Skip to content
All writing
Agentic AINov 6, 2025 · 9 min read

Underwriting Autonomy: Risk in Agentic Systems

An agent that can read, plan, and act is a new kind of principal inside the enterprise, one with credentials, judgment, and no clear line of accountability. The security question is shifting from what a model can output to what an agent is permitted to do. We examine identity, scoped authority, and revocation as the primitives that matter, and why the companies solving containment for autonomous systems will look more like access infrastructure than like model tooling.

A model that only produces text is bounded by its output channel. The worst it can do is say the wrong thing. An agent that can read systems, form a plan, and take actions is a different kind of object entirely: it holds credentials, exercises judgment, and changes state in the world. It is, functionally, a new principal inside the enterprise — one that no identity system was designed to govern.

This shifts the security question. For a long time the field has focused on what a model can output: can it be jailbroken, can it be made to say something harmful, can it leak its prompt. Those questions still matter, but they are no longer the ones that keep a CISO up at night. The operative question for an agent is what it is permitted to do — which systems it can touch, which actions it can take, and under whose authority it acts when it strings together a plan no human explicitly approved.

The primitives that matter here are borrowed from access infrastructure, not from model tooling. Every agent needs a distinct, attestable identity — not a shared service account. Its authority must be scoped to the narrowest set of actions its task requires, and that scope must be enforced at the boundary, not requested politely in a prompt. And there must be revocation: a fast, reliable way to withdraw an agent's authority when it misbehaves, without taking down the systems it touches. Identity, scoped authority, and revocation are the containment triad.

That is why we believe the winning companies in agentic security will resemble access-control and identity platforms more than they resemble LLM observability tools. The hard part is not watching what the agent says; it is governing what it can reach, proving what it did, and being able to pull the plug in seconds. Containment for autonomous systems is an infrastructure problem, and we are actively backing the teams treating it as one.

The views above are those of Sentinel Ventures and are for informational purposes only — not investment, legal, or tax advice.

Apply

Ready to raise on institutional terms?

Start with an Investor Ready Audit. We'll show you exactly how an investor sees your company today — and what to fix before you go to market.