Orply.

AI Agent Security Is Becoming an Access-Control Problem

Craig SmithEye on AITuesday, July 7, 202616 min read

Devvret Rishi, Rubrik’s GM of AI and former Predibase chief executive, argues that the main enterprise AI security risk is not the model but the access granted to agents that can act inside databases, email, code repositories and other systems of record. In a conversation with Craig Smith, Rishi presents Rubrik Agent Cloud as a governance layer for that access: a platform meant to discover agents across an enterprise, monitor their prompts and tool calls, enforce natural-language policies at runtime, and help recover from destructive actions.

The risk starts when a model gets access

? devvret-rishi defines an AI agent in deliberately plain terms: “models with access.” The access is the important part. A model that can call tools, hit APIs, read databases, operate inside email, manipulate files, or interact with systems of record is no longer just answering questions. It is doing work inside an organization.

We define agents as just really like models with access. So like access to tools or APIs that can start to do work inside an organization.

? devvret-rishi · Source

That reframe is the basis for Rubrik Agent Cloud, the product Rishi is leading as GM of AI at Rubrik after Rubrik acquired Predibase, the generative AI infrastructure company he co-founded and ran. Predibase had built infrastructure for companies deploying pre-trained deep learning models and later large language model systems. Rubrik’s legacy business was different: data and cyber resilience, including helping organizations recover from downtime, ransomware, and other threats by protecting data, understanding identity, and maintaining recoverable snapshots.

Rishi describes Rubrik’s original posture as “assume breach.” Earlier security products focused on making sure the door was locked. Rubrik’s premise was that some attacks would get through, and the business needed a way to bounce back. The company’s threat model evolved from natural disasters, fire, and flood toward ransomware and cyberattacks. Rishi’s claim is that the next threat vector is AI, specifically agents deployed inside organizations.

The constraint is straightforward: agents cannot produce much enterprise value unless they can reach valuable systems. A customer-support agent needs customer data. A sales agent needs CRM records. A coding agent may need repositories, terminals, databases, and file systems. But the same access that makes the agent useful also creates the security problem.

The product Rubrik is building is not an agent builder and not an orchestration system. Rishi places it above those layers. The model layer and tool layer sit at the base. Agent-building platforms and orchestration frameworks sit above them. Rubrik Agent Cloud is meant to act as a security and governance layer across those environments, regardless of where the agents were built or which model provider they use.

That distinction matters because Rishi expects enterprises to use many agent platforms at once. He compares it to multi-cloud adoption, but says the AI era is moving even faster. In his telling, a large enterprise may have agents built on Vertex AI, AWS Bedrock, Azure tools, Salesforce Agentforce, ServiceNow, local coding agents, and internal frameworks all at the same time. Rubrik itself uses multiple agent platforms, including coding agents and agents built on Vertex AI. The governance problem is not how to chain calls inside one orchestration framework. It is how to see and control what all of those agents are doing across the business.

The product name, he says, mirrors Rubrik Security Cloud. Rubrik Security Cloud was built around securing the shift from on-premises systems to cloud environments. Rubrik Agent Cloud is meant to secure a different kind of distributed surface: agents running on laptops, in managed cloud platforms, and in homegrown systems wired directly to model APIs.

Enterprises are caught between blocking access and accepting blind risk

Rishi does not present agent security as speculative. Nine months earlier, he says, there were perhaps one or two incidents that were useful for showing what could go wrong. Now he sees enterprises as “stuck between a rock and a hard place.”

One option is to block access. That keeps agents away from sensitive systems, but also makes them much less useful. If an organization claims to have deployed AI but prevents the agent from touching internal tools, Rishi says the inevitable executive question becomes why AI is not delivering ROI.

The other option is to give agents access and hope nothing goes wrong. That may be how individual users experience many agent tools today. The agent asks permission repeatedly, and the user eventually begins clicking accept. Rishi says he does the same. The problem is not necessarily that every requested action is dangerous; it is that the user cannot realistically evaluate every prompt, tool call, file permission, and system interaction at agent speed.

Enterprise postureImmediate effectRishi's concern
Block agent accessLimits contact with sensitive systemsAgents cannot deliver much ROI if they cannot use internal tools
Grant broad accessAllows agents to do useful workOrganizations may be relying on permission prompts and hope instead of runtime controls
Rishi frames enterprise agent adoption as a choice between two incomplete security postures.

His own example was mundane but clarifying. He asked an agent to create a document. The agent noticed that his Google Drive connector was disabled. Rather than stopping, it opened a browser window, went to drive.google.com, clicked upload, and opened the file navigator. Nothing bad happened, he says, because he did not have local credentials in that context. But the behavior showed the problem: a disabled connector did not necessarily mean the agent stopped trying to complete the task through another route.

