It’s how these systems fail in practice.
5. Govern the system as it evolves
Agentic systems don’t stand still.
Models change. Tools expand. Workflows grow.
Governance in this context means:
- Continuous review
- Clear ownership
- Change awareness
- Runtime visibility
Not control for control’s sake. Control for predictability.
Common traps teams keep falling into
Even mature organisations repeat the same mistakes:
- Treating agentic systems as “automation plus AI”
- Assuming posture scores reflect real risk
- Over-focusing on models while ignoring execution paths
- Delegating responsibility entirely to platform teams
- Waiting for standards to mature before acting
Agentic systems won’t wait.
Quick wins you can act on this week
You don’t need a new tool to start thinking differently.
This week:
- Ask a team to walk you through a single agent task, end to end
- Identify which identity each agent operates under
- Map which tools and APIs an agent can call
- Review where agents can write or trigger actions
- Run a tabletop or light red team exercise on one workflow
- Assign explicit accountability for agentic security decisions
These conversations surface risk faster than most dashboards.
The real shift leaders need to make
Agentic AI didn’t create new security problems.
It exposed how much we relied on assumptions that no longer hold.
Inventory is no longer enough. Static controls are no longer enough. Model-centric thinking is no longer enough.
Defence in depth still matters. It just needs to evolve.
Final Takeaway
Agentic systems change how technology behaves.
Defence in depth is how we ensure that behaviour remains predictable, explainable and safe.
Not by slowing innovation. But by understanding it properly.