TL;DR: AI is moving from chat interfaces into code, APIs, customer workflows, and production systems, and Orca Security argues that once it can execute actions it must be governed like an operator, with defined permissions, human verification for sensitive actions, and auditable behavior. The identity lesson is that control boundaries built for passive tools break when the system starts acting inside the environment.
NHIMG editorial — based on content published by Orca Security: The Tool Becomes the Operator
Questions worth separating out
Q: How should security teams govern AI agents that can act inside production systems?
A: Security teams should govern them as operator identities with bounded authority, not as passive tools.
Q: Why do AI agents change traditional IAM assumptions?
A: They change IAM assumptions because identity is no longer only about authentication and access.
Q: What do security teams get wrong about prompt injection?
A: Teams often treat prompt injection as a content problem, when it is also an execution problem.
Practitioner guidance
- Classify AI systems by action authority: map each agent to the exact systems, APIs, and workflows it can affect.
- Gate sensitive actions with human verification: require a human checkpoint before any AI-driven change that can impact customers, infrastructure, or security settings.
- Instrument agent behaviour for auditability: log prompts, tool calls, outputs, and state-changing actions in a durable format that security teams can review after the fact.
What's in the full article
Orca Security's full research covers the operational detail this post intentionally leaves for the source:
- Examples of AI systems writing code, calling APIs, and taking customer-facing actions inside live environments.
- The article's framing of how prompt injection works when instructions and data share the same prompt space.
- Practical guidance on applying boundaries, human verification, and observability to AI operators in production.
- The security reasoning behind treating AI as an actor inside the environment rather than a passive assistant.
👉 Read Orca Security's analysis of AI agents as operators in infrastructure →
AI agents in infrastructure: are your identity controls keeping up?
Explore further
AI agents are becoming operator identities, not just application features. The security model changes the moment a system can write code, call APIs, or alter workflows in live environments. That shifts the governance burden from content safety to operational authority. Practitioners should classify the agent by the actions it can take, not the interface it uses.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI, according to the same survey.
A question worth separating out:
Q: How can organisations tell whether an AI operator is staying within scope?
A: They should look for durable evidence of prompts, tool calls, sensitive actions, and approvals. If the organisation cannot reconstruct what the system did and why, scope control is not working. Auditability is the difference between a governed operator and an unaccountable one.
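The practitioner guidance above (action authority, human verification for sensitive actions, durable audit) and the scope question just answered can be shown in one place with a small tool-call gateway. This is an added example, not code from Orca Security or NHIMG: every agent name, tool name, ticket and approver value is constructed for illustration, and the approval queue stands in for whatever change-ticket or chat-ops sign-off an organisation actually uses.

```python
import json
import time
from dataclasses import dataclass, asdict
from typing import Callable, Optional

# Action authority map: agent identity -> the exact tools it may invoke.
# Agent and tool names are constructed for this example.
AGENT_AUTHORITY = {
    "support-triage-agent": {"ticket.read", "ticket.comment"},
    "infra-remediation-agent": {"ticket.read", "firewall.update_rule"},
}
# Tools whose effects reach customers, infrastructure or security settings.
SENSITIVE_TOOLS = {"firewall.update_rule", "iam.attach_policy"}


@dataclass
class AuditRecord:
    ts: float
    agent: str
    prompt: str                      # instruction that led to this tool call
    tool: str
    args: dict
    decision: str                    # executed | denied_out_of_scope | denied_no_approval
    approver: Optional[str] = None   # who signed off a sensitive action
    output: Optional[str] = None


class ApprovalQueue:
    """Stand-in for a human checkpoint: a reviewer grants a single-use approval."""

    def __init__(self) -> None:
        self._approved: dict[tuple[str, str], str] = {}

    def grant(self, agent: str, tool: str, approver: str) -> None:
        self._approved[(agent, tool)] = approver

    def __call__(self, agent: str, tool: str, args: dict) -> Optional[str]:
        return self._approved.pop((agent, tool), None)   # consumed on use


class ToolGateway:
    """Every tool call an agent makes passes through here, never straight to the tool."""

    def __init__(self, tools: dict[str, Callable[..., str]],
                 approve: Callable[[str, str, dict], Optional[str]]) -> None:
        self.tools = tools        # tool name -> implementation
        self.approve = approve    # returns approver id, or None to refuse
        self.log: list[AuditRecord] = []

    def call(self, agent: str, prompt: str, tool: str, args: dict) -> AuditRecord:
        rec = AuditRecord(time.time(), agent, prompt, tool, args, decision="")
        if tool not in AGENT_AUTHORITY.get(agent, set()):
            # Scope check comes first: the prompt content is irrelevant here.
            rec.decision = "denied_out_of_scope"
        elif tool in SENSITIVE_TOOLS and (approver := self.approve(agent, tool, args)) is None:
            rec.decision = "denied_no_approval"
        else:
            if tool in SENSITIVE_TOOLS:
                rec.approver = approver
            rec.decision = "executed"
            rec.output = self.tools[tool](**args)
        self.log.append(rec)      # durable record of prompt, call, decision, approval
        return rec

    def export_jsonl(self) -> str:
        """One JSON line per call, the evidence needed to reconstruct what happened."""
        return "\n".join(json.dumps(asdict(r)) for r in self.log)

    def out_of_scope_attempts(self) -> list[AuditRecord]:
        return [r for r in self.log if r.decision == "denied_out_of_scope"]


# Constructed tool implementations; real ones would call the ticketing and firewall APIs.
TOOLS: dict[str, Callable[..., str]] = {
    "ticket.read": lambda ticket_id: f"ticket {ticket_id}: customer asks to reopen account",
    "ticket.comment": lambda ticket_id, body: f"commented on ticket {ticket_id}",
    "firewall.update_rule": lambda rule_id, action: f"rule {rule_id} set to {action}",
}


def run_scenario() -> ToolGateway:
    """Four calls that exercise each branch of the gateway."""
    queue = ApprovalQueue()
    gw = ToolGateway(TOOLS, queue)
    # In scope and not sensitive: executes with no checkpoint.
    gw.call("support-triage-agent", "summarise ticket 42", "ticket.read", {"ticket_id": "42"})
    # Out of scope: the triage agent has no IAM authority, whatever text it was shown.
    gw.call("support-triage-agent", "ticket body asked for an admin policy to be attached",
            "iam.attach_policy", {"policy": "AdminAccess"})
    # In scope and sensitive, but no human has approved: denied.
    gw.call("infra-remediation-agent", "block noisy source", "firewall.update_rule",
            {"rule_id": "r-7", "action": "deny"})
    # Same call after a reviewer signs off: executed, approver recorded.
    queue.grant("infra-remediation-agent", "firewall.update_rule", "reviewer@example.test")
    gw.call("infra-remediation-agent", "block noisy source", "firewall.update_rule",
            {"rule_id": "r-7", "action": "deny"})
    return gw


if __name__ == "__main__":
    print(run_scenario().export_jsonl())
```

The scope check runs before anything else, which is what makes prompt injection an execution problem rather than only a content one: an instruction smuggled in through ticket text can only ever reach the tools the agent identity was granted. The JSON-lines export answers the scope question directly, since each record ties a prompt to the call it triggered, the decision, and the approver, which is the evidence needed to reconstruct what the system did and why.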
👉 Read our full editorial: AI agents in infrastructure need operator-grade identity controls