Part 2 of "Trust the Machine" — a series on building AI infrastructure that is secure, compliant, and governable by design.

The shift from model-as-function to model-as-actor

For most of the current wave of AI adoption, the model has been a source of answers. It generated text, summarized documents, and drafted code, but a person remained in the loop to review and act on its output. That arrangement kept the security model familiar: the model was, in effect, a sophisticated function called by trusted code.

Agentic systems break that arrangement. An agent does not merely respond. It plans, decides, and acts. It calls tools, queries systems, writes to databases, sends messages, and increasingly initiates transactions, often across multiple steps without human review. The industry consensus entering 2026 is direct: securing AI agents is among the defining challenges of the year. The OWASP GenAI Security Project published a dedicated Top 10 for agentic AI in late 2025, and major analyst and vendor guidance has followed.

The reason is structural. When a model begins to act, the trust boundary moves inside its reasoning loop. Controls positioned at the network perimeter or the API gateway no longer suffice, because the adversary's objective is not to breach the perimeter but to influence the agent's decisions. And the agent already sits inside the perimeter, holding legitimate credentials. This post examines how agents fail and how to contain them.