Rishi then cites four categories of incidents that, in his view, show the risk has moved from theoretical to operational.

First are production-database failures involving coding agents. Rishi says there are at least two public examples where an agent got access to a production database — through a user clicking yes repeatedly or through a similar access path — and the database was dropped. For an organization, he says, that is “a nightmare.”

Second is AWS. Rishi says AWS had a post stating that after coding agents were rolled out, the company had four SEV1 outages in about 90 days, possibly in an even shorter window. His point is not just the number. It is that AWS is associated with stability, cloud resilience, service-level agreements, and operational process. If agents can create severe outages inside that kind of environment, he argues, the risk is not limited to immature teams.

4
SEV1 outages Rishi says AWS reported after coding agents were rolled out

Third is the email-deletion case Smith raises. Rishi describes a Meta incident involving what he says was an instance of Open Claude that got access to someone’s email inbox and deleted messages. Craig Smith says he read about the case and describes the user frantically typing for the system to stop deleting her inbox while it kept deleting. The example matters because it is not a subtle data-governance violation. It is an agent continuing a destructive action while the human is trying to intervene.

Fourth is Rubrik’s own internal pilot. Rishi says Rubrik ran a limited release of Claude Code and saw three instances of things that should not have been happening. The company caught them, he says, because Agent Cloud was already hooked in. One involved users writing GitHub gists that were accidentally shared publicly rather than privately.

Rishi’s explanation for these failures is simple: the agent may be doing the right thing 90% of the time and then take one wrong action. The wrong action can be destructive because agents operate quickly. The same acceleration that lets an agent compress a week of work into an hour also lets it compress a week of damaging operations into an hour.

The resulting position is not anti-agent. Rishi repeatedly argues that agents should be given access because access is how they generate value. But he rejects the idea that permission prompts and existing human approval processes are enough. Without runtime controls, organizations are left with two unsatisfying choices: shut agents down and lose the upside, or enable them and “grit teeth” while hoping the agents do not act destructively or leak data.

Agent Cloud is meant to discover, monitor, govern, and rewind

Rubrik Agent Cloud is built around three broad workflows: inventory, policy enforcement, and action tracing or recovery.

The first workflow is visibility. The dashboard shows which agents are running, what tools they can call, what identities are associated with them, what models they call, and where they exist across the enterprise. The discovery is meant to be automatic rather than dependent on teams manually registering every agent. That matters because one immediate problem for enterprises is simply knowing whether tools such as Open Interpreter or local coding agents are running inside the organization.

Rishi describes three main surfaces where agents are built and deployed. Some run locally on endpoints, such as Claude Code, Open Interpreter, or computer-use style agents. Some run in managed cloud platforms, such as Microsoft Copilot Studio or hyperscaler-managed services. Others are homegrown, built by teams using OpenAI or Anthropic API keys and wiring them through orchestration frameworks.

Agent surfaceExamples Rishi givesHow Rubrik Agent Cloud connects
Local endpoint agentsClaude Code, Open Interpreter, Claude Computer UseIntegration through endpoint and mobile device management systems
Managed cloud agentsMicrosoft Copilot Studio and hyperscaler-managed servicesAPI credentials and direct backend integrations
Homegrown agentsSystems wired to OpenAI or Anthropic APIs through orchestration frameworksRubrik Agent Cloud API or AI gateway
Rishi says Rubrik Agent Cloud is designed to connect across local, managed-cloud, and homegrown agent environments.

The platform can run as a fully managed SaaS offering in Rubrik’s cloud, or inside a customer’s virtual private cloud. Once connected, Rishi says, the system sees prompts, responses, and tool calls flowing through agent runtimes. It uses that information to populate an inventory and map an agent’s action graph: what the agent can call, what it has called, and how its actions connect.

The second workflow is policy enforcement through SAGE, Rubrik’s Semantic AI Governance Engine. SAGE emerged from customer conversations where organizations had policies they wanted agents to follow, but those policies did not translate cleanly into static rules. A healthcare customer, for example, wanted to ensure agents did not give clinical diagnoses. Rishi says there is no obvious string match or static rule that can reliably determine whether a response constitutes a clinical diagnosis.

His answer is to use small language models to evaluate agent inputs and outputs against policies. In the product, a user can write a policy in natural language — for example, “agents should not give clinical diagnoses.” Rubrik expands the policy, fills in examples, shows cases it would and would not flag, and lets the customer confirm. Under the hood, the system can distill that policy into a small model that can run efficiently inline on prompts and responses.

