This is an IT Support Group
Thursday Long Form 🤠
AI agents are moving from demo videos into actual workspaces, which means IT gets the joy of securing them after everyone already connected them to everything.
GM IT pros,
Happy Thursday. Let’s do a longer one today.
The normal Friday-style roundup is good for catching the chaos. But every once in a while a bunch of separate stories point at the same problem, and this week the problem is pretty obvious:
AI agents are becoming infrastructure before most companies have figured out how to manage them.
That sounds dramatic, but look at what is happening at the same time:
Notion is turning its workspace into a hub for AI agents and external data connections.
Open-source agent frameworks are already getting hit by attackers within hours of disclosure.
Researchers are warning that AI hallucinations are not just annoying — they can become a real security risk when people trust confident nonsense.
CISA and G7 partners are already talking about minimum SBOM elements for AI.
Translation for the trenches: this is not just a product trend. This is a future ticket category.
-Stetson
AI agents are not “just chatbots” anymore
The old version of workplace AI was annoying but relatively contained. Someone pasted a policy into ChatGPT. Someone asked Copilot to summarize a meeting. Someone generated a bad email that sounded like it was written by a LinkedIn growth consultant with a head injury.
Not great. But also not exactly domain-admin-on-fire territory.
The new version is different. The new version connects to workspaces, reads company data, triggers actions, calls APIs, touches workflows, and sits in the middle of tools people already use every day.
That is why the Notion story matters. Not because Notion specifically is evil or because every new AI feature is automatically bad. The important part is the direction: productivity platforms want to become agent platforms. They do not want AI to sit in a side panel. They want it wired into the workspace.
That means the questions change.
It is no longer just:
Can employees use this tool?
Is the data retained?
Can we turn it off?
Now it becomes:
What can this agent read?
What can it write?
What external tools can it call?
Who approved that connection?
What happens when it is wrong?
Where is the audit log?
Who owns the cleanup when it does something stupid?
And because this is enterprise software, the answer to that last one is probably “IT,” because apparently we sinned in a past life.
The security problem is already here
The PraisonAI vulnerability is the kind of story that should make people sit up a little. According to The Hacker News, attackers started targeting an authentication bypass in the open-source multi-agent orchestration framework within hours of public disclosure.
Hours.
That is not theoretical “someday attackers may care about agent frameworks” stuff. That is the normal internet garbage fire moving at normal internet garbage fire speed.
And this is where a lot of companies are going to get caught flat-footed. Developers, data teams, automation people, and random power users are going to stand up agent tools because they are useful. Some will be approved. Some will be experiments. Some will be “temporary.”
You know, temporary. Like that Windows 2012 box that is still running because one vendor app “needs it.”
The agent stack creates a weird blend of familiar risks:
Identity risk: agents need credentials, tokens, service accounts, OAuth grants, and API keys.
Data access risk: agents are only useful if they can read things, which is also why they are dangerous.
Action risk: some agents do not just summarize; they create, update, delete, route, approve, or execute.
Supply chain risk: open-source frameworks and plugins become part of the workflow.
Shadow IT risk: half of this will appear before there is a clean procurement/security review process.
None of those are new categories. The fun part is that AI agents bundle them together, slap “productivity” on the box, and convince leadership it is innovation.
Beautiful. Very normal. Please submit a ticket.
Hallucinations are not just embarrassing — they are operational risk
The hallucination story is easy to dismiss because everyone has seen AI make stuff up. It is funny when it invents a fake PowerShell flag. It is less funny when someone uses that fake recommendation in a security workflow, compliance process, or production change.
The real problem is confidence.
A bad search result usually looks like a bad search result. A junior tech saying “I think maybe this is right” at least gives you a signal to verify. AI often gives the wrong answer in the exact same tone it gives the right one. Calm. Structured. Bulleted. Completely full of crap.
That matters when agents move from “answer this question” to “do this workflow.”
If an agent recommends the wrong remediation, misreads a vendor advisory, summarizes a policy incorrectly, or grants access based on a misunderstood request, that is not a cute chatbot mistake. That is a process failure wearing a nicer UI.
This is where IT has to be the boring adult in the room:
AI output is not evidence.
AI summaries are not source material.
AI agents should not get broad write permissions by default.
Human approval still matters for risky actions.
Logs matter more, not less, when automation gets smarter.
Sorry to everyone who wanted the robot to magically fix documentation, access reviews, and change management. The robot is now another thing that needs documentation, access reviews, and change management.
The checklist I would start with
If your company is starting to adopt AI agents — officially or unofficially — I would not begin with a 47-page policy document nobody reads.
I would start with a short inventory and a few hard rules.
1. Inventory the AI tools that can touch company data
Do not limit this to the obvious big-name tools. Look for browser extensions, workspace plugins, Slack/Teams bots, IDE agents, automation platforms, meeting note tools, and random “connect your Google Drive” apps.
If it can read internal data or act on behalf of a user, it belongs on the list.
2. Separate read access from write access
An agent that can summarize a doc is one thing. An agent that can create tickets, modify records, send messages, update CRM data, run code, or approve requests is a different animal.
Read access can still leak data. Write access can create incidents.
3. Do not run agents under personal accounts
If an agent needs access, it should not be using Bob’s account because Bob “set it up real quick.” Use proper service accounts, scoped tokens, OAuth app review, and whatever your environment supports.
Yes, this is less convenient. So is incident response.
4. Require logs for meaningful actions
If an agent changes a record, creates a ticket, sends a message, touches production, or modifies access, you need to know:
what it did
when it did it
who authorized it
what data/context it used
how to reverse it
If the vendor cannot answer basic audit questions, congrats, you found a future postmortem.
5. Keep humans in the loop for expensive or risky actions
Resetting a password? Maybe automate with guardrails.
Changing firewall rules, approving vendor payments, modifying production, granting privileged access, deleting customer data, or sending external communications? Slow down, cowboy.
The goal is not to block automation. The goal is to stop “the AI did it” from becoming the dumbest root cause in your incident report.
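The checklist above (separate read from write, give agents their own identity, log every meaningful action, keep a human on risky ones) is easy to nod along to and harder to picture as code. Here is an added example of a small policy gateway that sits between an agent and its tools and enforces all four at once. It is not code from this newsletter or from Notion, PraisonAI, or any other product mentioned here; the tool names, the service-identity naming convention (`svc-` prefix), the grant table, and the `approve` callback are all constructed for illustration.

```python
"""Policy gateway for agent tool calls (added example, constructed data).

Every tool is classified read / write / risky, only reviewed service
identities may call anything, every attempt is logged (denials included)
with who, what, when, context and how to reverse it, and risky actions
need a named human approver before they run.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, Optional


class Access(Enum):
    READ = "read"
    WRITE = "write"
    RISKY = "risky"  # a write that also needs a human approver


# Constructed tool catalogue; tools not listed here are refused outright.
TOOL_CATALOG = {
    "search_docs": Access.READ,
    "create_ticket": Access.WRITE,
    "update_crm": Access.WRITE,
    "grant_access": Access.RISKY,
    "delete_customer": Access.RISKY,
}

# Constructed reversal notes, captured in the log before the action runs.
UNDO_HINT = {
    "create_ticket": "close the created ticket",
    "update_crm": "restore the previous field values from the logged args",
    "grant_access": "revoke the grant for the same principal and role",
    "delete_customer": "restore from backup; no in-band reversal",
}

# Constructed record of reviewed service identities and what each was granted.
# Anything not in here (a person's account, an unreviewed bot) is denied.
AGENT_GRANTS = {
    "svc-notion-agent": {Access.READ, Access.WRITE},
    "svc-helpdesk-agent": {Access.READ, Access.WRITE, Access.RISKY},
}


@dataclass
class AuditEntry:
    when: str
    agent: str
    tool: str
    args: dict
    context: str            # what data/context the agent was acting on
    decision: str           # "allowed" or "denied:<reason>"
    approver: Optional[str] = None
    undo: str = ""


@dataclass
class Gateway:
    # Hypothetical human-approval hook: returns the approver's id, or None
    # if nobody signed off (a real one would page an on-call or open a ticket).
    approve: Callable[[str, str, dict], Optional[str]]
    audit_log: list = field(default_factory=list)

    def call(self, agent: str, tool: str, args: dict, context: str) -> AuditEntry:
        entry = AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            agent=agent, tool=tool, args=dict(args), context=context,
            decision="denied:unknown", undo=UNDO_HINT.get(tool, ""),
        )
        level = TOOL_CATALOG.get(tool)
        if agent not in AGENT_GRANTS:
            entry.decision = "denied:not_a_reviewed_service_identity"
        elif level is None:
            entry.decision = "denied:unknown_tool"
        elif level not in AGENT_GRANTS[agent]:
            entry.decision = f"denied:{level.value}_not_granted"
        elif level is Access.RISKY:
            approver = self.approve(agent, tool, args)
            if approver is None:
                entry.decision = "denied:no_human_approval"
            else:
                entry.decision, entry.approver = "allowed", approver
        else:
            entry.decision = "allowed"
        self.audit_log.append(entry)  # every attempt is logged, denials included
        return entry


def demo() -> list:
    """Run a constructed sequence of calls and return the decisions in order."""
    def approver(agent, tool, args):
        # Constructed: a human signs off on access grants, nobody on deletions.
        return "alice@example.test" if tool == "grant_access" else None

    gw = Gateway(approve=approver)
    gw.call("bob@example.test", "search_docs", {"q": "vpn policy"}, "chat question")
    gw.call("svc-notion-agent", "search_docs", {"q": "vpn policy"}, "chat question")
    gw.call("svc-notion-agent", "grant_access", {"user": "carol", "role": "admin"}, "chat request")
    gw.call("svc-helpdesk-agent", "grant_access", {"user": "carol", "role": "reader"}, "ticket 4711")
    gw.call("svc-helpdesk-agent", "delete_customer", {"id": 42}, "ticket 4712")
    return [e.decision for e in gw.audit_log]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The point of the `audit_log` is that the first three items on the "you need to know" list (what, when, who authorized) are recorded even for denied attempts, so an agent that keeps poking at `grant_access` shows up in review rather than vanishing silently.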
The uncomfortable part: users are going to love this stuff
This is why IT cannot just be the Department of No.
Some of these tools will be genuinely useful. People are drowning in meetings, messages, tickets, docs, CRM sludge, compliance busywork, and 19 different dashboards that all hate each other. If an AI agent saves them two hours, they are going to use it.
If IT only says no, the tools will not disappear. They will go underground.
The better play is boring but effective:
approve a small set of tools
define safe use cases
publish simple rules
review OAuth/app grants regularly
keep privileged actions gated
teach people what not to paste into the magic box
Basically: make the paved road easier than the sketchy alley.
That is always the job. AI did not change that. It just made the alley faster and gave it a nice landing page.
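"Approve a small set of tools" and "review OAuth/app grants regularly" are the two items on that list that most teams never operationalize, and they are also how the inventory in checklist item 1 stays current. Here is an added example of the review pass, written as a script you would run over an export of app grants from your identity provider. This is not code from the newsletter or from any vendor; the export format, the approved-app list, the scope names, and the 90-day staleness window are constructed assumptions, and real exports will need a small adapter to this shape.

```python
"""Review OAuth/app grants against a short approved list (added example).

Flags three things: apps nobody approved (worse if they hold write-ish
scopes), approved apps whose grants have crept past the reviewed scopes,
and grants nobody has used in a while. Data below is constructed.
"""
from datetime import date, timedelta

# Constructed: the small approved set and the scopes each was reviewed for.
APPROVED_APPS = {
    "Meeting Notes Bot": {"calendar.readonly", "drive.readonly"},
    "Helpdesk Agent": {"tickets.read", "tickets.write"},
}

# Scope name fragments treated as "can act, not just read". Assumption:
# real providers name scopes differently; adjust to yours.
WRITE_MARKERS = ("write", "delete", "admin", "full")
STALE_AFTER = timedelta(days=90)


def is_write_scope(scope: str) -> bool:
    s = scope.lower()
    return any(marker in s for marker in WRITE_MARKERS)


def review_grants(grants: list, today: date) -> list:
    """Return (app, user, finding) tuples in export order."""
    findings = []
    for g in grants:
        app, user = g["app"], g["user"]
        scopes, last_used = set(g["scopes"]), g["last_used"]
        if app not in APPROVED_APPS:
            # Shadow IT: the "connect your Google Drive" app nobody reviewed.
            kind = "unapproved_app_with_write" if any(map(is_write_scope, scopes)) else "unapproved_app"
            findings.append((app, user, kind))
            continue
        extra = scopes - APPROVED_APPS[app]
        if extra:
            # Scope creep: the app asked for more than it was reviewed for.
            findings.append((app, user, "scope_creep:" + ",".join(sorted(extra))))
        if today - last_used > STALE_AFTER:
            # Dormant grant: still a credential, still an attack surface.
            findings.append((app, user, "stale_grant"))
    return findings


# Constructed sample export; a real one comes from your IdP's admin API.
SAMPLE_GRANTS = [
    {"app": "Meeting Notes Bot", "user": "alice", "scopes": ["calendar.readonly", "drive.readonly"], "last_used": date(2024, 5, 20)},
    {"app": "Meeting Notes Bot", "user": "bob", "scopes": ["calendar.readonly", "drive.readonly", "drive.full"], "last_used": date(2024, 5, 20)},
    {"app": "Helpdesk Agent", "user": "svc-helpdesk", "scopes": ["tickets.read", "tickets.write"], "last_used": date(2024, 1, 3)},
    {"app": "Connect Your Drive Summarizer", "user": "carol", "scopes": ["drive.readonly"], "last_used": date(2024, 5, 19)},
    {"app": "Slack Autopilot", "user": "dave", "scopes": ["chat.write", "users.admin"], "last_used": date(2024, 5, 1)},
]
REVIEW_DATE = date(2024, 6, 1)


def demo() -> list:
    return review_grants(SAMPLE_GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    for app, user, finding in demo():
        print(f"{finding:32} {app} ({user})")
```

Running this on a schedule and feeding the `unapproved_app_with_write` rows into a ticket queue is the cheap version of "review OAuth/app grants regularly"; the read-only unapproved ones are where you go talk to the user rather than revoke on sight, which is the paved-road part.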
Shameless plug, zero regrets
If your team keeps saying “we need people to learn Linux” but the actual training plan is vibes and a shared Google Doc from 2018, I built Shell Samurai.
It teaches Linux through hands-on practice instead of another passive video course. Useful for help desk folks, junior admins, homelab people, and anyone who keeps pretending they are “going to learn the terminal soon.”
App is here: https://app.shellsamurai.com/
Claude is not just a chatbot anymore. Is your security team ready?
Claude.ai is one thing. Claude Cowork with MCP connections, running agentic workflows, taking actions across your data with ungoverned skills? That is a different conversation entirely, and most security teams are not equipped to govern it.
Harmonic Security is built to secure everything Claude offers. Full browser controls for Claude.ai, deep governance over agentic MCP workflows, and real-time visibility into what Claude is doing across your organization. So your CISO can say yes to the tools your business is already demanding.
Final thought
AI agents are going to be useful. They are also going to be messy, over-permissioned, poorly inventoried, and shoved into workflows before anyone writes down who owns them.
So the move is not panic. The move is not blind hype either.
The move is to treat agents like any other real system:
inventory them
scope permissions
log actions
review access
gate risky changes
verify outputs before trusting them
In other words, the future still needs boring IT fundamentals.
Because apparently even the robot revolution needs change control.
Stay paranoid. Stay patched. See you next Friday 🤠