Claude Code auto mode shows why agentic security needs runtime intent checks

At a glance

What this is: This is an analysis of Claude Code auto mode and Lasso Security’s Intent Security comparison, with the key finding that agentic systems need runtime intent checks rather than constant human approval.

Why it matters: It matters because IAM, PAM, and NHI teams now have to govern tool-using agents as runtime decision-makers, not just as automated workloads or human proxies.

By the numbers:

• Anthropic’s data from their Claude Code auto mode post says users approve 93% of permission prompts.

👉 Read Lasso Security’s analysis of Claude Code auto mode and Intent Security

Context

Claude Code auto mode is an agentic security pattern that replaces per-action human approval with runtime evaluation of what the agent is allowed to do. The governance problem is not whether the model can act, but whether the system can distinguish authorised behaviour from scope drift quickly enough to matter.

For identity teams, the issue sits at the boundary between NHI controls and agentic autonomy. A tool-using agent may inherit workload-style credentials, but the decision problem changes once the system is expected to approve, block, or redirect its own actions at runtime.

Lasso Security uses Anthropic’s auto mode as a comparison point for its own Intent Security framework. That makes the article less about a feature announcement and more about the operating model gap between conventional guardrails and runtime identity governance for agentic systems.

Key questions

Q: How should security teams govern AI agents that can act without constant approval?

A: Security teams should treat autonomous agent behaviour as a runtime authorisation problem, not a ticketing or review problem. The control objective is to keep tool use, data access, and action timing inside explicit mission boundaries while separating content inspection from action approval. The safest programmes define what the agent may do before execution begins and enforce that boundary continuously.

Q: Why do AI agents complicate least privilege and blast-radius control?

A: AI agents complicate least privilege because their exact action sequence is not fully knowable at provisioning time. Traditional access models assume a stable task, stable tools, and a human operator who can be reviewed after the fact. Once an agent is deciding in session, the blast radius can change mid-execution, which makes static entitlement review incomplete.

Q: What do teams get wrong when they rely on human approval for every agent action?

A: They assume that more human checkpoints always equal more security. In practice, repeated prompts create approval fatigue, and the review step becomes less discriminating as volume rises. That means routine actions are rubber-stamped while risky ones can slip through. The governance failure is not the agent alone, but the control design around it.

Q: What should organisations do when system scope changes for an AI agent?

A: They should update the agent’s operational boundaries as a security-controlled artifact, not as an informal prompt change. If the intended mission changes, the runtime policy should change with it, or the system will continue enforcing an outdated definition of safe behaviour. Scope provenance matters because stale policy creates misalignment even without an attack.

Technical breakdown

Two-layer agent protection at the input and action boundaries

Claude Code auto mode uses two distinct checkpoints. One inspects what enters the agent’s context, including file contents, web fetches, shell output, and tool responses, to catch prompt injection before it can shape behaviour. The second evaluates the action the model is about to take, comparing the user’s request and the planned tool call against policy. The important architectural point is separation: the classifier that decides whether an action is safe does not rely on the agent’s own reasoning or outputs. That prevents the model from arguing its way past the guardrail and keeps evaluation independent.

Practical implication: Practitioners should separate content-risk inspection from action authorisation instead of collapsing both into one classifier.

Why approval fatigue breaks human-in-the-loop control

The article’s core risk argument is that human approval becomes less protective as prompt volume rises. If users approve most requests, the review step stops functioning as a discriminating security control and becomes a throughput bottleneck. That creates a dangerous pattern: routine actions get rubber-stamped, while rare high-risk actions hide inside the flow. For agentic systems, the security question shifts from whether a human can validate every step to whether the runtime can preserve policy intent without demanding constant manual intervention. This is a governance problem, not just a UX problem.

Practical implication: Teams should treat approval fatigue as a control failure mode, not a training issue for end users.

System intent is the policy boundary for agent behaviour

The article describes configurable decision criteria that define what the agent is supposed to do in a given environment. In practice, this is the policy boundary that separates intended autonomy from unsafe improvisation. The model may remain capable of using tools, but the runtime layer decides whether that capability stays inside the authorised mission. That matters because agentic systems do not fail only when they are attacked. They also fail when their own behaviour gradually stops matching the operational boundaries the developer intended. Intent-based enforcement is therefore about preserving behavioural alignment across the session, not just blocking obvious malicious inputs.

Practical implication: Define mission boundaries per agent and per environment, then enforce them at runtime instead of relying on static allowlists alone.

Threat narrative

Attacker objective: The attacker’s objective is to push the agent into taking unauthorised actions while appearing to operate within normal workflow boundaries.

1. Entry occurs when external content such as web pages, file contents, or tool output is pulled into the agent’s context and can attempt to influence subsequent decisions.
2. Escalation happens when the model starts to act beyond the user’s original request or beyond the system’s intended boundaries, either through overreach, prompt injection, or misaligned planning.
3. Impact is achieved when the agent executes an unauthorised tool action, leaks sensitive data, or compounds the error through repeated autonomous steps without effective review.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Runtime approval is not identity governance when the actor can move faster than the reviewer. The article shows that 93% approval rates turn human review into a pacing problem, not a security boundary. That makes the real control question whether the runtime can decide faster than the agent acts, which is the relevant governance test for agentic systems.

