A recent ZDNet article argues that organizations should treat AI agents like interns rather than trusted employees. At first glance, the analogy sounds simplistic. Upon closer inspection, it may be one of the most practical frameworks available for managing agentic AI risk.
Consider what happens when a new intern joins your organization.
You don’t immediately give them administrator privileges. You don’t grant access to every database. You don’t allow them to approve financial transactions. You don’t let them modify production systems without supervision.
Yet many organizations are doing exactly that with AI agents.
The current excitement surrounding agentic AI has created a dangerous tendency to focus on capability while ignoring governance. Teams are deploying agents that can read emails, access documents, execute workflows, interact with APIs, create code, modify records, and even perform financial transactions. In many cases, these agents are operating with broader permissions than many human employees.
The result is predictable: organizations are creating powerful systems with access to critical assets while assuming that intelligence implies trustworthiness.
It does not.
Why the Intern Analogy Works
The intern analogy works because AI agents share many characteristics with inexperienced employees:
- They can perform useful work.
- They require clear instructions.
- They make mistakes.
- They occasionally produce impressive results.
- They sometimes act confidently while being completely wrong.
- They require oversight.
Unlike interns, however, AI agents possess additional risks.
An intern generally understands organizational norms, can ask for clarification, and recognizes uncertainty. AI agents may confidently proceed with incorrect assumptions, follow malicious instructions embedded in data, or execute unintended actions without understanding consequences.
As several industry practitioners have noted, confidence is not accuracy, and governance cannot be added after deployment. It must be designed into the system from the beginning.
Where I Disagree with the Analogy
There is one important limitation.
Interns learn.
AI agents do not develop judgment in the human sense.
Many organizations assume that because a model appears intelligent, it will gradually become trustworthy through use. That assumption is dangerous. While models may improve through vendor updates and tuning, they do not accumulate organizational wisdom the way a human employee does.
An AI agent should never “earn” unrestricted trust.
Instead, organizations should focus on continuously validating behavior while maintaining appropriate controls regardless of how successful the agent appears to be.
The correct model is not:
“An intern who will eventually become a senior employee.”
It is:
“A powerful automation system that will always require governance.”
The Security Problem Nobody Wants to Discuss
The greatest AI-agent risk is not hallucination.
It is excessive privilege.
Most major security incidents involving AI agents can be traced to one of four failures:
1. Excessive Access
Agents receive broad permissions because limiting access is inconvenient.
The agent can access customer records, internal documents, source code repositories, cloud resources, financial systems, and collaboration platforms because “it might need them.”
This violates decades of security best practices.
2. Credential Reuse
Organizations frequently allow multiple agents to share service accounts, API keys, or privileged credentials.
When one agent is compromised, every connected workflow becomes a potential target.
3. Lack of Observability
Security teams often cannot answer:
- What actions did the agent perform?
- Why did it perform them?
- What data influenced the decision?
- What external systems were accessed?
Without auditability, incident response becomes nearly impossible.
4. Unbounded Autonomy
Organizations allow agents to perform irreversible actions without human approval.
Deleting records, modifying infrastructure, approving transactions, changing configurations, or sending external communications should not occur without appropriate controls.
As some practitioners have noted, autonomy should be proportional to reversibility. The more difficult an action is to undo, the greater the level of human oversight required.
Recommendations for Security Leaders
Establish an Agent Identity Program
Every AI agent should receive its own identity.
Treat agents similarly to human employees:
- Unique identity
- Unique credentials
- Defined role
- Defined responsibilities
- Lifecycle management
- Access reviews
Never allow agents to operate under shared administrative accounts.
Apply Zero Trust Principles
Zero Trust should extend to AI agents.
Agents should continuously prove:
- Who they are
- What they are authorized to access
- Why they require access
- Whether the request aligns with their assigned role
An agent should not automatically inherit trust because it operates within your environment.
Create Agent Classification Levels
Not all agents require the same controls.
For example:
Level 1: Advisory Agents
- Read-only
- Recommendations only
- No execution authority
Level 2: Workflow Agents
- Limited execution authority
- Human approval required for sensitive actions
Level 3: Operational Agents
- Autonomous execution within tightly defined boundaries
- Enhanced monitoring
Level 4: Critical Infrastructure Agents
- Production access
- Continuous oversight
- Formal risk assessments
- Executive approval
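The four levels above can be enforced in one authorization gate that also applies the earlier rule that autonomy should be proportional to reversibility, and records every decision for audit. This is an added example, not code from the article; the class names, the `decide` function, the tool names, and the reading of Level 4 "continuous oversight" as approval on every write are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    ADVISORY = 1
    WORKFLOW = 2
    OPERATIONAL = 3
    CRITICAL = 4

@dataclass(frozen=True)
class Agent:
    agent_id: str             # unique identity, never a shared account
    level: Level
    allowed_tools: frozenset  # explicit allow-list (least privilege)

@dataclass(frozen=True)
class Action:
    tool: str
    writes: bool              # changes state somewhere
    reversible: bool = True   # can the change be undone?
    sensitive: bool = False   # flagged by the agent's owner

ALLOW, DENY, APPROVAL = "allow", "deny", "needs_human_approval"

def decide(agent, action, audit_log):
    """Return a verdict and append an audit record for every request."""
    if action.tool not in agent.allowed_tools:
        verdict, reason = DENY, "tool outside the agent's allow-list"
    elif not action.writes:
        verdict, reason = ALLOW, "read-only request"
    elif agent.level == Level.ADVISORY:
        verdict, reason = DENY, "advisory agents have no execution authority"
    elif not action.reversible:
        verdict, reason = APPROVAL, "irreversible action"
    elif agent.level == Level.CRITICAL:
        # Assumption: 'continuous oversight' read as approval on every write.
        verdict, reason = APPROVAL, "write by critical-infrastructure agent"
    elif agent.level == Level.WORKFLOW and action.sensitive:
        verdict, reason = APPROVAL, "sensitive action by workflow agent"
    else:
        verdict, reason = ALLOW, "reversible write within defined boundaries"
    audit_log.append({"agent": agent.agent_id, "tool": action.tool,
                      "verdict": verdict, "reason": reason})
    return verdict

if __name__ == "__main__":
    log = []  # constructed sample: one workflow agent, one sensitive update
    bot = Agent("ticket-triage-01", Level.WORKFLOW, frozenset({"crm.read", "crm.update"}))
    print(decide(bot, Action("crm.update", writes=True, sensitive=True), log), log[-1])
```

Denied requests are logged as well as allowed ones, so the audit trail can answer what the agent attempted, not only what it completed.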
Build AgentOps into Security Operations
Just as DevOps created new operational disciplines, AgentOps is emerging as a requirement for enterprise AI governance. Organizations need mechanisms for monitoring, auditing, testing, and continuously validating agent behavior throughout the lifecycle.
Test Agents Continuously
Traditional security testing is insufficient.
Security teams should conduct:
- Prompt injection testing
- Data poisoning simulations
- Permission boundary testing
- Adversarial red teaming
- Tool misuse testing
- Escalation path validation
Testing should occur continuously, not only before deployment.
Security Professional Checklist
Governance
☐ Every agent has an owner
☐ Every agent has a documented purpose
☐ Acceptable actions are explicitly defined
☐ Human approval requirements are documented
☐ Risk assessments are completed before deployment
Identity and Access Management
☐ Each agent has a unique identity
☐ Each agent has unique credentials
☐ Least privilege is enforced
☐ Administrative privileges are prohibited by default
☐ Access reviews occur regularly
☐ Secrets are stored in approved vaults
Monitoring and Audit
☐ All agent actions are logged
☐ Decision traces are retained
☐ Data access events are monitored
☐ Anomalous behavior alerts exist
☐ Incident response procedures include AI agents
Security Testing
☐ Prompt injection testing is performed
☐ Privilege escalation testing is performed
☐ Data leakage testing is performed
☐ Red-team exercises include AI agents
☐ Security controls are validated after model updates
Operational Controls
☐ Kill-switch capabilities exist
☐ Rollback procedures are documented
☐ Human override mechanisms exist
☐ High-risk actions require approval
☐ Agent behavior is periodically reviewed
Final Thoughts
The biggest mistake organizations can make is viewing AI agents as software.
Traditional software follows instructions.
AI agents make decisions.
That difference changes everything.
The organizations that succeed with agentic AI will not be those that deploy the most agents. They will be the ones that deploy agents safely, govern them continuously, and maintain meaningful human oversight.
Treat AI agents like interns on their first day.
Give them a clearly defined job.
Provide only the access they need.
Watch what they do.
Review their work.
And never hand them the keys to the kingdom simply because they sound confident.
Confidence has never been a security control.
