Original article published on Substack here.
Why user intent, execution surface, and control visibility are drifting apart
Over the past decade, security teams have made real progress in visibility. Logging is richer. Detection is faster. Data classification has improved. In many environments, we are better than ever at answering a familiar question:
What happened?
And yet, in a growing number of AI-enabled workflows, a more uncomfortable question is becoming harder to answer with confidence:
Who actually caused it — and where did the action really execute?
This is the emerging challenge behind what can be described as the out-of-body execution problem in modern agent-driven environments.

When User Intent and Execution No Longer Coincide
Historically, enterprise workflows were relatively straightforward from an attribution and control standpoint. A user clicked, a process ran, a file moved, and the chain of responsibility was usually clear enough for both investigation and enforcement.
Security architectures implicitly relied on a tight coupling between:
- user intent
- execution location
- and data movement
AI agents and copilots are beginning to loosen that coupling.
Today, a simple user prompt can trigger multi-step workflows spanning retrieval systems, orchestration layers, external tools, and downstream services. The user still initiates the interaction, but the actual execution path may unfold across environments the user never directly touches.
The result is subtle but important: user intent and system execution begin to drift apart.
The Execution Surface Is Moving
One of the more structural shifts is where sensitive actions now occur.
In traditional models, many meaningful operations happened either on the endpoint or within well-understood SaaS boundaries. With modern agent frameworks, however, large portions of the workflow increasingly execute inside cloud copilot backplanes, agent runtimes, orchestration services, or tool environments.
In practical terms, the user sits in one place, while the work happens somewhere else.
This displacement has architectural consequences. Controls that were designed around the user device or a single application boundary may now see only part of the workflow, or miss it entirely.
When Inspection Paths No Longer Align
The challenge extends beyond the endpoint.
Many existing security controls were built around predictable inspection points: network egress, CASB proxies, email gateways, or application APIs. These approaches worked reasonably well when most sensitive data movement followed user-driven paths.
Agentic workflows do not always behave that way.
Service-to-service calls, retrieval pipelines, and tool invocations may occur entirely within cloud control planes or between back-end services. In these scenarios, traditional inspection points often observe fragments of activity while lacking full transactional context.
The result is not a complete loss of visibility, but something more nuanced and harder to manage: visibility fragmentation.
Security teams can often see pieces of the story without having a coherent view of the whole.
Control Planes Are Still Maturing
Complicating matters further, agent ecosystems are evolving - and not uniformly.
Across emerging frameworks, the depth of identity propagation, authorization controls, audit telemetry, and policy insertion points varies meaningfully. Some environments expose relatively mature hooks for governance and monitoring, while others are still developing toward enterprise-grade control surfaces.
For security teams, this creates an additional layer of uncertainty. Even when organizations understand the new risk patterns, the underlying platforms may expose different levels of controllability and observability.
In other words, the gap is not purely architectural. In many environments, it is also a control-plane maturity issue.
Why This Matters Now
Individually, each of these shifts is manageable. Together, they represent a meaningful change in the operating model for data security.
When user intent, execution location, and data movement no longer align cleanly:
- policy enforcement becomes harder to scope precisely
- incident investigations require deeper cross-system correlation
- ownership and responsibility can become ambiguous
- traditional control placement becomes less reliable
As AI agents, AI workspaces, and copilots become more deeply embedded in enterprise workflows, these gaps are likely to become more visible, not less.
Where the Gaps Are Emerging
Taken together, agent-driven workflows introduce several structural blind spots:
- Attribution gap — the initiating user is no longer the full story behind the action, and in some agent workflows attribution becomes less explicit
- Execution surface gap — sensitive operations increasingly run outside the user environment
- Inspection path gap — some agent interactions occur beyond traditional inline controls (e.g., endpoint security, CASB, SWG, SEG)
- Control-plane maturity gap — governance hooks and identity propagation remain uneven across frameworks
Individually, each might be manageable. Together, they mark a meaningful shift in how data risk must be understood and controlled.
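The attribution and execution surface gaps above can be made concrete with a small correlation routine. This is an added example, not part of the original article: it assumes every surface emits audit events carrying a propagated trace ID and an on-behalf-of identity. The field names and sample events are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample audit events from four execution surfaces. The field
# names (trace_id, surface, principal, on_behalf_of) are assumptions.
EVENTS = [
    {"trace_id": "t-1", "ts": 1, "surface": "endpoint", "principal": "alice",
     "on_behalf_of": None, "action": "prompt.submit"},
    {"trace_id": "t-1", "ts": 2, "surface": "orchestrator", "principal": "svc-agent",
     "on_behalf_of": "alice", "action": "plan.create"},
    {"trace_id": "t-1", "ts": 3, "surface": "retrieval", "principal": "svc-rag",
     "on_behalf_of": "alice", "action": "doc.read"},
    {"trace_id": "t-1", "ts": 4, "surface": "tool-runtime", "principal": "svc-tool",
     "on_behalf_of": None, "action": "file.export"},   # delegation context dropped
    {"trace_id": None, "ts": 5, "surface": "tool-runtime", "principal": "svc-tool",
     "on_behalf_of": None, "action": "http.post"},     # no workflow context at all
]

def correlate(events):
    """Rebuild each workflow from per-surface logs and list what cannot be proven."""
    workflows, orphans = defaultdict(list), []
    for e in events:
        if e["trace_id"] is None:
            orphans.append(e)          # a fragment: seen, but tied to no workflow
        else:
            workflows[e["trace_id"]].append(e)
    reports = {}
    for tid, evs in workflows.items():
        evs = sorted(evs, key=lambda e: e["ts"])
        # Assumption: the earliest event in a trace is the user's own action.
        initiator = evs[0]["on_behalf_of"] or evs[0]["principal"]
        reports[tid] = {
            "initiator": initiator,
            "executors": sorted({e["principal"] for e in evs} - {initiator}),
            # Execution surface gap: work that ran away from the user's device.
            "off_endpoint": [e["action"] for e in evs if e["surface"] != "endpoint"],
            # Attribution gap: downstream steps that lost the initiating identity.
            "attribution_gaps": [e["action"] for e in evs[1:]
                                 if e["on_behalf_of"] != initiator],
        }
    return reports, orphans

if __name__ == "__main__":
    reports, orphans = correlate(EVENTS)
    print(reports)
    print("uncorrelated:", [e["action"] for e in orphans])
```

The export step is visible in the logs but can no longer be tied to the user who prompted it, and the final outbound call cannot be tied to any workflow at all.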
Looking Ahead
None of this diminishes the value of existing controls. They will still be needed for the foreseeable future.
But the center of gravity is shifting.
In agent-driven environments, effective data protection increasingly depends on maintaining clear entity context and authority tracking across workflows that span multiple execution surfaces and control planes.
That shift sets the stage for a broader rethink of how security architectures must evolve for the age of AI agents.
More on that in the next piece.