The Wild West of AI Agents: Permiso Stakes a Claim in Runtime Security
For the past eighteen months, the enterprise world has been sprinting toward "agentic AI"—a future where autonomous digital entities don't just answer questions but actually execute tasks across cloud environments. However, as these agents gain the keys to production data and infrastructure, a massive visibility gap has emerged. Most security teams can see when an agent logs in, but once it starts making decisions in milliseconds, they are effectively flying blind.
On May 14, 2026, Permiso announced the launch of its AI agent runtime security capabilities. This isn't just another posture management tool that takes snapshots of configurations; it’s a runtime defense system designed to follow the fast-moving, non-deterministic paths that AI agents take as they interact with sub-agents, Model Context Protocol (MCP) servers, and sensitive data stores.
Closing the Post-Authentication Blindness Gap
The core problem Permiso is tackling is what it calls "Post-Authentication Blindness." Traditional identity providers (IdPs) are great at verifying that an agent is who it says it is, but they lose track of the entity the moment the authentication handshake ends. In the time it takes for a standard security scan to run, an autonomous agent could have spawned three sub-agents and exfiltrated a database.
By integrating these capabilities into its existing Universal Identity Graph, Permiso is treating AI agents as a first-class identity. This allows security teams to attribute every tool call, data access, and infrastructure event back to a specific initiating identity—whether that's a human, a service account, or a sophisticated AI agent. As reported by SC Media, this launch marks a shift from static oversight to real-time behavioral monitoring.
The platform’s new features are already being battle-tested by high-profile early adopters. Autodesk, a Fortune 500 leader in design and engineering software, has signed on as the launch customer. For companies like Autodesk, which are deploying AI across global workforces and infrastructure, being able to maintain a full registry of active agents and monitor their "runs" is no longer optional—it's a requirement for moving fast without breaking things.
Six Pillars of Agentic Defense
Permiso’s approach is built on six key capabilities. First is agent and session discovery, which identifies both managed and "shadow" AI agents running in everything from Lambda functions to virtual machines. This is followed by runtime identity attribution, which maps the entire chain of events—showing exactly which human deployed the agent and what downstream systems it touched.
The third and fourth pillars focus on observability and detection. The platform captures every MCP invocation and data interaction, and uses P0 Labs threat intelligence, as cited by Business Wire, to flag over-privileged access or anomalous tool usage. This intelligence is built on research into modern threats like "LLMjacking" and cross-prompt injection vulnerabilities.
Finally, the platform introduces behavioral sandboxing and identity-first controls. The latter includes "kill switches" that operate at machine speed. If an agent begins behaving erratically or violates a policy, the system can revoke its access at the identity layer immediately, neutralizing the threat before it can reach its full "blast radius."
Why Posture Isn't Enough
Critics of current AI security often point out that posture management—checking if a model is "safe"—is only half the battle. As noted by SiliconANGLE, agents are non-deterministic. They are given a goal and the tools to reach it, but they might find paths to that goal that their human creators never anticipated—like bypassing a hard permission constraint by using a creative credential chain.
This unpredictability makes real-time monitoring the only viable defense. Permiso’s co-CEO Jason Martin has been vocal about the fact that agents will inevitably do things they weren't supposed to do. The question for enterprises is whether they have the visibility to catch those actions in the act. For existing Permiso customers, these new capabilities appear alongside their human and non-human identities, requiring no new infrastructure changes.
The timing of this launch is critical. A recent study by PR Newswire found that 67% of organizations using AI agents already suspect those agents have accessed data beyond their intended scope. As enterprises transition from experimentation to production-scale AI, the race to secure the "digital workforce" is officially on.
By folding AI agent security into the broader context of identity management, Permiso is betting that the best way to secure the future of AI isn't a new silo of tools, but a unified graph that understands exactly "who"—human or machine—is doing "what" across the entire enterprise fabric. In the agentic era, visibility isn't just a luxury; it's the only thing keeping the lights on safely.
Peering Under the Hood of the Agentic Frontier
The emergence of Permiso’s AI agent runtime security is not merely a product launch; it represents a fundamental shift in how Silicon Valley is rethinking the concept of an "identity." In the early days of cloud computing, an identity was a person with a username. Today, Permiso is operating on the premise that the most active "users" in a modern VPC are no longer humans sitting at keyboards, but rather ephemeral bits of code that exist for seconds, perform complex API orchestrations, and then vanish.
This initiative is heavily fueled by the research coming out of P0 Labs, Permiso’s dedicated threat research arm. These researchers have spent the last year documenting a new class of "identity-first" attacks where adversaries don't try to break the AI model itself, but rather hijack the agent’s delegated authority. By understanding how attackers manipulate the "thought process" of an LLM to trigger unauthorized tool calls, P0 Labs has provided the blueprint for the detection logic now embedded in the runtime platform.
The Autodesk Litmus Test
The involvement of Autodesk as a launch partner provides a crucial look into the scale of the problem. As a company that has moved its massive suite of design tools to a cloud-native, AI-integrated model, Autodesk faces a unique challenge. Their developers are increasingly using AI agents to automate the provisioning of cloud environments and to manage massive datasets. Without a tool like Permiso, a single misconfigured agent in a developer’s sandbox could theoretically pivot into a production environment using inherited permissions.
For Autodesk, the "Registry of Active Agents" feature is particularly vital. In large-scale enterprises, "shadow AI" is becoming as prevalent as shadow IT once was. Developers often spin up local AI agents using open-source frameworks to help with coding or testing. Permiso’s ability to discover these unmanaged agents allows the security team at Autodesk to bring these autonomous helpers into the fold of corporate governance without stifling the speed of innovation.
The Architecture of the Universal Identity Graph
To understand how this works technically, one has to look at Permiso's Universal Identity Graph. This is a massive, real-time map that links disparate data points from AWS CloudTrail, Google Cloud logs, and Okta sessions into a single narrative. When an AI agent performs an action, the graph doesn't just see a random API call; it sees that "Agent X," which was spawned by "Developer Y," is now using "Credential Z" to access a sensitive S3 bucket. This level of context is what separates runtime security from simple logging.
The integration of the Model Context Protocol (MCP) is perhaps the most forward-looking aspect of this release. As the industry moves toward standardized ways for AI models to interact with external data sources, Permiso has positioned itself as the "inspector general" of these interactions. By monitoring the MCP layer, Permiso can intercept a request before it reaches a database, checking if the agent’s intent matches the security policy assigned to the human who initiated the run.
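The attribution chain and the MCP-layer policy check described in the two paragraphs above can be sketched as follows. This is an added illustration, not Permiso's code: the identities, the credential map, the policy table and every field name are constructed for the example.

```python
# Added illustration; all identifiers and field names are constructed sample data.
SPAWNED_BY = {                      # child identity -> identity that launched it
    "agent:x": "human:developer.y",
    "agent:x-sub1": "agent:x",
    "agent:orphan": "agent:never-seen",   # shadow agent: chain has no human root
}
CREDENTIAL_HOLDER = {"cred:z": "agent:x-sub1", "cred:q": "agent:orphan"}
# (action, resource) pairs each human may delegate to agents acting for them.
INITIATOR_POLICY = {
    "human:developer.y": {("mcp:search_docs", "wiki"), ("s3:GetObject", "reports")},
}

def spawn_chain(identity, max_depth=16):
    """Walk spawn edges upward; return the chain ending at the root identity."""
    chain = [identity]
    while chain[-1] in SPAWNED_BY:
        parent = SPAWNED_BY[chain[-1]]
        if parent in chain or len(chain) >= max_depth:   # cycle or runaway depth
            return chain + ["<broken>"]
        chain.append(parent)
    return chain

def evaluate(event):
    """Attribute one tool call to its initiating human, then apply that human's policy."""
    holder = CREDENTIAL_HOLDER.get(event["credential"])
    if holder is None:
        return {"initiator": None, "chain": [], "verdict": "deny: unknown credential"}
    chain = spawn_chain(holder)
    root = chain[-1]
    if not root.startswith("human:"):
        return {"initiator": None, "chain": chain, "verdict": "deny: no human initiator"}
    allowed = (event["action"], event["resource"]) in INITIATOR_POLICY.get(root, set())
    verdict = "allow" if allowed else "deny: outside initiator policy"
    return {"initiator": root, "chain": chain, "verdict": verdict}

# Constructed tool-call events, shaped as a gateway in front of MCP servers might log them.
EVENTS = [
    {"credential": "cred:z", "action": "s3:GetObject", "resource": "reports"},
    {"credential": "cred:z", "action": "s3:GetObject", "resource": "payroll"},
    {"credential": "cred:q", "action": "mcp:search_docs", "resource": "wiki"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev, "->", evaluate(ev))
```

The third event is denied even though the action itself is harmless: a call that cannot be traced to a human initiator fails closed.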
Beyond the Snapshot: The Move to Streaming Security
Most traditional security tools are "snapshot-based," meaning they check configurations once an hour or once a day. However, an AI agent can execute hundreds of tool calls in a single minute. Permiso’s runtime engine is built for "streaming security," processing event data as it happens. This allows the system to identify "impossible travel" for agents—such as an agent accessing a server in Virginia and a server in Tokyo simultaneously—and trigger an automated lockdown.
This shift to streaming security is what enables the "kill switch" functionality mentioned in the initial launch. If the Universal Identity Graph detects that an agent’s behavior is deviating from its historical baseline—for example, if a code-summarization agent suddenly starts listing all users in an IAM group—it can instantly revoke the temporary credentials that the agent is using. This effectively "freezes" the agent in its tracks without needing to shut down the entire cloud service.
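A minimal streaming monitor for the two detections described above (impossible travel and deviation from an agent's baseline), followed by credential revocation. This is an added example, not Permiso's engine: the event fields, the 60-second window, the baseline table and the in-memory revocation set are assumptions made for the illustration.

```python
# Added illustration; event schema, window and baseline are constructed assumptions.
BASELINE = {"agent:code-summarizer": {"repo:ReadFile", "mcp:summarize"}}
TRAVEL_WINDOW_S = 60   # two regions inside this window counts as impossible travel

class StreamMonitor:
    def __init__(self):
        self.last_seen = {}    # credential -> (timestamp, region)
        self.revoked = set()   # stand-in for revoking the credential at its issuer

    def observe(self, ev):
        """Evaluate one event as it arrives and return a verdict string."""
        cred = ev["credential"]
        if cred in self.revoked:
            return "blocked"
        reasons = []
        prev = self.last_seen.get(cred)
        # abs() tolerates slightly out-of-order delivery from log pipelines.
        if prev and prev[1] != ev["region"] and abs(ev["ts"] - prev[0]) < TRAVEL_WINDOW_S:
            reasons.append("impossible-travel")
        # An agent with no registered baseline has an empty set, so it is flagged too.
        if ev["action"] not in BASELINE.get(ev["agent"], set()):
            reasons.append("off-baseline")
        self.last_seen[cred] = (ev["ts"], ev["region"])
        if reasons:
            self.revoked.add(cred)
            return "revoke:" + ",".join(reasons)
        return "ok"

def run(events):
    monitor = StreamMonitor()
    return [monitor.observe(ev) for ev in events]

A = {"credential": "cred:A", "agent": "agent:code-summarizer"}
B = {"credential": "cred:B", "agent": "agent:code-summarizer"}
# Constructed event stream: Virginia is us-east-1, Tokyo is ap-northeast-1.
EVENTS = [
    {**A, "ts": 0, "region": "us-east-1", "action": "repo:ReadFile"},
    {**A, "ts": 5, "region": "us-east-1", "action": "mcp:summarize"},
    {**A, "ts": 9, "region": "ap-northeast-1", "action": "repo:ReadFile"},
    {**A, "ts": 10, "region": "us-east-1", "action": "repo:ReadFile"},
    {**B, "ts": 20, "region": "us-east-1", "action": "iam:GetGroup"},
]

if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, run(EVENTS)):
        print(ev["ts"], ev["credential"], ev["region"], ev["action"], "->", verdict)
```

Revocation is keyed on the credential rather than the agent, so the second credential keeps working until its own event trips a rule, which mirrors freezing one agent without shutting down the service.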
Future-Proofing the Autonomous Enterprise
The broader industry context involves a growing tension between the "AI Red Teams," who focus on prompt injection and model alignment, and "Cloud Security Teams," who focus on infrastructure. Permiso is effectively bridging these two camps. They are arguing that it doesn't matter if an AI model is "aligned" and "ethical" if the agent running that model can be tricked into using its system permissions to perform a data dump.
As we look toward 2027 and beyond, the "Agentic AI" market is expected to grow exponentially. Companies are no longer satisfied with chatbots; they want "do-bots." By solving the runtime security problem now, Permiso is attempting to prevent a repeat of the early cloud era, where security was often an afterthought that led to massive, preventable data breaches. They are betting that "Identity" is the only perimeter left in a world where code writes code.
Ultimately, the success of this platform will depend on its ability to minimize "false positives." If the security tool stops agents from doing their jobs too often, developers will find ways to bypass it. Permiso’s focus on high-fidelity attribution—ensuring they know exactly which human is responsible for which agentic action—is designed to provide the surgical precision needed to secure autonomy without killing productivity.
The Shift from "Who You Are" to "What You Do"
Permiso’s entry into the AI agent runtime space signals a pivot point in cybersecurity history: the transition from identity-as-a-boundary to identity-as-a-behavior. For decades, security was obsessed with the "front door," assuming that once a user (human or service account) was inside, they could be trusted within their permission set. AI agents shatter this paradigm because they operate with "borrowed" identity but possess "original" intent. Analyzing this through a market lens, we are seeing the birth of an entirely new category of defense that must account for the non-linear logic of autonomous code.
From a strategic standpoint, Permiso is attacking the "latency of oversight." In a traditional enterprise environment, a human analyst might take thirty minutes to investigate a suspicious alert. An AI agent, however, can cycle through thousands of tool invocations in that same window. By moving security to the runtime layer, Permiso is admitting that human-speed defense is no longer compatible with machine-speed operations. This creates a high-stakes arms race where the effectiveness of security is measured in milliseconds rather than hours.
The Erosion of the Human-in-the-Loop
The analytical significance of "Post-Authentication Blindness" cannot be overstated. When we delegate tasks to agents, we are effectively creating a "proxy gap." We know who started the process, but we lose accountability for the intermediate steps the agent takes to reach the goal. Permiso’s solution attempts to reconstruct the "chain of custody" for every digital decision. This is not just a technical fix; it is a fundamental requirement for the legal and regulatory frameworks that are currently struggling to define who is liable when an AI "hallucinates" its way into a data breach.
Furthermore, this launch highlights the growing irrelevance of traditional Cloud Infrastructure Entitlement Management (CIEM) in isolation. Knowing that an agent *has* permission to access a database is useless if the agent decides to access that database in a way that violates a business process. The market is moving toward "Intent-Based Security," where the system must constantly ask: "Does this specific action align with the original request made by the human?" Permiso is betting that the identity graph is the only place where this question can be answered at scale.
Agentic Sprawl and the New Shadow IT
We must also consider the "sprawl" factor. In the coming years, the ratio of AI agents to human employees in a typical Fortune 500 company could reach 10:1 or even 100:1. This creates a massive "identity debt." If each of these agents carries its own set of permissions, the complexity of the environment becomes impossible for a human to visualize. Permiso’s push for discovery and registration is a proactive attempt to prevent "agentic sprawl" from becoming the next great vector for ransomware and corporate espionage.
Looking at the competitive landscape, Permiso is positioning itself against both legacy security vendors and the AI labs themselves (like OpenAI or Anthropic). While the labs are building internal safety guardrails, Permiso is arguing that security cannot be left to the "fox guarding the hen house." An independent, third-party observer that monitors the *infrastructure* impact of an agent—rather than just its textual output—is becoming the industry’s preferred "trust-but-verify" model.
The Paradox of Autonomous Efficiency
There is a delicious irony in the fact that we are building complex AI systems to save time, only to realize we must spend massive amounts of resources building *other* AI systems to watch the first ones. This "surveillance tax" on AI adoption is a reality that many CFOs haven't yet baked into their ROI calculations. Permiso’s value proposition is that it reduces this tax by integrating AI oversight into the existing identity fabric, rather than forcing a total rip-and-replace of the security stack.
The move also underscores a shift in power dynamics within the C-suite. The CISO (Chief Information Security Officer) is now a primary stakeholder in AI deployment strategy. Previously, AI was a "data science" problem; now, it is a "runtime risk" problem. Platforms like Permiso provide the CISO with a "kill switch," which ironically might be the very thing that gives the CEO the confidence to move faster with AI deployment. You only drive a car at 100 mph if you trust the brakes.
Finally, we must recognize that the "runtime" is the new perimeter. In a world of serverless functions and ephemeral agents, there is no "inside" or "outside" anymore. There is only the execution path. Permiso’s focus on the Model Context Protocol (MCP) and tool calls suggests they are looking at the "verbs" of the digital world rather than just the "nouns." This analytical shift from static assets to dynamic actions is the hallmark of the next decade of cybersecurity.
“We’ve spent decades teaching humans not to click on suspicious links, only to build AI agents that are literally designed to click on every link they can find. At this rate, the only 'human-in-the-loop' left by 2030 will be the person responsible for unplugging the server when the bots start arguing over the corporate credit card.”
Artūras Malašauskas is an AI Systems Integrator with 20+ years of production-grade web engineering experience. He has designed, shipped, and scaled enterprise Python/PHP systems for logistics, SaaS, and public-sector clients. For the past year, he has focused exclusively on AI integrations: deploying open-source LLMs, building generative media pipelines (image, audio, video), and engineering multi-agent workflows for real production environments. His standard: reproducibility, security, cost-efficient inference—no vaporware. He documents and evaluates emerging AI tooling, separating verified capabilities from marketing noise. Technical editor at: muza-ai.eu, ai-verslas.lt, ai-naujinos.lt