Most vendors policing AI agents are using an LLM as the core component of their intent analysis. We think that's the wrong architectural choice - and here's the more nuanced picture of what actually works at production scale.
Gartner's 2026 Hype Cycle for Digital Identity just named Intent-Based Access Control as an emerging authorization framework for agentic AI. Their analysis is sharp: the two most common ways enterprises authorize AI agents today, granting the agent the human user's access or giving agents persistent long-lived access, both result in over-permissioning. The answer is intent-based access control that downscopes access per session and per transaction, based on the captured intent of the user and the agent.
They also identified the obstacles. The one that matters most for how you build the system:
"Translating ambiguous, unstructured natural language instructions into precise, machine-readable authorization policies is highly complex and never 100% achievable at high quality. This error rate will discourage some organizations from adopting this approach."
That obstacle is real. And it is exactly the problem we set out to solve when we designed aizome's intent analysis architecture.
The obvious approach, the one most of the market is shipping, is to throw an LLM at the problem. Feed it the prompt, the context, the agent's history, and ask it to flag anything that looks wrong. It's flexible, fast to prototype, and general-purpose enough to handle the variety of inputs enterprise AI agents produce.
We built something more nuanced. Here's why the architecture matters.
Why an LLM Can't Be the Core Component of Intent Analysis
Three issues show up fast at production scale.
Latency. LLM inference runs in seconds. Intent analysis has to run inline, on every tool call, without becoming the bottleneck in an agent's execution path. An agent operating at machine speed cannot wait for a general-purpose model to reason about whether its next action is safe. The control layer has to be faster than the thing it's controlling.
Cost. Running a large model as a real-time control layer on top of every agent action doesn't scale economically once you're governing thousands of agents making constant tool calls. The math breaks down quickly. Intent analysis that costs like the agent operations it's governing isn't a governance model - it's a tax that kills adoption.
Deployment footprint. Enterprises increasingly want controls that can run locally, on workstations, in air-gapped environments, in deployments where data cannot leave the perimeter. General-purpose frontier LLMs aren't built for that footprint. They require a hosted API call, which means the control layer itself introduces data exposure risk in environments where it is most critical.
This doesn't mean LLMs have no role in intent analysis. It means they cannot be the core component, the primary enforcement layer that makes real-time authorization decisions on every agent action. The architecture that actually works at production scale uses LLMs selectively, for the specific judgments where their generative reasoning adds value, while relying on purpose-trained models for the latency-sensitive, cost-sensitive, deployment-sensitive decisions that happen inline on every tool call.
There is a fourth problem that is subtler but arguably more important than the first three: shared blast radius.
Most frontier LLMs are trained on overlapping data and share significant architectural lineage. If an attacker can manipulate one model's reasoning through prompt injection, adversarial inputs, or context poisoning, there is a meaningful chance the same technique will work against other large models.
Using an LLM to guard against LLM-driven risk means your control layer can inherit the same blind spots as the thing it's supposed to be watching. That is not a theoretical concern. Gartner's Hype Cycle analysis notes that malicious attacks, such as indirect prompt injection, can manipulate AI agents into executing unauthorized actions. If the defense layer uses the same type of model as the attack vector, you have structural fragility.
What We Built at aizome Instead
aizome's intent analysis runs on a mesh of small, purpose-trained models. Not one general model, but many narrow ones, each trained for a single, specific judgment.
One assesses whether a prompt aligns with the user's actual job function based on their organizational role and historical behavior. Another determines whether a request is work-related at all. Another evaluates whether the data being accessed matches the data types the agent was provisioned to handle. Another flag indicates whether the tool call sequence deviates from the agent's established behavioral baseline. Each model is dedicated to one dimension of "does this look normal" - and their outputs combine in real time to produce a continuous read on whether an agent's behavior is drifting from its organizational intent.
This architecture directly addresses the Gartner obstacle. The error rate concern with intent-based access control stems from using AI to interpret natural language intent, a probabilistic, general-purpose problem that inherits all the limitations of the model doing the interpreting. Our mesh evaluates structured behavioral signals.
In practice, this gives us three capabilities that matter at enterprise scale:
Speed. Milliseconds, not seconds - small, dedicated models that operate within the agent's execution window, not after it.
Local deployment. Lightweight enough to run on-prem or in air-gapped environments. The data stays where it needs to stay.
Independence from shared training bias. Each component is purpose-built for a specific judgment. A weakness in one doesn't cascade into the others.
The Determinism Argument
Gartner makes a point worth dwelling on: organizations that require strong risk and compliance controls will, by necessity, implement deterministic access controls based on roles, attributes, and relationships. Intent-based approaches built on probabilistic interpretation trade determinism for flexibility, and for compliance-sensitive enterprise environments, that trade-off is frequently unacceptable.
This is the core architectural tension in the intent-based access control space. Here is how aizome addresses it.
In addition to the speed, deployment, and bias-independence features described above, aizome expands the context used for intent analysis to yield a more deterministic outcome. The mesh doesn't just evaluate the current prompt and tool call in isolation. It incorporates the organizational structure, the role this user holds, the team they belong to, and the systems their function typically accesses. It will incorporate over-time agent behavior - how this agent has operated historically, what its established patterns look like. It incorporates user activity context - what the invoking human has been doing, what their recent interactions with the agent suggest about their intent.
aizome replaces vague, prompt-level AI filtering with a deterministic, structured governance mesh. Instead of using natural language, we map an agent's permissions to rigid enterprise constructs: business roles, data classes, and behavioral boundaries.
By evaluating actions against this machine-readable baseline alongside full organizational context, the mesh provides auditable, rule-based compliance without killing agent flexibility.
The Result: A Live Picture of Agent Intent
This architecture is what powers what we call the Guardian Agent view, a real-time visualization of every agent's prompts and actions flowing through the system, scored against the organizational intent policies configured for that agent.
Data sensitivity thresholds. Behavioral drift signals. Role boundary evaluations. Tool call sequence analysis. Each classifier's output is visible, individually and in combination, giving security and IAM teams a live picture of what every agent is actually doing, and whether that matches what it is supposed to be doing.
Where a policy would trigger, you see it, whether or not enforcement is active. This matters enormously for the organizations that Gartner identifies as facing the balancing act between strict security boundaries and operational usability. You can observe intent drift before committing to enforcement, tune thresholds against real behavioral data, and build the organizational confidence that makes enforcement at scale sustainable rather than disruptive.
What Survives Production at Scale
Gartner rates intent-based access control as high-benefit and embryonic, with less than 1% market penetration and a 5-10-year timeframe to mainstream adoption. The obstacles they identify are real, and they will slow the market. The latency problem, the cost problem, the determinism problem, the shared blast radius problem- these are not theoretical concerns. They are the reasons most of the intent-based access control approaches being prototyped today will not survive contact with production enterprise environments.
The architecture that does survive production at scale will be the one that addresses these obstacles directly. Not general-purpose LLM inference. Not probabilistic natural language interpretation. Structured intent capture, purpose-trained mesh components, deterministic evaluation, local deployment capability, and a control layer with a fundamentally different attack surface than the agents it governs.
That is the architecture we built. And it is the architecture the enterprise market will converge on as the embryonic phase of intent-based access control matures into something that compliance teams, auditors, and boards can rely on.
Chen Pipek is CPO and Co-Founder of aizome, an Enterprise AI Agent Identity Fabric Platform. He previously co-founded and led AxoniusX within Axonius and has held product and security leadership positions for over 20 years.