Synopsis: The shift from contained enterprise automation to fully autonomous AI agents has outpaced the security infrastructure around it. Inside the perimeter, where bots are scoped to a workflow and an identity team controls what they can touch, the risk is manageable. The chaos lives outside that perimeter — in the consumer market, where individuals are handing AI agents direct access to their email, calendar, banking and accounting software with no real governance behind any of it.
Valentin Vasilyev, CTO of Fingerprint, sits down with Mike Vizard to map out what that delegation actually looks like in practice. Every time a user grants an agent permission to act on their behalf, a new identity chain gets created — one traditional IAM systems weren’t designed to model. Multiply that by millions of consumers running open-source agents, and the resulting traffic mix becomes nearly impossible to distinguish from legitimate human activity.
Vasilyev gets into the harder problem underneath: prompt-injection attacks, AI-to-AI negotiations and whether intent can be reliably inferred from a sequence of agent actions. His argument is that classical bot detection — signatures, behavioral heuristics, CAPTCHA — falls apart against autonomous agents that change tactics on the fly. What replaces it has to be built around continuous observability and intent classification at the request level, not the session level.
The forward-looking thread is that the asymmetry is only going to widen. Defenders have to assume an environment where most of the entities hitting their systems are autonomous, where those entities can collaborate against them, and where the human in the loop is increasingly the agent’s principal rather than the attacker. Organizations that don’t start actively managing their agent ecosystem now will end up with one running without them.

