Editorial
Research Report
The AI Transformation 100: Concrete Ideas for Fixing How We Work
Key Takeaways
- Organizations can't secure AI agents with traditional role-based access control (RBAC).
- AgenticOps requires a zero-trust autonomous pipeline to be in place, which decouples AI's reasoning layer from its execution layer.
- Having governance in place will allow teams to stop treating AI as an experiment and reach enterprise scale.
Enterprise AI has officially left the chat window.
In generative AI's first wave, risk was contained: a hallucinating model might generate broken Python or mis-summarize a document, but output still required human copy-paste-execute. We operated in a read-only paradigm.
That era ended in 2025. We've entered Agentic Ops: AI agents now hold direct write access to production environments. Modern autonomous pipelines don't just detect anomalies — they formulate remediation plans, scale node pools and execute infrastructure changes without human intervention.
Agentic Ops delivers undeniable value: bursty workload optimization, sovereign AI infrastructure management and MTTR reduction by orders of magnitude. But the risk profile has fundamentally shifted. We're no longer defending against bad code — we're defending against a live, executing entity.
Granting an AI agent write permissions to the Kubernetes API introduces a critical new risk metric: the hallucination blast radius.
The Failure of Traditional RBAC
Most infrastructure teams' first instinct: secure AI agents with traditional Role-Based Access Control (RBAC). They assign the agent a service account and restrict its permissions.
RBAC is fundamentally blind to intent and context. If an AI agent is tasked with autonomously scaling down idle compute resources, it legitimately needs permission to terminate pods or scale deployments. RBAC grants that permission. When the agent misinterprets a telemetry spike, hallucinates a state change and scales down the wrong production cluster during peak traffic — what then?
RBAC authorizes the command: the agent has the correct role. The cluster goes down. The blast radius is catastrophic. The AI did exactly what it was authorized to do.
You cannot secure autonomous AI by restricting identity. You must secure it by evaluating actions in real-time.
Related Article: Macro-Reasoning Isn't Yet Here for AI Thinking
Policy-as-Code: The Enforcement Layer
Surviving Agentic Ops requires a Zero-Trust Autonomous Pipeline. This architecture assumes the AI agent will eventually make a catastrophic mistake.
Security shifts from RBAC to infrastructure-layer Policy-as-Code. In Kubernetes, this means admission controllers: Kyverno or Open Policy Agent (OPA).
These engines act as enforcement points at the API server — intercepting every request before execution. Every AI-generated command is intercepted and evaluated against organizational guardrails before execution.
Even with valid RBAC permissions, Kyverno evaluates every action's payload. Is the agent trying to expose a database to the public internet? Is it trying to provision instances that lack required internal compliance labels? Is it attempting to scale a deployment below the minimum high-availability threshold?
Policy violations are blocked instantly; alerts trigger automatically. The blast radius is contained to the policy violation itself — no unauthorized change reaches production.
Critical operational note: Admission webhooks must be highly available and respond within 1-2 seconds, or the entire control plane stalls. This is why policy engines like Kyverno are deployed as clustered, horizontally-scaled services with circuit-breaker patterns.
The Zero-Trust Autonomous Blueprint
A Zero-Trust Autonomous Pipeline decouples the AI's reasoning engine from the execution layer. A modern architecture follows this flow:
-
Event Trigger: An observability platform detects a state anomaly (e.g., memory pressure on a GPU node).
-
Agentic Reasoning: The AI agent analyzes telemetry and formulates a remediation plan. For GPU-backed inference workloads, that can be executed through a KEDA external scaler such as keda-gpu-scaler, which reads NVIDIA GPU metrics directly and feeds them into KEDA for event-driven autoscaling.
-
The Intercept: The agent submits the request to the Kubernetes API.
-
Policy Evaluation: Kyverno intercepts the request. It evaluates the proposed changes against all security, compliance and resource quota policies.
-
Execution or Rejection: If the policy evaluates cleanly, the change is applied. If it fails, the AI is blocked, and the failure is logged for human review.
Related Article: Trusted AI Is the New Enterprise Differentiator
The Hidden Cost of Fragmented Customer Communication
Register
How Modern Marketing Is Exposing the Limits of Legacy CMS
Register
Why Some Dealers Are Pulling Ahead With AI
Register
Content Leaders Collective: Proving Content’s Business Impact
Register
Governance Is the Enabler of Speed
A persistent misconception: strict infrastructure guardrails slow AI adoption. The opposite is true.
When infrastructure teams know the blast radius is contained — when they have cryptographic proof that an agent cannot delete a production database or violate data sovereignty laws — they stop treating AI as a delicate experiment.
Zero-Trust guardrails are what allow enterprises to finally run Agentic Ops at enterprise scale. You don't build better brakes to drive slower. You build them to drive faster safely.
Learn how you can join our contributor community.