We Gave AI Agents Hands. We Forgot the Permissions Layer. aka What Happens When Cursor Writes to Prod
14:25 - 14:55, 20th of May (Wednesday) 2026 / AI & Architecture
Your engineers are running AI agents right now - Cursor, Claude Code, Copilot - and those agents have hands. They execute shell commands, edit production code, hit databases, invoke MCP servers, run scripts. Each is a different path for an agent to act on the world, and your security stack governs none of them.
Here's what we don't have yet: a permissions model for AI agents. OAuth gave us user authorization. IAM gave us service-to-service authorization. The agent layer - where "the LLM decided" becomes "it happened in production" - has nothing. Agents inherit your engineers' full credentials and operate with the union of every access path that engineer ever had.
We've spent the last year building governance for this layer at enterprise scale, and it's not just an MCP problem. MCP is one transport. CLIs, Skills, file system access, raw HTTP — each is a different way for agents to act, and none of them has a standard pattern for "this agent, in this context, is allowed to do X but not Y."
In this talk: what breaks when agents run ungoverned, why agentic security is a category being invented in real time, and what a permissions layer for AI agents actually looks like in practice.
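To make the missing layer concrete, here is a small default-deny policy evaluator for agent actions. It is an added illustration for this abstract, not code from the speakers or from any product they describe; the transports, rule format, sample engineers (alice, bob), sample rules and sample actions are all constructed assumptions. The two properties it demonstrates are the ones the abstract calls out: an action is judged per transport (shell, file system, HTTP, MCP) under a single policy, and the agent's effective rights are the intersection of the engineer's own grants and the agent rules, so the agent does not simply inherit the engineer's full credential set.

```python
"""Default-deny permissions layer for AI agent actions (constructed example).

Added illustration for the abstract above, not the speakers' code.
Rule format, transports, sample principals and sample actions are assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Action:
    transport: str  # "shell" | "fs" | "http" | "mcp"
    verb: str       # e.g. "exec", "read", "write", "GET", "POST", "call"
    target: str     # command line, path, URL, or "server/tool"


@dataclass(frozen=True)
class Context:
    agent: str        # which agent is acting, e.g. "cursor"
    principal: str    # the engineer whose session the agent runs in
    environment: str  # "dev" | "staging" | "prod"


@dataclass(frozen=True)
class Rule:
    effect: str                    # "allow" | "deny"
    agents: tuple[str, ...]        # "*" matches any agent
    environments: tuple[str, ...]  # "*" matches any environment
    transport: str
    verbs: tuple[str, ...]
    target_glob: str               # fnmatch pattern over Action.target


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AgentPolicy:
    """Explicit deny beats allow; no match means deny. The agent's effective
    rights are the intersection of the engineer's grants and these rules, so
    it never inherits the engineer's full credential set by default."""

    def __init__(self, rules, principal_grants):
        self.rules = list(rules)
        self.principal_grants = principal_grants  # {principal: {(transport, verb)}}
        self.audit = []  # every decision is recorded for detection and review

    def _matches(self, rule, action, ctx):
        return (rule.transport == action.transport
                and (action.verb in rule.verbs or "*" in rule.verbs)
                and (ctx.agent in rule.agents or "*" in rule.agents)
                and (ctx.environment in rule.environments or "*" in rule.environments)
                and fnmatch(action.target, rule.target_glob))

    def evaluate(self, action, ctx):
        # Step 1: the agent can never exceed what the human principal may do.
        grants = self.principal_grants.get(ctx.principal, set())
        if (action.transport, action.verb) not in grants:
            decision = Decision(False, f"principal {ctx.principal} lacks {action.transport}:{action.verb}")
        else:
            # Step 2: agent-specific rules, deny-overrides, default deny.
            matched = [r for r in self.rules if self._matches(r, action, ctx)]
            if any(r.effect == "deny" for r in matched):
                decision = Decision(False, "explicit deny")
            elif any(r.effect == "allow" for r in matched):
                decision = Decision(True, "explicit allow")
            else:
                decision = Decision(False, "no matching allow (default deny)")
        self.audit.append((ctx, action, decision))
        return decision


# Constructed policy: the coding agent may edit source and run tests outside prod
# and open PRs through one MCP tool. Writes to prod are denied for every agent.
RULES = [
    Rule("deny",  ("*",),      ("prod",),          "fs",    ("write",),         "*"),
    Rule("allow", ("cursor",), ("dev", "staging"), "fs",    ("read", "write"),  "src/*"),
    Rule("allow", ("cursor",), ("dev", "staging"), "shell", ("exec",),          "pytest*"),
    Rule("allow", ("cursor",), ("*",),             "mcp",   ("call",),          "github/create_pr"),
]

# Constructed grants: what each engineer could do on their own, without an agent.
GRANTS = {
    "alice": {("fs", "read"), ("fs", "write"), ("shell", "exec"), ("mcp", "call"), ("http", "GET")},
    "bob": {("fs", "read")},
}


def run_demo():
    """Evaluate constructed agent actions; returns a list of (label, allowed, reason)."""
    policy = AgentPolicy(RULES, GRANTS)
    cases = [
        ("edit-dev",  Action("fs", "write", "src/app/main.py"),               Context("cursor", "alice", "dev")),
        ("edit-prod", Action("fs", "write", "src/app/main.py"),               Context("cursor", "alice", "prod")),
        ("run-tests", Action("shell", "exec", "pytest tests/"),               Context("cursor", "alice", "dev")),
        ("curl",      Action("shell", "exec", "curl https://example.invalid"), Context("cursor", "alice", "dev")),
        ("open-pr",   Action("mcp", "call", "github/create_pr"),              Context("cursor", "alice", "prod")),
        ("bob-post",  Action("http", "POST", "https://billing.example.invalid"), Context("cursor", "bob", "dev")),
    ]
    results = []
    for label, action, ctx in cases:
        decision = policy.evaluate(action, ctx)
        results.append((label, decision.allowed, decision.reason))
    return results


if __name__ == "__main__":
    for label, allowed, reason in run_demo():
        print(f"{label:10} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The ordering matters: checking the principal's own grants first means a compromised or confused agent cannot escalate past its operator, and checking agent rules second means even a fully privileged engineer's session gets a narrower agent scope. Recording every decision in `audit`, including denials, gives the detection side something to alert on when an agent starts probing outside its lane.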