Back to Portfolio
AI Security
2026-05-18
7 min read

The Perimeter Is Pushing Its Boundaries Again. Did Your Security Strategy?

We moved from firewalls to identity. Now AI agents are making decisions without humans in the loop. The real question isn't where your perimeter is — it's whether you still control it.

The Perimeter Is Pushing Its Boundaries Again. Did Your Security Strategy?

Every generation of security leaders has had to answer the same question in a different way: where is the perimeter?

For decades, the answer was simple. The perimeter was the network edge — the firewall, the DMZ, the point where your infrastructure ended and the internet began. Build the wall high enough, the thinking went, and you control what gets in and what gets out.

Then the cloud arrived. Then mobile. Then SaaS. Then remote work. The wall didn't fall — it dissolved. The perimeter stopped being a place and became an idea. And the security industry responded by rebuilding it around identity. Zero Trust. Never trust, always verify. The user is the new perimeter.

That model is still correct. And it's already becoming insufficient.

Because now there's a third actor in your environment — one that isn't a network and isn't a human. It's an AI agent. It reasons. It decides. It acts. And in most organizations, nobody has figured out where its perimeter is yet.


The Three Perimeters — And Why Each One Broke

Understanding where we're going requires understanding how we got here. The history of enterprise security is really the history of three perimeters, each one rendered obsolete by a technology shift that nobody saw coming fast enough.

The Network Perimeter — 1990s to 2010s

The firewall era assumed a clear inside and outside. Your data center was inside. The internet was outside. Every security decision flowed from that geography. Intrusion detection, VPNs, DMZs — all designed to control what crossed the line.

It broke when the line disappeared. Cloud infrastructure, SaaS applications, and remote work meant your data no longer lived inside your walls. Your employees were no longer inside your walls. The perimeter became meaningless because there was no longer a meaningful inside.

The Identity Perimeter — 2010s to present

Zero Trust replaced geography with identity. If you can prove who you are — through strong authentication, device compliance, behavioral signals — you can access what you're authorized for, from anywhere. The perimeter moved from the network edge to the login prompt.

This model is still the right foundation. But it has a fundamental assumption baked in: the entity requesting access is a human, or at least directly controlled by one.

AI breaks that assumption entirely.

The Autonomy Perimeter — Now

AI agents don't log in the way humans do. They operate continuously, often with persistent credentials, accessing systems and making decisions across long chains of actions — sometimes without a human reviewing each step. They read your emails, browse the web, execute code, call APIs, and generate outputs that flow back into your business processes.

The question "who is requesting access?" has a new possible answer: an AI that was authorized by a human, acting on behalf of that human, interpreting instructions in ways the human may not have anticipated.

That's a perimeter problem nobody has fully solved.


What the AI Perimeter Actually Looks Like

The network perimeter controlled where data could go. The identity perimeter controlled who could access it. The autonomy perimeter controls what can be decided — and by whom.

This is the shift that most security frameworks haven't caught up with yet. We know how to authenticate a user. We know how to check whether a device is compliant. We don't yet have mature, standardized answers to questions like:

  • How do you verify the intent behind an AI agent's action, not just its credentials?
  • How do you enforce least privilege on a system that's designed to be flexible and context-aware?
  • How do you audit a decision made by a model that processed thousands of inputs to reach it?
  • How do you detect when an AI agent has been manipulated — through prompt injection, poisoned data, or adversarial inputs — into acting against its operator's interests?

These aren't hypothetical questions. They're operational ones, arriving in security teams' inboxes right now as organizations deploy AI agents into production workflows.


The Three Dimensions of the New Perimeter

Adapting to the AI era requires thinking about security across three dimensions that didn't exist — or didn't matter — in the firewall era.

01 — Identity: Still the Foundation, But Expanding

Identity remains the bedrock. But the identity model has to expand beyond humans. Every AI agent operating in your environment needs an identity — a cryptographically verifiable, auditable identity that carries the same governance weight as a human user account.

That means:

  • AI agents should have scoped service accounts, not inherited human credentials
  • Agent permissions should follow least-privilege principles — access only what's needed for the specific task
  • Agent activity should be logged at the same fidelity as human activity
  • Agent credentials should rotate and expire like any other credential

Most organizations haven't implemented this yet. Their AI agents are running under broad service accounts with excessive permissions, minimal logging, and no lifecycle management. That's not an AI problem — it's an identity hygiene problem applied to a new class of actor.

02 — Intent: The Emerging Control Layer

Beyond identity, the AI era introduces a new control question: not just who is acting, but what they're trying to accomplish and why. Intent verification is nascent as a security control, but it's where the field is heading.

