Recently, AWS introduced mandatory peer review for production access following the Cost Explorer incident, which exposed what can go wrong when access controls and governance fail.
Misconfigured access controls and human error gave an AI agent elevated access and contributed to a 13-hour production disruption. The controls were added only after the damage was done, and that sequence matters, because teams are rushing to connect AI agents to business infrastructure, running them inside production systems, internal workflows, and operational tools.
The assumption organizations are operating under is that they can connect the agent now and sort out the controls later. That assumption breaks the moment an agent has broad permissions, because these systems aren't fully baked and they make decisions based on probability rather than facts and wisdom.
Once they get access, they can misunderstand the request, make the wrong decision, and cause damage quickly. To protect your organization, you need guardrails in place before broad access reaches production.
A human with access is only as dangerous as the trust you place in that person. When you give an agent broad permissions, you create a different kind of failure mode.
Recently, OpenClaw started wiping a Meta executive’s inbox after being told to suggest what should be archived or deleted and wait for approval before taking action. Despite being asked to stop, it kept going.
Prompts and approval steps can help to a degree, but they do not solve the core problem. They evaluate actions one at a time, without the full context behind them. On paper, a single deletion may look harmless and so may the next one; however, by the time you realize those small approvals are part of a larger destructive sequence, the agent may have already deleted something important.
Humans judge singular incidents but the system acts in totality. It’s like sparks around a fire pit. One spark doesn’t look like a problem but then another lands. And another. Judge each one in isolation, and you miss the larger fire starting to catch.
Governance can’t depend on the agent or the LLM policing itself. The moment an agent gets production access, it goes beyond a prompt or approval problem to an infrastructure problem. We don’t know how these systems interpret or manipulate their own controls, so the control point has to exist outside the context window of the agent’s thought process.
The broader issue is that there is no single, universally adopted standard for agent security, authorization, auditing, governance, and observability across this space. Everything is still at the stage of preliminary studies and analysis. And the code ships so fast that even if standards existed, teams would be naive to assume they could be implemented consistently. So, as security professionals, we have to solve this architecturally, from the outside.
Kubernetes is the practical way to do it. It gives you an isolated environment and a governed way to control how things flow in and out.
| What needs to happen | Why |
| --- | --- |
| Put controls outside the agent or LLM | The runtime cannot be trusted to interpret its own constraints reliably |
| Bolt security on at the front and back | Requests coming in and requests going out both need external checks |
| Monitor internal context from an external injection point | Front and back controls still do not show the full internal rationale |
Even if security sits on both sides of the model, the hard question remains: how do you monitor internal context? That is where APM-like solutions still need to catch up.
You need to monitor both the immediate action and the full context of what the system is trying to do, much like application performance monitoring of web apps and services today.
| In Kubernetes | What it gives you |
| --- | --- |
| Pods with cgroups and namespaces underneath | An isolated space for the workload |
| Network policies | Control over what traffic can get in and out |
| Sidecars | A way to front-load controls around traffic entering or leaving the workload |
| Monitoring tools | The ability to watch behavior and kill, pause, or stop a workload that starts misbehaving |
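As a sketch of the network-policy idea: a minimal egress allowlist, assuming a hypothetical `agents` namespace, an `app: ai-agent` pod label, and a governed gateway service the agent is allowed to reach. The names and port are illustrative, not prescriptive.

```yaml
# Hypothetical policy: the agent pod may only send traffic
# to the gateway service; all other egress is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: agent-egress-allowlist
  namespace: agents            # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: ai-agent            # assumed pod label
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: gateway     # assumed governed control point
      ports:
        - protocol: TCP
          port: 443
```

Because `policyTypes` includes `Egress`, any traffic not matched by the `egress` rules is denied, which is the default-deny posture you want for an agent workload.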
That’s very different from running an agent flat on a Windows machine or Linux host, where it can end up with access to the whole file system, host ports, and anything else its permissions allow. Still, isolation by itself is not enough because you have to govern how it communicates with other systems.
| Flat host | Kubernetes |
| --- | --- |
| Can have access to the whole file system and host ports if permissions allow | Lives inside an isolated environment |
| Harder to contain without shutting down the source | Can isolate and shut down the specific pod |
| No governed standard for managing connectivity across systems | Network flow can be governed and controlled |
Teams are trying to put agents into real systems, thinking they’re doing it in a controlled environment. They’re not. It’s like lighting a fire on open ground and assuming you can run for water if it gets out of hand.
Kubernetes gives you something closer to a fire pit with a fire extinguisher in your hand. The workload is isolated, traffic is governed, and the kill switch is close to the source.
In enterprise environments, you could use a platform like Red Hat OpenShift. If the system starts doing something it shouldn’t do, you can stop that workload without shutting everything else down.
The same logic applies to service-to-service traffic.
If you're going to give an agent production access, there has to be a minimum bar, not a vague idea of governance. You need actual controls in place before this goes live. If you accept the earlier point that controls must live outside the runtime, this is the minimum checklist that follows from it.
| Layer | What needs to be in place |
| --- | --- |
| Supply chain security | Make sure the model binaries are valid, come from the source you think they come from, and are the only models allowed to run in your environment. |
| Runtime protection | Learn what normal behavior looks like, then kill switch, alert, or audit when the workload starts doing things outside that range. |
| Identity, authorization, auditing, and governance | Carry identity through the environment, enforce who can talk to what, and audit the whole process along the way. |
| Human in the loop for advanced actions | Put a person in the approval path for higher-risk actions and implicitly deny if approval does not come back in time. |
| Prompt guarding and context observability | Put protection in front of the model and build toward observability that can show not just what it is doing, but why. |
First, make sure the binaries are the ones you think they are, that they come from the source you think they come from, and that those are the only models allowed to run. Then protect the workload at runtime.
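A minimal sketch of that supply chain check in Python, assuming you have already obtained trusted digests out of band (for example, from the publisher's signed release notes). The allowlist digest below is purely illustrative.

```python
import hashlib

# Hypothetical allowlist: SHA-256 digests of model binaries you have
# verified against the publisher's published checksums.
ALLOWED_MODEL_DIGESTS = {
    "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae",  # example digest
}

def sha256_of(path: str) -> str:
    """Stream the file so large model binaries never load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def is_allowed_model(path: str) -> bool:
    """Refuse to load any binary whose digest is not on the allowlist."""
    return sha256_of(path) in ALLOWED_MODEL_DIGESTS
```

In practice you would enforce this at admission time (for example, via an admission controller or image signing) rather than inside application code, but the principle is the same: the environment, not the agent, decides which models run.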
Ask what normal looks like for this workload. If it starts doing something outside that range, kill switch it, or at least audit log it and alert on it. The goal is to keep individual components from becoming runaway rogues.
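As a toy illustration of baseline-then-alert, here is a single-metric monitor. This is not a substitute for a real runtime-protection tool, which would watch syscalls, network flows, and file access; it only shows the shape of the control.

```python
from collections import deque

class BehaviorBaseline:
    """Toy baseline monitor: learn a normal range for one metric
    (e.g. outbound requests per minute), then flag excursions."""

    def __init__(self, window: int = 100, tolerance: float = 3.0):
        self.samples = deque(maxlen=window)  # rolling history of observations
        self.tolerance = tolerance           # how many std-devs counts as abnormal

    def observe(self, value: float) -> None:
        self.samples.append(value)

    def is_anomalous(self, value: float) -> bool:
        if len(self.samples) < 10:           # not enough history to judge yet
            return False
        mean = sum(self.samples) / len(self.samples)
        var = sum((s - mean) ** 2 for s in self.samples) / len(self.samples)
        std = var ** 0.5
        return abs(value - mean) > self.tolerance * max(std, 1e-9)
```

The decision that matters is what happens on a hit: the monitor should trigger an external action (scale the pod to zero, page a human, write an audit event), not ask the agent to stop itself.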
Identity has to carry through the environment. Authorization has to decide what can talk to what. The whole process has to be audited along the way. The agent shouldn’t talk directly to whatever it wants. It should have to route through a governed control point.
For higher-risk actions, add human approval. The request context gets sent to a person, the person decides whether to approve it. If approval doesn’t come back in time, it gets denied.
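A minimal sketch of that approval gate, with the reviewer's channel stubbed as a queue (standing in for Slack, a ticketing system, or a custom UI). The names and timeout are assumptions; the property that matters is the implicit deny when no answer arrives.

```python
import queue

def request_approval(action: str, approvals: "queue.Queue[bool]",
                     timeout_s: float = 30.0) -> bool:
    """Block until a human answers on the approvals channel.
    No answer within the timeout means the action is denied."""
    try:
        return approvals.get(timeout=timeout_s)
    except queue.Empty:
        return False  # implicit deny: silence is not consent
```

Denying on timeout is the safe default: a stalled reviewer or a dropped message degrades to "nothing happens," not "the agent proceeds."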
Then, as with web applications, put a context-aware firewall (similar to a WAF) in front of the model, responsible for guarding prompt input. It can help catch prompt injection patterns, block unwanted requests, and reduce the chance of sensitive data being exposed.
You need observability for context, not just what the agent is trying to do, but why. Sadly, that part is still developing, but it matters because you need the full context behind the action (not just the action itself).
If something goes wrong, you need an audit trail of every step along the way:
You want the who, what, where, why, and how.
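One way to shape those entries, as a hypothetical structured record; the field names are illustrative, and in practice each step of the agent's path would emit one of these to a log pipeline.

```python
import json, time, uuid

def audit_record(actor: str, action: str, target: str,
                 rationale: str, channel: str) -> str:
    """One structured audit entry capturing who, what, where, why,
    and how; emitted as JSON so it can ship to a log pipeline."""
    return json.dumps({
        "id": str(uuid.uuid4()),   # unique entry id for correlation
        "ts": time.time(),         # when it happened
        "who": actor,              # the agent or user identity
        "what": action,            # the action attempted
        "where": target,           # the system or resource touched
        "why": rationale,          # the context behind the action
        "how": channel,            # the route it took (API, tool call, etc.)
    })
```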
That’s the practical baseline for production access.
Without those pieces, and without a Kubernetes environment that can actually enforce them, you’re just playing with dynamite.
---
Derrick Sutherland - Chief Architect at Shadow-Soft
Derrick is an Enterprise Solutions Architect with 16+ years of experience helping organizations design and govern secure, cloud-native platforms across hybrid and highly regulated environments. His work spans Kubernetes-based architecture, DevSecOps, and enterprise identity and access management, with a growing focus on safely operationalizing AI-driven automation without sacrificing policy enforcement or control.