Security

AgenticGate: Gartner Expects 40% of AI Agents Decommissioned

Leave a comment

Gartner warns 40% of enterprises could decommission AI agentic projects by next year. The cause it names is not the awful hallucination, not the spiraling cost, not the floundering model quality. It is failure at access control 101, because teams never separated an agent’s ability to act from the scope of access it was granted. That sounds like 100% territory to me, but hey, maybe Gartner knows 60% of enterprises don’t have security setup to tell them they’re doing things wrong.

There are two different things to consider.

  • Capability is some action an agent can attempt.
  • Access is what a runtime allows.

When these aren’t separated there is no agent control. The agent can do anything it can name.

A blanket trust domain has a sad history. Every channel, credential, and tool lives in one space like a single-user system (e.g. Microsoft DOS). A message from any source can drive any action against any credential. No per-channel isolation, no audit chain that survives the process, no credential rotation. Trust is granted once at the boundary, with no mechanism to re-check it.

This is how Microsoft ActiveX ended up on the scrap heap of history. Sign the control, load it, and it runs with the full authority of the host. The web spent a decade getting that dumb mistake out of its veins. And now agent runtimes, ignorant of history, apparently want to re-ship it.

Gartner offers four levels, observe, advise, act with approval, and act autonomously, a permission classifier. The levels are not the interesting part. The classifier is. A control works by forcing everything through it. An action the classifier never sees is not denied, it is a bypass: lowest tier, highest access, a silent breach, because nothing classified it. The permission system sits there looking all happy while the call path walks past it.

I’ve written before how OpenClaw is a disaster with more red flags than a Chinese military parade. Its code makes the point for me. At commit c70ae1c, every model-chosen tool call lands on one wrapper. The only inline guard before execution is a before-tool-call hook at line 152:

const hookOutcome = await runBeforeToolCallHook({ toolName: name, params, toolCallId });

That hook does loop detection and runs optional user hooks, then returns blocked: false when none are registered. It is not a permission control. Ten lines down, the action runs:

const rawResult = await tool.execute(toolCallId, executeParams, signal, onUpdate);

The controls that do exist, owner-only policy and the allowlist, are static filters applied once when the tool set is built, and never consulted again. Once a tool is in the set, every call runs without objection. Capability and access collapse, as Gartner warns.

If you cannot point to the single place every action is classified, and show that an unregistered action fails closed, you do not have governance, let alone a proportional one. That is the decommission time-bomb for 2027: the agent had the capacity to do something it should not, because actions lack control.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.