"Intent" has become the most overloaded word in enterprise AI security.
Every major vendor entering the agentic AI governance space is using it. Intent-based detection. Intent-aware controls. Intent-aligned permissions. Declared intent. The word is everywhere.
And if you've been in this industry long enough, you've seen this movie before. We called it system instructions. Then roles. Then purposes. Then goals. Now it's intent. The term changes with the cycle. The underlying question is: does this agent actually do what it's supposed to do, doesn't.
What "intent" actually means architecturally, mechanically, at the point of enforcement varies enormously across implementations. The difference between a vendor that uses "intent" as a marketing label and one that has built a genuine intent governance architecture is the difference between controls that hold under pressure and controls that look complete on paper and fail in production.
What the Market Means by Intent - And Why It's Incomplete
The dominant interpretation of "intent" in the market today falls into two categories.
The first is declared intent at provisioning time - capturing what an agent was built to do as part of its registration and governance process, expressed either as a natural language description of the agent's purpose or as a role assignment that maps the agent to a defined set of business functions. Both approaches anchor the agent's identity to its intended use. Both are correct and necessary. Neither holds up in practice.
Here is why. Agents must perform a wide array of actions across complex, shifting workflows. To avoid functional bottlenecks, you are forced to use high-level instructions, broad enough to cover the range of what the agent might need to do. But broad instructions are weak instructions. The more you generalize to avoid breaking the agent's function, the less the intent declaration actually constrains its behavior.
Role assignment has a different problem. In theory, mapping an agent to a business role sounds clean and manageable. In reality, agents evolve faster than any role definition can keep pace with. A role defined on day one is outdated by day two: new workflows, new integrations, new use cases that nobody anticipated when the agent was provisioned. Maintaining accurate role definitions across a growing population of fast-moving agents is not scalable. Organizations either accept stale role definitions that no longer reflect what the agent actually does, or they spend more time updating governance records than they do governing agents.
The second is prompt-level intent engineering, inferring what the human user intends from the content of their prompt and using that inference to scope what the agent can access in a given session. Theoretically valuable. Practically limited. Gartner's analyst research is explicit: prompt-level intent cannot be reliably used to drive direct access control decisions because AI-based prompt interpretation introduces unacceptable error rates, both false positives and false negatives, for security-critical authorization decisions.
The third interpretation, and the one I am most concerned about, involves ephemeral access grants. Some vendors are building controls around the idea that an agent's intended actions should determine its access in real time: observe what the agent plans to do next, grant it access to do that, and revoke it immediately after. Ephemeral by design.
The concept is worth naming clearly so it can be put to rest.
The fundamental problem is segregation of duties: no entity should authorize its own access, whether human or autonomous. The moment you let an agent's stated intentions drive its own access grants, you have handed the policy decision to the entity the policy is supposed to govern.
But there is a second problem that makes the ephemeral framing self-defeating. If an agent maintains continuous access to perform its functions, which any production agent must, by definition, it ceases to be truly ephemeral. Continuous access inherently defeats the purpose of an ephemeral design. What you are left with is a governance model that sounds principled in theory and collapses under operational reality. The agent's intended actions are genuinely useful, but for enforcement against an established policy, not as the source of the policy itself.
The Three Intent Types and Why Only One Controls Access
According to a Gartner analyst note on intent-based access control for AI agents (Nathan Harris, May 2026), intent-based access control for AI agents establishes a framework worth building on because it makes the critical distinctions clearly.
There are three types of intent involved in governing enterprise AI agents:
The organization's intent for the agent - what the agent was built to do, captured from the resource owner as part of the agent governance and registration process. This is the primary intent that matters for access control. It is critical, not merely useful. Without it, least privilege is impossible to enforce because you cannot configure the minimum access necessary to perform a function without knowing what that function is.
The human at the prompt's intent - what the user asking the agent to do intends in this specific session. This has theoretical value for further downscoping access within a session, but is not practically ready for driving direct access control decisions. It can inform policy improvement recommendations, but it cannot be the enforcement mechanism.
The agent's intended actions - what the agent plans to do next. Practically achievable. Completely unusable for setting access policy. Useful only for enforcement against a policy set by the organization, not by the agent itself.
