TL;DR: Claude Code agents can already read files, run commands, and chain tool calls, but local hooks alone leave no central audit trail or enforceable policy layer, according to Cerbos. The real governance gap is assumption collapse: access review and IAM controls were built for stable identities, not per-tool decisions made at runtime by agentic workflows.
NHIMG editorial — based on content published by Cerbos: Claude Code hooks, policy enforcement, and AI agent governance
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
Questions worth separating out
Q: How should security teams govern AI agent tool calls in development environments?
A: Treat each tool call as an authorisation event, not a generic automation step.
Q: What breaks when Claude Code hooks are left as local developer settings?
A: Governance becomes optional and uneven.
Q: How do you know if AI agent access controls are actually working?
A: Look for complete decision logs, central policy distribution, and consistent enforcement across every managed device.
Practitioner guidance
- Map agent tool calls to policy decisions. Classify every Claude Code action that can read, write, or execute as an authorisation request with a principal, resource, and action.
- Enforce hooks through managed settings. Push hook configuration through MDM or managed config so developers cannot remove or bypass the policy check locally.
- Start with an observe-only rollout. Collect allow, deny, and no-match telemetry before writing enforcement rules.
What's in the full article
Cerbos's full article covers the operational detail this post intentionally leaves for the source:
- The exact Synapse hook configuration and route extension setup for Claude Code.
- Step-by-step examples of managed settings delivered through Jamf, Intune, or managed config files.
- Policy examples for file-path denial, role-based tool access, and command-level guardrails.
- The observe-then-enforce rollout pattern with audit logging and policy distribution through Hub.
Claude Code hooks and AI agent governance: what teams are missing?
Explore further
Central policy enforcement is now the missing control plane for agent tool use. Claude Code can already chain reads, writes, and shell execution in ways that create real security decisions at runtime. Local hooks provide interception, but they do not create a governing boundary unless policy is applied centrally and consistently. The implication is that identity teams must stop treating agent tools as developer ergonomics and start treating them as policy-enforced execution points.
A few things that frame the scale:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
A question worth separating out:
Q: What should teams do when an AI agent tries to access sensitive files or destructive commands?
A: Deny the action at the policy layer and return a clear reason that can be logged and reviewed. Then use the denial data to refine the policy set around file paths, command patterns, and role scope. The goal is to stop risky execution before it happens and preserve a traceable record.
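The practitioner guidance and the deny-with-reason answer above, sketched as an added example (not Cerbos's Synapse configuration or code from the source article): each tool call becomes a principal/resource/action request, is evaluated to allow, deny or no-match, and is logged in both observe and enforce modes. The rule format, tool names, input field names and principal are assumptions made for illustration.

```python
import fnmatch
import json
import posixpath

# Hypothetical rules (effect, action, pattern, roles, reason), not Cerbos syntax; first match wins.
RULES = [
    ("deny", "read", "*.env", {"*"}, "secrets file"),
    ("deny", "execute", "rm -rf*", {"*"}, "destructive command"),
    ("allow", "read", "src/*", {"developer"}, "source tree readable by developers"),
    ("allow", "execute", "git status*", {"developer"}, "read-only git command"),
]
# Assumed tool names and input fields in the hook event.
TOOL_ACTIONS = {"Read": ("read", "file_path"), "Write": ("write", "file_path"),
                "Edit": ("write", "file_path"), "Bash": ("execute", "command")}

def to_request(principal, event):
    """Turn one tool call into a principal/resource/action authorisation request."""
    action, field = TOOL_ACTIONS.get(event["tool_name"], ("unknown", None))
    resource = event.get("tool_input", {}).get(field, "") if field else ""
    if field == "file_path":
        resource = posixpath.normpath(resource)  # src/../.env must not pass as src/*
    return {"principal": principal, "action": action, "resource": resource}

def decide(request):
    """Return (decision, reason); decision is allow, deny or no_match."""
    roles = set(request["principal"]["roles"])
    for effect, action, pattern, rule_roles, reason in RULES:
        if (action == request["action"] and ("*" in rule_roles or roles & rule_roles)
                and fnmatch.fnmatchcase(request["resource"], pattern)):
            return effect, reason
    return "no_match", "no rule covers this request"

def handle(principal, event, mode, log):
    """Log every decision; block only in enforce mode. True means the call may run."""
    request = to_request(principal, event)
    decision, reason = decide(request)
    # Assumption: enforce mode is default-deny, so no_match is blocked as well.
    permitted = mode == "observe" or decision == "allow"
    log.append(json.dumps({**request, "decision": decision, "reason": reason,
                           "mode": mode, "permitted": permitted}))
    return permitted

if __name__ == "__main__":  # constructed principal and tool calls
    dev, audit = {"id": "dev-laptop-17", "roles": ["developer"]}, []
    for ev in ({"tool_name": "Read", "tool_input": {"file_path": "src/../.env"}},
               {"tool_name": "Bash", "tool_input": {"command": "curl http://example.invalid"}}):
        print(handle(dev, ev, "observe", audit), audit[-1])
```

The no-match records gathered in observe mode show which tool calls still lack a rule before enforcement is switched on.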