TL;DR: Fortinet’s FortiAI 8.0 underscores that AI security is now a board-level infrastructure issue, but EnforceAuth's article argues that perimeter visibility still stops short of runtime authorization for agents. The real failure is assuming that authentication and traffic inspection can govern autonomous, always-on identities once the session has started.
NHIMG editorial — based on content published by EnforceAuth: AI security beyond the perimeter and the Authorization Gap
By the numbers:
- Machine identities outnumber human identities 45 to 1 in the average enterprise.
- 86% of CISOs say they don't enforce access policies for AI-specific identities.
Questions worth separating out
Q: How should security teams govern AI agents after authentication?
A: They should govern AI agents with runtime authorization, not just login-time authentication.
Q: Why do perimeter controls fall short for AI agent security?
A: Perimeter controls fall short because they can observe traffic and still leave action-level decisions ungoverned.
Q: What do teams get wrong about AI safety and AI security?
A: They often treat safety controls like content filters and guardrails as if they were security controls.
Practitioner guidance
- Separate visibility from enforcement: map which controls only detect AI or NHI behaviour and which controls can actually deny a specific action in real time.
- Define action-level policy for AI identities: move beyond coarse entitlements and write policies for specific resources, tools, and data classes.
- Build runtime checks into AI and NHI workflows: require every high-risk agent action to pass a runtime decision point that can be logged and audited.
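The three guidance points above describe one control: a runtime policy decision point that every agent action passes through after authentication. The following is an added illustration written for this post, not code from EnforceAuth or Fortinet. The agent identities, tool names, resource paths and data classes are constructed, and the rule shape is a hypothetical one chosen to show action-level policy (agent x tool x resource x data class), default deny, and the difference between a monitor-only deployment that logs what it would have blocked and an enforce deployment that actually denies.

```python
"""Runtime authorization for AI agent actions (added example, not vendor code).

Every tool call an agent makes is evaluated against action-level rules.
An authenticated session is a precondition, never a verdict: a fully
authenticated agent is still denied anything no rule explicitly allows.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    """One policy line. Globs match agent identity, tool and resource;
    data_classes restricts the rule to those classes (empty = any class)."""
    agent: str
    tool: str
    resource: str
    data_classes: frozenset
    effect: str       # "allow" or "deny"
    reason: str       # lands in the audit record


@dataclass(frozen=True)
class Action:
    """A single tool call an agent is about to perform (hypothetical shape)."""
    agent: str
    tool: str
    resource: str
    data_class: str
    authenticated: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool          # what the workflow must honour
    policy_verdict: str    # "allow" or "deny" according to the rules
    rule: str              # reason of the deciding rule, or "default-deny"
    mode: str              # "monitor" (visibility only) or "enforce"


class PolicyDecisionPoint:
    """Default-deny evaluator. In "monitor" mode it only records what it
    would have blocked; in "enforce" mode the verdict is binding."""

    def __init__(self, rules, mode="enforce"):
        if mode not in ("monitor", "enforce"):
            raise ValueError("mode must be 'monitor' or 'enforce'")
        self.rules = list(rules)
        self.mode = mode
        self.audit_log = []

    def decide(self, action: Action) -> Decision:
        verdict, rule = "deny", "default-deny"
        if not action.authenticated:
            rule = "unauthenticated"
        else:
            for r in self.rules:  # first match wins; keep deny rules first
                if (fnmatchcase(action.agent, r.agent)
                        and fnmatchcase(action.tool, r.tool)
                        and fnmatchcase(action.resource, r.resource)
                        and (not r.data_classes or action.data_class in r.data_classes)):
                    verdict, rule = r.effect, r.reason
                    break
        allowed = (verdict == "allow") if self.mode == "enforce" else True
        self.audit_log.append({
            "agent": action.agent, "tool": action.tool,
            "resource": action.resource, "data_class": action.data_class,
            "policy_verdict": verdict, "enforced": self.mode == "enforce",
            "allowed": allowed, "rule": rule,
        })
        return Decision(allowed, verdict, rule, self.mode)


# Constructed policy for a constructed "support" agent family.
RULES = (
    Rule("*", "*", "*", frozenset({"restricted"}), "deny",
         "restricted data is never reachable by an agent"),
    Rule("agent:support-*", "crm.read", "crm/tickets/*",
         frozenset({"public", "internal"}), "allow", "support agents read tickets"),
    Rule("agent:support-*", "crm.write", "crm/tickets/*",
         frozenset({"internal"}), "allow", "support agents update tickets"),
)


def build_pdp(mode: str = "enforce") -> PolicyDecisionPoint:
    return PolicyDecisionPoint(RULES, mode)


if __name__ == "__main__":
    pdp = build_pdp("enforce")
    for a in (Action("agent:support-1", "crm.read", "crm/tickets/123", "internal"),
              Action("agent:support-1", "crm.read", "crm/tickets/123", "restricted"),
              Action("agent:support-1", "crm.export", "crm/tickets/*", "internal"),
              Action("agent:billing-1", "crm.read", "crm/tickets/123", "internal")):
        print(pdp.decide(a))
```

Note that the third and fourth sample actions are denied even though the session is authenticated: a new tool (`crm.export`) and a different agent family both fall through to default deny, which is the gap that login-time authentication alone cannot close. Running the same actions through `build_pdp("monitor")` returns `allowed=True` for all of them while the audit log still records `policy_verdict="deny"`; that log is the artefact to review before switching a control from visibility to enforcement.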
What's in the full article
EnforceAuth's full article covers the operational detail this post intentionally leaves for the source:
- How FortiAI 8.0's perimeter capabilities are positioned across shadow AI visibility, MCF inspection, and DLP.
- The article's explanation of the Authorization Gap and how it differs from AI safety controls.
- Examples of runtime authorization across applications, infrastructure, data, and AI workloads.
- The vendor's compliance mapping for DORA, SOC 2, HIPAA, and ISO 27001.
Read EnforceAuth's analysis of AI security beyond the perimeter: "AI agent security beyond the perimeter: is your authorization stack ready?"