Defining ‘Deny by Default’ for Enterprise AI Agents
Deny by default for enterprise AI agents is a zero-permission design approach in which autonomous systems start with no access to data, tools, or infrastructure, and must be granted every capability explicitly, with tight scope and full auditability, so that AI agent autonomy is always constrained by governance-first enterprise security controls. This design is emerging as enterprises move from chatbots to computer-use and “claw-style” agents that can act like mini engineers, touching file systems, internal apps, and production systems. Traditional deployments often gave agents broad access first and tried to restrict them later, which left serious gaps in enterprise AI governance. Now, security and platform teams are rethinking AI agent security controls from the ground up, treating agents as untrusted entities that must earn each permission, rather than as extensions of already-trusted applications or users.
From OpenShell to EnterpriseClaw: Wrapping Autonomy in Governance
Automation Anywhere’s EnterpriseClaw shows how fast AI autonomy is colliding with security reality. Inspired by Nvidia’s OpenShell runtime for autonomous, self-evolving agents, EnterpriseClaw takes agents that can access devices, create tools at runtime, and interact with the screen and places them under centralized governance. Adi Kuruganti notes that OpenShell “could access pretty much everything, which is not a good thing in enterprise settings,” especially for sectors like healthcare or banking with strict control needs. EnterpriseClaw’s answer is governance-first architecture: identity-aware credential controls, observability, and the ability to run agents close to sensitive data, even behind firewalls or in air-gapped environments. Instead of handing computer-use agents near-human system reach by default, the platform enforces scoped actions and monitored execution. This turns powerful zero trust AI agents into manageable assets, not free-roaming automation that might step outside policy before anyone notices.
The Lethal Trifecta and the Rise of Zero-Permission Design
ServiceNow and Nvidia describe a “lethal trifecta” in enterprise AI: combining unfettered internet access, internal knowledge bases, and coding terminals inside autonomous agents. Any two of these are common in human workflows; all three together, operating at machine speed, create a governance gap most legacy controls cannot cover. The arrival of computer-use agents popularized by Anthropic’s Claude showed both the upside and the structural risk. Their response centers on Open Shell, a secure runtime where the default at runtime for an agent in a sandbox is no. Permissions are additive: every file operation, API call, or system action must be explicitly granted, scoped, and logged. Joe Davis frames this as zero trust applied to AI agents. In effect, zero-permission design becomes the missing layer of autonomous agent oversight, turning probabilistic behavior into something security teams can reason about, monitor, and, when needed, halt.
Okta’s ‘License to Kill’ and the New AI Kill Switch
Identity platforms are now central to AI kill switch capability. Okta reports that 92 percent of executives say their organizations use autonomous AI agents, but only 22 percent have identities tied to those agents. Okta’s Eric Kelleher calls this “a measurable, quantifiable exposure” for enterprises deploying AI faster than they secure it. ServiceNow’s request to Okta highlights the new requirement: a way to shut down agents the moment they violate policy. Okta CEO Todd McKinnon explains that what ServiceNow wanted was “the ability to sever the connections, the access tokens, the actual logical connection at the authorization layer to the backend resources.” ServiceNow’s AI Control Tower monitors agents, while its Veza acquisition maps the permissions graph. When an agent goes rogue, the control tower can trigger remediation across identity and access systems, with Okta cutting the agent’s live access in real time.
Industry Consensus: Governance-First Architectures for Zero Trust AI Agents
Taken together, these moves point to an industry-wide identity and governance reset for enterprise AI. Partnerships across Automation Anywhere, Cisco, Nvidia, Okta, OpenAI, and ServiceNow show that the leading players expect governance-first AI agent architecture to be the norm, not a bolt-on. Computer-use and claw-style agents are no longer treated as experimental tools; they are treated as untrusted actors that require identity, scoped permissions, observability, and a clear AI kill switch. For CISOs and CIOs, deny by default is familiar: it mirrors proven zero trust principles from network and application security. What changes is the target. Instead of humans and endpoints, the focus is on probabilistic systems that can compose tools, write code, and modify infrastructure. Enterprises that adopt zero-permission AI agent security controls now will be better placed to scale autonomous agent oversight without sacrificing operational safety or compliance.