The day the chatbot asked for sudo

Early enterprise AI systems were mostly read-only. Chat over documents, search, and summarization. The blast radius was small. As soon as agents can take actions, issue refunds, change limits, modify data, or trigger workflows, the risk profile changes completely. At that point, prompts and guardrails are no longer enough. You are no longer evaluating whether an answer sounds reasonable. You are responsible for justifying why an action was allowed, under audit, during an incident, or in front of a regulator. This session introduces a practical way to secure agentic systems by drawing a hard boundary between probabilistic reasoning and deterministic execution. Instead of trusting the model to behave, every proposed action is treated as a structured intent, evaluated against explicit policy, and enforced at runtime close to the protected system. We will walk through a reference architecture for “shift down” security, where authorization decisions live below the AI layer. The focus is on preserving developer velocity and system performance while making agent behavior reviewable, explainable, and safe to operate in production. Attendees will leave with a clear framework for integrating AI agents into real systems without turning them into ungovernable sources of risk.