
Delivery Assurance · 11 min read · Updated 2026-06-20

The Hard Part Is Access, Not Intelligence

Intelligence without access is a demo; access without control is a breach. Most organisations are treating AI as a model problem when it is rapidly becoming an identity one — and your biggest identity problem is no longer human. The hard, durable work is the Agent Gateway: scoped identity, action-level authorization, audit and reversibility.

By Priyanka Pandey · Founder & Editorial Lead

Reviewed and challenged by Sanjeev Purohit · Principal, Decision Architecture

Last substantively reviewed · 2026-06-20

In brief

The binding constraint and the real risk in enterprise agentic AI is the access/permission/audit layer, not model intelligence — intelligence without access is a demo, access without control is a breach — so the durable work is the Agent Gateway: scoped identity, action-level authorization, and audit & reversibility.

  • The first AI problem is intelligence; the second — which decides whether anything reaches production — is identity. Most organisations are treating AI as a model problem when it is becoming an identity problem.
  • Your biggest identity problem is no longer human: identity is humans + services + agents + workflows + autonomous systems; non-human identities vastly outnumber humans and grow fastest, driven by AI.
  • Access becomes breach via prompt injection + excessive agency + the confused-deputy problem + borrowed/standing credentials. Every permission granted to an agent is an architectural decision.
  • The standards already wrote the answer (OWASP least-privilege/per-user-context/HITL; MCP OAuth 2.1, audience binding, no token passthrough, scope-min); the gap is that nobody built the place it is enforced.
  • The Agent Gateway (framework): Scoped Identity + Action-Level Authorization + Audit & Reversibility — the brokered control point where value and safety concentrate.
  • Least Agency (principle): give an agent the minimum it needs, brokered, logged and reversible; design boundaries and recovery before expanding access.
  • Decision Architecture decides who may decide; the Agent Gateway decides what those decisions may do — the same discipline at two layers.

Intelligence without access is a demo; access without control is a breach. Almost every enterprise AI conversation starts in the first state and gets stuck before the second. The model is impressive, the workflow is automated, the task that took hours takes minutes — and then someone asks what it is actually allowed to do in production, and the room goes quiet. The uncomfortable truth is that most organisations are still treating AI as a model problem when it is rapidly becoming an identity problem. The first AI problem is intelligence. The second — the one that decides whether any of it reaches production — is identity.

The first AI problem is intelligence. The second is identity.

The demo and the second conversation

The pattern is so consistent it is almost a law. The first conversation is a triumph; the second is where it gets hard — because the second conversation is about access. Can it update a record? Approve a transaction? Trigger a workflow? Reach customer data? And if it does, with whose permissions, under what authority, and how would anyone prove afterwards what it did? At that moment the discussion moves, irreversibly, from intelligence to access — and the teams that get past it stop trying to make the model trustworthy and start engineering what it is allowed to touch.

Your biggest identity problem is no longer human

For thirty years, identity meant people — employees, contractors, customers — and access management was built around them. That assumption is now wrong. Machine identities already outnumber human ones by something like eighty to one (the exact ratio varies wildly by how you count, but every serious estimate points the same way and steeply upward), a large share of them hold privileged access, and AI is now the single biggest driver of new privileged identities. An agent is not a feature of a system; it is a new actor in it — and so are the services, workflows and tools it calls. Identity is no longer humans. It is humans plus services plus agents plus workflows plus autonomous systems, and the population you never managed is the one growing fastest. The unnerving part is how few organisations have noticed: by one 2025 survey only about a tenth have a developed strategy for governing non-human identity at all.

Identity is no longer humans. The population you never managed — services, agents, workflows — is the one growing fastest.

How access becomes breach

Give a capable agent broad, standing access and you have not built a product; you have built a blast radius. The failure modes are now well catalogued. Prompt injection turns an agent’s access into someone else’s instructions — a malicious string in a document or a web page becoming a command executed with the agent’s permissions. Excessive agency — too much functionality, too many permissions, too much autonomy — means an unexpected or manipulated output causes real damage because nothing constrained what the agent could do. The confused deputy problem means an over-privileged agent is tricked into using its authority on someone else’s behalf. And underneath it all sits the oldest mistake, now at machine scale: borrowed and standing credentials, hardcoded keys, secrets sprawled across configs. The lesson compresses to a single design fact: every permission granted to an agent is an architectural decision, whether you treated it as one or not.

The answer the standards already wrote

The encouraging news is that the hard thinking is largely done; it just has not been built. The OWASP guidance for LLM applications already prescribes the doctrine: least privilege, authorization carried in the user’s context rather than a borrowed, over-privileged token, and human-in-the-loop approval for high-impact actions. The Model Context Protocol encodes the same discipline into the wire: servers act as proper OAuth resource servers, tokens must be audience-bound to the server they were issued for, passing a token through to a downstream service is explicitly forbidden (precisely to defeat the confused deputy), consent is per-client, and scopes are minimised. The gap in most enterprises is not knowledge of what good looks like. It is that nobody has built the place where all of it is enforced.
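As an added example (not code from the article, the OWASP guidance or the MCP project), the following Python shows why audience binding and the no-passthrough rule belong together. The token format is a constructed HMAC-signed stand-in for a JWT, the single ISSUER_KEY stands in for an authorization server, and the service names (mcp-crm-server, crm-api) are invented. The server that forwards its inbound token downstream is rejected by the CRM because that token was issued for a different audience; the server that verifies the token for itself and obtains a separate, narrower credential succeeds.

```python
"""Audience binding and the no-passthrough rule, shown with a toy HMAC-signed
token. Added example, not code from the article or the MCP project: the token
format is a stand-in for a JWT, and the shared ISSUER_KEY stands in for an
authorization server that would normally issue the downstream token."""
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"constructed-issuer-key"   # constructed; a single key for brevity


def mint_token(sub, aud, scopes, ttl_s=300, now=None):
    """Issue a short-lived token bound to exactly one audience (resource)."""
    now = time.time() if now is None else now
    claims = {"sub": sub, "aud": aud, "scope": list(scopes), "exp": now + ttl_s}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, expected_aud, now=None):
    """Resource-server check: signature, then audience, then expiry.
    A token minted for another resource is rejected even if otherwise valid."""
    now = time.time() if now is None else now
    body, sig = token.split(".", 1)
    expected_sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, sig):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    if claims["aud"] != expected_aud:
        raise PermissionError(f"audience {claims['aud']!r} is not {expected_aud!r}")
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims


class CrmApi:
    """Downstream resource server; accepts only tokens minted for its own audience."""
    AUD = "crm-api"

    def get_customer(self, token, customer_id):
        claims = verify_token(token, self.AUD)
        if "crm:read" not in claims["scope"]:
            raise PermissionError("missing scope crm:read")
        return {"id": customer_id, "on_behalf_of": claims["sub"]}


class McpServer:
    """The server the agent talks to; its own audience, distinct from the CRM's."""
    AUD = "mcp-crm-server"

    def __init__(self, crm):
        self.crm = crm

    def lookup_passthrough(self, client_token, customer_id):
        # Anti-pattern: forward the client's token to the downstream API.
        # With audience binding this fails closed, which is the point.
        verify_token(client_token, self.AUD)
        return self.crm.get_customer(client_token, customer_id)

    def lookup_brokered(self, client_token, customer_id):
        # Verify the inbound token for THIS server, then obtain a separate,
        # narrower, shorter-lived credential bound to the CRM audience.
        # (A real server would get it from the authorization server, e.g. via
        # token exchange; minting it locally is a simplification.)
        claims = verify_token(client_token, self.AUD)
        downstream = mint_token(claims["sub"], CrmApi.AUD, ["crm:read"], ttl_s=60)
        return self.crm.get_customer(downstream, customer_id)


def demo():
    """Passthrough is rejected by the CRM; the brokered path succeeds."""
    server = McpServer(CrmApi())
    token = mint_token("alice", McpServer.AUD, ["crm:read"])
    try:
        server.lookup_passthrough(token, "c42")
        passthrough = "accepted"
    except PermissionError as exc:
        passthrough = f"rejected: {exc}"
    return passthrough, server.lookup_brokered(token, "c42")


if __name__ == "__main__":
    print(demo())
```

In a real deployment the downstream credential comes from the authorization server rather than from a key the server holds, so no single component can mint tokens for every resource. What the example isolates is the defensive property: a downstream resource that checks its own audience turns an accidental passthrough into a denied request instead of a confused deputy.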

The Agent Gateway

That place is the Agent Gateway: the brokered control point an agent passes through to act on anything that matters, where both the value and the safety of agentic systems concentrate. It is not a firewall bolted on afterwards; it is an architecture, with three components:

  • Scoped Identity — every agent gets its own non-human identity with least privilege and short-lived, brokered credentials, never a borrowed human token or a standing key in a config.
  • Action-Level Authorization — permission is checked per action, in the user’s context, with human-in-the-loop approval for high-impact operations and audience-bound tokens that cannot be passed through (the confused-deputy defence).
  • Audit & Reversibility — every action the agent takes is logged in a form a human can read on a bad day, and designed so it can be withdrawn, reversed or halted.

The Agent Gateway: the brokered control point where scoped identity, action-level authorization, and audit & reversibility converge.
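To make the three components concrete, and to show how they close the failure modes catalogued under "How access becomes breach", here is an added example of a small gateway in Python (not code from the article or from any product). It assumes the agent's identity has already been verified by a broker, uses a constructed policy table and an in-memory CRM, and returns an allow / deny / ask decision per action, in the user's context, with every attempt written to an audit record that carries what is needed to reverse it. The agent, tool and action names are invented.

```python
"""A minimal Agent Gateway: scoped identity, action-level authorization
(allow / deny / ask) checked in the user's context, and an audit log whose
entries carry what is needed to reverse the action. Added example, not code
from the article or any product; the agent, tool and policy names are
constructed, and the identity is assumed to have been validated by a broker."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str        # the agent's own non-human identity, not a human's token
    on_behalf_of: str    # the user in whose context every action is authorized
    scopes: frozenset    # least-privilege scopes brokered for this one task
    expires_at: float    # short-lived: the broker re-issues, nothing stands forever


# Action-level policy: the scope an action needs and whether a human must
# approve it. Constructed; a deployment would load this from a policy store.
POLICY = {
    "crm.read":     {"scope": "crm:read",  "approval": False},
    "crm.update":   {"scope": "crm:write", "approval": False},
    "payment.send": {"scope": "pay:send",  "approval": True},
}


@dataclass
class AuditRecord:
    ts: float
    agent: str
    user: str
    action: str
    args: dict
    decision: str = "deny"        # allow / deny:<reason> / ask:<outcome>
    result: object = None
    undo: Optional[dict] = None   # payload needed to reverse the action, if any
    undone: bool = False


class AgentGateway:
    """tools: action name -> (apply, revert); apply(args) -> (result, undo payload or None)."""

    def __init__(self, tools, approver, clock):
        self.tools, self.approver, self.clock = tools, approver, clock
        self.audit = []   # readable on a bad day: who, for whom, what, and how it was decided

    def execute(self, ident, action, args):
        rec = AuditRecord(self.clock(), ident.agent_id, ident.on_behalf_of, action, dict(args))
        self.audit.append(rec)   # every attempt is recorded, allowed or not
        rule = POLICY.get(action)
        if rule is None or action not in self.tools:
            rec.decision = "deny:unknown-action"   # fail closed
        elif ident.expires_at <= self.clock():
            rec.decision = "deny:expired"
        elif rule["scope"] not in ident.scopes:
            rec.decision = "deny:scope"
        elif rule["approval"] and not self.approver(rec):
            rec.decision = "ask:rejected"          # human-in-the-loop said no
        else:
            rec.decision = "ask:approved" if rule["approval"] else "allow"
            rec.result, rec.undo = self.tools[action][0](args)
        return rec

    def revert(self, rec):
        """Undo an executed action from its audit record; False if not reversible."""
        revert_fn = self.tools.get(rec.action, (None, None))[1]
        if rec.undone or rec.undo is None or revert_fn is None:
            return False
        revert_fn(rec.undo)
        rec.undone = True
        return True


class CrmStore:
    """Constructed in-memory CRM so the example runs offline."""

    def __init__(self):
        self.rows = {"c1": {"email": "old@example.test"}}

    def update(self, args):
        before = dict(self.rows[args["id"]])
        self.rows[args["id"]].update(args["fields"])
        return dict(self.rows[args["id"]]), {"id": args["id"], "before": before}

    def restore(self, undo):
        self.rows[undo["id"]] = dict(undo["before"])


def build_gateway(approver=lambda rec: False, now=1000.0):
    crm = CrmStore()
    tools = {
        "crm.read":     (lambda a: (dict(crm.rows[a["id"]]), None), None),
        "crm.update":   (crm.update, crm.restore),
        "payment.send": (lambda a: ({"sent": a["amount"]}, None), None),
    }
    return AgentGateway(tools, approver, lambda: now), crm


def demo():
    gw, crm = build_gateway()
    agent = AgentIdentity("agent-crm-assist", "alice", frozenset({"crm:read", "crm:write"}), 1300.0)
    r1 = gw.execute(agent, "crm.read", {"id": "c1"})
    r2 = gw.execute(agent, "crm.update", {"id": "c1", "fields": {"email": "new@example.test"}})
    r3 = gw.execute(agent, "payment.send", {"amount": 500})   # outside its scopes
    reverted = gw.revert(r2)
    return [r.decision for r in (r1, r2, r3)], reverted, crm.rows["c1"]["email"]


if __name__ == "__main__":
    print(demo())
```

The order of checks is the point: an unknown action, an expired identity and a missing scope are all denied before any human is asked, and a denied attempt still lands in the audit log so the bad day can be reconstructed. Reversibility is a property of the record, not of the tool: an action whose tool returns no undo payload (the payment here) is one the gateway cannot take back, which is exactly why it is the one gated by approval.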

Least Agency

The principle that runs the gateway is the deliberate inverse of OWASP’s “excessive agency”: Least Agency. Give an agent the minimum it needs to do the task in front of it, brokered and logged, reversible by default — and widen that only on evidence, the way you would extend trust to a new hire, not all at once on day one. The teams that get this right design the boundaries before they expand the access: they assume the agent will be wrong, and build for recovery first. The teams that get it wrong treat safeguards as something to add later, once the value is proven — by which point the access is already broad and the difficult decisions have become urgent.

Least Agency: the deliberate inverse of excessive agency — the minimum an agent needs, brokered, logged and reversible.

"The most revealing question was never what the agent could do — it was what happened when it was wrong. Could the action be reversed? Could access be withdrawn? Could a human intervene? The strongest teams designed those answers before they expanded access; the ones that struggled treated safeguards as something to add later — by which time the hard decisions had already become urgent."

Sanjeev Purohit, from our delivery work

Pillar | What it governs | Without it
Scoped identity | Who or what the agent is — a narrow, per-task identity | A shared, over-privileged credential nobody can trace
Action-level authorization | What each call may do — allow / deny / ask, per action | Excessive agency: it can do anything it can reach
Audit & reversibility | A record of who decided what — and the ability to undo | A breach you can neither reconstruct nor stop

The Agent Gateway — govern what an agent may DO, not just how smart it is. Least agency by default.

Decisions and actions are the same discipline

This is the runtime twin of a governance idea. Decision Architecture determines who is allowed to decide; the Agent Gateway determines what those decisions are allowed to do. One assigns rights, gates and reversibility to human and organisational decisions; the other assigns identity, authorization and reversibility to agent actions. They are the same discipline pointed at two layers — and an organisation that governs its decisions but not its agents’ access has simply moved the ungoverned risk one layer down. Govern both, or you govern neither.

Which reframes the whole race. The question is no longer whether an agent is intelligent enough to act. The question is whether your organisation is disciplined enough to let it. The winners in enterprise AI will not be the ones with the cleverest agents; they will be the ones who built the gateway that lets a capable agent act on real systems without becoming the breach. The intelligence was never the hard part. The access was.

Frequently asked

Why do capable AI agents stall in the enterprise?

Usually not because the model is inadequate, but because giving it safe, scoped access to production systems is unsolved. The blocker is identity, authorization and accountability — what the agent is allowed to touch and whether you can prove what it did — not raw capability.

What is the Agent Gateway?

The brokered control point an agent passes through to act on real systems, with three components: Scoped Identity (its own least-privilege, short-lived credentials), Action-Level Authorization (permission per action, in-context, human-in-the-loop for high-impact, audience-bound tokens), and Audit & Reversibility (every action logged and reversible). It is where the value and the safety of agentic systems concentrate.

What is the biggest agent security risk?

Excessive agency combined with prompt injection: an over-permissioned agent whose access becomes someone else’s instructions. The defences are least privilege, per-action authorization, audience-bound tokens (no passthrough — the confused-deputy defence) and human-in-the-loop on high-impact actions, as OWASP and the MCP spec prescribe.

How should an agent authenticate to systems?

With its own non-human identity and least privilege, using short-lived, brokered credentials — never a borrowed human token or a standing key in a config. Non-human identities now vastly outnumber human ones and are the fastest-growing, least-governed part of the estate.

How is this different from securing AI-generated code?

That is build-time: the quality and security of code an AI writes. This is runtime: what an agent is allowed to do once it is live. A perfectly reviewed agent with a borrowed, over-privileged token is still a breach waiting to happen.

Our perspective

The common view

Enterprise AI is gated by model capability; better/bigger models and more pilots are the path to value, and access/security is an integration detail to handle later.

The Ivaaya view

The binding constraint and the durable risk are the access layer, not the model. Identity is now mostly non-human and ungoverned; access becomes breach via excessive agency and prompt injection; the standards already prescribe the controls. The work is to build the Agent Gateway (scoped identity, action-level authorization, audit & reversibility) and run it on Least Agency — and to treat access as a product, designed before access is widened.

Better models / MCP will make this safe on their own.

Model capability does not grant safe access, and MCP is a spec, not an implementation — it encodes the right controls (audience binding, no passthrough, scope-min) but you still have to build and enforce them in a gateway. Spec ≠ practice.

This is just integration / security plumbing to add later.

Treating access as a later add-on is the failure mode: by the time value is proven the access is already broad and the hard decisions are urgent. Access is a product in its own right — scoped, brokered, logged, reversible — designed before it is widened.

Isn’t this the same as securing AI-generated code?

No. That is build-time (the security of code an AI writes). This is runtime (what an agent is allowed to do once live). A perfectly reviewed agent with a borrowed, over-privileged token is still a breach waiting to happen.

  • Give every agent its own non-human identity with least privilege and short-lived, brokered credentials.
  • Authorize per action in the user’s context; require human-in-the-loop for high-impact; use audience-bound tokens with no passthrough.
  • Log every agent action in a readable, reversible form; design recovery before widening access.
  • Build the Agent Gateway as the enforcement point; treat every granted permission as an architectural decision.

What we’ve observed

  • OWASP (LLM06 Excessive Agency, LLM01 Prompt Injection) prescribes least privilege, per-user authorization context, and human-in-the-loop for high-impact actions (primary).
  • The MCP spec encodes the access doctrine at the protocol level: OAuth 2.1 resource servers, mandatory RFC 8707 audience binding, token passthrough forbidden (confused-deputy defence), per-client consent, scope minimisation (primary; fast-moving).
  • Non-human identities outnumber humans ~82:1 (CyberArk 2025; ~109:1 in 2026 — methodology-dependent, cite the direction); ~42% hold privileged access; AI is the top driver of new privileged identities.
  • Only ~10% of organisations have a developed strategy for non-human identity (Okta 2025).
  • ~29M secrets leaked to public GitHub in 2025 (+34% YoY); AI-service credential leaks +81% (GitGuardian 2026) — a development-time signal adjacent to runtime access.
  • The demo that died at the second meeting: "what can it actually touch in production, and can we prove what it did?"
  • An agent handed a human’s broad token "to ship faster", or a standing API key in a config no one rotated.

How certain are we?

  • Non-human identities vastly outnumber and outgrow human ones, driven by AI (observed): seen consistently in our own work.
  • OWASP/MCP prescribe least-privilege, audience-binding, no-passthrough and HITL controls (established): observed repeatedly across delivery programmes.
  • The agent gateway is where agent value and safety concentrate (emerging): still early, but increasingly visible.
  • Access — not model capability — is the binding enterprise constraint; our argued position (emerging): still early, but increasingly visible.


About the author

Priyanka Pandey

Founder & Editorial Lead

Priyanka Pandey founded Ivaaya and leads its editorial voice, translating real delivery experience into practical thinking on AI-native engineering, decision-making and technology leadership. Her work focuses on helping senior leaders make sense of the changes reshaping software delivery without adding to the noise.

Reviewed and challenged by

Sanjeev Purohit

Principal, Decision Architecture

Sanjeev works across enterprise architecture, product strategy and AI-native delivery. The ideas in this article have been challenged against real programmes, production systems and organisational decision-making before publication.

Compare notes

If an AI pilot impressed everyone and then stalled at "what can it actually touch in production, and can we prove what it did?", the constraint was never the model — it was access. Tell us where an agent is stuck between demo and production; we are comparing notes with teams building the gateway — scoped identity, action-level authorization, audit and reversibility — rather than handing an agent a borrowed token to ship faster.
