The question every enterprise technology leader is quietly asking right now isn’t whether to deploy AI agents. That decision, for many, has already been made. The real question is what these agents can actually do.
The answer, at most organizations deploying agentic AI today, is more than anyone has formally approved.
That is the inconvenient reality framed with unusual candor in a recent podcast episode featuring Joe Davis, EVP of AI Engineering and Delivery at ServiceNow, and Adel El Hallak, VP of Product Management at NVIDIA’s Agentic AI division. Their argument centers on a deceptively simple principle: when an AI agent is deployed, the default answer to every permission request should be no.
What Is the “Lethal Trifecta” in Enterprise AI?
Before the solution, the problem. El Hallak describes what he and his colleagues call a “lethal trifecta” in the enterprise AI context: the simultaneous combination of unfettered internet access, access to an internal knowledge base, and a coding terminal.
“Two of those three, no problem. The three of those – that’s when you’ve got to start thinking about it.”
Individually, each capability is unremarkable. Enterprises routinely give employees web access, internal document repositories, and development tools. But combining all three inside an autonomous agent – one that operates at machine speed, without moral judgment, and with an explicit mandate to accomplish goals by whatever means available – creates an attack surface that most governance frameworks were not designed to handle.
The arrival of computer-use agents, popularized by Anthropic’s Claude and the subsequent explosion of open-source equivalents, demonstrated both the extraordinary upside and the structural risk. These agents can, as Davis describes them, act like “mini engineers” – reading the internet, accessing private information, writing and deploying code, all in service of a goal you set once.
Open Claude briefly became the fastest-growing project in GitHub history, surpassing Linux and React within weeks. The excitement was real. So was the governance vacuum…
How Does “Deny by Default” Work in Practice?
The response that ServiceNow and NVIDIA have built centers on Open Shell – an open-source secure runtime that sits between an enterprise’s infrastructure and the AI agents operating on top of it.
El Hallak:
“When you spin up Open Shell, the default at runtime for an agent running in a sandbox is a no. You’re explicitly giving it access to very specific processes or actions that it wants to take.”
This is the inverse of how most early AI deployments are configured. Agents are granted broad access at launch, and restrictions are applied reactively (often after an incident surfaces). Deny-by-default is an additive, not a subtractive, model. Permissions are built up from nothing. Every capability must be explicitly granted, scoped, and logged.
Davis frames it in terms most enterprise architects will immediately recognize: zero trust, applied to AI agents the same way it has been applied to human employees and network endpoints for the better part of a decade.
“You don’t just give them access to your machine and all the systems internally. It depends on their role and their tasks. They’re scoped – what they can see, what APIs they can leverage. And so that’s what we’re doing with Open Shell.”
Does Deny by Default Actually Solve the Probabilistic Problem?
Here is where the sceptic’s question becomes unavoidable. AI agents, at their core, are probabilistic systems – the same input does not always produce the same output. So even if you sandbox an agent’s permissions, how can you be certain it will stay within them?
The answer, according to Davis, is that you solve a different problem. The agent’s reasoning remains probabilistic. But the actions it can take are enforced deterministically at runtime.
“There is an LLM that’s reasoning and planning at the core. But there is a harness around it that provides a lot of determinism. And that determinism is adding in governance, security, trust, integrations, permissions.”
The mechanism is agent identity. Every AI agent in the Open Shell environment is assigned an identity, analogous to a user account, that governs system access. When an agent decides it wants to update a salary record in Workday, it cannot do so freely. Its identity either holds that permission, or it doesn’t.
“An AI might make a decision and say, ‘Hey, I want to go update your salary in Workday.’ Now, that AI has an identity. We provide that identity, and it has permissions. We’re the ones that are allowing it to execute and access other systems. So, we can either block it or prevent it. It’s a deterministic thing that we 100% control.”
El Hallak also makes a point that is easy to overlook: Open Shell does not replace LLM-level guardrails. The two layers are complementary. LLM guardrails prevent unethical outputs; the runtime sandbox controls what actions can be physically executed. Both are necessary; neither is sufficient alone.
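As an added illustration (not Open Shell's code or API), the following Python sketch shows the model described above: an agent identity holds only the scopes it was explicitly granted, every permission check is deterministic and logged, and a grant that would complete the lethal trifecta of internet, knowledge base and terminal is refused. The class names, scope strings and the L1 IT scenario are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# The three capability classes the article calls the "lethal trifecta".
LETHAL_TRIFECTA = frozenset({"internet", "knowledge_base", "terminal"})


@dataclass
class AgentIdentity:
    """Agent identity: a name plus the scopes explicitly granted to it,
    keyed by capability (e.g. "internet" -> {"read:vendor_docs"})."""
    name: str
    grants: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class DenyByDefaultHarness:
    """Deterministic policy layer around a probabilistic planner; every grant and
    every authorization check is appended to an audit log."""

    def __init__(self):
        self.audit = []

    def grant(self, agent, capability, scope):
        """Add one scoped permission, refusing any grant that would complete the trifecta."""
        if LETHAL_TRIFECTA <= set(agent.grants) | {capability}:
            self.audit.append((agent.name, "grant", capability, scope, "refused: lethal trifecta"))
            return False
        agent.grants.setdefault(capability, set()).add(scope)
        self.audit.append((agent.name, "grant", capability, scope, "ok"))
        return True

    def authorize(self, agent, capability, scope):
        """Allow only if the identity holds exactly this capability and scope; else deny."""
        held = scope in agent.grants.get(capability, set())
        reason = f"{agent.name} {'holds' if held else 'lacks'} {capability}:{scope}"
        self.audit.append((agent.name, "authorize", capability, scope, reason))
        return Decision(held, reason)


def demo():
    """Constructed scenario: an L1 IT agent's planner proposes a salary update in Workday."""
    harness, agent = DenyByDefaultHarness(), AgentIdentity("l1_it_specialist")
    harness.grant(agent, "knowledge_base", "read:it_runbooks")
    harness.grant(agent, "internet", "read:vendor_docs")
    got_terminal = harness.grant(agent, "terminal", "exec:diagnostics")  # refused: completes trifecta
    salary = harness.authorize(agent, "workday", "update:salary")        # denied: never granted
    runbook = harness.authorize(agent, "knowledge_base", "read:it_runbooks")  # allowed
    return got_terminal, salary.allowed, runbook.allowed, len(harness.audit)
```

The planner's request is just input to `authorize()`; whether the action runs is decided by the identity's grants, never by the model's reasoning.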
What Does This Look Like in Production?
The strongest evidence for this architecture isn’t theoretical – it’s ServiceNow’s own IT service desk. The company has deployed the L1 AI IT Specialist: an ambient agent that monitors incoming support requests, performs deep research, reads documents, analyzes screenshots, and resolves issues autonomously, all within a governed harness.
The result, as stated by ServiceNow CEO Bill McDermott at NVIDIA’s GTC conference: 90% of Level 1 IT support tickets are now automated. On the issues the agent handles, resolution times have been cut by as much as 99%, from days to minutes. When the agent cannot resolve an issue with sufficient confidence, it hands off to a human engineer – but it doesn’t hand off a blank ticket. It passes context: its findings, what it ruled out, and what it suspects. The human starts at step seven, not step one.
This is the “harness” concept made concrete. The harness – the full set of tooling, integrations, and permissions surrounding the model – determines what an agent can and cannot do.
It is also, the speakers argue, where real competitive differentiation now lives. The model itself is increasingly commoditized; the governance stack built around it is not.
Is the Deny-by-Default Approach Too Slow for Fast-Moving Enterprises?
This is one of the key criticisms laid at this approach. Building permissions up from zero requires deliberate governance work – someone must define, approve, and maintain what each agent can access, for each task, within each role. For enterprises under pressure to show AI results quickly, that overhead can become a reason to skip the architecture altogether.
Davis and El Hallak do not dismiss this tension, but they reframe it. The upfront investment in governance is not the cost of doing AI safely – it is the cost of doing AI at scale. ServiceNow’s AI Control Tower provides company-wide visibility across every running agent and allows policies to be pushed down centrally rather than configured agent by agent. Attack surfaces become visible in one place. The governance is manageable because it is systematic rather than manual.
The alternative – broad permissions at launch, restrictions after the fact – is not faster. It is just deferred.
The Bottom Line for CX and IT Leaders
The “deny by default” principle is not a new idea. Zero-trust network architecture has been an enterprise IT standard for years. What is new is the application of that principle to AI agents – systems that are autonomous, fast, and entirely capable of accessing, modifying, or exfiltrating data if their permission model is carelessly constructed.
For customer experience leaders specifically, the stakes are high. AI agents are moving from internal IT desks into customer-facing roles: handling complaints, processing refunds, and updating account records. In regulated industries – financial services, healthcare, telecoms – an over-permissioned agent interacting with customer data is not merely an operational risk. It is a regulatory one.
Getting the architecture right before deployment scales is significantly easier than retrofitting governance after an incident. The message from the teams who have actually put this into production is unambiguous: start with no and work forward from there.
FAQs
What does “deny by default” mean for AI agents?
It means an AI agent starts with zero permissions at runtime and can only access systems or data it has been explicitly authorized to use.
What is the “lethal trifecta” in enterprise AI?
The dangerous combination of an AI agent simultaneously holding unfettered internet access, an internal knowledge base, and a coding terminal.
What is Open Shell?
An open-source secure runtime from NVIDIA that sandboxes AI agents and enforces access permissions at the moment of execution.
What is a harness in the context of AI agents?
The full layer of tooling, integrations, skills, and permissions surrounding a model at runtime, turning a raw model into a governed, functional agent.