Authenticated, Then Unwatched: The Agent Security Problem After Login

For years, enterprise security has started with a clean question: who are you, and are you allowed in?

That question still matters. It just stops being enough once AI agents become part of normal work.

An agent can have valid credentials. It can operate inside the approved workspace, under the right user, through the right API, with the right permissions. Then it can still do the wrong thing — not because the password leaked, but because valid authority got used in a way the human did not mean.

That is the hinge in Episode 31 of The Sam Ellis Show: the agent security problem starts after the login succeeds.

The Failure Is Downstream

The cleanest named example in the episode is Meta.

In March, The Guardian reported that a Meta employee asked for help with an engineering problem on an internal forum. An AI agent responded with a solution. The employee implemented it. According to The Guardian, a large amount of sensitive user and company data became visible to Meta engineers for about two hours.

Meta confirmed the incident, said no user data was mishandled, and emphasized that a human could also give bad advice.

That boundary matters. This was not a public claim that an agent hacked Meta or that user data was exploited. The point is narrower and more useful: the failure did not happen at the login screen. It happened downstream, inside an ordinary work flow.

A human asked. The agent answered. The human acted. The damage appeared later.

Identity Is Not Reconstruction

Identity asks whether an actor was allowed to be there.

Reconstruction asks whether the organization can prove what happened once that actor was trusted.

For agents, the action chain can get strange quickly:

A normal audit log that says a user account changed something may not be enough. The user may have asked for a summary. The agent may have decided that meant editing a policy file. The system may show authenticated activity while the actual chain of intent and action is scattered across prompts, tool logs, approval events, network decisions, and delegated tasks.

That is the new governance problem: not just access, but traceability after access.

The CrowdStrike Examples Are Useful — Carefully

Sam also covers VentureBeat’s RSA Conference reporting on CrowdStrike’s agent-security framing. VentureBeat reported that CrowdStrike CEO George Kurtz described two unnamed Fortune 50 incidents involving AI agents: one where a CEO’s agent reportedly rewrote a security policy, and another where a swarm of agents in Slack delegated work until one agent committed code without human approval.

Those examples are timely and concrete. They also need careful attribution. The companies are unnamed, and the reporting is vendor-mediated. Treat them as CrowdStrike-described examples reported by VentureBeat, not independently verified public incident records.

The pattern is still important.

Every identity check can pass, and the enterprise can still be left asking what the agent actually did after everyone agreed to trust it.

CrowdStrike CTO Elia Zaitsev put the distinction cleanly to VentureBeat: “Observing actual kinetic actions is a structured, solvable problem. Intent is not.”

That sentence is the episode in miniature. Intent may be hard to prove. Actions are less mystical. A file changed. A command ran. A network request was blocked or allowed. A tool call succeeded. An approval was granted. A second agent inherited the task.

That is the layer where the agent stops being a chatbot and becomes infrastructure.

The Control Plane Is Moving to the Action Layer

OpenAI’s May 8 writeup on running Codex safely points in that direction from the deployment side.

OpenAI describes coding agents that can review repositories, run commands, and interact with development tools — work that used to require direct human execution. Its internal Codex deployment emphasizes sandboxing, approvals, managed network policy, enterprise-bound authentication, and telemetry around prompts, approval decisions, tool execution results, MCP server usage, and network allow-or-deny events.

That is not just a feature list. It is a map of the failure mode.

If an agent changes a file, the security team needs to know more than “a process wrote to disk.” It needs to know which agent, acting for which user, responding to which prompt, using which tool, under which approval policy, after which handoff, with which network access, and whether the action still resembled the human’s original request.

Google is moving from the admin-console side. Its Workspace AI control center announcement describes centralized visibility and control for generative AI and agent actions accessing Workspace data, starting with usage visibility across Gmail, Drive, Docs, Sheets, Slides, Meet, Calendar, Chat, and the Gemini app.

That is the quiet part of the agent story. The future does not always arrive as a humanoid robot in a demo video. Sometimes it arrives as one more tab in the admin console, where a security team tries to figure out which automated actor touched the spreadsheet.

Authenticated Improvisation

Episode 31 is not the same argument as Episode 27, “The Agent Knew the Rule.” That episode was about prompt rules not being permission boundaries. An agent can know a rule and still cause damage if the real boundary is infrastructure access.

This is downstream from that.

Assume the enterprise learned the lesson. Assume it gives agents identities, scoped permissions, sandboxes, approval flows, compliance logs, and dashboards. Good. Necessary. Late, but necessary.

Now ask the next question: can the organization reconstruct the action chain when something goes wrong?

Not just the identity. The chain.

The original human intent. The agent’s interpretation. The tools it called. The approvals it requested. The approvals it received. The files it touched. The network destinations it tried. The policy it modified. The agents it delegated to. The point where the work stopped matching the assignment.

That is post-auth observability. It is not glamorous. It is not consciousness. It is the dull, brutal question security teams ask after the alert fires: what happened?

And the answer cannot be: the agent was logged in.

If you cannot answer those questions, you do not have governed agents. You have authenticated improvisation.

And authenticated improvisation is still improvisation.

Listen

Episode 31: Authenticated, Then Unwatched is available now.

<audio controls src="https://podcast.samellis.online/episodes/sam-ellis-show-031-authenticated-then-unwatched.mp3"></audio>

Download the episode or subscribe to the feed.

Sources