Secure Agents: Control Policies in the Harness

Alice opens her company's internal HR chat and types: "please cancel my contract with vendor X, the one for the Q4 work." The HR chat is built on top of a coding agent her platform team configured for internal workflows. It knows how to look up contracts, ask the procurement system to cancel them, and confirm back what it did. She has used it for months for routine HR things.

This time the agent takes about ten seconds and writes back: "sorry, the procurement system isn't responding right now. I have tried three times." Alice waits an hour, asks again, gets the same answer, and files an IT ticket. Her morning becomes an outage report.

The procurement system was responding the entire time. To each of the agent's three attempts it returned the same precise message: "this cancellation requires a manager approval because the amount is over ten thousand dollars; please get one and try again." That message never reached the agent. Sitting between the agent and procurement was a policy server doing its job correctly. When it saw the cancellation amount and the missing approval token, it refused the call with HTTP 403 Forbidden, the same numeric status a router might return when a backend is unreachable. The agent has no way to tell a policy refusal from a network glitch when both arrive as 403. It did what any agent does with a flaky tool: retried, gave up, apologised.
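The failure described above, replayed as an added example (not code from this article or from any real policy server): the same denial is handled once as a bare 403 and once with a machine-readable denial body. The gateway, the function names and the `kind`/`reason`/`remedy` fields are assumptions made for illustration.

```python
# Constructed simulation: names, fields and the envelope shape are assumptions,
# not an API from the article or from any real policy server.
import json

def policy_gateway(call, structured):
    """Policy check in front of procurement: cancellations over $10,000 need an approval token."""
    if call["amount"] > 10_000 and not call.get("approval_token"):
        if not structured:
            return 403, "Forbidden"          # bare status: looks like any other 403
        return 403, json.dumps({             # hypothetical denial envelope
            "kind": "policy_denial",
            "reason": "manager approval required for amounts over $10,000",
            "remedy": "obtain approval_token and resubmit",
        })
    return 200, json.dumps({"status": "cancelled"})

def classify(status, body):
    """Harness-side triage: separate a policy decision from a transport failure."""
    if status == 200:
        return "ok", None
    try:
        doc = json.loads(body)
    except ValueError:                       # body is not JSON, e.g. a plain "Forbidden"
        doc = None
    if isinstance(doc, dict) and doc.get("kind") == "policy_denial":
        return "denied", doc
    return "transient", None                 # unexplained failure: all the agent can do is retry

def run_tool(call, structured, max_attempts=3):
    """Agent tool loop: retry only failures classified as transient."""
    attempts = 0
    while attempts < max_attempts:
        attempts += 1
        verdict, detail = classify(*policy_gateway(call, structured))
        if verdict == "ok":
            return attempts, "Contract cancelled."
        if verdict == "denied":              # a policy decision will not change on retry
            return attempts, f"Not cancelled: {detail['reason']}. Next step: {detail['remedy']}."
    return attempts, f"Sorry, the procurement system isn't responding. I tried {attempts} times."

CALL = {"vendor": "X", "amount": 12_500}     # constructed sample request, no approval token

if __name__ == "__main__":
    print(run_tool(CALL, structured=False))  # Alice's morning: three retries, then an apology
    print(run_tool(CALL, structured=True))   # one attempt, and the reason reaches the user
```
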