That operational claim is central to Rishi’s product argument. Rubrik is not proposing that every agent interaction be sent to a human reviewer, because the pace of agent execution makes that too slow. Nor does he argue for using large models as the enforcement layer for every prompt and response. He says small language models are necessary because inline runtime enforcement has to fit within practical latency and cost constraints. If the guardrail adds too much delay or expense, it stops being plausible as something that can run across every agent input and output in an enterprise.

That model can then alert or block, depending on configuration. The goal is to evaluate every input and output without routing everything through human review. The platform also includes one-click policy options, such as preventing prompt injection or making agents read-only and non-modifying by default. Rubrik also has a conversational interface called Ruby, which provides a conversational front end to the Rubrik platform.

The third workflow is tracing and recovery. Users can inspect an agent’s sequence of actions — what it did and when — and, in some cases, rewind a destructive action to a previous snapshot maintained by Rubrik’s backup systems. Rishi gives examples such as an Azure SQL database or Salesforce instance. If Agent Cloud observes that an agent took a destructive action, and the user determines it was incorrect, Rubrik can use its existing backup and snapshot infrastructure to restore the affected data source.

Rishi is careful to describe Rubrik Agent Cloud not as one agent but as a platform with agentic workflows inside it. He expects those internal agentic workflows to increase over time, including more assistance in defining and managing governance policies.

Orchestration chains calls; governance decides whether the call should happen

The security question is whether governance should sit inside orchestration or above it. Smith raises the possibility that if orchestration systems already manage agent workflows, security and governance may become just another feature inside them.

Rishi argues for separation. Orchestration systems are good at chaining calls: agent A needs information to complete a task, so the orchestrator routes the request to agent B or a tool. But in his view, orchestration often lacks the organizational policy context needed to decide whether the request should be fulfilled, whether the data returned is appropriate for agent A, or whether sensitive data is being moved across a boundary.

That distinction becomes sharper in multi-agent systems. Craig Smith raises the concern that agents will increasingly talk to each other invisibly, transferring data between themselves outside direct human view. Once that happens, he says, humans may not know where data is going.

Rishi agrees that there is a loss of control, but says the same primitives used for single-agent governance apply to multi-agent workflows. Every agent input and output should be inspectable. Guardrails should apply at each node in the graph and along the edges connecting agents. If one agent sends information to another, the system should have an opportunity to evaluate both the incoming and outgoing content.

His example is a classic access-control failure translated into agent form: agent A does not have access to sensitive data, but agent B has access to sensitive data. The system should prevent agent A from obtaining and returning that sensitive data indirectly through agent B. In Rishi’s model, that means intercepting the content at the point where sensitive information is about to flow into or out of an agent that should not receive or disclose it.

This is also where the definition of “model with access” becomes more than a slogan. The model itself may not be the primary risk. The graph of permissions, tools, identities, and agent-to-agent calls is the risk surface. A governance layer has to understand not just what the agent is saying, but what it can reach, what it has reached, and whether the resulting flow of information violates organizational policy.

Rubrik wants to be the neutral control plane, not the agent platform

? devvret-rishi repeatedly positions Rubrik Agent Cloud as platform-agnostic. He does not want Rubrik to decide which model or agent platform a customer should use. He expects many good solutions for building and deploying agents, including hyperscaler platforms, SaaS-native platforms, and local or open-source tools. The role he wants Rubrik to play is closer to a Switzerland-like governance layer across them.

The reason, in his view, is partly trust. Enterprises may not want the model provider or agent platform provider to be the only party policing the systems it sells. Those providers may do “a decent job” of guardrails, but Rishi argues that enterprises need controls above and beyond the model or orchestration vendor, especially controls that include internal IT, data, and identity context.

That argument also shapes Rubrik’s competitive positioning. Rishi acknowledges that many security companies are moving toward agent security because the problem is visible. He says Rubrik’s differentiation comes from the combination of a security company with a model infrastructure company. Rubrik had data and identity signals; Predibase brought technology for building and deploying small language models.

The thesis he wants customers to buy is that AI must be used to secure and govern AI agents. Conventional security approaches are not enough because agent behavior and policy interpretation often require semantic judgment. A static rule can catch a literal string, but it may not understand whether an agent is giving a clinical diagnosis, whether a prompt injection is being attempted, or whether a response is leaking sensitive information under a paraphrase.

The only way you can secure and govern AI is to use AI itself.

? devvret-rishi

Rishi says Rubrik went generally available with Agent Cloud earlier in the year. He describes the product category as still young, with some competitive products announced or coming soon. He also expects some offerings to be complementary rather than purely competitive. Rubrik’s continuing differentiation, as he frames it, will be AI-based governance through small language models plus Rubrik’s data and identity context.

