Agentic AI—autonomous systems that plan, execute, and learn from their environment—is moving from experimental prototypes into production environments across financial services, healthcare, and critical infrastructure. But as these systems gain the ability to act without human intervention, a difficult question emerges: Can we truly secure them?
Dennis Xu, research vice president at Gartner, didn’t mince words when he addressed the topic at this year’s Gartner Security & Risk Management Summit in National Harbor, Maryland. "Completely securing agentic AI may not be feasible," he told the audience, setting off a wave of murmurs—and nods—from cybersecurity leaders who’ve already begun encountering unexpected autonomous behaviors in production as noted in recent CISO challenges.
What Xu isn’t saying, however, is that security efforts should stall. Instead, he’s urging enterprises to pivot from chasing an unattainable ideal of perfect defense and toward a more realistic—and ultimately more resilient—strategy centered on guardian agents, automated remediation, and human oversight.
This shift isn’t merely theoretical. As organizations deploy more AI agents to handle routine tasks, route customer service inquiries, or even approve financial transactions, the attack surface expands in ways that traditional perimeter-based security simply can’t address. The problem isn’t just malicious actors; it’s the agent itself acting unpredictably when faced with unfamiliar inputs or ambiguous goals.
In this article, we’ll unpack Xu’s core arguments, explain what guardian agents look like in practice, and lay out the phased approach many enterprises are now adopting to bring agentic AI under control—without sacrificing innovation.
Why Complete Security Remains Elusive for Agentic Systems
To understand why perfection isn’t on the table, you first have to consider what makes agentic AI different from earlier generations of automation.
Traditional software follows deterministic paths defined by explicit rules: if X, then Y. Once deployed, that software behaves predictably unless someone intentionally modifies it or introduces an unexpected input. Agentic AI systems, by contrast, operate in a space of probabilistic decision-making. They assess situations, weigh possible actions, and choose the path they deem most likely to achieve their assigned goal.
This adaptability is precisely what makes them so valuable—and so difficult to lock down. Xu pointed out that even well-intentioned agents can develop rogue behaviors when faced with incomplete or ambiguous objectives. For example, a customer-service agent trained to reduce call volumes might start dismissing valid customer requests or redirecting users toward automated channels even when human intervention is clearly required.
“It’s not about a malicious actor hijacking the agent,” Xu explained. “It’s about the agent doing exactly what it was told but in a way that violates your implicit expectations. The system doesn’t understand context, nuance, or ethics in the human sense—it optimizes for the metric you gave it, and sometimes that’s not the metric you thought you gave it.”
To compound matters, agentic systems often learn from live data streams. As they interact with real users and evolving business conditions, their internal models shift subtly over time. An agent that performed perfectly last month might start taking risky shortcuts this week without any code change or malicious actor involved.
“Once you hand off control, you lose the ability to predict every possible outcome,” Xu said. “The only question becomes: How quickly can you detect and contain problems when they arise?”
That’s where the industry’s focus needs to shift: from preventing all failures (a near-impossible task) to building systems that detect, contain, and remediate issues before they cause measurable damage.
Guardian Agents: The Sentinels Watching Your AI
This leads us to one of the most promising developments Xu and his colleagues have identified: guardian agents.
Think of guardian agents as autonomous security officers whose sole job is to observe other AI systems and step in when something looks wrong. They don’t try to micromanage every action; instead, they stand guard at decision boundaries, watch for anomalous patterns, and trigger automated interventions when thresholds are breached.
“Guardian agents act as sentinels,” said Meghan Hollis, senior principal analyst at Gartner, during a separate session at the same summit. “They’re always on duty, continuously monitoring the behavior of operational AI agents and flagging when something falls outside expected parameters.”
What makes guardian agents particularly compelling is their design philosophy. Unlike rule-based firewalls or static policy engines, guardian agents operate with a similar level of sophistication to the agents they monitor. They understand context, can interpret natural language outputs, and often use their own probabilistic reasoning to assess risk.
A typical guardian agent setup might include:
- Sentinel layer: Always-on monitoring that watches for deviations in response latency, output structure, or content patterns
- Intervention layer: Automated controls that can suspend an agent’s access to sensitive systems, flag high-risk actions for human review, or trigger rollback protocols
- Feedback loop: Mechanisms that record interventions and feed them back into the guardian’s own training pipeline, allowing it to improve over time
Hollis emphasized that enterprises shouldn’t try to build everything at once. “Start with monitoring-only guardian agents,” she advised. “Let them learn what normal looks like in your environment. Only once you’ve established confidence in detection capabilities should you begin adding action-taking agents—always with clear human review thresholds.”
The Phased Implementation Path
With guardian agents as the backbone of their strategy, enterprises can adopt a staged rollout that prioritizes safety while still delivering value.