Most vendors claiming "intent-based" governance are either conflating these three types or building primarily on the second and third, the ones with the lowest usefulness for actual access control. The result is a governance model that is more sophisticated than static RBAC but still structurally insufficient for the failure modes that matter most in enterprise AI deployments.
What aizome Means by Intent
aizome's intent model was designed from the ground up to address all three intent types correctly, using each one for what it is actually good for, and not asking it to do what it cannot reliably do.
Here is how the architecture works in practice.
Layer 1: Organizational Intent at Provisioning
When an agent is onboarded into the aizome platform, whether it was built internally, deployed through a SaaS platform, or discovered through our endpoint or connector infrastructure, it goes through an intent registration process that captures the organizational intent for the agent in structured form.
The starting point is a simple but powerful framing: an agent operates either on behalf of a specific user or to fulfill a distinct business function. These two modes of operation provide the critical organizational context that makes intent inference meaningful. From that context, we can determine with precision what enterprise systems the agent should be able to interact with, what data types it should exchange, and most importantly, whether it should be able to read, write, or delete.
We do not rely primarily on natural language descriptions of intent. Natural language is expressive and flexible, but as Gartner notes, it requires an additional AI layer to translate into access policies, and that translation comes with error rates that degrade access control quality. Instead, we map agents to business roles, the same roles that would be assigned to the humans performing equivalent functions, supplemented by explicit scope definitions that constrain the agent's data access, tool invocations, and system connectivity.
This organizational intent becomes the authorization baseline. Every subsequent evaluation of the agent's behavior, at runtime, in drift detection, in incident analysis, is measured against it. It is the source of truth for what this agent is supposed to do, established by the humans accountable for it, not inferred from the agent's own behavior.
Layer 2: Runtime Intent Observation
This is the layer most intent-based approaches do not have, and the one that matters most for governing enterprise AI agents in production.
aizome deploys as an inline identity broker at the point of agent operation. Every tool call the agent makes, every API invocation, every data access, every interaction with another agent or system passes through aizome's enforcement layer in real time. This gives us something most governance approaches lack: continuous visibility into what the agent is doing at the moment it is doing it.
But Layer 2 goes further than observation. By capturing the entire interaction, not just the isolated prompt, but the full context of what the agent is doing and why, we can deduce the appropriate access level dynamically. This mapping extends beyond broad system access to encompass granular permissions and the specific data types expected during the exchange. An agent that is mid-workflow in a Finance reconciliation task should have precisely the access that workflow requires, not the broadest access its role permits, and not a static permission set defined weeks ago when the agent was first provisioned.
The agent's prompt and reasoning chain. When an enterprise AI agent is given a task, it generates a reasoning trace, the chain of thought that leads from the input to the planned sequence of actions. This trace is the most direct observable signal of what the agent believes it is supposed to be doing. We capture it, structure it, and use it as the basis for intent inference at runtime.
This is not the same as using the agent's intended actions to set policy, the segregation of duties violation I described earlier. The reasoning chain doesn't set the policy. It provides a real-time signal that we evaluate against the organizational intent baseline established at provisioning. The question we're asking is: does this agent's current reasoning indicate behavior consistent with what it was built to do? If the agent was provisioned to process vendor invoices and its reasoning chain indicates it is planning to access the employee directory, that discrepancy is detectable before the action executes.
The tool call sequence. Every tool invocation is evaluated against the agent's established intent profile - not just "is this tool permitted" but "is invoking this tool, in this sequence, in this context, consistent with the intent that provisioned this agent?" An agent with permission to access accounts payable data may have legitimate reasons to query the vendor database and the ERP. If it begins chaining those tools in a sequence that doesn't match any expected workflow pattern for its defined purpose, that's a behavioral signal that warrants evaluation.
The data access pattern. What data the agent is touching, in what volume, in what combination, compared to what it has historically accessed within its defined intent scope. Data access patterns are one of the most reliable intent drift signals because they reflect what the agent is actually working with, not just what it was permitted to touch.
These three signals are combined in real time into an intent consistency score for each agent session. Sessions that fall outside the expected intent envelope trigger dynamic responses, from additional logging and human-in-the-loop escalation for borderline cases to hard blocks for actions that clearly exceed the agent's established intent scope.
Layer 3: Intent Drift Detection
This is the capability that I believe is the most underinvested area in the market, and the one that matters most as enterprise AI deployments mature.
