Skip to content

AI Security

Your AI agent is another user

An AI agent connected to email, CRM or finance needs its own identity, limited permissions, clear approval points and someone who can switch it off.

Agent identityEnquiries agent
Responsible person · Josh
Can read
Support inbox and assigned CRM records
Allowed
Can write
Internal notes and draft replies
Allowed
You sign off
Messages sent outside the business
Sign off
Cannot
Payments, deletion and permission changes
Blocked
Access reviewed before launchProduction access record
AI SecurityVibeZero insight

An AI agent that can read email, update your CRM or trigger a payment needs its own identity, limited permissions and a person responsible for switching it off. Calling it AI does not change what those permissions allow.

The quickest way to get an agent working is to hand it a key to the systems it needs. An enquiries agent gets access to a shared mailbox, a CRM token and permission to draft replies. Someone uses an administrator token because the narrower role is not ready yet. The demo works, everyone moves on, and two months later that temporary token is still there. Nobody can say which customer records the agent touched.

We would not onboard a staff member that way. The model should not get a pass because it works through an API.

A chatbot gives you an answer to review. An agent can take the next step itself because somebody connected it to email, files, customer records or finance software. Once that happens, the model is only part of the security picture. The account decides what it can reach, and the workflow decides what it can change.

The agentic AI security guidance published by ASD's Australian Cyber Security Centre and its international partners makes the same point in more technical language. It recommends a distinct identity for each agent, the minimum permissions required for its approved job, human approval at decision points and continuous monitoring of what the agent does. The guidance was written for large organisations and infrastructure, but those controls make just as much sense for a business with ten people connecting an agent to Outlook and HubSpot.

Start by asking whether you need an agent

An agent is useful when the next action depends on context that fixed rules cannot handle cleanly. It may need to read an enquiry, work out which service it concerns, find the matching customer record and prepare a response. That is different from copying every new form submission into a spreadsheet, which ordinary automation can do with fewer moving parts.

The government guidance makes an unfashionable point before it gets into security controls. A business should consider whether it can simplify or remove a repetitive process before adding an agent to it. We agree. If a fixed workflow can do the job, use the fixed workflow.

When an agent is justified, the access plan belongs in the design from the start. It should not arrive as a security clean up after the demo.

The prompt is not the boundary

People spend a lot of time tightening the instruction given to an agent. That instruction matters, but it does not reduce the permissions on the credential underneath it.

An enquiries agent may be told to update only the lead record attached to the current email. If its CRM token can export every contact, change record owners and delete deals, all of those actions remain available. A good prompt asks the model to stay in its lane. The account decides whether a mistake can leave it.

The permission gap
What the instruction says

Update the assigned lead record.

What the account allows

Read, export and edit every contact in the CRM.

The prompt asks for one record. The credential can reach all of them.

This becomes more important when the agent reads material from outside the business. An incoming email is data to a person, but it is also text that a model may interpret as an instruction. Microsoft's current guidance on prompt injection in email says the malicious instruction may sit in the subject, body, quoted replies, an attachment or hidden markup. An assistant that summarises or replies to the message may follow the attacker's instruction instead of yours.

Filtering and prompt design can reduce that risk. They cannot turn an administrator token into a sensible security boundary. If the agent follows the wrong instruction, limited permissions decide how far it gets.

Give the agent its own identity

Every platform names this differently. An agent may use a dedicated agent identity, a service principal, a service account or delegated access from a person. The useful rule is that you must be able to identify it separately from the employee who created it.

Microsoft Entra now treats an agent identity as the primary account an agent uses to authenticate. It receives its own identifier and may record a human sponsor who is accountable for the agent. Some Microsoft services still require an optional user account as well, which is why the title of this article is a mental model rather than a claim that every platform stores agents as ordinary users.

The distinction matters when something changes. You should be able to disable the agent without locking out the person who built it, remove one permission without breaking a shared integration, and read an audit record that names the agent rather than making every action look like it came from an administrator.

A shared staff login fails all three tests. So does one API key reused by several agents.

