Skip to main content
Springvanta
All posts
AI Security & GovernanceJun 19, 2026 · 7 min read

90% of Agents Run Ungoverned. Three Vendors Built the Stack in 48 Hours.

DeepMind, Snowflake, and Okta each shipped a different layer of agent security in the same 48 hours. Runtime monitoring, data governance, identity control.

By SpringVanta

90% of organizations have no way to govern what their AI agents are actually doing in production. 54% have already had a security incident from an agent acting unexpectedly. These numbers come from a 2026 survey of senior technology leaders cited by Okta, and they track with what Gravitee found independently: 88% of organizations experienced a confirmed or suspected agent security incident in the past year, while agent estates doubled in four months.

In the same 48-hour window, three infrastructure companies published frameworks that each address a different layer of this problem. Google DeepMind released an AI Control Roadmap that treats agents as potential insider threats. Snowflake published a Data-Model-Agent security framework that starts at the data layer. Okta shipped identity governance for agent handoffs, tools, and kill switches.

None covers the full problem alone. Together they describe the three layers every enterprise needs before putting agents into production.

Runtime control: DeepMind treats agents as insider threats

Google DeepMind published its AI Control Roadmap on June 18. The assumption is deliberately uncomfortable: what if a highly capable agent isn't aligned with your goals and acts against them?

The framework borrows directly from cybersecurity. DeepMind adapted MITRE ATT&CK, a standard catalog of adversary tactics and techniques, to model what a misaligned agent might do. They treat untrusted agents the same way a company would treat a rogue employee who already has building access. Build a threat model. Track risks systematically. Run drills to test whether defenses hold.

The system scales on two axes. Detection tiers (D1 through D4) move from monitoring visible chain-of-thought reasoning up to inspecting opaque internal model states. Prevention and Response tiers (R1 through R3) move from asynchronous transcript review to real-time action blocking. Lower-risk actions get reviewed after the fact. Higher-risk actions, like major cyber operations, require synchronous blocking before they execute.

DeepMind already analyzed one million internal coding-agent tasks using this system. Most flagged events did not come from adversarial intent. They came from agents misinterpreting instructions or pursuing goals too aggressively. A coding agent that deletes data because it misunderstood a cleanup request is not malicious. It is still dangerous.

This analysis informed a live monitor for Gemini Spark, DeepMind's coding agent. The monitor watches agent trajectories in real time and intervenes when it detects actions like unintended data deletion.

There is a weak point, and DeepMind acknowledges it. The system uses other AI models as "supervisors" to watch agent reasoning. UC Berkeley professor Dawn Song identified the risk: if the monitor model won't flag failures because it is protecting its peer, the oversight architecture breaks. DeepMind's position is that monitoring only works as long as the monitored models do not learn to game it. The roadmap is built for systems that may get harder to oversee.

Alongside the technical roadmap, DeepMind published a companion policy paper called "Three Layers of Agent Security" covering individual agents, multi-agent systems, and ecosystem-level resilience.

Data governance: Snowflake's Data-Model-Agent framework

Also on June 18, Snowflake's Chief Security and Trust Officer Mayank Upadhyay published a framework built on a straightforward principle: agentic AI must be governed where enterprise data already lives.

The Data-Model-Agent framework organizes security into three layers. The data layer enforces least privilege, masking, data movement controls, and compliance at the storage level. The model layer protects against prompt injection and keeps execution inside the customer's security boundary. The agent layer governs identity, tools, approvals, and auditability.

The data layer argument is the most useful part for buyers. Most agent security conversations focus on the model or the runtime. Snowflake's position: if your data foundations have weaknesses, AI will expose them. The same controls that matter for analytics (role-based access, masking, encryption, network policies) become more critical when agents can act autonomously, not less.

Snowflake's zero-copy architecture matters here for a practical reason. Every copy of data you create for AI is another place sensitive information can leak. Fewer copies mean fewer policies to reconcile and fewer attack surfaces to monitor.

