The old review model is missing the worker.
Security teams know how to review SaaS. They know how to review service accounts. Agents blur that boundary. They can hold credentials, interpret context, choose tools, and create downstream effects across systems that were never designed for autonomous actors.
The CISO needs more than a vendor questionnaire. They need a way to ask: which digital employee is this, who manages it, what job is it hired to do, what access does it hold, and how do we know it stayed inside its job?
Agent risk concentrates in credentials and decisions.
Most practical risk comes from agents that can act with broad credentials, write into production systems, or trigger irreversible workflows. Prompt controls help, but they do not replace external enforcement. The runtime has to hold the credential and decide whether the requested action fits the agent’s role.
When the action is sensitive, the runtime should pause and ask the accountable manager. That creates security control and operating accountability at the same moment.
Audit evidence should be useful before an incident.
Logs become valuable when they are connected to role, policy, approver, credential, and outcome. The CISO should be able to inspect one agent’s personnel record and understand exactly how it was onboarded, supervised, evaluated, and terminated.
It is “the agent cannot act outside its governed role without producing evidence or requiring approval.”
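The enforcement pattern described above, as an added Python example that is not from the original page or from any vendor's product: the runtime holds the credential, checks each request against the agent's role, pauses sensitive actions for the accountable manager, and writes an audit record linking agent, approver, credential and outcome. The class names, agent id, actions, manager address and credential are assumptions constructed for illustration.

```python
import time
from dataclasses import dataclass

# Every name and value here (agent id, actions, manager, credential) is constructed.
@dataclass(frozen=True)
class Role:
    agent_id: str
    manager: str
    allowed: frozenset      # actions inside the agent's job
    sensitive: frozenset    # allowed actions that need manager approval

@dataclass(frozen=True)
class Credential:
    cred_id: str            # safe to log
    secret: str             # never leaves the runtime, never logged

class Runtime:
    """Holds the credential; the agent can only submit action requests."""
    def __init__(self, role, credential, ask_manager):
        self._role, self._cred, self._ask = role, credential, ask_manager
        self.audit = []

    def request(self, action, target, execute):
        role, approver, outcome, decision = self._role, None, None, "allowed"
        if action not in role.allowed:
            decision = "denied_out_of_role"          # enforced outside the prompt
        elif action in role.sensitive:
            approver = role.manager                  # pause and ask the accountable manager
            decision = "approved" if self._ask(approver, action, target) else "rejected_by_manager"
        if decision in ("allowed", "approved"):
            outcome = execute(self._cred, target)    # credential used only after the check
        self.audit.append({"ts": time.time(), "agent": role.agent_id, "action": action,
                           "target": target, "decision": decision, "approver": approver,
                           "credential": self._cred.cred_id, "outcome": outcome})
        return decision

def demo():
    role = Role("invoice-agent-01", "manager@example.com",
                frozenset({"read_invoice", "issue_refund"}), frozenset({"issue_refund"}))
    rt = Runtime(role, Credential("cred-001", "constructed-secret"),
                 ask_manager=lambda mgr, action, target: target != "order-999")
    run = lambda cred, target: f"done:{target}"      # stand-in for the real tool call
    calls = [("read_invoice", "inv-1"), ("issue_refund", "order-1"),
             ("issue_refund", "order-999"), ("delete_customer", "cust-7")]
    return [rt.request(a, t, run) for a, t in calls], rt.audit

if __name__ == "__main__":
    print(demo())
```

Every request, including the denied and rejected ones, leaves a record, so the audit trail exists before any incident rather than being reconstructed after one.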