Chen Pipek· CPO, Co-founder of aizome8 min readIf you were working in enterprise security in the early 2010s, you remember the BYOD moment.
Employees started showing up with iPhones and Android devices, connecting them to corporate email, accessing sensitive data, and conducting business entirely outside the device management infrastructure the security team had spent years building. IT didn't authorize it. Security didn't govern it. It just happened because the productivity benefit was immediate and obvious, and the risk was invisible until it wasn't.
The industry eventually caught up. MDM platforms emerged. Policies were written. Acceptable use frameworks were established. It took years, cost real money, and required a fundamental rethinking of the enterprise perimeter. Some organizations learned the hard way.
We are at that moment again. But this time, the thing employees are bringing into the enterprise isn't a device. It's an agent. And the governance gap is significantly larger.
Welcome to BYOA - Bring Your Own Agents.
BYOA isn't a future risk. It's a current operational reality in most enterprises, whether security teams know it or not.
A Finance analyst builds an agent to automate the monthly reconciliation process. It connects to the ERP, pulls from accounts payable, and writes outputs to a shared drive. It took an afternoon to build and saves hours every week. Nobody submitted a security review request.
A Sales Operations manager deploys an agent to enrich CRM records by querying external data sources and internal databases. It has broad read access to the CRM, connectivity to three external APIs, and nobody has mapped its data access paths.
An IT engineer spins up an agent to automate ticket triage and escalation. It reads from the service desk platform, writes to multiple systems, and sends communications on behalf of the IT team. Its credentials are hardcoded. Its owner is whoever built it.
None of these are malicious deployments. All of them represent real security exposure. And all of them are happening right now, at scale, in enterprises that believe their AI governance programs are in reasonable shape.
A 2026 survey found that only 24% of organizations have full visibility into which AI agents are communicating with each other. More than half of all agents run without any security oversight or logging. The average enterprise now manages 37 deployed agents, a number growing every quarter as individual teams spin up automation without central review.
The BYOD problem was fundamentally a device management problem. A device is a physical artifact. It has a MAC address, an operating system, and a hardware profile. You can detect it on the network, classify it, apply policy to it, and if necessary, wipe it.
BYOA is a different class of problem entirely, and harder in almost every dimension.
Agents are invisible until they act. A rogue device shows up on the network. An unauthorized agent shows up nowhere until it starts executing workflows, accessing data, and invoking tools. By the time most security teams would detect a BYOA agent, it has already been operating in the environment for weeks or months.
Agents don't have a fixed footprint. A device has a defined set of capabilities and a stable identity. An enterprise AI agent's footprint shifts with every task. The data it accesses, the tools it invokes, the systems it touches, all of it is contextually determined at runtime. You cannot map the attack surface of an agent the way you map the attack surface of a device.
Agents act autonomously. A BYOD device is passive until a human uses it. A BYOA agent acts on its own, executing workflows, making decisions, and accessing sensitive data, with no human in the loop. The blast radius of a misconfigured or compromised agent is not bounded by what a human operator would do with it. It's bound by whatever permissions were provisioned and whatever workflows it can reach.
Agents connect to everything. A BYOD device connects to the corporate network. A BYOA agent connects to your ERP, your CRM, your HR platform, your financial systems, your cloud storage, your external APIs, and potentially other agents. Each connection is an access path. Most of those access paths were never reviewed, scoped, or approved by security.
Agents leave complicated trails. A device access log tells you when a device connected and what it accessed. An agent execution log tells you what actions were taken, but not whether those actions were consistent with the intent of the workflow that initiated them, who is accountable for the outcome, or whether the behavior drifted from what was expected. The audit challenge is fundamentally different.
When BYOD emerged, the enterprise security response followed a predictable pattern: detect devices, classify them, apply policy, enforce compliance, and, where necessary, block access. MDM platforms were purpose-built for exactly this workflow.
The temptation with BYOA is to reach for the same playbook. Detect agents, classify them, apply policy, enforce compliance. The NHI governance frameworks that many enterprises are extending to cover AI agents are essentially attempting this, treating BYOA agents as a new category of non-human identity to be governed with existing tools.
It won't work. Not because the instinct is wrong, but because the underlying assumptions don't hold. MDM works because devices are deterministic. You know what a compliant iPhone is supposed to look like, how it's supposed to behave, and what it's supposed to have access to. Policy enforcement is straightforward because the compliance state is static and verifiable.
Enterprise AI agents are not deterministic. Their behavior is contextually driven. Their access patterns shift with every workflow. A governance model built on static policy enforcement cannot keep pace with systems that reason and adapt in real time.
What you need for BYOA takes inspiration from MDM - the instinct to discover, classify, govern, and enforce policy across a sprawling population of autonomous actors is exactly right. But MDM was built for passive devices. The architecture for BYOA needs to go further: an orchestration layer designed specifically for autonomous actors that discovers agents automatically, understands their behavior dynamically, and enforces controls at the intent layer, not just the permission layer. Same spirit. Fundamentally different infrastructure.