Intent-based enforcement is the right abstraction for agent behaviour, but only if policy boundaries are explicit. The article’s strongest point is that user intent, system intent, model intent, and external content are separate security questions. Conflating them creates blurry controls that are hard to tune and easy to bypass, so practitioners should recognise that boundary clarity, not classifier size, is the governance primitive.

Least privilege was designed for predeclared access, not for autonomous session-time behaviour. That assumption fails when an agent chooses its own sequence of actions, tools, and timing because the privileged path is no longer fully knowable at provisioning time. The implication is that traditional entitlement review cannot describe the actor’s real blast radius once runtime delegation takes over.

Behavioural separation is the named concept this article exposes: intent-dimension drift. The article shows that what matters is not a single safe or unsafe label, but whether user, system, model, and external content remain separable under pressure. When those dimensions bleed into one another, the organisation loses the ability to explain why the agent acted, which makes governance and incident review materially weaker.

Agentic security is converging on oversight layers because the market has reached the limits of static guardrails. The comparison between auto mode and Intent Security suggests the field is moving away from single-pass detection and toward runtime supervision of mission alignment. Practitioners should read that as a signal to rework their control stack around operating boundaries, not just prompt filters.

From our research:

• Anthropic’s data from their Claude Code auto mode post says users approve 93% of permission prompts, according to Analysis of Claude Code Security.
• Our research on AI agent governance also found that 80% of organisations report their AI agents have already performed actions beyond their intended scope.
• That same research shows only 52% of companies can track and audit the data their AI agents access, which leaves 48% with a compliance and investigation blind spot.

What this signals

Intent dimension drift: this post points to a wider shift in agent governance, where organisations must monitor whether user, system, model, and external content remain separable over time. When those boundaries blur, the problem is no longer just prompt injection, it is loss of explainable control over runtime behaviour.

With 80% of organisations reporting agent actions beyond intended scope, the pressure on IAM and security teams is moving from experimentation to containment. That means operational models built for fixed entitlements will need to give way to policy enforcement that follows the agent at runtime, not just at provisioning.

This is where NIST AI Risk Management Framework thinking becomes relevant for agent programmes, especially around governance and monitoring. The practical signal is simple: if a control cannot tell you why the agent acted, it is not yet ready for production use at scale.

For practitioners

• Define separate intent boundaries for each agent Document user intent, system intent, model intent, and external content as distinct governance inputs. That separation prevents one control from being asked to solve every agentic security problem at once.
• Split content screening from action approval Use one control to inspect inbound content and another to authorise outbound tool calls. This reduces cross-contamination and makes it easier to see whether the agent was influenced before it acted.
• Measure approval fatigue as a control signal Track how often users approve agent prompts without review and identify where routine acceptance is masking risk. High approval rates indicate that human review has become a throughput step, not a protective decision.
• Treat system intent as a mutable security artifact Review the boundaries an agent is allowed to operate within whenever the application scope changes. If the mission definition is stale, the runtime layer will faithfully enforce the wrong policy.

Key takeaways

• Agentic security cannot rely on constant human approval once tool-using systems begin to move faster than reviewers can meaningfully inspect.
• The article’s main evidence is the 93% approval rate for Claude Code prompts, which shows why approval-driven control can degrade into throughput rather than protection.
• The key governance move is to enforce explicit runtime intent boundaries so that action approval, content screening, and scope definition remain separate controls.

Key terms

• Intent Security: Intent Security is a runtime control model that checks whether an agent’s actions still match the mission it was given. It evaluates user intent, system intent, model intent, and external content separately so security decisions are based on behavioural alignment, not just on static rules or a single classifier outcome.
• System Intent: System intent is the operational boundary a developer defines for an application or agent. It sets what the system is supposed to do, what it must not do, and which actions are allowed in context. In agentic environments, that boundary must be enforced at runtime because the actor can change course during execution.
• Approval Fatigue: Approval fatigue is the point at which repeated security prompts lose their protective value because users accept them reflexively. For agentic systems, it turns human review into a low-signal checkpoint and increases the chance that risky actions receive approval simply because the interaction volume is too high to inspect carefully.
• Intent-Dimension Drift: Intent-dimension drift is the gradual loss of separation between user, system, model, and external content during agent execution. When those layers bleed into one another, the organisation can no longer explain whether the agent acted on instruction, contamination, or misalignment, which weakens governance and incident response.

Deepen your knowledge

Runtime intent checks, agent boundary governance, and AI agent oversight are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for agentic systems like the one analysed here, it is worth exploring.

This post draws on content published by Lasso Security: Intent Security Through the Lens of Claude Code Auto Mode. Read the original.