Prevention vs. Observability

Prevention vs. Observability #

The first wave of tooling for AI agents is observability: discover every agent in your estate, map what it connects to, watch what it does, and raise an alert when something looks wrong. This is genuinely useful. You cannot govern what you cannot see, and most organizations cannot yet see their agents at all.

But observability is not control. It is a camera, not a lock.

Why watching is not enough for agents #

Detect-then-respond was built for a world that moved at human speed. A suspicious login, a strange download, an unusual transfer - a person could be paged, a session could be killed, and the window between the act and the response was measured in minutes that mattered.

Agents collapse that window. They act in milliseconds, they act continuously, and they act without a human waiting on the result of any single step. By the time an alert about an anomalous action has fired, the action has already happened: the record has been read, the message has been sent, the transfer has cleared. An agent that has been compromised or has simply misunderstood its task does not pause for the SOC to catch up. Worse, it fans out - one bad decision becomes calls to three tools and two other agents - so the blast radius of a single mistake is unbounded by default.

You cannot retrofit prevention onto a system that sits outside the path and was only ever designed to watch. The control point has to be in the path from the start - though what it enforces can begin at nothing and grow to a full policy set over time.

What prevention actually requires #

Stopping a bad action - rather than reporting it - takes four things that observability tools, by their nature, do not provide:

  • An inline control point. Something the agent’s calls must pass through, where a request can be refused before it reaches the system it targets. Out-of-band monitoring sees the call; an inline gateway can stop it.
  • A decision before the action, not analytics after it. Authorization, not dashboards. “Is this agent, on this authority, allowed to do this specific thing?” answered in the moment.
  • Policy you can reason about. If the rule that allows or denies an action is an opaque score, you cannot prove what the system will and will not permit. Deterministic, inspectable policy lets you reason about the whole space of possible actions, not just the ones you happened to observe.
  • A human checkpoint for the gray zone. Not everything is a clean allow or deny. The actions that warrant a person’s judgment should pause for one - without the agent needing to know it is being supervised.

Both, not either #

This is not an argument against observability. You want both, and they reinforce each other: prevention stops the actions you can specify a rule for; observability surfaces the patterns you didn’t know to write a rule about, which become tomorrow’s rules. A mature posture needs the camera and the lock.

The point is that they are different jobs. The enforcement point cannot be bolted on later - it has to be in the path from the start - even though the rules it carries can be added gradually. A monitor that sits outside the path can be enriched forever and still never stop anything; without a control point in the path, you are left describing breaches instead of preventing them.

The next step beyond “who is acting and what are they allowed to do” is “does this action actually match the purpose it was authorized for” - verifying intent, not just permission. That is where this is heading, and where we think the durable advantage lies.

This is the design choice behind Aegis: an enforcement point in the path of agent traffic, deciding before the action, on policy you can read - with observability as a product of that enforcement, not a substitute for it.