Anthropic's model specification — which governs how Claude behaves — is an early example of intent governance at the model level. It defines not just what the model can do, but what it should prioritize, what it should refuse, and how it should behave when instructions conflict. That's behavioral policy, not just access policy.

For enterprise security teams, the implication is that AI governance needs to include behavioral specifications, not just access controls. What is this agent supposed to do? What should it refuse even if instructed? Who can override its defaults, and under what conditions?

03 — Autonomy: The Hardest Problem

The deepest challenge is autonomy itself. The more capable AI agents become, the more they operate outside direct human supervision. A human analyst reviews their work periodically, not continuously. They take sequences of actions — some reversible, some not — before a human sees the outcome.

This creates a new attack surface: the gap between authorization and oversight. An attacker who can manipulate an AI agent during that gap — through prompt injection, adversarial inputs, or poisoned data — can cause real damage without ever touching a credential or crossing a firewall.

The security response to autonomy isn't to eliminate it — that would negate the value of AI entirely. It's to build what Anthropic calls "minimal footprint" principles into every agentic deployment: prefer reversible actions, escalate to humans at decision points that carry significant consequences, maintain audit trails of reasoning, not just outputs.


How to Be Adaptive in an Exploding AI Landscape

The pace of AI development is genuinely unprecedented. Models that didn't exist eighteen months ago are now embedded in enterprise workflows. Capabilities that seemed years away are arriving in quarterly releases. No security framework — including this one — will stay current without continuous adaptation.

Here's what adaptive AI security looks like in practice:

Build for change, not for today's threat model The specific risks of today's AI agents will look different from those of next year's. Design your governance framework around principles — least privilege, human oversight, audit trails, behavioral boundaries — rather than specific tool configurations that will be obsolete quickly.

Treat AI vendors as a new category of third-party risk Your AI vendors don't just process your data — they influence your decisions. Their model updates, training data, and behavioral specifications are now part of your risk surface. Add AI-specific questions to your vendor assessments: How do model updates get communicated? What behavioral changes ship silently? What data is retained from your interactions?

Invest in AI-specific security skills Prompt injection, adversarial machine learning, model evasion — these are real attack techniques that require real defensive expertise. The security skills needed to defend AI systems overlap with but don't duplicate traditional security skills. Build that capability now, before you need it urgently.

Make human oversight a design requirement, not an afterthought Every agentic AI deployment should have a defined human oversight model built in from the start — not retrofitted after an incident. Where are the checkpoints? Who reviews consequential decisions? What triggers escalation? These are architectural decisions, not operational ones.


Why Executives Need to Care

The firewall era produced a generation of security conversations that executives could safely delegate to IT. The identity era brought security into the boardroom via breach headlines and compliance mandates. The autonomy era will bring it into the boardroom via something more fundamental: questions about who — or what — is actually making decisions in your organization.

Questions the board and C-suite should be asking:

  • Do we have an inventory of every AI agent operating in our environment — what it has access to, what it's authorized to do, and who oversees it?
  • Have we extended our identity governance model to cover AI agents, or are they operating under human credentials with no lifecycle management?
  • Do our AI deployments follow minimal footprint principles — scoped access, reversible actions, human oversight at consequential decision points?
  • How do we detect when an AI agent has been manipulated into acting against our interests?
  • Is AI security represented in our threat model, our red team exercises, and our incident response playbooks?
  • What is our process for evaluating behavioral changes when our AI vendors ship model updates?

The Bottom Line

The perimeter hasn't disappeared — it has evolved. From geography to identity to autonomy. Each evolution demanded a fundamental rethink of how security works, not just an update to existing tools and policies.

We are in the early days of the autonomy era. The organizations that adapt fastest — that extend their identity models to AI agents, that build intent governance into their AI deployments, that design human oversight into agentic systems from the start — will be the ones that capture AI's benefits without becoming its casualties.

The perimeter is dead. Long live the perimeter.

The question is whether you're building the next one — or waiting for an incident to force the conversation.


References

  • Anthropic, Claude Model Specification, 2026. anthropic.com/claude/model-spec

  • NIST, AI Risk Management Framework (AI RMF 1.0). nist.gov

  • OWASP, Top 10 for Large Language Model Applications, 2025. owasp.org

  • Gartner, Emerging Tech: Security — The Future of Cyber with AI, 2025.

  • Microsoft, Security for AI: How Microsoft Approaches AI Security, 2025. microsoft.com/security