Access should match one job

Start with the job in ordinary language. Our illustrative enquiries agent reads messages sent to the support inbox, finds the matching lead, adds an internal note and drafts a reply. It does not need the finance system, the full SharePoint library or permission to change who owns a CRM record.

Illustrative access review
Support inbox
Read messages assigned to enquiries
Allowed
HubSpot
Read and update assigned leads
Allowed
External email
Draft only until a person approves it
Sign off
Xero and SharePoint
Blocked because the job does not require them
Blocked

One account, one job and no inherited administrator access.

This is where broad role names become a problem. "CRM access" tells you almost nothing. Write down which records the agent can see, which fields it can change and whether it can act on every customer or only the one attached to the current task.

Time matters as well. Access needed for one import or repair job should expire when that work finishes. The ACSC guidance recommends short lived credentials and removing elevated access after a privileged task rather than leaving a permanent key in place because it may be useful later.

Put approval where damage starts

Approval on every step makes an agent slow and expensive. Approval nowhere turns a model error into a business action. The useful point sits immediately before an external consequence or a change that is difficult to reverse.

Action Who decides
Read an assigned enquiry The agent
Add an internal CRM note The agent
Draft a reply The agent
Send the reply outside the business Your team signs off
Issue a refund Your team signs off
Delete a customer record Blocked

The line will differ by workflow, but it should be written down. Sending an email, moving money, deleting a source record, changing access and accepting a contract all deserve a person at the point of consequence. The ACSC guidance recommends mandatory human approval at decision steps and the ability to interrupt an agent while a task is running.

An approval screen also needs enough context for a person to make the decision. "Approve action" is useless. Show the message, the customer, the proposed change and the source material the agent relied on.

Logs belong in the build

An agent that works under somebody else's account produces a misleading record. The log may say an administrator changed a contact at 2:13am when the administrator was asleep and an agent retried the same task four times.

We want a record that answers practical questions.

  • What started the task?
  • Which customer records did the agent read?
  • What action did it propose?
  • Who approved it?
  • What changed in the source system?
  • Did the agent retry or call another tool?

You do not need to preserve every token the model produced. You do need enough information to reconstruct the business action and separate the agent from the people using it. The government guidance recommends monitoring prompts, tool calls, memory interactions, decisions, actions and changes to identity or permissions. That work is much easier when the agent has a name of its own.

Logs also need an owner. A record nobody reviews only helps after somebody has already noticed the damage.

Make every action reversible

Agents retry tasks. Networks fail halfway through an operation, APIs return ambiguous errors and a model may decide that running the same step again is the safest response. If the action creates an invoice or sends an email, a retry can become a duplicate with a customer on the other end.

Build the recovery behaviour alongside the successful path. The workflow should keep the original record, stop after an agreed retry limit and flag the right person when it cannot finish cleanly. Where an action can be made safe to repeat, design it that way. Where it cannot, require a fresh check before the agent tries again.

The off switch belongs here too. Disabling one agent should revoke its access without taking down every automation or locking out the staff member whose credential it borrowed. That is another reason its own identity matters.

The launch gate

The launch decision does not need a governance pack with a hundred pages. It needs clear answers about one agent and one job.

Before launch

The agent access review

  • The agent has its own identifiable account.
  • A person or accountable team is responsible for it.
  • Every connected system is listed.
  • Its access is limited to the records and actions the job requires.
  • A person signs off before money, deletion or an external commitment.
  • The logs show what the agent read and changed.
  • You can disable the account without shutting down the whole workflow.

If you cannot answer these points, the agent is still a demo.

We use the same questions whether the agent is built with n8n, Copilot Studio or custom code. The implementation changes, but the access problem does not.

If you are planning an agent that will touch business systems, start by mapping one workflow and its control boundary. Our AI agent development work covers the build and the access design together. For an existing deployment with unclear permissions, an AI security review or AI data loss prevention assessment is the better starting point.

If nobody can name the account, the systems it reaches and the person who can stop it, the agent is not ready for production.

More useful thinking, only when it is ready.

New articles and sourced Field Notes, roughly monthly. No recycled AI news and no automated sales sequence.

Next step

Want to work through what this means for your business?

Start with the problem. We will give you a straight answer on the fit.

Perth on-site · remote nationally