By NHI Mgmt Group Editorial Team
Published 2026-03-23
Domain: Agentic AI & NHIs
Source: Lasso Security

TL;DR: Enterprise AI security is shifting from adoption and access to authority, with Gartner projecting that roughly 40% of enterprise applications will embed task-specific AI agents by the end of 2026, according to Lasso Security’s 2026 predictions. The control gap is no longer just permissions, but purpose, boundaries, and runtime oversight across agentic workflows.


At a glance

What this is: This is Lasso Security’s 2026 prediction set on enterprise AI security, and its central finding is that intent and control now matter more than simple data access.

Why it matters: It matters because IAM, NHI, PAM, and governance teams now have to control what AI systems can do, under which identity, and within which runtime boundaries.

By the numbers:

  • Roughly 40% of enterprise applications are projected to embed task-specific AI agents by the end of 2026 (Gartner figure, as cited in Lasso Security's 2026 predictions).

👉 Read Lasso Security's enterprise AI security predictions for 2026


Context

Enterprise AI security is becoming an intent-layer problem: organisations now have to govern what a system is allowed to do, not just what data it can see. That shift matters because agentic tools, browser-resident agents, and model-driven workflows act on behalf of users and teams in ways that do not fit traditional static permission models.

The article’s core argument is that existing controls break down when authority becomes delegated, runtime decisions become dynamic, and behaviour can drift beyond the original mandate. For identity programmes, that creates a direct link between AI governance, non-human identity controls, and the way human approvals are translated into machine execution.

This is especially relevant as enterprises embed more AI into operational workflows, where session trust, delegated authority, and control boundaries all need to be explicit. The post frames 2026 as the year when security teams must stop treating AI as a data problem and start treating it as an identity and control problem.


Key questions

Q: How should security teams govern AI agents that can take actions on behalf of users?

A: Security teams should govern AI agents through explicit intent boundaries, tool boundaries, and decision boundaries, not just access permissions. The key question is whether the agent is allowed to act in the first place, how far it may go, and what evidence proves it stayed inside mandate. That is the practical control model for delegated AI execution.

Q: Why do agentic browsers complicate identity and session controls?

A: Agentic browsers complicate identity and session controls because they turn a browser session into a delegated execution environment rather than a stable human interaction. Controls such as SSO, session binding, and step-up authentication assume predictable human behaviour. When an agent continues acting inside the same session, the trust model becomes much harder to interpret.

Q: How do organisations know if an AI system has drifted beyond its mandate?

A: Organisations know an AI system has drifted when its behaviour remains technically permitted but no longer matches the intended purpose, scope, or business outcome. The most useful signals are expanded tool use, new workflow paths, and actions that still pass policy checks while exceeding the original mandate.

Q: Who is accountable when AI-mediated actions create compliance or operational risk?

A: Accountability remains with the deploying organisation, even when an AI model or agent is externally provided. Teams need logs, approvals, and governance records that show what acted, under what authority, and within which mandate. Without that evidence, compliance obligations become difficult to defend.


Technical breakdown

Delegated authority and task-specific AI agents

Task-specific agents do not behave like static software: they call APIs, trigger workflows, and act asynchronously with limited human involvement at execution time. The security issue is not just that they use tools, but that they inherit authority from users, roles, or organisational objectives while continuing to make runtime decisions. That makes purpose definition and boundary enforcement central controls. When intent is loosely defined, agent behaviour expands through workflow drift and operational convenience, and that expansion is difficult to audit after the fact because every individual action still passed an access check.

Practical implication: define explicit purpose boundaries, tool boundaries, and decision boundaries before agents are allowed into production workflows.

Agentic browsers and session trust

Browser-resident agents change the browser from a passive interface into an execution layer. Human intent and agent intent coexist inside the same authenticated session, which weakens the assumptions behind SSO, session binding, and step-up authentication. Those controls assume a stable human operator, but an agent can relay, reinterpret, or continue actions on the user's behalf inside the same session cookie and TLS connection, so the server sees nothing that distinguishes the agent's requests from the person's. That makes long-held session trust assumptions brittle once autonomy enters the browser.

Practical implication: treat browser sessions as delegated execution contexts, not as proof of stable human intent.

AI gateways as the policy choke point

AI gateways centralise routing, policy enforcement, cost controls, observability, identity mapping, and secrets handling across models, agents, and tools. Architecturally, that makes them a control plane, not just a traffic layer. The downside is concentration risk: misconfiguration, policy drift, or compromise can cascade across every downstream workflow. As AI stacks sprawl, the gateway becomes the place where action governance is enforced or lost.

Practical implication: design AI gateways with segmentation, policy versioning, and rollback paths before relying on them as the primary control layer.
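The sections above describe three separate checks an AI gateway has to make on each agent action: whether the inherited role permits the tool at all (access), whether the tool, data and decision fall inside the approved mandate (intent), and whether the resulting record attributes the action to an identity and an authority. The following is an added example written for this page, not code from Lasso Security or from any product; the roles, tools, datasets, mandate identifier and sample calls are all constructed for illustration. It evaluates a short session of tool calls and flags the case the article cares most about, a call that RBAC permits but the mandate does not, as drift.

```python
"""Intent-bound enforcement of agent tool calls at an AI gateway.

Added example for illustration only. ROLE_PERMISSIONS, the mandate, the
tool names and the sample session are constructed, not taken from any
real deployment.
"""
from dataclasses import dataclass, field
from typing import Any

# Access layer: what the delegating user's role may touch (constructed).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "finance-analyst": frozenset(
        {"crm.read", "erp.read", "erp.post_journal", "email.send"}
    ),
}


@dataclass(frozen=True)
class Mandate:
    """Intent boundary approved by a human before production rollout."""
    mandate_id: str
    purpose: str
    approved_by: str                            # human whose authority is delegated
    tool_scope: frozenset[str]                  # tools usable for this purpose
    data_scope: frozenset[str]                  # datasets in scope
    decision_limits: dict[str, dict[str, Any]]  # per-tool limits on what may be decided


@dataclass(frozen=True)
class ToolCall:
    agent_id: str
    session_id: str
    role: str            # role inherited from the delegating user
    tool: str
    args: dict[str, Any]


@dataclass
class Verdict:
    allowed: bool
    reason: str
    drift: bool          # True when access is permitted but the mandate is exceeded
    record: dict[str, Any] = field(default_factory=dict)


def evaluate(call: ToolCall, mandate: Mandate) -> Verdict:
    """Gateway decision: access check first, then the mandate checks.

    Every verdict carries a record naming what acted, under which authority
    (role, approving human, mandate id) and in which session, so the log
    answers the accountability question regardless of outcome.
    """
    record = {
        "actor": call.agent_id,
        "session": call.session_id,
        "authority": {
            "role": call.role,
            "approved_by": mandate.approved_by,
            "mandate": mandate.mandate_id,
        },
        "tool": call.tool,
        "args": call.args,
    }
    # 1. Access question: may this role use the tool at all?
    if call.tool not in ROLE_PERMISSIONS.get(call.role, frozenset()):
        return Verdict(False, "rbac: tool not permitted for role", False, record)
    # 2. Purpose question: is the tool inside the approved mandate?
    if call.tool not in mandate.tool_scope:
        return Verdict(False, "mandate: tool outside tool_scope", True, record)
    dataset = call.args.get("dataset")
    if dataset is not None and dataset not in mandate.data_scope:
        return Verdict(False, "mandate: dataset outside data_scope", True, record)
    # 3. Decision question: does the action stay within the approved limits?
    limits = mandate.decision_limits.get(call.tool, {})
    amount = call.args.get("amount")
    if "max_amount" in limits and amount is not None and amount > limits["max_amount"]:
        return Verdict(False, "mandate: amount exceeds decision limit", True, record)
    return Verdict(True, "within mandate", False, record)


def audit_session(calls: list[ToolCall], mandate: Mandate) -> tuple[list[Verdict], list[str]]:
    """Evaluate a session's calls; return the verdicts and tools showing drift."""
    verdicts = [evaluate(c, mandate) for c in calls]
    drift_tools = sorted({v.record["tool"] for v in verdicts if v.drift})
    return verdicts, drift_tools


# Constructed mandate and session for a hypothetical reconciliation agent.
MANDATE = Mandate(
    mandate_id="m-2026-q1-close",
    purpose="reconcile Q1 CRM pipeline against the ERP ledger",
    approved_by="alice@example.com",
    tool_scope=frozenset({"crm.read", "erp.read", "erp.post_journal"}),
    data_scope=frozenset({"q1-pipeline", "q1-ledger"}),
    decision_limits={"erp.post_journal": {"max_amount": 5000}},
)

SAMPLE_CALLS = [
    ToolCall("agent-recon-7", "sess-41", "finance-analyst", "crm.read", {"dataset": "q1-pipeline"}),
    ToolCall("agent-recon-7", "sess-41", "finance-analyst", "erp.post_journal", {"dataset": "q1-ledger", "amount": 12000}),
    ToolCall("agent-recon-7", "sess-41", "finance-analyst", "email.send", {"to": "vendor@example.net"}),
    ToolCall("agent-recon-7", "sess-41", "finance-analyst", "erp.delete", {"dataset": "q1-ledger"}),
]

if __name__ == "__main__":
    verdicts, drift = audit_session(SAMPLE_CALLS, MANDATE)
    for v in verdicts:
        print(f"{v.record['tool']:<18} allowed={v.allowed!s:<5} drift={v.drift!s:<5} {v.reason}")
    print("tools showing mandate drift:", drift)
```

Two of the four sample calls are the interesting ones: the journal posting and the outbound email both pass the role check and would be invisible to a permissions-only review, yet both fall outside the mandate, one by exceeding the decision limit and one by using a tool the purpose never needed. The fourth call is denied by RBAC alone and is not drift. Versioning the Mandate object and rolling it out through the gateway is what gives the policy-versioning and rollback path the section recommends.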


Threat narrative

Attacker objective: The attacker’s objective is to industrialise exploitation, evade detection, and scale compromise across software, SaaS, and infrastructure.

  1. Entry begins when malicious actors use AI agents for autonomous research, planning, and code generation at scale.
  2. Escalation occurs as those agents reduce the cost and time needed to discover vulnerabilities, adapt malware, and run industrialised social engineering campaigns.
  3. Impact follows when automated discovery and self-improving attack behaviour operate faster than signature-based defence and manual response can keep up.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Agentic behaviour exposes an intent gap, not just an access gap. Traditional IAM and NHI controls are built to decide who can access what. This article shows that AI agents create a second question: what is the system trying to accomplish, and how far may it go while doing it? That is a governance problem because a system can remain within access rules while still violating business intent. Practitioners should treat intent boundaries as a first-class control plane.

Fixed session trust is no longer a safe assumption when browsers become execution environments. Session-based controls assume a stable human actor behind the browser and a predictable sequence of actions. Agentic browsers break that premise because autonomous behaviour can continue inside the same authenticated context. The implication is not that identity is obsolete, but that session trust must be reinterpreted for delegated machine execution.

Intent security should be treated as a named control concept for enterprise AI. The post is strongest when read through the lens of purpose limitation, runtime oversight, and drift detection. That framing matters because organisations need a way to say an AI system has exceeded its mandate even when its access technically remains valid. Practitioners should stop relying on static permissions as the main control story for AI-driven action.

AI gateways are becoming identity-adjacent control planes for non-human actors. Once a gateway controls tool access, policy enforcement, identity mapping, and observability, it sits in the same risk class as other central trust brokers. That concentrates failure impact and creates policy dependency across many workflows at once. The field should expect more security programmes to converge on gateway governance as a core NHI and AI control discipline.

AI compliance is moving identity and auditability to the centre of governance. The article correctly ties operational enforcement to attribution, logging, and accountable action. That combination matters because regulators will not care whether an action was triggered by a human or an agent if the outcome is still enterprise responsibility. Practitioners should assume governance evidence will need to show who or what acted, under which authority, and within which mandate.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • That confidence gap shows why AI governance cannot rely on human-era control assumptions when delegated machine behaviour is expanding across enterprise workflows.
  • For a broader view of the control problem, see Ultimate Guide to NHIs for lifecycle, rotation, and visibility patterns that underpin runtime governance.

What this signals

Intent security: enterprise programmes need a way to define what AI is meant to accomplish, then compare runtime behaviour against that mandate. Without that layer, teams can preserve access controls and still lose governance when workflows expand or reinterpret policy in production.

The practical shift is toward identity-aware auditability for delegated machine action, especially where browsers, gateways, and autonomous workflows now mediate execution. That means logs, approvals, and control exceptions must describe authority, not just access, and the gap is widening faster than many IAM roadmaps account for.

With only 1.5 out of 10 organisations highly confident in securing NHIs, per The State of Non-Human Identity Security, the next maturity step is not more policy volume. It is tighter mapping between intent, identity, and runtime enforcement.


For practitioners

  • Define intent boundaries for every agent deployment Document the allowed purpose, data scope, tool scope, and decision scope before production rollout. Review those boundaries whenever the workflow expands, because operational drift is how delegated authority quietly exceeds its original mandate.
  • Treat browser agents as delegated execution contexts Reassess session binding, step-up checks, and authenticated workflow assumptions when an agent can act inside the same browser session as a person. Separate human approval from machine continuation where the browser may execute beyond the user’s immediate intent.
  • Put AI gateways under control-plane governance Apply segmentation, versioned policy rollout, rollback planning, and monitoring to the gateway layer, because it is now the choke point for model access, agent permissions, and action enforcement. Avoid global policies that can fail across every workflow at once.
  • Map AI actions to accountable identity and logging paths Ensure AI-mediated actions are attributed in logs with the identity, authority, and context used at execution time. This supports auditability when behaviour crosses from policy-compliant access into mandate overreach.

Key takeaways

  • Enterprise AI security is moving from access control to authority control, because agents and browser workflows can act inside valid sessions while still exceeding intended mandate.
  • The evidence in the article points to a structural governance gap, with delegated AI behaviour, gateway concentration, and runtime drift all weakening static IAM assumptions.
  • Practitioners should define purpose boundaries, govern AI gateways as control planes, and require auditability for AI-mediated actions before these systems scale further.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while the NIST AI RMF and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A1 | Agentic behaviour and tool use are central to the article's risk model.
NIST AI RMF | GOVERN, MAP functions | The article focuses on governance, accountability, and runtime oversight for AI systems.
NIST Zero Trust (SP 800-207) | Per-session access tenet (Section 2.1); see also NIST CSF 1.1 PR.AC-4 | Session trust and delegated access are directly challenged by browser agents.

Apply the NIST AI RMF GOVERN and MAP functions to assign ownership, document intent, and monitor AI behaviour in production.


Key terms

  • Intent Security: Intent security is the discipline of defining what an AI system is meant to accomplish and enforcing that mandate at runtime. It extends governance beyond access control so organisations can detect when a system technically stays within permissions but operationally strays beyond purpose.
  • Agentic Browser: An agentic browser is a browser environment that can execute actions on a user’s behalf rather than only displaying content. It blends human and machine intent in one session, which makes traditional assumptions about session stability, authentication, and step-up checks much less reliable.
  • AI Gateway: An AI gateway is a control plane that routes model and agent traffic while enforcing policy, observability, identity mapping, and related controls. In practice, it becomes a central trust broker for non-human action, so its integrity and segmentation matter as much as its filtering logic.
  • Mandate Drift: Mandate drift is the gradual expansion of an AI system’s behaviour beyond the purpose it was originally approved to serve. It often happens through workflow expansion, prompt changes, or new integrations, and it creates governance risk even when the underlying access permissions remain unchanged.

Deepen your knowledge

Enterprise AI intent boundaries and delegated machine action are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance for agentic workflows or browser-resident AI, it is worth exploring.

This post draws on content published by Lasso Security: Enterprise AI Security Predictions 2026: Intent & Control. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org