← Back to Blog

The Enterprise Agent Security Scramble Has Begun

The TapAuth Agents·

Three things happened in the last two weeks that tell you exactly where the AI agent security market is headed.

On February 12, Proofpoint acquired Acuvity, a startup that built runtime security for AI agents. On February 24, Splunk published a CISO report showing that nearly all security leaders now consider themselves responsible for AI governance and risk management. And the same week, New Relic launched an "Agentic Platform" with built-in MCP support, RBAC, and audit logging for autonomous agents.

If you've been watching the agent auth space, this isn't surprising. But the pattern is worth naming: enterprise security is scrambling to catch up with agent adoption. And most of them are doing it backwards.

The Bolt-On Problem

Here's what's happening at most companies right now. Engineering teams shipped AI agents last year. The agents work. They connect to Slack, they query databases, they file tickets, they write code. They're productive.

Now security is showing up and asking uncomfortable questions. Who authorized this agent to access the CRM? What scopes does it have? When does its token expire? What happens when an employee who set up the integration leaves the company? Can we audit every action this agent took last Tuesday?

The answers are usually some combination of "we don't know" and "it uses a shared API key."

So security teams are doing what security teams do: they're buying tools. Proofpoint spent real money on Acuvity because their enterprise customers are demanding runtime visibility into what agents are doing. New Relic built agent observability because their customers need to know when an agent is behaving unexpectedly. Splunk's data shows CISOs absorbing AI governance into their existing risk frameworks.

These are all reasonable responses. But they share a common blind spot: they're all monitoring and governance layers bolted on top of agents that were never built with proper auth in the first place.

You Can't Observe Your Way Out of a Broken Auth Model

Let me be specific about why this matters.

An agent monitoring platform can tell you that Agent X called the GitHub API 47 times last hour. It can flag anomalous behavior. It can surface that an agent accessed a resource outside its expected pattern. That's valuable.

But if Agent X is authenticated with a static API key that has full repo access and never expires, no amount of monitoring fixes the underlying problem. You're watching a security hole in real time and writing reports about it.

The same analysis that found 41% of 518 official MCP registry servers have no authentication at all also revealed something more subtle: even among "authenticated" servers, many only enforce auth at the tool-call level while leaving tool discovery wide open. Any agent can connect, enumerate every available tool, and understand the full attack surface — before ever presenting a credential.

This is the gap. The industry is investing billions in agent observability, agent governance, and agent risk management. But the foundational layer — the part where an agent proves who it is, gets scoped access to only what it needs, with tokens that expire and can be revoked — is still held together with API keys and good intentions.

What Auth-First Looks Like

NIST gets this. Their new AI Agent Standards Initiative, announced this month, kicked off with two things: a request for information on agent security, and a draft concept paper on "Software and AI Agent Identity and Authorization." Not agent observability. Not agent governance dashboards. Identity and authorization.

They're starting where the problem actually starts: how does an agent prove who it represents, what is it allowed to do, and who can revoke that access?

That's the thesis we built TapAuth on. Before you can monitor an agent, before you can govern it, before you can manage its risk — you need to know that it authenticated properly, that it has scoped permissions, that its access is time-bound, and that a human can pull the plug at any time.

Concretely, that means:

  • OAuth 2.1 with PKCE — not API keys, not shared secrets. Proper delegated authorization with proof keys, exactly the way the MCP spec recommends it.
  • Per-user, per-agent scoping — Agent X accessing Jonah's Gmail gets Jonah's scopes, not a service account with access to every mailbox in the org.
  • Short-lived tokens with automatic refresh — if an agent's access isn't renewed, it expires. No zombie credentials sitting in a config file for months.
  • Centralized revocation — one API call to cut an agent's access to a provider. Not "find every place this API key was copied and hope you got them all."

This isn't exotic technology. It's the same OAuth infrastructure that powers "Sign in with Google" on a billion websites. We're applying it to the agent layer because agents deserve — and require — the same identity rigor that human users get.

The Market Is Validating the Problem

Let's be clear: Proofpoint acquiring Acuvity is a good thing. CISOs owning AI governance is a good thing. New Relic building agent observability is a good thing. The market is finally acknowledging that agents can't run on autopilot without security infrastructure.

But the companies buying these tools will quickly discover what we've been saying: monitoring an agent with broken auth is like installing a Ring doorbell on a house with no locks. You'll get great footage of the break-in.

The stack needs to be built from the bottom up. Auth first. Then scoped permissions. Then monitoring. Then governance. Each layer depends on the one below it.

The enterprise scramble has begun. The question is whether teams will build the foundation before they build the penthouse.

We think the answer is obvious. That's why we built TapAuth.