How ‘Deny by Default’ Permissions Can Stop Rogue AI Agents

What ‘Deny by Default’ Means for AI Agent Security

Deny by default in AI agent security is a design approach in which autonomous AI agents start with zero permissions: every action, data source, or system access they need must be explicitly granted before it occurs, monitored while it is in use, and revocable through clear governance controls. Enterprises are embracing AI agents that can browse the web, query internal knowledge, and write code, but without explicit limits those capabilities run far ahead of existing oversight. This gap between AI capability and governance is what makes zero-permission defaults so important. Instead of launching agents with broad access and trying to restrict them later, deny by default flips the model: agents begin fully blocked, and security teams add tightly scoped permissions one by one. That shift is turning from a best practice into a prerequisite for serious AI deployment in large organizations.

The Lethal Trifecta: Capability Without Governance

Vendors and security leaders describe a “lethal trifecta” when an AI agent gets unfettered internet access, an internal knowledge base, and a coding terminal at the same time. Humans use these tools every day, but an autonomous system that can chain them at machine speed, with no human judgment in the loop, can create an attack path few governance frameworks are ready to handle. Computer-use agents popularized by tools like Claude showed the upside: “mini engineers” that can read the web, inspect private data, and update code in one workflow. The risk is that many early deployments gave these agents wide access by default, with controls added only after incidents or near misses. Deny-by-default architectures respond by placing a secure runtime between agents and infrastructure, so every attempted action is checked against tightly defined permissions before it touches real systems.

Zero Permissions by Default: From Theory to Practice

Zero permissions by default takes the deny-by-default idea to its logical end: new AI agents start with no ability to act on anything. Open Shell, an open-source secure runtime from NVIDIA’s agentic AI division working with ServiceNow, demonstrates how this can work. When an agent spins up in Open Shell, the runtime answers every permission request with “no” unless that specific process or action has been pre-approved. Each agent receives an identity, like a user account, that defines exactly which APIs, systems, or records it can touch. The agent’s reasoning may be probabilistic, but its actions are constrained by deterministic checks at runtime. If an AI decides it wants to update a salary record in an HR system, that request only proceeds if its identity includes that permission; otherwise the runtime blocks it and logs the attempt.

Why Enterprises Want Instant Kill Switches

Even with tight permissions, enterprises want a way to shut down misbehaving or compromised agents immediately. Okta calls this a kill switch: the ability to sever access tokens and logical connections at the authorization layer the moment an AI agent steps outside policy. According to Okta, 92 percent of executives report moderate or widespread use of autonomous AI agents, but only 22 percent say those agents have identities tied to them. That lack of identity-aware control leaves security teams with no clean way to disable a rogue AI. ServiceNow has been pushing vendors for this capability as it rolls out its AI Control Tower, which monitors agent behavior for policy violations and then triggers remediation actions. In that model, Okta revokes tokens while tools like Veza manage the permissions graph and can strip an agent’s rights from within the ServiceNow platform itself.
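The two mechanisms described above, a deterministic deny-by-default gate bound to an agent identity and a kill switch that severs that identity, fit in a few dozen lines. The following is an added illustration written for this article; it is not code from Open Shell, ServiceNow, Okta or Veza, and the class names, the “payroll-bot” identity and the sample resource paths are invented for the example. Resource grants are expressed as glob patterns over a path, which is one reasonable convention but not one the article attributes to any of these products.

```python
"""Deny-by-default permission gate for AI agents, with audit log and kill switch.

Added example, not Open Shell/ServiceNow/Okta/Veza code. PolicyEngine,
AgentIdentity, "payroll-bot" and the resource paths are invented.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Permission:
    """One explicitly granted capability: an action on a resource pattern."""
    action: str      # e.g. "read", "write", "exec"
    resource: str    # glob over a resource path, e.g. "hr/records/*"

    def covers(self, action: str, resource: str) -> bool:
        # Exact action match, glob match on the path ('*' also spans '/').
        return self.action == action and fnmatchcase(resource, self.resource)


@dataclass
class AgentIdentity:
    """Identity bound to one agent. Created with zero permissions."""
    agent_id: str
    permissions: set[Permission] = field(default_factory=set)
    revoked: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PolicyEngine:
    """Deterministic gate between an agent's probabilistic plan and real systems.

    Every check fails closed: an unknown identity, a revoked identity, or no
    matching grant all yield allowed=False, and every attempt is audit-logged.
    """

    def __init__(self) -> None:
        self._agents: dict[str, AgentIdentity] = {}
        self.audit_log: list[dict] = []

    def register(self, agent_id: str) -> AgentIdentity:
        # New agents start fully blocked; nothing is granted implicitly.
        ident = AgentIdentity(agent_id)
        self._agents[agent_id] = ident
        return ident

    def grant(self, agent_id: str, action: str, resource: str) -> None:
        # Permissions are added one at a time, scoped to a resource pattern.
        self._agents[agent_id].permissions.add(Permission(action, resource))

    def kill(self, agent_id: str) -> None:
        # Kill switch: mark the identity dead and drop all grants. Later checks
        # stay denied even if someone re-grants a permission afterwards.
        ident = self._agents[agent_id]
        ident.revoked = True
        ident.permissions.clear()

    def check(self, agent_id: str, action: str, resource: str) -> Decision:
        ident = self._agents.get(agent_id)
        if ident is None:
            decision = Decision(False, "unknown identity")
        elif ident.revoked:
            decision = Decision(False, "identity revoked by kill switch")
        elif any(p.covers(action, resource) for p in ident.permissions):
            decision = Decision(True, "explicit grant")
        else:
            decision = Decision(False, "no matching grant (default deny)")
        # Denied attempts are the signal a governance layer would alert on.
        self.audit_log.append({"agent": agent_id, "action": action,
                               "resource": resource, "allowed": decision.allowed,
                               "reason": decision.reason})
        return decision


def scenario() -> list[bool]:
    """Walk one agent from zero permissions through a scoped grant to a kill.

    Returns the allowed/denied outcome of each step, in order.
    """
    engine = PolicyEngine()
    engine.register("payroll-bot")
    # 1. Fresh identity: even a read is denied (zero-permission default).
    results = [engine.check("payroll-bot", "read", "hr/records/emp-42").allowed]
    engine.grant("payroll-bot", "read", "hr/records/*")
    results += [
        # 2. The scoped read is now allowed ...
        engine.check("payroll-bot", "read", "hr/records/emp-42").allowed,
        # 3. ... but writing the same record, or reading elsewhere, is not.
        engine.check("payroll-bot", "write", "hr/records/emp-42").allowed,
        engine.check("payroll-bot", "read", "repo/payroll-service").allowed,
    ]
    engine.kill("payroll-bot")
    # 4. After the kill switch the previously allowed read is denied too.
    results.append(engine.check("payroll-bot", "read", "hr/records/emp-42").allowed)
    return results


if __name__ == "__main__":
    print(scenario())  # [False, True, False, False, False]
```

The point of the structure is that the model never talks to the HR system or the repository directly; every call goes through check(), whose answer depends only on the identity's explicit grants, never on what the agent says it intends. The audit log of denials is what a governance layer such as the one the article describes would watch for, and kill() shows why identity matters: with no identity there is nothing to revoke.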

Closing the Gap Between AI Capability and Governance

The rapid rise of AI agents has exposed an uncomfortable truth: development teams can wire powerful agents into tools like GitHub and Jira faster than security and governance teams can catch up. Okta leaders describe common patterns where agents run with static tokens on local machines, outside modern identity and access controls. Deny-by-default design with zero-permission defaults directly targets this gap. By giving every agent an identity, starting from no access, and layering on fine-grained permissions plus a kill switch, enterprises can align AI capability with their existing zero-trust models. ServiceNow’s work with Open Shell, Okta, and Veza shows how this stack might look: a secure runtime to enforce decisions, a governance layer to spot risky behavior, and identity systems to cut access instantly. Without these controls, AI agents will remain powerful but untrusted guests in the enterprise.