The model layer targets indirect prompt injection, which Snowflake calls the defining threat of agentic AI. This happens when an agent reads an external source (a webpage, PDF, ticket) containing hidden malicious instructions and treats them as legitimate. Snowflake Horizon AI Guardrails add a governance layer between user intent, model reasoning, and execution, configurable at the account level without infrastructure changes.

The agent layer gives AI agents distinct, auditable identities so actions can be attributed to the specific agent that performed them. Snowflake's Natoma integration provides a centralized gateway for MCP tool usage, with over 100 MCP servers and 10,000 tools governed through one control point. For code-generating agents, Snowflake supports sandboxed environments that restrict file system and network access.

Snowflake also published a Well-Architected Framework on June 16 that includes a warning worth quoting directly: "a silent failure in an agentic workflow is the worst kind, no alert, no recovery, just wrong answers."

Identity governance: Okta extends identity to agents

On June 17, Okta published new capabilities for agent identity governance organized around three questions: Where are my agents? What can they connect to? What can they do?

The identity gap is concrete. AI coding assistants like Claude Code, Cursor, and GitHub Copilot connect to internal systems (Jira, ServiceNow, GitHub) through hard-coded tokens, ad hoc credentials, and API keys stored in configuration files. No centralized authorization. No audit trail. Security teams have no visibility into which agents accessed which systems, on whose behalf, or what they did when they got there.

Okta's Agent-to-Agent Connections address the handoff problem. Every time an agent delegates work to another agent, that handoff is an access event. Okta lets enterprises define per-agent connection policies: which agents can invoke which others, with what scope, and for how long. A verifiable chain travels with every token so the audit log captures who authorized what.

The MCP Bridge is an identity-aware proxy that sits between AI coding assistants and the MCP tools they connect to. Every call flows through the bridge. Every agent authenticates through the identity provider. Every action lands in the audit log. The agent does not need rewriting. The developer does not need to change their workflow.

Fine-Grained Authorization goes beyond static roles. Instead of asking "does this agent have access to this system?", it asks "can this agent, acting for this user, take this action on this resource right now?" A procurement agent can approve invoices up to $10,000 but not above. FGA checks the approval limit at runtime, not just the role.

The kill switch is the feature most CISOs will care about. Revoking access cuts off an agent across all connected resources in a single action from the Okta Admin Console. Okta frames it bluntly: when you know you can stop it, you can approve it.

Timeline showing agent security frameworks from DeepMind, Snowflake, and Okta with supporting survey data from Gravitee, Grant Thornton, and IBM IBV

Why this convergence matters

These three frameworks were published independently within 48 hours. They are not coordinated. But they converge on the same conclusion: agent security is not one product or one layer. It is a stack.

Runtime monitoring catches agents going off track, whether through malice or over-eagerness (DeepMind). Data governance ensures agents only see what they need and cannot exfiltrate sensitive information (Snowflake). Identity governance ensures every agent action is attributable, every handoff is authorized, and every rogue agent can be stopped (Okta).

The survey data is stark. Gravitee found that 48% of production agents run unsecured and only 14.4% go live with full security and IT approval. Grant Thornton's 2026 survey found 78% of executives doubt they could pass an independent AI governance audit within 90 days. IBM's Institute for Business Value calculated that a $20 billion enterprise loses roughly $140 million annually to AI irregularities.

What to check

If you are evaluating or deploying AI agents, the questions these frameworks raise are the ones your security team needs answers to:

  • Can you distinguish agent actions from human actions in your logs?
  • Can you limit agents to only the tools and data they need for a specific task?
  • Can you stop sensitive information from leaving approved boundaries?
  • Can you defend against indirect prompt injection?
  • Can you shut down a misbehaving agent in real time, across all its connections?
  • Can you produce an audit trail showing what each agent did, when, and on whose authority?

If the answer to any of these is no, you have a gap. The frameworks published this week map out how to close it.

Sources:

Continue reading

← Previous

The AI Moat Is the Data: Harvey, CoStar, and AdvancedMD Show Why

Next →

Block Ships 15% of Production Code Through AI Agents

Read more

Like this kind of writing?

One email when something good ships — usually once or twice a month.

SubscribeAll posts