
Building security and trust in AI agents
AI agents require standardised guidelines, clear human responsibility and a shared language between developers and policymakers to be secure and trusted, experts say
To safely harness the full potential of artificial intelligence (AI) agents, the world needs standardised guardrails, clear human accountability, and a shared language between policymakers and developers, a panel of experts said at a cyber security conference today.
Speaking at Singapore International Cyber Week 2025, the panellists offered their perspectives on how organisations can trust and secure agentic AI systems that can take a near-infinite number of actions with finite human control.
He Ruimin, chief AI officer and deputy government chief digital technology officer at Singapore’s ministry of digital development and information, compared an AI agent to an intern, likening it to someone “who is very enthusiastic, occasionally with flashes of brilliance”.
“But you have no idea what’s going through that intern’s head. How I think about interns is how I want to approach agentic AI, like the kinds of permissions you want to give the agent and the kind of work you want it to do,” he said.
April Chin, co-CEO of AI assurance firm Resaro, observed that most organisations won’t entrust interns with the biggest responsibilities, which explains why only one out of 10 has successfully brought agentic AI into production, despite seven out of 10 having conducted proofs-of-concept.
“You probably won’t entrust an intern to run an enterprise-grade system or project that’s worth millions of dollars,” Chin said, adding that the main obstacle is validating the work of AI agents, similar to how an intern would struggle to provide an in-depth answer around the way they thought through a project.
Royal Hansen, vice-president for security engineering at Google, agreed on the widely accepted need for guardrails to keep AI agents in check but argued against viewing them as something that restricts AI’s potential.
“Brakes on a car aren’t there to stop you from ever doing what you want to do,” Hansen said. “They’re there so you can adjust and go at the right speed for the right circumstances.”
One such guardrail is limiting what an AI agent is allowed to do through permissions, he noted, adding that this rests on agent authentication and identity certification, which are often the first step in limiting the risks of AI agents.
Hansen added that organisations should also set hard limits on an AI’s actions, much like “on your credit cards, where you say, ‘I want to block transactions of this dollar value or this volume.’”
However, humans cannot watch every move an agent makes. The solution, the panellists said, may be to use other AIs as supervisors.
He proposed several advanced oversight models, including deploying a guardian agent to watch over a worker agent, programming external security protocols to monitor its behaviour, or even making multiple agents compete against each other and vote to get a majority opinion.
The concept of system-level checks is crucial because agents do not function in isolation. “You have to see an agent in the context of the broader system,” he said.
In testing AI agents, Chin said existing software testing methodologies are not enough for complex, unpredictable AI systems. She called for a modular approach to testing, where different components of an AI system – from the engine to its brakes and safety features – are tested individually and as a whole.
A new area, she added, is testing the handover process between humans and AI to determine when an agent can safely automate a task and when it must alert a human to take over.
To ensure safety at scale, these guardrails must be standardised. Hansen pointed to recent efforts to develop common agentic protocols for particular industries, such as Google Cloud’s Agent Payments Protocol (AP2), which aims to give AI agents a universal and secure way to carry out financial transactions.
Such protocols, combined with logging and observability that provide a clear audit trail, ensure that every action an agent takes can be traced back to a human-led decision.
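The guardrails discussed above fit together as a single enforcement point between a worker agent and its tools: Hansen’s permissions and credit-card-style value and volume limits, the guardian-agent and majority-vote oversight models, the handover to a human that Chin wants tested, and an audit trail that names the accountable person for every action. The following Python sketch is an added illustration of that combination, not code from the panel, from Google or from AP2; the agent name, owner, caps, guardian rules, payees and ticket number are all assumptions. The guardians are rule-based stand-ins for the reviewer agents the panel describes, and the first payment to a payee is deliberately capped low so that an unfamiliar payee and an unusual amount are flagged on separate grounds.

```python
# Policy gate for an agentic AI "intern". Constructed example: agent name, owner,
# caps, guardian rules, payees and ticket IDs are assumptions, not the panel's.
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    owner: str                # the accountable human for this agent
    allowed_tools: frozenset  # permissions: tools this identity may call
    per_action_cap: float     # like a single-transaction card limit
    daily_cap: float          # like a daily card limit

@dataclass
class Action:
    tool: str
    amount: float = 0.0
    payee: str = ""

class PolicyGate:
    def __init__(self, identity, guardians, known_payees):
        self.identity = identity
        self.guardians = guardians      # callables (action, gate) -> (approve, reason)
        self.known_payees = set(known_payees)
        self.spent_today = 0.0
        self.audit_log = []             # one entry per evaluated action

    def evaluate(self, action, approved_by=None):
        """Return 'allow', 'deny' or 'escalate' and record the decision."""
        ident = self.identity
        # 1. Permission: a tool outside the allowlist is denied outright; a human ticket
        #    cannot override this, the owner has to widen the allowlist instead.
        if action.tool not in ident.allowed_tools:
            return self._record(action, "deny", [f"tool {action.tool!r} not in allowlist"], None)
        # 2. Hard limits: an over-cap action stops unless a named human has taken over.
        over = []
        if action.amount > ident.per_action_cap:
            over.append(f"amount {action.amount} exceeds per-action cap {ident.per_action_cap}")
        if self.spent_today + action.amount > ident.daily_cap:
            over.append(f"daily cap {ident.daily_cap} would be exceeded")
        if over and approved_by is None:
            return self._record(action, "escalate", over, None)
        # 3. Guardian vote: independent checks, majority decides, a tie goes to a human.
        votes = [guardian(action, self) for guardian in self.guardians]
        approvals = sum(1 for ok, _ in votes if ok)
        reasons = over + [reason for _, reason in votes]
        if approvals * 2 > len(votes):
            self.spent_today += action.amount
            return self._record(action, "allow", reasons, approved_by)
        if approvals * 2 < len(votes):
            return self._record(action, "deny", reasons, approved_by)
        return self._record(action, "escalate", reasons, approved_by)

    def _record(self, action, outcome, reasons, approved_by):
        # Every entry names the agent and its owner, so an allowed action is traceable
        # to a human: the owner who granted the permissions, plus any approver's ticket.
        self.audit_log.append({
            "agent": self.identity.agent_id, "owner": self.identity.owner,
            "tool": action.tool, "amount": action.amount, "payee": action.payee,
            "outcome": outcome, "reasons": reasons, "approved_by": approved_by})
        return outcome

    def payments_to(self, payee):
        return [e["amount"] for e in self.audit_log if e["outcome"] == "allow"
                and e["tool"] == "pay_invoice" and e["payee"] == payee]

# Guardians: rule-based stand-ins for the reviewer agents the panel describes.
def payee_guardian(action, gate):
    ok = action.payee in gate.known_payees
    return ok, ("payee on file" if ok else f"payee {action.payee!r} not on file")

def amount_guardian(action, gate):
    # First payment to a payee: at most half the per-action cap. Later payments: at
    # most twice the largest amount already approved for that payee.
    history = gate.payments_to(action.payee)
    limit = 2 * max(history) if history else 0.5 * gate.identity.per_action_cap
    ok = action.amount <= limit
    return ok, f"amount {'within' if ok else 'above'} history-based limit {limit}"

def velocity_guardian(action, gate):
    paid = sum(1 for e in gate.audit_log if e["outcome"] == "allow" and e["tool"] == "pay_invoice")
    return paid < 3, f"{paid} payments already made today"

def run_demo():
    identity = AgentIdentity("procurement-intern-01", "alice@example.test",
                             frozenset({"read_ledger", "pay_invoice"}), 1000.0, 2500.0)
    gate = PolicyGate(identity, [payee_guardian, amount_guardian, velocity_guardian],
                      known_payees={"acme-supplies", "cloud-host"})
    outcomes = [
        gate.evaluate(Action("pay_invoice", 400.0, "acme-supplies")),   # allow
        gate.evaluate(Action("pay_invoice", 900.0, "unknown-vendor")),  # deny: 2 of 3 guardians object
        gate.evaluate(Action("pay_invoice", 1500.0, "cloud-host")),     # escalate: over per-action cap
        gate.evaluate(Action("pay_invoice", 1500.0, "cloud-host"), approved_by="CHG-1234"),  # allow
        gate.evaluate(Action("delete_ledger"), approved_by="CHG-1234"), # deny: ticket cannot add a tool
        gate.evaluate(Action("pay_invoice", 700.0, "acme-supplies")),   # escalate: daily cap
    ]
    return gate, outcomes

if __name__ == "__main__":
    for entry in run_demo()[0].audit_log:
        print(entry["outcome"], entry["tool"], entry["payee"], entry["reasons"])
```

Two design choices carry the weight here. A human ticket can waive a spending cap, because that is exactly the handover Chin describes, but it cannot add a tool to the agent’s allowlist: permission changes go through the identity, not through ad-hoc approval, which keeps the audit trail honest about who granted what. And the majority vote only helps because the guardians fail on different grounds; in the unknown-payee case the action is denied because the payee check and the first-payment limit both object, so a single compromised or over-lenient reviewer cannot wave it through on its own.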
“The human being still needs to be accountable,” said Chin, citing the example of clinicians who take ownership of a decision even if it is supported by an AI. “But what’s intriguing is that we’re starting to have conversations around whether clinicians need to buy insurance to indemnify themselves from the use of AI in their practice.
“In the space of accountability and liability, we’re probably going to see innovations arising from the insurance space and how industries are going to weigh the cost and benefits of undertaking the risks of adopting AI,” she added.
Besides establishing guardrails and ensuring human accountability, the experts who develop the technology and the policymakers responsible for regulating it must communicate using a common language.
“I come from a governance perspective, and when I speak to data scientists and engineers, sometimes it almost feels like we’re not speaking English to one another,” Chin said. “The challenge here is that there’s no shared language between all these different parties.”
This creates ambiguity around the question of what good enough AI for real-world use looks like. Until developers, businesses, and regulators can agree on a common definition, Chin argued, “We’ll always be trying to either tackle the never-ending long tail of risk, or pursue the productivity savings and technology benefits, but not thinking about the trade-offs between the two.”