
Enterprises Deploy Outcome-Based Security To Govern Autonomous AI Agents At Scale

The Security Digest - News Team, published March 19, 2026

Yotam Perkal, Director of Security Research at Pluto Security, warns that autonomous AI agents create hidden enterprise risks, making oversight and real-time monitoring critical to stop small errors from escalating.

Credit: Outlever

Key Points

  • Autonomous AI agents on modular, multistep workflows can act unpredictably across systems, creating a hidden, expanding attack surface.

  • Yotam Perkal, Director of Security Research at Pluto Security, explains that these agents behave like a new insider threat: authorized to act, but capable of cascading missteps.

  • Organizations can manage risk through cross-agent governance, continuous monitoring, trust chain oversight, and context-aware outcome validation.


Autonomous AI agents are introducing a new class of security risk inside the enterprise. Built on modular frameworks and multistep workflows, these systems can trigger actions across APIs and internal platforms from a single prompt. They reason across steps, dynamically connect services, and execute tasks that unfold across complex chains of activity. The result is software that behaves less like a tool and more like an actor inside the organization, expanding the attack surface in ways that are difficult to trace or control.

Yotam Perkal, Director of Security Research at Pluto Security, is a cybersecurity researcher with deep experience across vulnerability research, cloud security, threat intelligence, and insider threat detection. His career spans senior roles at companies including Zscaler, Rezilion, and PayPal, where he worked on everything from large-scale vulnerability management and cloud asset modeling to insider threat detection systems and AI-driven security analytics. Perkal argues that the rapid growth of modular AI ecosystems is introducing a new category of security risk, as agents, frameworks, and plug-in skills multiply faster than organizations can effectively govern them.

"I look at it as a new branch of insider threat. You're giving an agent a mission and permission, and once it's misdirected, intentionally or not, it can create real risk inside your organization," Perkal says. Autonomous agents with authorized access and granted privileges can behave unpredictably, introducing serious organizational risk.

  • Ecosystem multiplication: "Because of the democratization of coding, there are now so many platforms and frameworks, and agents can come in many different forms. Just governing that variety and gaining visibility into all of it is a challenge on its own," he says. AI agents built from interchangeable parts move quickly, but their complexity leaves defenders struggling to monitor activity and enforce controls.

  • Scripts gone wild: "Skills are often just text files, easy to create but difficult to assess. It's very hard to determine if a skill is malicious, and it can turn into a successful rug-pull or multi-turn type of attack. We're seeing vulnerabilities like SSRF or cross-site scripting. Each step on its own looks benign, but when you combine them, they create a malicious outcome," Perkal explains. Researchers observed this new supply chain risk dynamic during the widely discussed OpenClaw and ClawHub marketplace saga.

As enterprises adapt to these systems, security validation is shifting from testing code to validating outcomes. "To evaluate these systems properly, teams need to define the desired outcome of the workflow and then build validation test sets they can use during development and in production," Perkal adds. Explicit pentesting of nondeterministic systems is also critical to anticipate and mitigate unexpected multistep behaviors.
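The two points above, that each agent step can look benign while the chain produces a harmful outcome, and that validation should therefore check the outcome of the whole workflow, can be turned into a small outcome validator. This is an added example, not code from the article or from Pluto Security; the trace format, tool names, allowlist and sensitive-path prefixes are constructed for the demonstration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed policy: hosts the workflow may send data to, and paths
# whose contents must never leave the workflow.
ALLOWED_EGRESS_HOSTS = {"internal-wiki.example"}
SENSITIVE_PREFIXES = ("/etc/", "/home/", "/secrets/")


@dataclass
class Step:
    tool: str   # constructed tool names: read_file, summarize, http_get, http_post
    args: dict


def step_is_suspicious_alone(step: Step) -> bool:
    """Per-step review: every tool in the policy is permitted, so looking at
    one step at a time finds nothing wrong with any of them."""
    return step.tool not in {"read_file", "summarize", "http_get", "http_post"}


def validate_outcome(trace: list[Step]) -> list[str]:
    """Whole-workflow review: follow sensitive content through the chain and
    flag any egress that carries it to a host outside the allowlist."""
    findings = []
    tainted = set()  # names of intermediate values derived from sensitive files
    for i, step in enumerate(trace):
        if step.tool == "read_file" and step.args["path"].startswith(SENSITIVE_PREFIXES):
            tainted.add(step.args["out"])
        elif step.tool == "summarize" and step.args["in"] in tainted:
            tainted.add(step.args["out"])   # a summary of secrets is still secret
        elif step.tool == "http_post":
            host = urlparse(step.args["url"]).hostname
            if step.args["body"] in tainted and host not in ALLOWED_EGRESS_HOSTS:
                findings.append(f"step {i}: sensitive data posted to {host}")
    return findings


# Constructed trace: each step passes the per-step check; the chain does not.
DEMO_TRACE = [
    Step("read_file", {"path": "/secrets/db.env", "out": "v1"}),
    Step("summarize", {"in": "v1", "out": "v2"}),
    Step("http_post", {"url": "https://untrusted-host.example/u", "body": "v2"}),
]


def demo():
    """Returns (per-step verdicts, whole-workflow findings) for DEMO_TRACE."""
    return [step_is_suspicious_alone(s) for s in DEMO_TRACE], validate_outcome(DEMO_TRACE)
```

The same `validate_outcome` call can be run over recorded traces as a regression set during development and over live traces in production, which is the test-set approach the quote describes.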

  • Active participation: "It's very tempting to leave the thinking to the model because the capabilities are so strong. But if you don’t design the system properly, provide the right context, and validate the results, that’s where problems start to surface," Perkal emphasizes. Over time, the habit of deferring to the model can erode the human judgment needed to recognize when something has gone wrong.

  • System imploding: Frameworks can pass on unseen vulnerabilities to developers. "Many of the security decisions in these systems aren't explicit; they're implicit and made by the platform. In some cases, MCP servers bind to the local network by default, which means anyone on that network can interact with them, not just the person who created them. When you write text in a coding agent, there are hidden decisions about what packages get imported and what logic gets implemented," says Perkal.
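The bind-address point is one implicit decision a defender can audit directly. Below is an added example, not code from the article or from any MCP implementation: it classifies who can reach a service from the address it listens on, and runs that over a constructed inventory of servers (the inventory shape is an assumption; real MCP servers configure their listen address in implementation-specific ways).

```python
import ipaddress


def classify_bind(host: str) -> str:
    """Who can reach a service listening on `host`.

    loopback        only processes on this machine (127.0.0.1, ::1, localhost)
    all-interfaces  every network the machine is attached to (0.0.0.0, ::)
    network         one specific interface, reachable from that network
    hostname        unresolved name; must be resolved before judging
    """
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    return "network"


def audit(servers: list[dict]) -> list[str]:
    """Return a finding for each server not confined to the local machine."""
    findings = []
    for s in servers:
        exposure = classify_bind(s["host"])
        if exposure != "loopback":
            findings.append(f'{s["name"]} listens on {s["host"]}:{s["port"]} ({exposure})')
    return findings


# Constructed inventory of locally run agent tool servers.
DEMO_SERVERS = [
    {"name": "files-mcp", "host": "127.0.0.1", "port": 3001},
    {"name": "browser-mcp", "host": "0.0.0.0", "port": 3002},
    {"name": "db-mcp", "host": "::", "port": 3003},
    {"name": "notes-mcp", "host": "192.168.1.20", "port": 3004},
    {"name": "calendar-mcp", "host": "::1", "port": 3005},
]
```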

Autonomous AI agents are making decisions that ripple across an organization's entire digital ecosystem. Organizations must monitor trust chains, validate outcomes, and use cross-agent governance to stop small misalignments from cascading into major breaches. "Autonomous agents don't just execute commands; they make decisions in ways that can be surprising. The question isn't whether they'll do something wrong; it's how fast you can detect it and respond," Perkal concludes.