Intent drift is not the same as a behavioral anomaly. Behavioral anomaly detection looks for statistical outliers, actions that fall outside the normal distribution of what an agent has done historically. It is useful and necessary. It is not the same as intent drift.
Intent drift occurs when an agent's behavior progressively moves away from its organizational intent, not in ways that necessarily trigger anomaly detection signals, but in ways that represent a meaningful divergence from what the agent was built to do. It can happen gradually, driven by changes in the workflows that invoke the agent, changes in the data environment, or changes in the agent's model or configuration. It can happen suddenly, driven by prompt injection, model manipulation, or deliberate misuse.
This is where Layer 2 and Layer 1 work together to make drift detection reliable.
Layer 2's runtime observation generates a continuous stream of behavioral signals: the reasoning chain, the tool call sequence, the data access pattern - for every agent session. Those signals are benchmarked in real time against two things simultaneously: the organizational intent baseline established at provisioning in Layer 1, and the agent's historical behavioral profile derived from all prior sessions.
This dual benchmarking is what separates true intent drift from expected adaptation. An agent that begins accessing a new data source may be drifting from its original intent, or it may be legitimately adapting to a workflow change that its owner sanctioned. By correlating the real-time signal against both the stated intent from Layer 1 and the observed behavioral patterns from Layer 2 history, the system can determine whether the variance falls within normal expected boundaries or represents a genuine anomaly that warrants a response.
Drift is measured at the session level and the trend level.
At the session level: is this session's behavior consistent with the agent's intent profile? This catches single-session anomalies, an agent doing something outside its normal scope in a specific invocation.
At the trend level: is the agent's behavior profile evolving in a direction that diverges from its organizational intent over time? This catches the gradual drift cases, an agent whose scope has effectively expanded through accumulated workflow changes without anyone updating the governance record.
When drift is detected, the response is graduated. Minor drift generates an alert and a governance recommendation. Significant drift triggers automatic scope restriction and escalation. Severe drift, behavior that falls clearly outside any plausible interpretation of the agent's organizational intent, triggers session termination and incident logging.
The Slide on Stage at Identiverse
I want to come back to the Identiverse slide I referenced at the opening - "Identity Before Privilege, Declared Intent, Sender-Constrained, Re-evaluate On Signals, Explicit Authority."
These five principles are correct. I agree with all of them. They represent the right framework for thinking about intent at the provisioning layer, and any enterprise AI governance program that doesn't implement them is behind.
But they describe a point-in-time view of intent governance, the moment when the agent is registered, scoped, and authorized. What happens at minute one of production is captured by these guidelines. What happens at week six, in a multi-agent chain, after the workflows that invoke the agent have evolved in ways nobody mapped at provisioning time, that is the question these guidelines don't answer.
The governance infrastructure that actually matches the threat model of enterprise AI agents needs to be continuous, not just periodic. It needs to operate across chains, not just individual agents. It needs to detect drift over time, not just violations at registration. And it needs to maintain the original authorization context across every hop in the chain, not just at the point of entry.
That is the architecture aizome is built around. Not as an alternative to the provisioning-layer principles on that slide, but as the layer that makes them enforceable across the full lifecycle of enterprise AI agent operation.
A Note on What This Means in Practice
I want to be direct about the maturity gap this represents for most enterprises.
Gartner is predicting that by 2027, 40% of enterprises will demote or decommission autonomous AI agents due to governance gaps identified only after production incidents occur. The root cause they identify: treating AI agent governance as binary, either locked down or fully trusted.
Intent governance is the answer to binary thinking. But only if it operates at the right architectural layer, across the full execution chain, continuously, with drift detection that catches what static policy cannot, and not just as a label applied to provisioning-time controls.
The enterprises that build this infrastructure before the production incidents will be the ones that deploy AI agents confidently at scale. The ones that rely on provisioning-time intent capture alone will discover the gaps the hard way.
If you're building or evaluating enterprise AI agent governance infrastructure and want to go deeper on how aizome's intent architecture works in your specific environment, I'd welcome the conversation.
Chen Pipek is CPO and Co-Founder of aizome, an Enterprise AI Agent Control Platform. He previously co-founded and led AxoniusX within Axonius and has held product and security leadership positions for over 20 years.