Based on what I see in enterprise AI deployments, BYOA risk concentrates in three specific failure modes that existing governance programs consistently miss:
Failure Mode 1: The Invisible Agent An agent operating in the environment with no inventory entry, no documented owner, no governance policy, and no audit trail. It was built by a business unit, connected to enterprise systems, and never surfaced to the security team. It may have been running for months. Every day it operates undetected is a day of unquantified exposure.
Failure Mode 2: The Scope Creep Agent An agent that was correctly provisioned and initially well-scoped, but whose access has expanded over time as the workflows it supports have evolved. Nobody updated the governance policy because nobody was watching the agent's behavior continuously. Its current access profile looks nothing like what was authorized when it was deployed.
Failure Mode 3: The Inherited Trust Agent. An agent that operates within its own permissions but inherits authorization context from upstream agents or human workflows in ways that effectively expand its functional access beyond what was intended. The permissions are correct. The trust inheritance is not. This is the failure mode that existing governance tools are least equipped to detect.
The enterprises that will handle BYOA well are not the ones that try to prevent it. Employees building agents to solve problems is a feature of a productive workforce, not a bug. The goal is not to stop agents from being deployed; it's to ensure that every agent that gets deployed is visible, governed, and accountable.
That requires four capabilities that most enterprise security programs don't yet have:
Automatic discovery. Every agent operating in the environment, built by IT, built by business units, deployed through enterprise platforms, or spun up by individual employees, needs to be found automatically. Not through a self-registration process that depends on the people building agents to report them. Automatic, continuous discovery that doesn't rely on human compliance.
Behavioral baselines. Every discovered agent needs a behavioral baseline, what it typically accesses, which tools it invokes, and what its normal execution patterns look like. Not a static policy defined at provisioning time, but a dynamic model derived from observed behavior that can detect when an agent starts operating outside its expected pattern.
Identity and ownership mapping. Every agent needs an identity, a boundary, and a documented human owner. Not because ownership alone provides governance, but because accountability requires a clear chain of authority from agent action back to human authorization.
Runtime controls. The ability to enforce governance at the point of operation, validating agent actions in real time against behavioral baselines and authorization context, not just checking permissions at the gate.
BYOD required the industry to build an entirely new category of security infrastructure. BYOA will require the same. The enterprises that start building that infrastructure now, before the incidents that make it undeniable, will be the ones that deploy AI with confidence while their peers are explaining failures to their boards.
BYOD took years to become a recognized enterprise security problem. By the time most organizations had mature mobile device management programs, they had already absorbed the cost of the incidents that made investment unavoidable.
BYOA is moving faster. The productivity case for employee-built agents is stronger than it was for personal devices. The tools for building agents are more accessible. And the systems those agents connect to are more sensitive than a corporate email inbox.
The agents are already in your environment. The question is whether you can see, govern, and control them.
Chen Pipek is CPO and Co-Founder of aizome, an Enterprise AI Agent Control Platform. He previously co-founded and led AxoniusX within Axonius and has held engineering and security leadership positions for over 20 years.
Chen Pipek
CPO, Co-founder of aizome
The latest news, technologies, and resources from our team.
By the end of 2026, most large enterprises will operate a digital workforce of over 1,600 AI agents, according to IBM's Think 2026 survey. That number sounds like progress. It is progress. But it comes with a question most enterprises cannot answer.
Roee Salomon
I've spent a significant part of my career thinking about incident response. Not the playbook version - the real version. The version where something has already gone wrong, the pressure is high, the timeline is compressed, and the team is trying to answer a deceptively simple question: what happened, and how do we stop it from getting worse. With enterprise AI agents, it's about to get categorically harder.
Chris Cochran
OAuth 2.0 is a well-designed protocol. It solved a real problem elegantly, it scaled across the internet, and the patterns it established are genuinely good engineering. It was also designed for a world that no longer describes what enterprise AI agents actually do.
Roee Salomon
SailPoint launched Agentic Fabric. Okta launched its AI Agents blueprint. The message is consistent: extend your existing identity controls to cover AI agents. It's a reasonable instinct. It's also incomplete in a way that matters enormously.
The identity industry has spent the last two years building NHI security programs, extending governance frameworks, and applying non-human identity controls to enterprise AI agents. The vendors are on board. The analysts are aligned. The conference sessions are packed. And we are governing the wrong thing.
Amir Ofek
Static policy cannot see context. It can tell you whether an action is permitted. It cannot tell you whether a permitted action is appropriate, right now, in this workflow, for this data, at this moment in the chain. That gap is not a failure of NemoClaw. It's a structural limitation of policy-based security applied to systems that reason and adapt.
Chen Pipek
Occasional, substance-first notes on making enterprise AI agents accountable. No spam; unsubscribe anytime.
