AI Agent Governance
What it is, why it's emerging now, and how it differs from AI security and AI governance. A practitioner's reference for the emerging category.
Founder, FirstOps
Founder of FirstOps. Writing about agent governance, identity, and runtime security.
Anshal is the founder of FirstOps, where he's building a governance control plane for AI agents. Before FirstOps, he built security programs and compliance infrastructure at Uber, and led agent-based product decisions at Enterpret.
His writing focuses on the structural security problems that emerge when autonomous software starts acting on real systems — identity, access control, audit, and runtime enforcement for agents in production.
A reference guide to the security model of Claude Code: what it can access, how it can fail, and what controls to put in place before you give it production credentials.
A reference guide to the security model of Cursor: what it can access, how it can fail, and the controls to put in place before you let it run against sensitive code and production credentials.
A reference guide to the security model of the Model Context Protocol: what MCP servers can do, where they fail, and the controls to put in place before you expose production systems through them.
When an agent spawns a sub-agent mid-task, that sub-agent needs access it was never provisioned for, and at machine speed no human can grant it in time. Hand it the parent's full access and one prompt injection owns everything; hand it nothing and delegation breaks. The fix is a permit: a signed, scoped, time-boxed grant the agent issues itself, one that can only ever narrow.
Every layer of human identity (signature, passport, fingerprint, key) was anchored to a body. Agents have none. The infrastructure we use to identify them today gives every answer to 'who acted' simultaneously, and none of them well. What is missing is not a feature. It is an entire ecosystem that recognizes agents as first-class actors.
RBAC and ABAC worked for forty years because a second, implicit layer rode on top: a human, slow and suspicious, deciding whether to exercise access. Agents collapse that layer. Every documented agent breach lives in the gap it leaves.
In early 2026, an attacker uploaded 1,184 malicious Skills to a single AI agent marketplace and used one command-and-control IP across all of them. The npm playbook is repeating itself one ecosystem up. Here's what the attacks actually look like, why static scanning isn't enough, and what the runtime defense has to be.
Prompt injection detection is getting better, but what happens when the exploit doesn't look like an exploit? We split a credential-stealing attack across two normal-looking tickets and watched a coding agent execute both. The fix isn't better detection. It's controlling what agents can do.
OAuth was designed for humans clicking 'Authorize' in a browser. AI agents don't click anything. The protocol's core assumptions (human presence, static scopes, one-time consent, bearer semantics) break in ways that have already caused real breaches. The industry is converging on proof-of-possession. Here's why, and what comes after.
When you run a coding agent, it can read every credential on your machine (SSH keys, cloud tokens, API secrets) without asking. It asks before running commands, but the permission is 'allow this command,' not 'allow access to this credential.' The security boundary everyone focuses on is on the wrong side. The real attack surface is the input to the agent's reasoning, not the output.
On March 24, 2026, a bug in malware crashed a developer's machine, uncovering a 24-day supply chain attack that turned a security scanner into a weapon against AI infrastructure.