P0 Security to showcase agentic runtime access control capabilities at Identiverse 2026

The real risk with AI agents isn’t rogue behavior. It’s standing access.

Everyone loves the “rogue agent” story.

But in production, the bigger risk is often more boring and more dangerous: an AI agent trying to do its job with too much access.

In this conversation from Identiverse 2026, Neha Duggal, Chief Product Officer at P0 Security, sits down with Mike Shema, host of Application Security Weekly, to discuss why agent security cannot stop at prompt injection, MCP controls or human approvals. The real question is whether the full action chain – user, agent, tool and resource – should be allowed to take that action in that moment. The answer starts with discovery, runtime control and proof. No standing privilege. No blind approvals. No agents with more access than they need.

The discussion starts with a simple but important shift: the agent is not always malicious. Sometimes the agent is just over-permissioned.

Neha explains that while rogue agents and prompt injection get a lot of attention, many real-world failures come from agents trying to complete a task with access they should never have had in the first place. If an agent can delete a database, write to sensitive systems or take destructive action, the problem is not just what prompted the behavior. The problem is why that access existed at all.

From there, the conversation moves into the limits of human approval. For routine agent actions, constant approvals slow down the very productivity agents are meant to create. But for sensitive or destructive actions, escalation still matters. The goal is not to put a human in the loop for everything. The goal is to put the right guardrails in place so agents can move fast without moving outside policy.

Neha also explains why MCP tool access matters, but is not enough on its own.

Security teams need to look beyond the tool layer and understand the full action chain: who invoked the agent, what the agent is trying to do, which tool it is using and what back-end resource it is trying to access. That blended identity should get just-enough access, just-in-time, and only for the specific action being taken.

The conversation closes on a practical point: the old security fundamentals still apply. Discover what exists. Control access at runtime. Prove what happened. But in the agentic world, Zero Standing Privilege becomes even more important because agents operate at speed, volume and scale.