The buyer is the team asked to accelerate AI without breaking the business

The strongest users for Rubrik Agent Cloud, according to ? devvret-rishi, are enterprise IT and security teams. Within IT, he often sees AI platform teams, enterprise AI architects, or similar roles trying to build trust and governance into the platforms employees use. Within security, he points to security operations and security architects worried about agent behavior in the same way they previously worried about employees accidentally exfiltrating sensitive data. Governance, risk, and compliance teams may also be involved, and CTO or VP engineering organizations may demand guardrails as agents enter development workflows.

The target market is not only the largest enterprises in theory, but Rishi says the Global 2000 fits Rubrik’s customer base and has the combination of pressure and risk that makes the product relevant. These organizations are under pressure to adopt AI, have valuable systems to protect, and often operate in regulated or stakeholder-heavy environments.

Rishi draws the line less by company size than by whether an organization has something to lose and is giving agents access to it. A small agent-native startup with valuable IP or sensitive data may care about the same problem. The need intensifies as the organization becomes larger, public, regulated, or more dependent on systems of record.

The key adoption threshold is the move from read agents to write agents. A read-only agent that summarizes information creates one kind of risk. An agent that can modify Salesforce, write to a database, delete files, send email, or push code creates another. Rishi says Rubrik is most relevant for organizations deploying AI at scale and looking to give it access — especially when they want to graduate from simple read-only use cases to agents that can take action.

He describes the current enterprise market as early, but moving unusually fast. There are many funded pilots and high executive interest, but also many projects slowed by risk reviews, design documents, and committee processes. Rishi says one CISO recently joked that all CTOs must have gone to the same retreat, where boards told them they had to adopt AI faster.

The blocker is not lack of interest. It is that existing enterprise architecture was not built for agents to have this kind of access securely. Organizations are trying to determine what controls are required while the technology is already being pushed from the top down and bottom up.

Rubrik had the same problem internally, Rishi says. The company concluded that governance could not remain mostly “people and paper and process.” It needed a software platform that could discover agents, define policies, evaluate behavior at runtime, and enforce controls.

That pain shapes how Rishi describes demand. Rubrik is not trying to push Agent Cloud into accounts that are not ready, he says. The company describes the problem and tests whether the timing and thesis match the buyer’s reality: agents are being deployed in many places, runtime protection is needed, data and identity context matter, and AI-based governance is necessary. If those assumptions fit, Rubrik sees a reason for the next conversation. If not, Rishi says the company is comfortable revisiting in six to nine months.

He describes demand as a mix of outbound and inbound, with unusual pull compared with prior infrastructure markets he has worked in. The product is new, and pricing is still being iterated with early customers. Rubrik has been using a license fee with tiers of usage, right-sized to the company and use case. There is no consumer subscription today, though Rubrik is open to small and medium businesses and has starter plans. The main focus remains business contexts: agents running under business subscriptions, accessing IT infrastructure, and touching enterprise data.

That focus is consistent with Rishi’s broader view of AI adoption. He does not call himself an agent evangelist, but he does think organizations should adopt AI at a heavier rate because of the upside. He repeats a common formulation: AI may not displace a person or company directly, but someone who knows AI may. He believes the organizations that use AI best will shape much of what happens over the next five years.

His concern is not with convincing skeptics who have decided AI is not the right solution for them. The place he sees Rubrik helping is where an organization already believes agents are useful but is stuck because it cannot decide how to give them access safely.

The next step is less human labor in governance itself

Rubrik’s roadmap, as Rishi describes it, has two main directions. First, Agent Cloud will use more agentic workflows inside the governance process itself. Today, users can define guardrails in natural language and remain heavily involved in governance decisions. Rishi wants to reduce that burden by using agentic workflows to help define, manage, and apply policies.

Second, Rubrik has more surface area to cover. Agents will appear in more environments, frameworks, and use cases. The product needs more integrations and more coverage for the places where agents are built and deployed.

The mission language Rishi uses is “secure and accelerate the world’s AI transformation.” The phrasing matters because he does not frame security as a brake on adoption. He argues that the absence of secure governance is one reason enterprises struggle to get ROI from AI. If agents cannot access systems, they cannot do meaningful work. If they can access systems without runtime controls, they create unacceptable risk. Governance is presented as the mechanism that lets companies move faster, not slower.

The bottleneck, in his view, has shifted. Models are much smarter. Harnesses and orchestration frameworks are more sophisticated. Agent-building platforms are increasingly available. The open problem is how to manage the risk created when those agents are allowed to operate inside real businesses.

The frontier, in your inbox tomorrow at 08:00.

Sign up free. Pick the industry Briefs you want. Tomorrow morning, they land. No credit card.

Sign up free