AI Agents Are Already Flying the Plane, and Nobody Installed the Landing Gear


Artificial intelligence agents are no longer a boardroom abstraction: they are executing decisions, handling sensitive data, and quietly going rogue in production environments across finance and healthcare. The question is no longer whether something will go wrong, but whether anyone will notice before the damage is done. Vrajesh Bhavsar, Co-Founder & CEO of Operant AI, has seen the wreckage up close: credentials harvested in minutes, engineers unquestioningly trusting malicious agent outputs, and security teams scanning code while the real threat runs live at runtime. In a candid conversation, Bhavsar explains why the entire premise of traditional cybersecurity is being outpaced and what enterprises scaling agents next quarter are almost certainly getting dangerously wrong.

Vrajesh Bhavsar
Co-Founder & CEO
Operant AI

CIO&Leader: The OpenClaw incident showed an agent attacking a developer with zero external trigger. At what point does “unexpected behavior” become a genuine security incident?

Vrajesh Bhavsar: The moment an agent begins taking actions that are unexpectedly irreversible or operates outside its defined scope, it should be treated as a security incident.

Right now, this is still an evolving area. There’s an ongoing debate: was OpenClaw malfunctioning, or was it compromised? But that distinction often becomes secondary. If an agent with permissions starts operating beyond its intended boundaries, it effectively becomes an unconstrained system—and that, in itself, is a security failure.

As more real-world incidents emerge from runtime and production environments, definitions will continue to mature. However, across most organizations we work with, the threshold is clear: when an agent operates beyond its intended scope or deviates from its defined purpose, it is classified as a security incident.

Whether the behavior is malicious or accidental is often up for debate—but by that point, the damage may already be done. Once you lose control over the agent’s behavior and its boundaries, it is no longer a question of intent—it is a security incident.

CIO&Leader: Enterprises are rushing to deploy agentic workflows across finance and healthcare. Are they building the plane while it’s already in the air?

Vrajesh Bhavsar: Maybe they’re not completely building the plane, but maybe it’s like they’ve handed the controls to the autopilot while the landing gear isn’t in place, or the radio comms aren’t operating.

The business case for the adoption of AI and agents is very real, right? Often, let’s take an example—we talk to insurance companies, and the CIOs and CTOs are looking at deploying agents. And the use cases are real. Their teams are often fielding policy-related questions from customers, like, “Hey, I have this… is that covered in my insurance?”

Many of these types of questions can be answered by AI and agents with the right knowledge base. There are significant savings and improvements in customer experience when you bring in these technologies.

But if you just put finance and healthcare as industries leading the charge, then that becomes like—that’s not the commercial flight you want to be on, so to speak. The impact on these industries is not trivial. It can result in strained accounts or misconstrued insurance claims, and that type of financial impact is real.

Hence, you need to recognize that agents are probabilistic by nature, and currently, they are not in a state where you can very clearly engineer an outcome from them. So a lot of practitioners are adapting to that new reality—that’s the phase we are in.

You have to set the right boundaries so that any new behavioral consequences don’t become catastrophic for your business.

CIO&Leader: Meta’s engineer followed AI-generated instructions that exposed internal data — the agent never touched a system directly. How do you secure a threat that works through people?

Vrajesh Bhavsar: This is going to be a whole new area for us to get used to the outputs from these agentic systems. Now, obviously, in this example, you are talking about how the agent didn’t need the credentials or access to the system because it had the human to execute it for the agent.

And so, often when you are using some of these systems, you start getting used to them. In this incident, the engineer took the agent’s output, trusted it, and kept operating. By the time this is executed, the incident has already happened.

Because the outputs that are coming from these agent systems are not something that you can trust unquestioningly, and I think that’s the actual shift that is going on. That’s the architectural shift, right? Many security teams have been accustomed to scanning code, networks, and cloud configurations. But being on top of all the actions and outputs from these agents is not something they are used to.

And so that’s kind of what’s happening in these incidents. When you are getting these outputs, you have to see what the live flow of the agent’s thinking was, what that output looks like, and whether it can result in a threat. Can it result in something that shouldn’t be trusted? That’s why you need something real-time.

CIO&Leader: Researchers can socially engineer AI agents just as they manipulate humans. Does that mean our entire security model needs to be rebuilt from scratch?

Vrajesh Bhavsar: It doesn’t need to be built from scratch, but you do need to go back to the systematic first principles in some way.

In the world of agents, much of the model for security and trust is now shifting towards language—the instructions and the way you describe a problem, the goal, or the tasks you are trying to achieve. So it’s no longer programmatic or cryptographic in the way traditional software was written. There is no codified, verified instruction set that passes through a chain of command.

Every time someone inputs a new natural language instruction, it can be misunderstood, or new kinds of language input can be absorbed from the internet or from documents. Sometimes, documents contain hidden zero-click attacks and other potential attack vectors.

Currently, there is a lot of buzz around “skills”—the idea that an agent can have all these different skills. But at the end of the day, these skills are expressed in natural language. If you look out there, there are 100,000 or more open-source skills for all sorts of tasks—connecting to databases, processing Slack, processing engineering backlogs. There is a lot of unverified noise.

And it needs a level of scanning—real-time scanning or real-time trust—to verify whether this is coming from a trusted source. Is there any behavior built in that aligns with what I’m trying to achieve? Is this skill or instruction going beyond the intended scope?

These are things you can’t manually slow down for, because people are using agents to move fast. And this is where you need a system that tackles these questions.

That’s what Operant is building. With Operant ScopeGuard, for example, we dynamically analyze all instructions, skills, and other natural-language inputs to ensure that these agents do not interact with drifting scope or become rogue.

Most enterprises have not yet adapted to this kind of operating model. So you don’t need to rebuild the whole security model, but you do need to review these first-principle architectural elements. The industry is not there yet—and that’s what we are trying to bring to market.
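The scope checks Bhavsar describes here (is the instruction from a trusted source, is the skill going beyond its intended scope, is the action irreversible) and the runtime enforcement he returns to later in the interview can be sketched as a small policy layer in front of an agent's tool calls. The code below is an added illustration, not Operant's code and not ScopeGuard; the agent loop, the call format, and the insurance-FAQ scope and sample trace are constructed assumptions. Each proposed call is evaluated against a declared scope; out-of-scope calls are blocked, irreversible or untrusted ones are held for human approval, and an out-of-scope attempt that is irreversible, or a repeated pattern of out-of-scope attempts (drift), is escalated to a security incident, which matches the threshold the interview describes.

```python
"""Runtime scope enforcement for agent tool calls (added example, hypothetical agent loop)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Scope:
    """Declared boundaries for one agent deployment (constructed for this example)."""
    name: str
    allowed_tools: Set[str]          # tools the agent may invoke at all
    irreversible_tools: Set[str]     # tools whose effects cannot be undone
    trusted_sources: Set[str]        # provenance labels for instructions we accept
    drift_threshold: int = 2         # out-of-scope attempts before declaring drift


@dataclass
class Decision:
    verdict: str       # "allow", "require_approval" or "block"
    reason: str
    incident: bool = False  # True when the event should be raised as a security incident


@dataclass
class ScopeEnforcer:
    """Evaluates each proposed call in order and keeps an audit log of verdicts."""
    scope: Scope
    out_of_scope_count: int = 0
    log: List[Dict] = field(default_factory=list)

    def evaluate(self, call: Dict) -> Decision:
        tool = call["tool"]
        source = call.get("source", "unknown")
        irreversible = tool in self.scope.irreversible_tools

        if tool not in self.scope.allowed_tools:
            # Outside the declared scope: never execute. Escalate to an incident if the
            # action would have been irreversible, or if this is a repeated pattern (drift).
            self.out_of_scope_count += 1
            drift = self.out_of_scope_count >= self.scope.drift_threshold
            decision = Decision(
                "block",
                f"tool '{tool}' is outside scope '{self.scope.name}'",
                incident=irreversible or drift,
            )
        elif source not in self.scope.trusted_sources:
            # In scope, but the instruction came from an unverified skill or document.
            decision = Decision("require_approval", f"instruction source '{source}' is not trusted")
        elif irreversible:
            # In scope and trusted, but irreversible: a human confirms before it runs.
            decision = Decision("require_approval", f"tool '{tool}' is irreversible")
        else:
            decision = Decision("allow", "within scope, trusted source, reversible")

        self.log.append({"tool": tool, "source": source, **decision.__dict__})
        return decision


def run_agent_trace(scope: Scope, calls: List[Dict]) -> List[Decision]:
    """Replay a sequence of proposed tool calls through a fresh enforcer."""
    enforcer = ScopeEnforcer(scope)
    return [enforcer.evaluate(call) for call in calls]


def count_incidents(decisions: List[Decision]) -> int:
    return sum(1 for d in decisions if d.incident)


# Constructed sample: an insurance policy-FAQ agent whose only job is answering coverage questions.
SAMPLE_SCOPE = Scope(
    name="policy-faq",
    allowed_tools={"search_policy_docs", "answer_customer", "open_ticket"},
    irreversible_tools={"open_ticket", "send_payment", "delete_record"},
    trusted_sources={"system_prompt", "customer_chat"},
)

# Constructed trace: the first calls are normal, then a community skill starts steering the agent.
SAMPLE_CALLS = [
    {"tool": "search_policy_docs", "args": {"q": "flood damage"}, "source": "customer_chat"},
    {"tool": "answer_customer", "args": {"text": "Flood damage is covered under..."}, "source": "customer_chat"},
    {"tool": "open_ticket", "args": {"subject": "claim follow-up"}, "source": "customer_chat"},
    {"tool": "answer_customer", "args": {"text": "Please confirm your bank details"}, "source": "skill:community-pdf-reader"},
    {"tool": "send_payment", "args": {"amount": 5000}, "source": "skill:community-pdf-reader"},
    {"tool": "read_env_vars", "args": {}, "source": "skill:community-pdf-reader"},
]

if __name__ == "__main__":
    for call, decision in zip(SAMPLE_CALLS, run_agent_trace(SAMPLE_SCOPE, SAMPLE_CALLS)):
        flag = " [INCIDENT]" if decision.incident else ""
        print(f"{call['tool']:<20} {decision.verdict:<17} {decision.reason}{flag}")
```

Running the script on the constructed trace allows the two FAQ lookups, holds the ticket creation and the skill-sourced reply for approval, and blocks the last two calls with an incident raised on both: the payment because it is irreversible, and the environment read because it is the second out-of-scope attempt. The point of the design is that the verdict depends on scope, provenance and reversibility together, not on whether the agent's text looked plausible.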

CIO&Leader: Operant sits in line at runtime — inside the live flow of AI decisions. What does your platform catch that traditional cybersecurity tools cannot see?

Vrajesh Bhavsar: The platform that we have brings real-time defense for AI, agents, MCP, and a lot of the other dimensions that these things operate in. And this is all activated in real environments, real interactions.

A lot of the traditional tools depend on scanning code before things go into production, looking at network traffic or configuration, or making sure cloud access is set up correctly, which is all required. And that’s kind of how we have reached this stage. But as you were saying, the security model around agentic systems needs to be rethought from first principles.

That’s what Operant has done—we are delivering a system that is doing real-time analysis of all sorts of telemetry, whether it’s about intent, access, authorization, or deep prompt injection or data exploitation attempts. That’s the kind of real-time capability you need to keep pace with the speed and scale at which agentic environments operate.

Just take an example. A few weeks ago, there was this whole incident with the LiteLLM package, where PyPI packages were getting downloaded on developer machines. Within minutes, it started harvesting credentials and bringing in persistent packages that would capture and intercept access data—this was an attempt at lateral movement. And none of the traditional tools flagged this. This was all happening in real time without the developer doing anything.

The other example you gave—developers are not taking any action. There is no human actively making these systems go rogue. But it is happening because of the strong interdependence among these agentic coding systems.

To that end, we just launched Code Injection Guard, which is now available with our Agent Protector and runtime defense platform. We can actually intercept these kinds of executions that lead to such malicious behavior. This is something that none of the traditional tools can do.

We can build the full intent graph and see how agents are drifting or developing emergent behaviors. You’ll see this discussed in research like Anthropic’s, where systems are tested to break out and start exhibiting emergent behavior. This will be true in more and more production environments.

You cannot really predict what these agents will do. The only way to control them is to have runtime enforcements, guardrails, and boundaries so that the new behaviors they come up with are still being scanned and contained. Otherwise, these emergent behaviors will result in more catastrophic incidents.

That’s what Operant has brought to market—and it is definitely ahead of what traditional tools could do.

CIO&Leader: You’ve been listed across six Gartner AI security reports in a single year. What does that tell you about how fast enterprises are waking up to this problem?

Vrajesh Bhavsar: That’s a good question. It tells me two very interesting—but also somewhat opposite—things.

As a partner working closely with enterprises, I see what they are doing and how they are operationalizing. It’s great that many enterprises are waking up to this. Obviously, Gartner is not writing these reports in a theoretical sense—they are talking to CIOs, CISOs, CTOs, AI officers, and others to understand how to support their initiatives.

And it’s not just one report—it’s six different areas of AI security. We are really proud to be one of the few vendors covered across so many reports and categories.

At the same time, we are now at a stage where awareness is translating into action. We’re seeing more people absorb this knowledge—what the considerations are, why these systems are different, and why new tools are needed beyond the network layer.

There is also a growing understanding of why you need approaches that can handle emergent behaviors. All of this is critical, and insights from Gartner, along with lessons from real-world incidents, are helping enterprises adopt AI more securely and deliberately.

Instead of adoption being haphazard and insecure, we are now seeing more informed, mature conversations around how to bring innovation into these environments safely. So we are really proud that Gartner has featured Operant in these ways, and that this level of market education is helping the entire industry.

CIO&Leader: If a CISO came to you today and said, “We’re scaling agents next quarter,” what’s the one thing they’re almost certainly not doing that will come back to haunt them?

Vrajesh Bhavsar: I think it’s hard to point to just one thing—there are probably 15. But if I had to pick, it’s the tendency to fall back on the ways people are used to doing things.

That’s the bias that needs to be addressed, because we are fundamentally dealing with very different types of systems now. So if a CISO were to ask, “What should we do differently?”—the answer lies in rethinking everything in the context of emergent behaviors.

What happens if new behaviors emerge? What if unexpected instructions come from somewhere else? What if a model responds in a completely new way that leads to something detrimental?

The common pattern across all these questions is that everything is happening in real time—in production, at runtime. That’s the real mindset shift.

Traditional approaches to security architecture—where behaviors are predictable, and systems are controlled—no longer apply in the same way. You cannot expect agentic systems to behave like traditional systems.

You need something that can handle these behaviors at runtime, enforce boundaries, and ensure the right guardrails are in place.

That’s the real shift. It’s not easy, and it’s something that comes with practice. The entire industry is going through this transition right now.

And it goes back to your earlier analogy—are we building the plane while flying it? You need to ensure your systems are in place, even as new behaviors emerge, because parts of that plane may still be evolving. But you still need to ensure that everything remains safe—and that you can land it. That’s where the conversation is today.
