Pattern · 2026
Making agent deployments pass security review
A five-layer architecture distilled from shipping three agent systems in regulated environments.
A five-layer architecture distilled from shipping three agent systems in regulated environments.
Most agent projects hit the same wall. The demo looks great. The pilot works. Then it meets security review, and every layer of the system turns out to be wrong: one service account with god-mode, secrets in environment variables, no audit trail, no way to tell if the agent did something it shouldn't have. The project either ships with a risk exception that auto-expires, or dies quietly on a compliance spreadsheet.
The pattern that actually ships is a five-layer separation of concerns. Each layer exists because it maps directly to a compliance control an enterprise InfoSec team will ask about. Skip any layer and the review fails.
The five layers — identity, credential broker, scoped tool access, policy and approval gating, and structured audit — are the minimum architecture an enterprise InfoSec team will accept for a production AI agent. Each layer maps directly to a compliance control reviewers already know how to evaluate. Skip any one and the review fails on the missing control; ship all five and the conversation moves from "is this allowed?" to "let's tune the thresholds."
Every agent action is attributed to a specific actor — a machine account for autonomous runs, an on-behalf-of delegation for user-triggered actions. "The agent did it" is not an answer. Entra ID, Okta, Google Workspace all support workload identities; use them. The audit log has to answer who.
Deep dive on this layer for Microsoft tenants: Entra ID workload identities for agent systems — the four-way decision matrix between app-only, on-behalf-of, federated credentials, and managed identity, plus the gotchas the wizard doesn't surface.
Agents never hold long-lived secrets. They request short-lived, scoped tokens from a broker (Vault, Key Vault, cloud-native secret manager) on each call. The broker knows which tools the agent is authorized to call, mints a narrow token, and logs the request. Compromising the agent's runtime doesn't compromise the kingdom.
Tools expose the smallest surface the agent needs. Read-only views of production databases. Action-specific API wrappers instead of admin SDKs. Model Context Protocol servers with per-server auth boundaries. When the agent goes off-rails — and sometimes it will — the blast radius is bounded by design, not by hope.
Every action goes through a policy check before execution. Safe, reversible operations (read a record, propose an update) auto-execute. Irreversible or high-risk operations (issue a refund, modify production config, delete data) queue for human approval. Confidence thresholds decide the line. Humans own the risky calls; the pattern is explicit about which calls those are.
Every suggestion, every approval, every override, every failure produces a structured event. Logs are not enough — logs are for debugging. An audit layer is structured, queryable, retained, and reviewable. Compliance, incident response, and post-mortem all run against the same surface. This is the layer that turns a legal conversation into a technical one.
None of these layers are exotic. They are how authentication, secrets management, least-privilege access, change control, and audit logging have worked in enterprise infrastructure for decades. The novelty of agent systems is not that they require new controls — it is that they require the same controls applied to a new kind of actor. Treating the agent as a first-class identity with scoped access, reviewable actions, and complete audit is what moves a project from demo to deployment.
The five layers are the minimum. Everything else — orchestration frameworks, prompt engineering, model selection — is downstream of this foundation.
user / scheduler ↓ Identity — who is asking? machine acct or on-behalf-of? ↓ Credential broker — mint short-lived, scoped token ↓ Scoped tool — narrow API wrapper, read-only by default ↓ Policy gate — auto-apply if safe, queue if risky ↓ Audit event — structured, queryable, retained
Build the layers once and every new agent gets them for free. Skip them and the next agent re-litigates the same security review.