
We’ve seen this before with enterprise technology — many times. A new technology arrives surrounded by hype and promise, organizations move quickly to deploy it, and security teams are left trying to understand exactly what has been introduced into the environment and what threats it creates. It happened with the cloud, it happened with mobile, and it’s happening now with agentic AI.
AI agents are no longer confined to experiments and proofs of concept. They are actually writing code, querying internal systems, using tools, triggering workflows, and interacting with other agents to complete tasks that, until recently, were entirely human-coordinated. Adoption is accelerating, but in many organizations the security controls around AI are not.
The issue is that it’s hard to safely deploy and scale agentic AI without proper visibility into what the agents are actually doing, what tools they can access, which MCP servers they’re reaching, and how their actions align with corporate policy and regulatory requirements.
Legacy security tools were largely built around human behavior. They could tell who accessed a file, who sent data outside the network, who logged in from an unusual device or geography, and so forth. They were not designed to inspect communication between an AI agent and an MCP server, or to determine whether an AI invoking a specific tool is expected, anomalous, or dangerous. The fact is that a compromised or overly permissive agent operating through an approved application can be effectively invisible to a security stack that was never built to watch for that kind of activity.
WitnessAI is positioning its Agentic Control as a response to that problem by delivering a single governance control plane that spans both human and agentic AI activity. The platform is designed to discover agents operating across enterprise environments, including chat applications, IDEs, agent frameworks, and custom agents running in public cloud environments. It also identifies the specific MCP servers, tools, and downstream systems those agents can reach. That visibility provides insight many organizations currently lack: without it, they cannot maintain a clear inventory of where agentic behavior is actually happening.
Maybe more important is the governance piece. WitnessAI says organizations can define a single, enterprise-wide allow list of approved MCP servers and tools, then enforce that policy consistently across all approved agentic environments. That means the same control can apply regardless of which application, model provider, or custom-built agent is involved. That’s an improvement on the fragmented governance model many enterprises have today, where controls vary by surface and different AI environments are managed in isolation.
That fragmentation is a challenge. Different AI agents are adopted through different teams, at different times, and for different use cases. Then security gets layered on afterward (assuming it happens at all). That can easily result in inconsistent governance. For example, a human user may be tightly restricted in one interface, while an agent with broad tool permissions can operate with far less scrutiny in another. As agents take on more significant tasks and have access to more substantial data, applications, and servers, that gap becomes less justifiable.
That’s why the governance consistency piece is so important.
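As an added illustration of the single enterprise-wide allow list described above (this is not WitnessAI's code; the policy schema, server names, and sample events are all constructed for the example), the following Python applies one server-and-tool allow list to MCP `tools/call` requests arriving from three different agentic surfaces, denying unknown servers and unapproved tools by default:

```python
from typing import Dict, List, Set, Tuple

# Assumed enterprise-wide allow list: MCP server id -> tools an agent may call there.
# Schema and names are constructed for this illustration, not WitnessAI's own policy format.
ALLOW_LIST: Dict[str, Set[str]] = {
    "mcp://jira.internal": {"search_issues", "create_issue"},
    "mcp://git.internal": {"read_file", "list_branches"},
}

def evaluate(event: dict) -> Tuple[bool, str]:
    """Apply the one allow list to a tool-call event, whatever surface (IDE, chat, custom agent) produced it.
    `event` is a constructed record: {"surface": ..., "server": ..., "request": <MCP JSON-RPC message>}."""
    req = event["request"]
    # Only tools/call requests are actions; discovery calls such as tools/list are passed through.
    if req.get("method") != "tools/call":
        return True, "not a tool invocation"
    tool = req.get("params", {}).get("name", "")
    tools = ALLOW_LIST.get(event["server"])
    if tools is None:                      # deny by default: server never approved
        return False, "MCP server not in enterprise allow list"
    if tool not in tools:                  # approved server, but this tool is not on the list
        return False, f"tool '{tool}' not approved for this server"
    return True, "approved server and tool"

def evaluate_all(events: List[dict]) -> List[Tuple[str, bool, str]]:
    """Return (surface, allowed, reason) per event, so denials can be reviewed across all surfaces."""
    return [(e["surface"], *evaluate(e)) for e in events]

# Constructed sample traffic from three different agentic surfaces.
SAMPLE_EVENTS = [
    {"surface": "ide", "server": "mcp://git.internal",
     "request": {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                 "params": {"name": "read_file", "arguments": {"path": "README.md"}}}},
    {"surface": "chat", "server": "mcp://git.internal",
     "request": {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                 "params": {"name": "delete_branch", "arguments": {"name": "main"}}}},
    {"surface": "custom-agent", "server": "mcp://unknown-saas.example",
     "request": {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
                 "params": {"name": "export_data", "arguments": {}}}},
    {"surface": "ide", "server": "mcp://git.internal",
     "request": {"jsonrpc": "2.0", "id": 4, "method": "tools/list"}},
]

if __name__ == "__main__":
    for surface, allowed, reason in evaluate_all(SAMPLE_EVENTS):
        print(f"{'ALLOW' if allowed else 'DENY':5} {surface:13} {reason}")
```

The same rule produces the same decision whether the request came from the IDE, the chat application, or the custom agent, which is the consistency the article argues for.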
“Enterprises are moving fast to deploy AI agents that can code, access internal data, and execute complex workflows. However, security teams cannot protect what they cannot see, let alone control,” said Rick Caccia, CEO and co-founder at WitnessAI. “We are providing a single control plane to protect all AI activity. A CISO can write a rule once, and it holds across every human user, IDE, chat application, and custom agent.”
There’s another important piece in this, though — runtime enforcement. WitnessAI says its platform inspects and governs conversations in agentic applications to restrict unauthorized prompts and responses and enforce policies while the interaction is happening. Combined with the company’s AI firewall capabilities, that includes protection against prompt injection, jailbreaks, and unsafe responses. Because a compromised agent may have access to tools, systems, and workflows that let it act, this is an important part of securing agentic environments.
WitnessAI also introduced an MCP Catalog that scores known tools against OWASP and CVE risk classes, giving security teams a way to assess risk before approving access. In other words, security teams get a tool to help them more effectively define the policies they are trying to enforce, making enforcement more effective.
As enterprises move into an era where AI is not just generating content and answering questions but taking meaningful action inside production environments, the governance mandate changes along with it. While that shift is a game-changer for efficiency, AI governance is no longer a narrow chatbot policy issue but a much broader infrastructure issue. As enterprises deploy more and more AI agents, single-application guardrails are insufficient — they need a control plane capable of seeing and governing AI activity across surfaces, identities, tools, and runtimes, because AI agents are becoming a viable attack surface.
If enterprises can’t see what their agents are doing, they will not be able to control what their agents are allowed to do, and will open themselves up to greater risk.
Edited by Erik Linask