The constraint is friction, not capability

Enterprise security doesn't usually fail because attackers are too clever. It fails because the secure path is harder to use than the insecure one, so people route around it. That's the argument Mayank Upadhyay, Chief Security & Trust Officer at Snowflake, makes in a sponsored piece for VentureBeat — and it's worth separating the vendor context from the underlying technical claim, because the claim holds up.

Two-factor authentication is the canonical example. The technology existed long before adoption followed. What changed wasn't the security itself; it was the friction. Once authentication collapsed to a fingerprint or face scan, people stopped avoiding it. The secure path became the default path.

AI doesn't change that principle. It accelerates the consequences of ignoring it.

Where AI makes the problem worse: agent permissions

AI agents — software systems that autonomously execute multi-step tasks by calling external tools and APIs — inherit whatever permissions they're assigned. Unlike a human employee who intuitively limits scope to what a task requires, an agent will probe every available path. Assign it access to 12 systems for a two-system job and it may still explore the other ten. That's not a bug in the agent's reasoning; it's a predictable consequence of how agents are built.

The instinct is to add a human approval step for significant actions. Upadhyay's counterargument is practical: when an agent surfaces a deeply technical action for human review, the reviewer typically lacks the context to evaluate it and approves it to keep the workflow moving. The oversight is cosmetic. The friction is real.

The structural fix is a permissioning model built around intent. An agent should carry only the credentials its current task requires, and those credentials should expire when the task completes. The OAuth standard — the authorization protocol that governs how applications request access to resources on a user's behalf — is already evolving in this direction, with extensions designed to support task-scoped agentic identity rather than delegating a user's full permission set.

Visibility before enforcement

Upadhyay's operational sequence is worth noting: monitor first, enforce later. Most enterprises, he argues, operate with roughly 80% visibility into what their systems are doing. The remaining 20% is where risk concentrates — and where AI will find gaps faster than any manual audit.

The practical starting point is instrumentation: map where agents are connecting, what data they're touching, and what permissions they're exercising. Use automated analysis to rank behaviors by risk. Then close the highest-risk gaps systematically rather than trying to lock everything down at once.

On the identity side, the recommendation is to move away from service accounts with static, distributed keys — a model that's hard to audit and easy to compromise — toward workload identity, where a service's credentials are established at deployment time by the cloud environment itself and never exist as a file to be stolen or leaked.

The numbers behind the urgency

CrowdStrike's 2026 Global Threat Report documents that average attacker breakout time — the interval between initial access and lateral movement to other systems — has accelerated by 65% year over year. That compression matters because most enterprise incident response still depends on humans noticing something is wrong and escalating through a ticket queue. The math no longer works.

The answer Upadhyay proposes isn't a new category of tool. It's the same principle that made two-factor authentication stick: embed security into the architecture so it's enforced by default and invisible in practice. Security that requires effort eventually gets bypassed. Security that requires no effort doesn't.