When it comes to securing AI Agents and Agentic Workflows, if you think “Human in the loop” is the gold standard, well, think again.
In early March 2026, Alexey Grigorev, an AI teacher and ML engineer, wiped out his entire AWS production deployment with the help of Claude Code and Terraform, and he approved the change himself. Fortunately for him, he was able to restore the environment from a backup after upgrading his AWS business subscription at extra cost.
Also in March 2026, an engineer at Meta posted a technical question to an internal forum. Another engineer picked it up and fed it to an internal AI agent, which posted an answer directly to the forum without asking anyone. The answer was wrong, but the first engineer apparently followed its instructions without a second thought. This granted all of Meta’s engineers full access to confidential user data for over two hours, causing a Sev1 incident.
Back in mid-December 2025, engineers at AWS allowed Kiro, an internal AI coding tool, to make changes that resulted in a 13-hour outage of an entire region in China.
And the list goes on.
In all of these cases, humans were in the loop and blindly accepted or approved the AI’s code, recommendations or requests, oblivious to the consequences. It goes to show that if AIs can’t be trusted, humans can’t be either. Insisting on keeping humans in the loop is therefore no guarantee of real safety, as humans and AIs alike make mistakes. In fact, humans are more likely to quickly approve the AI’s requests than to perform due diligence and verify the minutiae of the AI-generated solutions. We see the same pattern in traditional Access Verification programs in Identity Management, where reviewers simply approve everything to get the chore over with.
We therefore need something else.
Why the system, not the human, needs to enforce safety
The core issue is that most AI systems rely on soft controls rather than enforceable boundaries. Guidelines, prompts, and after-the-fact approvals are treated as safeguards, but they don’t actually prevent unsafe actions.
As agentic systems grow more complex, with multiple agents calling tools and delegating tasks across systems, this becomes a real risk. Problems like prompt injection, confused delegation, misuse of tools, and lack of traceability are expected failure modes, not edge cases.
What’s needed is a shift in mindset.
Instead of asking, “Did a human approve this?”, the better question is, “Was this action allowed by design?”
That means embedding control directly into the workflow. Every request, delegation, and tool call should be validated in real time against explicit policies, known identities, and the full chain of responsibility behind the action.
In other words, safety needs to be enforced within the system itself, not outsourced to the person clicking “approve”.
What secure and controlled AI agent workflows should look like
In a properly controlled agentic environment:
- Agents cannot access tools or data unless explicitly permitted
- Every action is tied to a verifiable initial intent, identity and delegation chain
- Workflows are continuously validated against policy
- Decisions are logged, traceable, and auditable in real time
This introduces determinism into systems that are otherwise probabilistic. It limits what agents can do through enforceable rules, not trust.
How AgentControl introduces real security for AI agents
This kind of control requires dedicated enforcement layers inside the workflow, which is what approaches like AgentControl are designed to provide.
Rather than relying on humans as the final safeguard, AgentControl introduces policy enforcement points directly into agent interactions. These act as control gates that sit between agents, tools, and external systems, ensuring that every message and action is evaluated before it is allowed to proceed.
By grounding decisions in identity, context, and intended use, this model brings structure and accountability to otherwise opaque agent behavior. It also ensures that even as systems scale to dozens or hundreds of interacting agents, control does not degrade.
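As an added illustration of the controlled environment described in the list above and of the enforcement points described in the previous paragraphs, the following Python is a minimal policy enforcement gate for agent tool calls. It is example code written for this article, not code from AgentControl or any other product; the policy format, the intent registry, the agent names, the resource names and the `evaluate` function are all assumptions constructed for the example. Every tool call is checked against an explicit allowlist of tools per agent and per resource, tied back to a registered, scoped and time-bound human intent, validated along its delegation chain, and logged whether it is allowed or denied.

```python
"""Illustrative policy enforcement point (PEP) for agent tool calls (example, not AgentControl)."""
import fnmatch
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Tuple


@dataclass(frozen=True)
class ToolCall:
    agent: str                         # identity of the agent making the call
    tool: str                          # tool requested, e.g. "terraform.apply"
    resource: str                      # target, e.g. "aws:prod:vpc-main"
    intent_id: str                     # the registered human intent this call serves
    delegation_chain: Tuple[str, ...]  # identities from the intent owner down to this agent


# Constructed policy (assumed format). Explicit allowlists only: anything not listed is denied.
POLICY = {
    "agents": {
        "planner-agent": {"tools": {"terraform.plan"}, "max_delegation_depth": 1},
        "deploy-agent": {"tools": {"terraform.plan", "terraform.apply"}, "max_delegation_depth": 2},
    },
    "resources": {
        "aws:prod:*": {"allowed_tools": {"terraform.plan"}},  # production: plan only, never apply
        "aws:dev:*": {"allowed_tools": {"terraform.plan", "terraform.apply"}},
    },
    "trusted_delegators": {"planner-agent"},  # agents allowed as intermediate hops in a chain
}

# Constructed intent registry: what a human actually asked for, scoped and time-bound.
INTENTS = {
    "intent-42": {"owner": "alice@example.com", "scope": "aws:dev:*",
                  "expires": "2026-03-31T00:00:00+00:00"},
}

AUDIT_LOG = []  # every decision, allowed or denied, is appended here


def _resource_rules(resource):
    """Return the first resource policy whose pattern matches, or None."""
    for pattern, rules in POLICY["resources"].items():
        if fnmatch.fnmatchcase(resource, pattern):
            return rules
    return None


def _decide(call, now):
    """Apply each check in turn; the first failing check is the denial reason."""
    agent_rules = POLICY["agents"].get(call.agent)
    if agent_rules is None:
        return False, f"unknown agent identity {call.agent}"
    if call.tool not in agent_rules["tools"]:
        return False, f"tool {call.tool} not permitted for agent {call.agent}"

    res_rules = _resource_rules(call.resource)
    if res_rules is None or call.tool not in res_rules["allowed_tools"]:
        return False, f"tool {call.tool} not permitted on resource {call.resource}"

    intent = INTENTS.get(call.intent_id)
    if intent is None:
        return False, f"no registered intent {call.intent_id}"
    if now >= datetime.fromisoformat(intent["expires"]):
        return False, f"intent {call.intent_id} has expired"
    if not fnmatch.fnmatchcase(call.resource, intent["scope"]):
        return False, f"resource {call.resource} outside intent scope {intent['scope']}"

    chain = call.delegation_chain
    if not chain or chain[0] != intent["owner"]:
        return False, "delegation chain does not start with the intent owner"
    if chain[-1] != call.agent:
        return False, "delegation chain does not end with the calling agent"
    if len(chain) - 1 > agent_rules["max_delegation_depth"]:
        return False, "delegation chain deeper than policy allows"
    for hop in chain[1:-1]:
        if hop not in POLICY["trusted_delegators"]:
            return False, f"untrusted delegator {hop} in chain"
    return True, "allowed"


def evaluate(call, now_iso=None):
    """Gate a tool call: decide against policy and write an audit record. Returns (allowed, reason)."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    allowed, reason = _decide(call, now)
    AUDIT_LOG.append({"time": now.isoformat(), "agent": call.agent, "tool": call.tool,
                      "resource": call.resource, "intent_id": call.intent_id,
                      "chain": list(call.delegation_chain), "allowed": allowed, "reason": reason})
    return allowed, reason


if __name__ == "__main__":
    # Constructed demo: the same agent and intent, once against dev (allowed) and once against prod (denied).
    chain = ("alice@example.com", "planner-agent", "deploy-agent")
    for call in (
        ToolCall("deploy-agent", "terraform.apply", "aws:dev:vpc-main", "intent-42", chain),
        ToolCall("deploy-agent", "terraform.apply", "aws:prod:vpc-main", "intent-42", chain),
    ):
        print(call.tool, call.resource, "->", evaluate(call, "2026-03-10T12:00:00+00:00"))
```

The design choice worth noting is that the gate never asks the agent (or a human) whether the action is acceptable; it derives the answer from policy, identity and the recorded intent, and the default for anything unlisted is denial. A real deployment would load the policy and intent registry from a signed or access-controlled store and ship the audit records to a log pipeline, but the decision logic stays the same.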
Moving beyond human-in-the-loop to secure AI agent systems
Human oversight still has a role, but it should not be the primary control mechanism.
Humans are best suited to defining goals, intents and policies, designing workflows and setting boundaries. Enforcement, however, needs to happen automatically, consistently, and without exception. To secure AI systems we need to move from supervision to enforcement, from trust to verification, and from human-in-the-loop to control-by-design.