Enterprise AI Security Is Moving From Chat Monitoring to Action Control
Maxim Bar Kogan, founder and CEO of Onyx Security, argues that enterprise AI security is shifting from policing chatbot data leaks to controlling autonomous agents that can use credentials, call APIs, edit code and alter production systems. In a conversation with Sarah Guo, he makes the case for an independent AI control plane that can judge whether an agent’s actions match its assigned intent, rather than relying on traditional permissions, proxies or the model vendors themselves. Kogan says the hard problem is doing that supervision cheaply and quickly enough for enterprise deployment.

Agent adoption is outrunning the old security model
Maxim Kogan says the security problem has changed because enterprises are no longer only worried about employees pasting sensitive information into chatbots. They are adopting autonomous systems that can take actions: call APIs, edit code, use credentials, manipulate databases, and operate across software environments. As those actions scale, Kogan argues, the risk scales with them.
As you're exponentially doing more things with AIs, you're gonna start having really bad actions happen.
The initial trigger for Kogan was AutoGPT, which he described as an early autonomous agent built around a loop: let an LLM decide what to do, give it tool or API access to do it, then repeat. He said the models at the time were not good enough for the approach to work reliably, but the structure was directionally right. In his view, Claude Code is “not dissimilar” to that earlier pattern: a model deciding actions, not merely producing text.
That possibility made the oversight question urgent for him before the enterprise market was ready. Kogan said he was already “AGI-pilled” and thinking about models becoming smarter than humans and managing consequential systems such as water supplies and power grids. The question was not only whether agents could become useful, but how anyone would feel comfortable letting them act on important infrastructure.
Sarah Guo noted that when Onyx started, the prevailing enterprise AI-security concern looked more like data-loss prevention for ChatGPT. Kogan acknowledged that Onyx was early enough that the company might have run out of money before agent adoption arrived. What changed, in his account, was the arrival of reasoning models capable of longer-horizon tasks, the growth of Claude Code, and a move away from limited low-code automations toward more “unleashed” agents that could produce larger productivity gains but came with fewer built-in controls.
The risk is already visible in credential exposure and destructive agent-action incidents. A Help Net Security article snippet shown during Kogan’s remarks described AI agents needing credentials for LLM platforms, databases, SaaS APIs, cloud resources, and external services, and cited GitGuardian’s finding of 28,648,024 new secrets exposed in public GitHub commits across 2023, a 67% year-over-year increase. Another article snippet, from Business 2.0, described an AI coding agent allegedly wiping out Pocket OS’s production database and backups in nine seconds. Kogan also cited recent cases of agents causing downtime or accidentally publishing code and tokens. His larger claim was not that enterprises can stop adoption. It was that many now recognize they cannot, and therefore need mechanisms to reduce illegitimate or incorrect actions.
Onyx is built around a control plane for other agents
Maxim Kogan described Onyx as doing two related things. First, it trains models and builds agents that oversee other agents. Second, it packages that capability as what he called a secure AI control plane for enterprises: a system meant to discover AI systems and autonomous agents, connect them to Onyx, and supervise what they are doing.
The product interface shown for Onyx made the control-plane claim concrete. It presented four areas: AI observability, AI security, AI governance, and EU AI Act compliance. The observability panel promised real-time visibility into prompts, responses, models, actions, and data flows; full session replay and audit trails; shadow-AI detection; and visibility across multi-cloud and multi-agent environments. The security panel described protection against prompt injection, jailbreaks, data exfiltration, adversarial manipulation, supply-chain risks in agents and MCP servers, and AI-specific threat intelligence integrations. The governance panel showed natural-language policy creation and templates tied to standards and regulations. The compliance examples included logging requirements for all AI systems, mandatory human review for high-risk workflows, classification of agents handling EU personal data as high-risk, limiting tool access to sanctioned endpoints, and blocking applications.
Kogan’s near-term enterprise map has three categories of deployment. The first is SaaS-based, often low-code platforms where users build agent-like workflows through drag-and-drop interfaces. He described these as closer to AI automations than truly autonomous agents. The second is first-party agent development inside the company’s cloud, either for internal applications or customer-facing products. The third is autonomous coding agents and assistants.
In the average enterprise Onyx sees, Kogan estimated that more than 50% of agent deployment is now autonomous coding agents and assistants. Around 45% is low-code automation. Only the remaining few percent are first-party agents built by the enterprise itself, because building effective agents remains hard. He said autonomous agents are also the fastest-growing category. Initially, he saw Claude Code spreading quickly among developers; he then said another coding-agent tool was growing even faster, and that enterprises were even sanctioning an open-source coding-agent tool as a legitimate company tool because CEOs are pushing aggressively for AI adoption. The exact product names are unclear in the transcript, but Kogan’s point was not: autonomous agents are becoming the fastest-growing and least-controlled category.
Sarah Guo framed the attraction and danger of coding agents in the same terms: code is powerful because it can do, in theory, everything software can do. The drawback is the same. She said she had already been too permissive with agents herself and had experienced one deleting data permanently, causing rework. Her conclusion was that “guardian spirits” around agents were no longer theoretical.
Permissions and proxies break down when intent matters
Maxim Kogan argued that the existing enterprise security stack is not irrelevant, but it lacks what autonomous agents make necessary. He accepted that security often relies on defense in depth and that different tools overlap. But he said many enterprises are “kind of helpless” when applying traditional controls to flexible AI systems.
Identity security is the clearest example. For a conventional software system, the first control is to limit permissions. If the system is compromised or malfunctions, it can only do what it was allowed to do. With coding agents and assistants, Kogan said, the enterprise often wants the agent to have the user’s permissions. The desired experience is to give Claude Code or a similar tool a broad task, leave, and return to find the work done. Because the tasks are diverse, it is hard to define a stable, narrow permission set that preserves usefulness.
The same problem applies to endpoint or API security. If a user tells Claude Code to delete and recreate a database, that may be a legitimate, time-saving action. If the same action appears while the agent is working on an unrelated task, it may be dangerous. The action alone is not enough. A security tool needs to know what the agent was asked to do, what it inferred, what it planned, and why it believes the action follows from the task.
That is why Kogan rejected the idea that the problem is simply a proxy plus policy engine. A proxy may be a useful integration method for some AI systems, but he said many systems cannot be proxied cleanly because AI runs across someone else’s cloud, the enterprise cloud, and endpoints. More importantly, seeing traffic is not the hard part. The hard part is deciding whether the action should be allowed.
Kogan’s point was that agent security has to reason about the relationship between instruction, plan, and action. It has to form an opinion about whether another AI system’s behavior is legitimate. That is technically difficult because the system being supervised may itself be one of the most capable models available.
The guardian model cannot be as expensive as the agent
One naive version of agent oversight, Maxim Kogan said, is to ask a capable model to watch every other capable model. In principle, that has some merit. Capable agents reviewing other capable agents resembles capable humans reviewing other humans. But in practice, it fails on cost, latency, and reliability.
If every enterprise agent requires a full agentic supervisor, the customer could end up paying more for the security vendor than for the AI system being secured. The supervision would also be too slow. The technical challenge, as Kogan described it, is to decide when expensive intelligence is needed and when it is not.
Onyx’s answer is to train small, narrow models that are not generally smart but are good at a specific judgment: whether a smarter agent should inspect a given action. These models are meant to sit in front of the more capable review system. They need to avoid missing important events, but also avoid escalating too many ordinary actions. If they work, Kogan said, the result is low latency, low cost, and smart review only when the risk justifies it.
Sarah Guo offered a blitz-chess analogy. Top chess players often make intuitive moves quickly because they have seen so many positions, but occasionally stop for a long calculation when the position is critical. Kogan accepted the comparison. The efficient use of computation is to spend little intelligence where the decision is routine and “overwhelmingly” more intelligence where the risk is high.
That distinction also explains why Onyx trains its own models. Kogan said the hard work is not merely wiring into a proxy or calling an existing frontier model. It is building the small, specialized judgment layer that can keep up as frontier models grow more capable and as agent behavior becomes harder to judge.
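As an added illustration of the tiered design described above (example code written here, not Onyx's code or a description of its models): a cheap rule-based triage decides which proposed agent actions pass cheaply, which are blocked outright, and which must be escalated to the expensive intent review that compares the action against the assigned task and the agent's history. The `Action` fields, the rule lists, the `intent_reviewer` rule and the sample proposals are all constructed assumptions.

```python
from dataclasses import dataclass

DESTRUCTIVE = {"delete", "drop", "truncate", "rm", "force-push"}
OUTBOUND = {"publish", "push", "commit", "upload"}
READ_ONLY = {"read", "list", "get"}
SECRET_HINTS = ("token", "secret", "key", "credential", ".env")

@dataclass
class Action:
    task: str    # the instruction the agent was given (its assigned intent)
    verb: str    # tool operation the agent proposes
    target: str  # resource the operation touches

def _words(text: str) -> set:
    return {w.strip(".,;:()'\"").lower() for w in text.split()}

def cheap_gate(action: Action, baseline: set) -> tuple:
    """Fast, narrow triage: returns ('allow'|'escalate'|'block', reasons). It never
    judges intent itself; it only decides whether the expensive reviewer must look."""
    if action.verb in OUTBOUND and any(h in action.target.lower() for h in SECRET_HINTS):
        return "block", ["secret-bearing resource leaving the environment"]
    if action.verb in READ_ONLY:
        return "allow", []
    reasons = []
    if action.verb in DESTRUCTIVE:
        reasons.append("destructive operation")
    if not (_words(action.target) & _words(action.task)):
        reasons.append("target not named in the assigned task")
    if (action.verb, action.target) not in baseline:
        reasons.append("no precedent in this agent's history")
    if "destructive operation" in reasons or len(reasons) >= 2:
        return "escalate", reasons
    return "allow", reasons

def intent_reviewer(action: Action) -> bool:
    """Stand-in for the expensive reviewer (a capable model in a real control
    plane; this rule is an assumption): approve only when both the operation
    and its target are explicit in the assigned task."""
    task = _words(action.task)
    return action.verb in task and bool(_words(action.target) & task)

def decide(action: Action, baseline: set, reviewer) -> dict:
    """Route one proposed action through the gate, then the reviewer if needed."""
    decision, reasons = cheap_gate(action, baseline)
    reviewed = decision == "escalate"
    if reviewed:
        decision = "allow" if reviewer(action) else "block"
    return {"decision": decision, "reviewed": reviewed, "reasons": reasons}

def run_demo() -> list:
    """Constructed sample: one agent's history and four proposed actions."""
    baseline = {("edit", "README.md"), ("read", "README.md")}
    proposals = [
        Action("delete and recreate the staging database", "delete", "staging database"),
        Action("fix the typo in README.md", "delete", "staging database"),
        Action("fix the typo in README.md", "edit", "README.md"),
        Action("ship the feature branch", "push", ".env with API token"),
    ]
    return [decide(p, baseline, intent_reviewer) for p in proposals]
```

The same destructive operation is allowed after review when the task asked for it and blocked when it appears during an unrelated task, while the routine edit never reaches the reviewer at all.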
Kogan wants oversight independent of the model labs
Maxim Kogan’s long-term view is that the problem is bigger than enterprise cyber hygiene. He framed it as control of advanced AI. If AI companies become $10 trillion companies, he said, customers will still want another company—one that is not the AI vendor itself—to oversee and help control what those systems do. He described that as a potential “$100 billion plus” opening.
The case for independence starts with buyer psychology and standard security practice. Kogan compared it to not trusting the car seller to certify the car, or not relying on a product vendor to guarantee that its own product will not harm the customer environment. Security buyers often prefer an independent party whose business depends on being right about whether an action is legitimate.
The second layer is that model failures may change in character. Kogan expects “silly mistakes” from jagged model intelligence to decline as models improve. He does not see Onyx’s durable role as preventing basic model incompetence. Instead, he pointed to a growing class of failures in which the model is not merely making a dumb error, but appears to have an independent perspective on what should happen—a perspective that may not align with the user’s or enterprise’s intent. He described this as “semi-aware or semi-conscious” in character, while acknowledging the difficulty of the category.
The third layer is data access. Kogan said Onyx can look at historical data about how enterprise agents have behaved, while enterprises are not willing to let Anthropic or OpenAI retain that same historical data because they view those companies as “very data-hungry” and likely to want to train on it. For Onyx, historical behavior is a way to detect change: how an agent normally behaves, what differs from past patterns, and whether a new action is anomalous.
Finally, the enterprise will not use only one AI vendor. Kogan expects many model providers because of cost differences, open-source adoption, task specialization, and changing model quality. If enterprises adopt new vendors quickly, especially vendors without mature security infrastructure, he said it is unrealistic to expect every vendor to provide the same level of security.
Mechanistic interpretability becomes part of the control problem
Onyx’s research agenda extends into understanding model internals. Sarah Guo noted that the industry is divided on whether mechanistic interpretability is possible or useful. Maxim Kogan said Onyx believes there has been strong progress and that understanding weights, activations, and the mathematical structure of models will be “at least part of the solution.”
He was careful about the uncertainty. Humans may not be able to understand the internal structure of large language models quickly or directly. But Kogan expects that as models become smarter than humans in important ways, they may help crack mechanistic interpretability more effectively. In that framing, better models become tools for understanding other models.
Kogan also tied this to a broader scientific question. Interpretability is not only about oversight; he said it could help explain intelligence itself, including how it works and what separates a smarter model from a less smart model.
The company’s talent base reflects that ambition. Kogan said Onyx has a mixed cyber and AI DNA, shaped by his background and that of his co-founder Gil, who came from synthetic data and Nvidia. Most of the company’s research and engineering talent, he said, comes from an Israeli intelligence unit focused on math, cyber, and their intersection. He described Israel as having started somewhat late in AI but catching up quickly, with companies working on world models, AI infrastructure, and chips.
The vulnerability-finding shock requires foundational controls
The collapsing cost of vulnerability discovery through advanced coding tools is a separate pressure on security teams. Sarah Guo described it as an issue that “every CISO” and engineering leader she knows is worried about. Guo and Maxim Kogan used “Mythos-level” as shorthand for a frontier capability level in automated vulnerability research.
Kogan said that ten years ago, automated vulnerability research looked like a dream that might take 20 or 50 years. Now, in his view, it is arriving all at once. He argued that the market is not overreacting because the change is material for security teams.
His recommended response has two layers. First, security teams should pursue the fastest quick fixes they can: patch known vulnerabilities or apply mitigating controls where vulnerabilities have already been found. But the real solution, he said, is foundational. Enterprises need the core controls that reduce downstream damage: locked-down identity, firewalls, endpoint detection, and the relevant foundational mechanisms for each asset class.
For the AI attack surface, Kogan sees Onyx as one of those foundational controls. If Mythos-level and stronger models make vulnerability discovery cheaper and more widely available, he said enterprises should assume those models are coming and invest in controls that limit the downstream effects.
On phased rollouts of Glasswing and Daybreak—names Guo associated with Anthropic and OpenAI in this area—Kogan said he did not have a strong opinion, but laid out the tradeoff. If no one else releases a Mythos-level model soon, slower rollout gives companies time to prepare, build playbooks, and share knowledge, reducing the chance of effects as severe as airlines or power plants going down. But if another actor releases that capability first, a slow rollout could look like a mistake because companies were denied the chance to prepare with access to comparable tools. His practical advice was to expand access more broadly while assuming that such models will arrive regardless.
Enterprises are no longer banning agents, but risk tolerance still differs
Maxim Kogan said he now rarely sees large enterprises attempting to ban AI agents outright. Financial-sector companies may still be more opinionated about which tools they allow, but even there he sees agent adoption. His view is that companies will do best if they allow a range of tools because the landscape changes quickly. A company that chose OpenAI as the safest option a year earlier might later find Anthropic has better models and tools; a year after that, another vendor may lead.
Still, he does not argue that all companies should adopt at the same speed. A startup may want agents to do everything because it has much to gain and relatively little to lose. A large institution such as JPMorgan, he said, has far more to lose and may be able to take more time to capture AI gains. He also noted that JPMorgan is adopting AI quickly, using it as an example that large-company caution can coexist with real adoption.
For Onyx itself, Kogan said the company benefits from the fact that the core primitives of AI have remained relatively stable. In his view, AI in 2026 still relies largely on LLM foundation models and agents that use LLMs to decide tool calls. That lets Onyx apply its technology across many applications while keeping the core system focused. He acknowledged the risk that a new LLM or agent paradigm could emerge, and said the company holds “strong opinions loosely” about 2027.
Security products still have to fit how security teams work
Silicon Valley and the AI labs may underweight the operating reality of security teams. Maxim Kogan said building a good security product requires understanding the organization: team structure, responsibility flows, information flows, daily workflows, incentives, and what users are praised or punished for. A tool must solve the technical problem, but also fit into how security professionals actually work. Kogan argued that Israel’s security ecosystem has developed strong know-how here because of repeated contact with security buyers and end users.
He described the level of needed empathy concretely: knowing what security people do when they enter the office, what systems they open, what their boss wants, what colleagues want, what causes frustration, and what makes them successful. That knowledge then has to be baked into the product.
Sarah Guo challenged him on how this fits with his AGI optimism. If he is deeply “AGI-pilled,” does he still believe there will be human defensive security teams for years? Kogan said yes, while adding that security teams themselves will become AI-powered and eventually run by agents, like other knowledge-work functions. The product-design principle remains the same: understand the end user. For humans, that may mean not overwhelming them with irrelevant information. For agents, it may mean not wasting tokens in their context. Kogan suggested those may be versions of the same problem.