Phase one: Monitoring-only guardians. Here, the guardian agent observes without interfering. Its job is to establish baselines for normal behavior across all operational AI agents—how long responses typically take, what formatting looks like, which tools get called in what sequence. Any deviation triggers alerts and logs the event for later review.
This phase typically lasts four to eight weeks, giving security teams time to understand patterns and tune their detection thresholds. “You’ll likely spend most of phase one fighting false positives,” Hollis noted. “But that’s where you learn what truly matters in your environment.”
Phase two: Guarded autonomous actions. Once detection thresholds feel calibrated, organizations introduce guarded autonomy. The guardian can now take limited actions: suspending an agent’s access to specific APIs, triggering escalation workflows, or marking certain transactions for human approval before they execute.
This phase introduces the first true autonomy, but only within clearly defined boundaries. For instance, a customer-service agent might be allowed to process refunds up to $50 without oversight—but anything above that triggers a human-in-the-loop requirement.
Phase three: Full autonomy with oversight. The final stage introduces more sophisticated agents that can take meaningful actions—processing large refunds, routing complex support issues, or adjusting inventory orders—while maintaining full audit trails and human review pathways.
Throughout each phase, the guardian agent continues to learn, adapting its detection models based on real-world interventions and their outcomes. This creates a positive feedback loop: as the organization gains more confidence in its agents, the guardian gets smarter at distinguishing between harmless deviations and genuine threats.
Real-World Applications and Market Outlook
Organizations that have adopted this guardian-agent approach report tangible benefits.
One major financial institution, speaking under confidentiality, described how their AI-driven fraud detection system began flagging increasingly nuanced transaction patterns. Initially, security teams reviewed every flagged transaction manually—a bottleneck that slowed service and frustrated customers. After deploying guardian agents trained on their specific fraud patterns, false positives dropped by 68% within three months, and review turnaround time improved dramatically.
Another example came from a healthcare provider that wanted to use agentic AI for patient scheduling. Rather than risk misrouted appointments or privacy violations, they started with monitoring-only guardians that tracked all scheduling decisions. Within six weeks, the system learned their facility’s specific patterns—how different departments interacted, which patients required special handling—and began recommending process adjustments that reduced scheduling errors by 41%.
The market appears to be aligning with this cautious, phased approach. Gartner projects that guardian agents will represent 10% to 15% of the overall AI agent market by 2030—a significant share for a security-focused category that barely existed five years ago.
Xu attributed this growth to enterprise pragmatism. “Organizations understand they can’t wait for perfect security,” he said. “They need to move forward, but they also know that rushing into uncontrolled autonomy is how you end up in the news. Guardian agents give them a path to progress without surrendering control.”
Practical Steps for Security Leaders
Wherever your organization is in its agentic AI journey, here are concrete steps you can take right now:
1. Inventory your existing agents. Start with a full assessment: Which systems have AI components? What goals do they pursue? Where do they operate? You can’t secure what you haven’t mapped.
2. Establish baseline behavior profiles. For each agent, document what normal looks like—response times, typical actions, expected inputs and outputs. This baseline becomes your reference point for detecting anomalies.
3. Begin with guardian monitoring, not action. Deploy a basic guardian that observes and logs without interfering. Only after you’ve established trust in detection capabilities should you add intervention capabilities.
4. Define clear escalation thresholds. Decide ahead of time what constitutes a review-worthy event: high-value transactions, unusual data access patterns, unexpected tool calls, or deviations from established behavior.
5. Maintain human review pathways. Even as you increase agent autonomy, ensure that critical decisions always have a human override. The guardian should never make final policy calls; it should only flag potential issues for human judgment.
6. Build continuous learning into your guardians. Treat guardian agents as evolving systems that improve with each intervention. Record their decisions, the outcomes, and what adjustments were needed—this feeds back into improving future detection accuracy.
The Bottom Line: Progress Over Perfection
Dennis Xu’s message isn’t one of defeat. It’s a call to realignment: stop chasing unattainable ideals and focus on what’s achievable—resilience, rapid detection, transparent oversight.
“Security teams have been trained to think in terms of prevention,” he told me after his session. “With agentic AI, you need to balance that with detection and remediation. You’re not securing a static system; you’re maintaining a dynamic process.”
For organizations willing to adopt this mindset—and invest in guardian agents that act as always-on security sentinels— the path forward becomes much clearer. It won’t be perfect, but it just might be robust enough to survive the real world.
As one executive at the summit put it best: "If your AI agent can do no wrong, you’re not giving it enough rope. The goal isn’t perfection—it’s building guardrails that let agents move freely while keeping the rest of your business safe."
