Why Traditional Security Breaks Down for Enterprise AI Agents
The enterprise software stack was built for humans: people log in, hold credentials, and perform actions at human speed under human oversight. Autonomous AI agents shatter these assumptions. They operate continuously, make decisions in milliseconds, and increasingly act without a human in the loop. Applying user-centric identity and access models to these systems creates blind spots, from over-privileged API keys to opaque agent-to-agent delegation. As enterprises move from single-agent pilots to complex multi-agent architectures, the risks grow from isolated misuse to systemic failure—an unsupervised agent can delete a database or leak sensitive records before anyone notices. This shift is forcing security and platform teams to rethink identity, access control, and runtime isolation around agents themselves, not human users. The new priority is clear: preserve the speed and autonomy that make agents valuable while enforcing strict, machine-enforceable guardrails on what they can touch, when, and on whose behalf.
Keycard’s Scoped Access and Delegated Sessions for Multi-Agent Apps
Keycard is positioning itself as an identity and access layer purpose-built for autonomous AI agents, with a new offering focused on multi-agent applications. Instead of shared API keys or inherited credentials, every agent receives a verifiable identity and operates with no standing privileges or static secrets on disk. Access is granted per task and per session: when a user or another agent initiates work, the system delegates just enough access for that specific operation, then revokes it when the session ends. This scoped access delegation lets specialized agents collaborate—across development, operations, sales, or finance workflows—without any one component holding broad, persistent permissions. Crucially, every action remains attributable across agents, users, and systems, satisfying audit and compliance demands. Early adopters report that engineers can ship agents into production quickly, without becoming security or identity specialists, because access control is embedded in the platform rather than bolted on late.
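To make the session model above concrete, here is an added Python sketch; it is not Keycard's code or API, and the AccessBroker and Session classes, the scope strings and the agent names are constructed for illustration. It shows a user-initiated task whose access is delegated agent-to-agent with attenuated scopes, an expiry capped by the parent session, revocation that propagates down the delegation chain, and an audit record that attributes every decision back to the originating user:

```python
# Added example (not Keycard's code or API): per-task, per-session access with
# attenuated agent-to-agent delegation, cascading revocation and attribution.
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """A short-lived capability issued to one agent for one task."""
    session_id: str
    principal: str            # agent this session was issued to
    on_behalf_of: str         # human user at the root of the delegation chain
    scopes: frozenset[str]    # e.g. {"crm:read", "crm:write"}
    expires_at: float
    parent_id: str | None     # session this one was delegated from, if any


class AccessBroker:
    """Issues, delegates and revokes sessions; logs every decision with its chain."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions: dict[str, Session] = {}
        self._revoked: set[str] = set()
        self.audit: list[dict] = []

    def issue(self, agent: str, user: str, scopes: set[str], ttl: float, parent=None) -> Session:
        """A user initiates work: the first agent gets exactly the scopes it needs."""
        s = Session(secrets.token_hex(8), agent, user, frozenset(scopes), self._now() + ttl, parent)
        self._sessions[s.session_id] = s
        return s

    def delegate(self, parent: Session, to_agent: str, scopes: set[str], ttl: float) -> Session:
        """Agent-to-agent hand-off: a subset of the parent's scopes, never outliving it."""
        self._check_live(parent)
        requested = frozenset(scopes)
        if not requested <= parent.scopes:
            self._log("delegate_denied", parent, to=to_agent, requested=sorted(requested))
            raise PermissionError(f"cannot delegate {sorted(requested - parent.scopes)}")
        ttl = min(ttl, parent.expires_at - self._now())
        child = self.issue(to_agent, parent.on_behalf_of, requested, ttl, parent=parent.session_id)
        self._log("delegated", child)
        return child

    def authorize(self, session: Session, scope: str) -> bool:
        """Decision point for one action, logged with the full attribution chain."""
        try:
            self._check_live(session)
        except PermissionError:
            self._log("denied_dead_session", session, scope=scope)
            return False
        allowed = scope in session.scopes
        self._log("allowed" if allowed else "denied", session, scope=scope)
        return allowed

    def revoke(self, session_id: str) -> None:
        """Liveness is checked up the chain, so this also ends every delegated child."""
        self._revoked.add(session_id)

    def chain(self, session: Session) -> list[str]:
        """Attribution: root user, then each agent down to the acting one."""
        links, s = [], session
        while s is not None:
            links.append(s.principal)
            s = self._sessions[s.parent_id] if s.parent_id else None
        return [session.on_behalf_of] + links[::-1]

    def _check_live(self, session: Session) -> None:
        if session.session_id in self._revoked:
            raise PermissionError("session revoked")
        if self._now() >= session.expires_at:
            raise PermissionError("session expired")
        if session.parent_id is not None:          # a dead parent kills the child
            self._check_live(self._sessions[session.parent_id])

    def _log(self, event: str, session: Session, **extra) -> None:
        self.audit.append({"event": event, "session": session.session_id,
                           "chain": " -> ".join(self.chain(session)), **extra})


def demo() -> dict:
    """Constructed walk-through: alice asks an orchestrator to update a CRM record;
    the orchestrator delegates read-only research to a second agent."""
    clock = [1000.0]                               # fake clock for determinism
    broker = AccessBroker(now=lambda: clock[0])
    orch = broker.issue("orchestrator", "alice", {"crm:read", "crm:write"}, ttl=600)
    researcher = broker.delegate(orch, "researcher", {"crm:read"}, ttl=3600)
    out = {
        "child_ttl_capped": researcher.expires_at == orch.expires_at,
        "researcher_read": broker.authorize(researcher, "crm:read"),
        "researcher_write": broker.authorize(researcher, "crm:write"),
        "chain": broker.chain(researcher),
    }
    try:                                           # child tries to grant more than it holds
        broker.delegate(researcher, "mailer", {"crm:write"}, ttl=60)
        out["escalation_blocked"] = False
    except PermissionError:
        out["escalation_blocked"] = True
    broker.revoke(orch.session_id)                 # task finished: parent gone, child dies with it
    out["researcher_after_revoke"] = broker.authorize(researcher, "crm:read")
    out["audit_events"] = [e["event"] for e in broker.audit]
    return out
```

Calling `demo()` walks through the scenario: the research agent can read but not write, cannot re-delegate a write scope it never held, inherits the parent's deadline rather than its own requested hour, and loses access the moment the originating task is revoked. Every entry in `broker.audit` carries the `alice -> orchestrator -> researcher` chain, which is the attribution property the text describes; no agent ever holds a static secret, only a session object the broker can refuse to honour.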
OpenShell’s Secure Runtime: Sandboxed Autonomy at Machine Speed
Where Keycard focuses on who an agent is and what it can access, OpenShell tackles where and how that agent runs. Developed as part of Nvidia’s Agent Toolkit, OpenShell is an open-source secure runtime designed as a sandbox-first foundation for autonomous agents. Each agent—including its harness and model—executes inside its own sandbox, isolated from the underlying operating system, network, and host infrastructure. A gateway layer outside the sandbox manages credentials and session state; the agent never directly holds keys. When the agent needs to call systems like ServiceNow, Salesforce, or Workday, the gateway authenticates and passes a tightly scoped session into the sandbox. Security policies are enforced below the application layer using Linux kernel mechanisms such as seccomp, eBPF, and Landlock, providing consistent, horizontal control that agents cannot bypass. This architecture lets enterprises safely grant higher autonomy, while containing the blast radius of prompt injection or arbitrary command attempts.
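As an added example, not OpenShell's code, the following Python models the gateway pattern just described: credentials live only in a Gateway object standing in for the component outside the sandbox, the SandboxedAgent receives an opaque handle, and every outbound call is checked against a per-session policy before the gateway authenticates upstream. The class names, system names, operations and credential strings are constructed. The kernel-level enforcement the text mentions (seccomp, eBPF, Landlock) sits below what a user-space sketch can show, so this models only the credential-brokering and policy layer:

```python
# Added example (not OpenShell's code): a gateway outside the sandbox owns the
# credentials and brokers every call; the agent inside only holds a handle.
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionPolicy:
    """What one sandboxed session may do, fixed when the gateway opens it."""
    system: str                 # external system, e.g. "servicenow"
    operations: frozenset[str]  # e.g. {"incident.read", "incident.create"}
    max_calls: int              # hard budget; a runaway loop cannot exceed it


class Gateway:
    """Runs outside the sandbox: holds secrets, issues handles, enforces policy."""

    def __init__(self, vault: dict[str, str]):
        self._vault = dict(vault)            # system -> credential; never crosses the boundary
        self._sessions: dict[str, SessionPolicy] = {}
        self._used: dict[str, int] = {}
        self.log: list[tuple[str, str, str, str]] = []  # (decision, system, operation, reason)

    def open_session(self, system: str, operations: set[str], max_calls: int) -> str:
        """Authenticate upstream on the agent's behalf and hand back an opaque handle."""
        if system not in self._vault:
            raise KeyError(f"no credential held for {system}")
        handle = secrets.token_urlsafe(16)
        self._sessions[handle] = SessionPolicy(system, frozenset(operations), max_calls)
        self._used[handle] = 0
        return handle

    def call(self, handle: str, system: str, operation: str, payload: dict) -> dict:
        """Every outbound request passes here; the sandbox cannot reach systems directly."""
        pol = self._sessions.get(handle)
        if pol is None:
            return self._deny(system, operation, "unknown or closed handle")
        if system != pol.system:
            return self._deny(system, operation, "system not in session policy")
        if operation not in pol.operations:
            return self._deny(system, operation, "operation not permitted")
        if self._used[handle] >= pol.max_calls:
            return self._deny(system, operation, "call budget exhausted")
        self._used[handle] += 1
        self.log.append(("allow", system, operation, ""))
        return self._upstream(system, operation, payload)

    def close_session(self, handle: str) -> None:
        """End of task: the handle stops working immediately."""
        self._sessions.pop(handle, None)
        self._used.pop(handle, None)

    def _deny(self, system: str, operation: str, reason: str) -> dict:
        self.log.append(("deny", system, operation, reason))
        return {"ok": False, "reason": reason}

    def _upstream(self, system: str, operation: str, payload: dict) -> dict:
        """Stand-in for the authenticated request; a keyed MAC plays the auth header."""
        msg = f"{operation}:{sorted(payload.items())}".encode()
        tag = hmac.new(self._vault[system].encode(), msg, "sha256").hexdigest()
        return {"ok": True, "system": system, "operation": operation, "auth_tag": tag[:16]}


class SandboxedAgent:
    """What runs inside the sandbox: a handle and a gateway reference, no secrets."""

    def __init__(self, gateway: Gateway, handle: str):
        self._gw, self._handle = gateway, handle

    def run(self, requests: list[tuple[str, str, dict]]) -> list[dict]:
        """Issue (system, operation, payload) requests; some may come from untrusted
        content the agent read, and the gateway decides, not the agent."""
        return [self._gw.call(self._handle, s, op, p) for s, op, p in requests]


def demo() -> dict:
    """Constructed scenario: an agent allowed two ServiceNow incident operations."""
    vault = {"servicenow": "sn-secret-CONSTRUCTED", "workday": "wd-secret-CONSTRUCTED"}
    gw = Gateway(vault)
    handle = gw.open_session("servicenow", {"incident.read", "incident.create"}, max_calls=2)
    agent = SandboxedAgent(gw, handle)
    results = agent.run([
        ("servicenow", "incident.read", {"id": "INC0001"}),                     # in scope
        ("workday", "employee.read", {"id": "E42"}),                            # injected: other system
        ("servicenow", "incident.delete", {"id": "INC0001"}),                   # operation not granted
        ("servicenow", "incident.create", {"short_description": "disk full"}),  # in scope, 2nd call
        ("servicenow", "incident.read", {"id": "INC0002"}),                     # over budget
    ])
    gw.close_session(handle)                                                    # task over
    after = gw.call(handle, "servicenow", "incident.read", {"id": "INC0003"})
    return {
        "outcomes": [r["ok"] for r in results],
        "deny_reasons": [r["reason"] for r in results if not r["ok"]],
        "after_close": after["reason"],
        "secret_visible_to_agent": any(v in str(vars(agent)) for v in vault.values()),
        "log": [entry[0] for entry in gw.log],
    }
```

The point of the split is that nothing the agent does inside the sandbox changes what the gateway will allow: an instruction smuggled in through a document it read can ask for Workday data or an incident deletion, but the request is refused and logged at the boundary, and the real ServiceNow credential is never present in the agent's process at all. `demo()` returns the per-request outcomes, the denial reasons, and a check that none of the vaulted credential strings is reachable from the agent object.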
Balancing Autonomy and Governance in Multi-Agent Architectures
As multi-agent architectures become the standard pattern for enterprise AI applications, the central challenge is no longer just model quality but operational control. General-purpose agents now orchestrate specialized counterparts to carry out complex workflows, from code changes to customer support triage. Without agent-native governance, this web of machine-to-machine interactions can quickly become unmanageable. Keycard and OpenShell represent complementary layers of a new enterprise AI security stack: Keycard provides fine-grained, session-based multi-agent access control and scoped access delegation, while OpenShell delivers an autonomous agent runtime that sandboxes execution and enforces policy beneath the application layer. Together, they illustrate how enterprises can move beyond crude all-or-nothing permissions toward precise, revocable capabilities. The emerging consensus is that successful deployments will treat agents as first-class identities and untrusted workloads simultaneously—free to operate at machine speed, but only within clearly defined guardrails aligned to business and compliance requirements.
