Agentic AI pilots and security tensions
Enterprise pilots are shifting from single‑turn assistants to multi‑step, agentic workflows that spawn and coordinate subagents for tasks like code generation and customer operations, and vendors and podcasts are flagging major security and sandboxing questions as these agents gain tool access. The trend shows up in reports of high‑value, bounded pilots (e.g., Klarna) and calls for zero‑trust controls around agent tool calls. (dqindia.com) (theverge.com)
Companies are moving from chatbots that answer one prompt to artificial intelligence systems that plan steps, call software tools, and hand work to specialist subagents. (developers.openai.com) OpenAI’s Agents software development kit says these systems can “use additional context and tools,” hand off work to other agents, and keep a trace of each step. Anthropic has made the same shift in coding, adding a sandboxed command-line tool to Claude Code so an agent can act with tighter controls. (developers.openai.com) (anthropic.com)
Enterprises are testing that model in narrow jobs with clear numbers attached. Klarna said on February 27, 2024 that its OpenAI-powered assistant handled 2.3 million conversations in its first month, or about two-thirds of customer service chats, across 23 markets and more than 35 languages. (klarna.com) Klarna said the assistant was doing work equal to 700 full-time agents, cut repeat inquiries by 25%, and reduced average resolution time to under 2 minutes from 11 minutes. The company said the rollout was expected to improve profit by $40 million in 2024. (klarna.com)
The pitch to buyers is no longer “ask a model a question.” It is “let the model complete a bounded workflow,” like processing a refund, drafting code, or updating a record after checking several systems. (developers.openai.com) (naviant.com)
That change has pushed security from a model-quality problem into an access-control problem. Cisco said in a recent white paper that agentic systems create “a new class of operational risk” because tool, data, and application access can sprawl unless every request is continuously verified. (cisco.com) Anthropic’s answer has been sandboxing, which is a locked room for code an agent wants to run. Its October 20, 2025 engineering post said Claude Code’s sandbox adds filesystem and network isolation so the system can do more work without getting broad, permanent permissions. (anthropic.com)
OpenAI’s documentation makes a similar point from the product side: the application, not the model alone, owns orchestration, tool execution, approvals, and state. In practice, that means companies adopting agents also have to decide which actions need a human click, which tools get read-only access, and which traces are stored for audit. (developers.openai.com)
Vendors are also selling into a more competitive enterprise market. The Verge reported on April 14, 2026 that an internal memo from OpenAI chief revenue officer Denise Dresser urged staff to build a “moat,” expand enterprise adoption, and answer Anthropic’s safety-focused pitch as switching between models gets easier. (newsbreak.com) Survey data shows why the sales push is intensifying. UiPath said in January 2025 that 90% of surveyed information technology executives saw business processes that could improve with agentic artificial intelligence, 77% were prepared to invest that year, and 37% said they were already using it. (uipath.com)
The next test is whether these pilots stay narrow enough to measure and controlled enough to trust. The companies winning contracts are increasingly the ones that can show both a completed workflow and a locked door around every tool call. (cisco.com)
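As an added illustration of the access-control decisions described above (this is example code, not code from OpenAI, Anthropic, Cisco or any other vendor named here), the Python below gates every tool call an agent proposes: read-only tools run directly, mutating tools wait for an explicit human approval, tools outside the allow-list are denied, and every decision is written to an audit trace. The tool names, the policy table and the refund scenario are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Access(Enum):
    READ = "read"    # may run with no human in the loop
    WRITE = "write"  # mutating; runs only after an explicit human approval

# Hypothetical allow-list: the tools this agent may call and at what level.
# Anything not listed is denied, so a new tool has to be added deliberately.
POLICY = {
    "crm.lookup_order": Access.READ,
    "crm.issue_refund": Access.WRITE,
}

@dataclass
class Decision:
    tool: str
    allowed: bool
    reason: str

@dataclass
class ToolGate:
    policy: dict
    approvals: set = field(default_factory=set)  # call ids a human has approved
    trace: list = field(default_factory=list)    # audit record of every decision

    def authorize(self, call_id: str, tool: str, args: dict) -> Decision:
        access = self.policy.get(tool)
        if access is None:
            d = Decision(tool, False, "tool not in allow-list")
        elif access is Access.READ:
            d = Decision(tool, True, "read-only tool")
        elif call_id in self.approvals:
            d = Decision(tool, True, "write approved by human")
        else:
            d = Decision(tool, False, "write requires human approval")
        # Log argument names only, so customer data and secrets stay out of the trace.
        self.trace.append({"call": call_id, "tool": tool, "arg_keys": sorted(args),
                           "allowed": d.allowed, "reason": d.reason})
        return d

def run_refund_workflow(gate: ToolGate) -> list:
    """Constructed refund flow: lookup, refund attempt, unlisted tool, approved retry."""
    steps = [("c1", "crm.lookup_order", {"order_id": "A1"}),
             ("c2", "crm.issue_refund", {"order_id": "A1", "amount": 20}),
             ("c3", "crm.delete_customer", {"customer_id": "K9"})]  # not in allow-list
    results = [gate.authorize(*step).allowed for step in steps]
    gate.approvals.add("c2")                  # the "human click" on the refund
    results.append(gate.authorize(*steps[1]).allowed)
    return results                            # [True, False, False, True]
```

The trace the gate keeps is what an auditor would review; it records who asked for what and why the gate said yes or no, without the argument values themselves.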