If you’re building operations workflows with AI agents (automating candidate screening in your ATS, updating deal stages in your CRM, or routing requests across your team’s tools), you’ve probably asked: is this actually safe? Can I give an AI agent access to Salesforce without worrying about what it might do?
That’s the right instinct. But it’s the wrong question.
The better question: how do we manage this responsibly?
Agents Are a New Type of Actor
Think of your current security setup like a theater production. You have actors (employees), stagehands (automated services), and a director (IT administrators). Everyone has a defined role. The security team knows how each type of participant behaves.
Now introduce an improvisation artist who can play multiple roles, make decisions on the fly, and interact with both actors and stagehands. That’s what an AI agent is. Not quite a user, not quite a service, but something that reasons, plans, and takes actions autonomously.
This creates a fundamental tension: the more access an agent has, the more useful it becomes, but also the more risk it introduces. Security frameworks now identify critical threats specific to autonomous systems: scenarios where agents can be manipulated into performing unauthorized actions, or where their decision-making is hijacked to serve someone else’s goals.
The question isn’t “Is it safe?” It’s “How do we manage this responsibly?”
The Broader Security Landscape
The AI cybersecurity market is projected to reach $93.75 billion by 2030, a 24.4% annual growth rate (Grand View Research). Organizations can’t hire their way out of the problem, which is exactly why AI augmentation is accelerating.
Meanwhile, attackers are moving faster than ever. Median dwell time (the window between breach and detection) fell to 10 days in 2023, down from 16 days the year before (Mandiant M-Trends 2024). The fastest 25% of intrusions now reach data exfiltration in under 1.2 hours. CrowdStrike’s 2024 Global Threat Report clocked average lateral movement at 62 minutes, with the fastest recorded case completing in 2 minutes and 7 seconds.
Defensive applications include automated security operations, continuous monitoring, and adaptive threat hunting. Offensive applications include autonomous penetration testing and accelerated attack campaigns. The same technology, pointed in opposite directions.
Organizations can’t afford to treat agent security as an afterthought. The question isn’t whether AI agents will be part of your security landscape. It’s how you’ll manage them responsibly.
What Changes When AI Becomes Autonomous
Traditional AI tools generate text or analyze data, but they don’t act. Agentic AI is different. These systems have both a “brain” (the language model that reasons) and “hands” (the tools they use to take action). This combination means that mistakes or manipulations can result in irreversible actions with real business consequences.
Consider the difference between asking an AI to draft an email versus having an agent that can send emails, schedule meetings, and update databases based on its understanding of your goals. The second scenario is far more powerful. But if something goes wrong, the impact is immediate and tangible.
The security challenge intensifies because agents operate with characteristics traditional systems don’t have.
Persistent memory. Agents remember context across multiple interactions, which makes them more effective but also creates new vulnerabilities. If an attacker manages to inject false information into an agent’s memory, those corrupted “memories” can influence decisions across many future interactions and potentially affect multiple users.
Tool orchestration. Agents don’t just use one tool. They chain multiple tools together to accomplish complex tasks. Think of it like giving someone access to your workshop: they can use the saw, the drill, and the paint, combining them in creative ways. But if one tool is compromised, the problem can cascade through the entire workflow.
Self-directed behavior. Higher-autonomy agents can initiate actions based on monitoring patterns or learned behaviors, not just explicit commands. This makes them incredibly efficient but also harder to predict and control.
These aren’t theoretical risks. In mid-2025, security researchers demonstrated EchoLeak (CVE-2025-32711) against Microsoft 365 Copilot: a zero-click attack where a malicious email with hidden instructions could cause Copilot to silently exfiltrate OneDrive files, SharePoint documents, and Teams conversations to attacker-controlled servers. The user doesn’t click anything. The agent acts autonomously, following injected instructions it can’t distinguish from legitimate ones. Microsoft patched it in May 2025.
Later that year, ZombieAgent demonstrated the same principle against ChatGPT agents: malicious rules implanted into the agent’s long-term memory persisted across sessions, executing hidden actions without any ongoing attacker engagement, and leaving no traces in corporate security logs.
This is what “persistent memory creates new vulnerabilities” looks like in practice.
Three Essential Questions for Data Access
When evaluating whether to give an agent access to corporate data, start here.
What data does the agent see?
Agents use context to make decisions, so they need access to information. The principle of least privilege is the foundation: grant access only to what the agent needs for its specific mission.
Think of it like giving a contractor access to your building. You provide a key to the rooms they need to work in, not a master key to every door.
In practice: if you’re deploying an agent to screen candidates in Greenhouse, it needs read access to applications, not write access to offer letters or salary data. If your Sales Ops agent updates deal stages in Salesforce, it needs access to the pipeline view, not to pricing tables or contract templates. One of the most common risks in agentic systems is agents being tricked into accessing data outside their intended scope, a problem that grows quickly when permissions are set too broadly from the start.
Without proper scoping, agents see too much. Narrow the lens.
What actions can it perform?
Tools are the agent’s “hands”: the mechanisms through which it interacts with your systems. Define clear boundaries: granular authorization policies that constrain which interfaces and functions the agent can access. If an agent’s job is to schedule meetings, it shouldn’t have the ability to delete files or modify financial records.
Without explicit boundaries, agents do too much. Limit the hands.
How are its actions logged?
Accountability requires visibility. When an agent acts, there should be a detailed audit trail showing what it did, why it made that decision, and what information it used. This is especially important because agents can make dozens or hundreds of decisions in rapid succession. Understanding the chain of reasoning becomes critical when reviewing outcomes.
Without audit trails, agents act in the dark. Demand visibility.
The Hybrid Security Approach
Traditional security relies heavily on deterministic rules: if X happens, do Y. But agents operate in a more fluid environment where rigid rules can be too restrictive or easily circumvented.
The emerging best practice combines deterministic rules with AI-based monitoring. Think of it like having both traffic lights (fixed rules) and traffic police (adaptive judgment) working together. Specialized monitoring systems examine an agent’s proposed plans before execution to prevent manipulation or hijacking of its behavior.
A fair question: if AI agents can be manipulated, why would an AI monitoring system be more trustworthy? The answer is that monitoring systems use different models with different attack surfaces. More importantly, the monitoring layer isn’t the last line of defense. It’s one of several. The final layer is always human: for high-risk actions (sending emails, modifying financial records, updating contracts), require explicit human approval regardless of what the monitoring system says.
When anomalies are detected, the system doesn’t fail. It forces human review. The agent pauses, flags the action, and waits. This is the difference between a security model that assumes perfection and one that assumes failure and plans accordingly.
Agency Versus Autonomy
Two dimensions define how any agent operates:
- Agency refers to what an AI can do. Its scope of actions and permissions.
- Autonomy refers to how independently it acts. The degree of human intervention required before taking action.
These two dimensions can be combined in different ways. An agent might have broad agency (access to many tools and data sources) but low autonomy (requiring human approval for most actions). Or it might have narrow agency (access to only a few specific functions) but high autonomy (operating independently within that limited scope).
For most Operations teams deploying their first agents, the practical starting point is what’s often called the Collaborator level: the agent plans and proposes, the human approves and executes. Your candidate screening agent surfaces the top 5 applicants with reasoning. You decide who moves forward. Your CRM agent drafts the follow-up sequence. You hit send.
This isn’t a limitation. It’s a deliberate design choice that builds the trust baseline you need before expanding autonomy. Organizations that start at this level build confidence incrementally rather than discovering problems at scale.
The key insight: start with lower autonomy and progressively increase it as you build confidence in the agent’s behavior and your security measures. Think of it like teaching someone to drive. You start in an empty parking lot with close supervision before letting them navigate rush-hour traffic independently.
The Balance: Security and Value
An agent locked in a completely isolated environment with no access to data or tools provides no value. The goal isn’t to eliminate risk. It’s to manage it intelligently.
Ask yourself three questions:
- What’s the worst-case scenario? If this agent were completely compromised, what’s the maximum damage it could cause? This helps you understand the stakes.
- What controls can mitigate it? Which security measures would prevent that worst case or significantly reduce its likelihood and impact?
- What’s the upside? What business value does the agent provide? How much efficiency, insight, or capability do you gain?
The answer isn’t the same for every organization or every use case. An agent that schedules internal meetings has a very different risk profile than one that processes customer payments or manages infrastructure. Tailor your security posture to the specific context.
What to Look For in a Platform
Beyond how you configure and deploy agents, the platform you choose matters enormously. When evaluating an AI agent platform for your Operations stack:
- Defined reasoning boundaries. Agent instructions explicitly define what the agent should and shouldn’t do. Ask the vendor: can I see the system prompt? Can I modify it? This is your primary control over agent behavior.
- Explicit capability grants. Tools and data access are explicitly granted, not assumed. Red flag: platforms where agents have implicit access to “everything the user can see.” You want granular, auditable permission grants.
- Comprehensive audit logs. Every action logged with full context: what it did, when, why, and based on what information. Ask: can I replay an agent’s decision chain from 30 days ago? For compliance purposes, logs need to be immutable and queryable.
- Data encryption. At rest and in transit, using industry-standard protocols. Verify this applies to agent memory and tool call payloads, not just stored files.
- Zero-retention AI endpoints. When agents use external AI services for reasoning, the platform should use endpoints that don’t retain or train on your data. Non-negotiable for any data touching candidates, customers, or financials.
- Access control. You control who can create agents, what data they can access, and what actions they can perform. Look for role-based agent permissions, not just user-level access controls.
No single measure is perfect. Together they significantly reduce risk while preserving the agent’s ability to deliver value.
A Phased Approach
A concrete starting framework for Operations teams:
Phase 1: Read-Only Pilot (Weeks 1-2). Deploy agents with read-only access to one system. No write permissions. Human approval required for every action. Goal: understand how the agent reasons and what it accesses. Example: an agent reads candidate profiles in Greenhouse and surfaces summaries. You decide next steps.
Phase 2: Supervised Write Access (Weeks 3-6). Grant write access to low-stakes fields. Automated logging of every action. Human approval still required for sends, emails, or external-facing actions. Example: an agent updates deal stages in HubSpot based on activity. You approve before any outreach.
Phase 3: Monitored Autonomy (Weeks 7-12). Expand to higher-autonomy actions with anomaly detection in place. Define clear kill-switch criteria: what behavior triggers immediate human review? Example: an agent handles initial candidate outreach autonomously, but any action involving salary, offers, or rejections requires human sign-off.
The entry criterion for each phase: clean audit logs, no unexpected access patterns, and a clear answer to “what’s the worst case if this goes wrong?”
Security isn’t a one-time decision. It’s an ongoing process. As agents evolve, as threats change, and as your organization’s needs shift, your security posture should adapt accordingly.
The Bottom Line
AI agents are powerful enough to be worth the complexity, and manageable enough that the complexity shouldn’t stop you.
The organizations that will struggle treat security as a binary: either lock everything down or give the agent free rein. The ones that will succeed treat it as a calibration problem.
If you’re an HR Ops or Sales Ops team considering your first agent deployment, the order of priority:
- Start with read-only access and human approval for everything
- Define your kill-switch criteria before you deploy, not after
- Build audit logs from day one. They’re your evidence when something looks wrong
- Expand autonomy incrementally, phase by phase, as confidence grows
AI agents are already part of your competitors’ operations stack. The question is whether you’ll deploy them with the controls that let you sleep at night.
Build and Run Agents Safely with Theona
That’s exactly what Theona was built for.
We kept running into the same problem: Operations teams wanted to work with AI agents, but the available tools either gave agents too much access with too little visibility, or required security expertise most Ops teams don’t have.
Theona is an environment where you build agents, connect them to your tools, and control exactly what they can access. Integrations are explicit and auditable: you decide which systems an agent can reach and what it can do there. Every action is logged with full context. We use zero-retention endpoints where available and ensure no provider uses your data for model training.
We’re currently working toward SOC 2 Type II certification. We started early because the organizations trusting us with their data deserve that level of accountability.
If you’re evaluating options, we’d love to show you how we’ve implemented these principles, and where we still have work to do.
