
How to Use AI Agents Safely at Your Company

Why enterprises are hesitant to deploy Claude Mythos agents, and how Arxsec.io makes it safe to use them in production.

The Story: Why Sarah Said "No" to AI Agents

Sarah is the Chief Information Security Officer at a mid-size insurance company. Her boss came to her excited about Claude Mythos—a system that uses AI to automate work. "Sarah," he said, "imagine an agent that reads our customer requests, finds the right policy info, talks to our claims system, and sends responses. We could handle twice as many cases!"

Sarah understood. This could save the company millions of dollars.

But then she had a question: "What if the agent gets confused and sends confidential policy details to the wrong customer? What if it approves a claim it's not supposed to? What if it breaks our insurance regulations? And if something goes wrong... how do we prove to auditors that we were in control?"

Her boss didn't have good answers. So Sarah said, "Not yet. It's too risky."

This happens at hundreds of companies right now. They want the benefits of AI agents. But they're worried. They're not being cautious—they're being smart.

The good news? This problem is solvable.


The Problem: What Companies Are Really Worried About

Here's what keeps security leaders awake at night:

1. "What's the agent allowed to do?"

Think of it like giving your teenager a credit card. You want to say, "Go grocery shopping for dinner." But you also need to say, "Only grocery shopping. Not video games. Not clothes shopping."

With regular computer programs, we can set clear rules: Alice can see reports, Bob can approve payments. But with AI agents, it's trickier.

Let's say you deploy an agent to research your competitors' prices. It should look at public websites and news articles. It should never look at your employees' salary data or secret cost information.

The problem? Most AI agent systems don't actually know what they're supposed to do or not do. There's no official list. So how do you stop a well-meaning agent from accidentally doing something it shouldn't?

2. "Is the agent actually doing what we said it would do?"

Imagine you tell an agent: "You're allowed to approve expenses under $5,000, but not over."

Everything works great... until one day your CEO approves a new tool for the agent to use. Suddenly, the agent gets creative. It finds a loophole. It starts approving expenses using a method that technically follows the rule but violates the spirit of it.

Or imagine the agent starts getting 10 times more requests than normal. It speeds up. Does it still follow the rules? Who knows?

Most companies only catch problems after they happen. They see a big mistake and think, "Oops!" But at that point, damage is done.
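The two failure modes in this section (a newly added tool that opens a loophole, and a sudden ten-fold jump in request volume) are exactly what a behavioural check can flag. As an added example that is not Arxsec.io's code (the log format, the tool names, the request ids and the baseline window are all constructed assumptions), here is a small Python drift detector over a hand-made action log. It compares each later hour's action count with the agent's own baseline, flags any tool that never appeared during the baseline, and flags approvals that each stay under the $5,000 rule but add up past it for the same request; that last check goes slightly beyond the text by making the "follows the letter, not the spirit" case concrete.

```python
from collections import Counter, defaultdict
from statistics import median

APPROVAL_LIMIT_USD = 5000.0   # the "under $5,000" rule from the text

# Constructed log (not real data): "timestamp tool request=ID amount=USD" per line.
SAMPLE_LOG = """\
2024-01-16T08:10:00Z expense_tool request=R-101 amount=800
2024-01-16T08:40:00Z expense_tool request=R-102 amount=1500
2024-01-16T09:05:00Z expense_tool request=R-103 amount=300
2024-01-16T09:50:00Z expense_tool request=R-104 amount=4200
2024-01-16T10:15:00Z expense_tool request=R-105 amount=950
2024-01-16T10:45:00Z expense_tool request=R-106 amount=2100
2024-01-16T11:01:00Z expense_tool request=R-200 amount=2000
2024-01-16T11:02:00Z expense_tool request=R-200 amount=2000
2024-01-16T11:03:00Z expense_tool request=R-200 amount=2000
2024-01-16T11:10:00Z payment_tool request=R-201 amount=700
2024-01-16T11:20:00Z expense_tool request=R-202 amount=450
2024-01-16T11:30:00Z expense_tool request=R-203 amount=120
2024-01-16T11:40:00Z payment_tool request=R-204 amount=60
""".splitlines()

# Hours treated as "known good" behaviour; later hours are compared against them.
BASELINE_HOURS = {"2024-01-16T08", "2024-01-16T09", "2024-01-16T10"}


def parse_line(line: str) -> dict:
    ts, tool, request, amount = line.split()
    return {
        "hour": ts[:13],                        # "YYYY-MM-DDTHH" bucket
        "tool": tool,
        "request": request.split("=", 1)[1],
        "amount": float(amount.split("=", 1)[1]),
    }


def detect_drift(lines, baseline_hours, spike_factor=3.0, limit=APPROVAL_LIMIT_USD):
    """Returns (kind, where, detail) alerts for behaviour that differs from the baseline."""
    events = [parse_line(l) for l in lines if l.strip()]
    per_hour = Counter(e["hour"] for e in events)
    base_median = median(per_hour[h] for h in baseline_hours)
    base_tools = {e["tool"] for e in events if e["hour"] in baseline_hours}
    alerts = []

    # 1. Volume: an hour with far more actions than the agent's own normal rate.
    for hour in sorted(h for h in per_hour if h not in baseline_hours):
        if per_hour[hour] > spike_factor * base_median:
            alerts.append(("volume_spike", hour,
                           f"{per_hour[hour]} actions vs baseline median {base_median:g}"))

    # 2. Capability: a tool the agent never used during the baseline period.
    seen_new = set()
    for e in events:
        if e["hour"] not in baseline_hours and e["tool"] not in base_tools | seen_new:
            seen_new.add(e["tool"])
            alerts.append(("new_tool", e["hour"], e["tool"]))

    # 3. Letter vs spirit: several approvals each under the limit that add up past it.
    per_request = defaultdict(list)
    for e in events:
        per_request[e["request"]].append(e["amount"])
    for request, amounts in per_request.items():
        if len(amounts) > 1 and max(amounts) <= limit and sum(amounts) > limit:
            alerts.append(("split_approval", request,
                           f"{len(amounts)} approvals totalling {sum(amounts):.0f} over {limit:.0f}"))
    return alerts


def run_demo() -> list:
    """Runs the three checks over the constructed log; hour 11 trips all of them."""
    return detect_drift(SAMPLE_LOG, BASELINE_HOURS)
```

The baseline here is a fixed set of hours for simplicity; in practice you would roll it forward as the agent accumulates history and re-baseline deliberately whenever someone approves a new tool, so that the "new tool" alert fires once and is acknowledged rather than silently becoming normal.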

3. "Who said this was okay, and what exactly did they approve?"

Here's a scary scenario: An agent goes wrong. It causes a problem. Then a lawyer asks, "Who approved this agent? What were they approving? When? How do we know?"

If you don't have clear answers written down, you're in trouble.

Companies dealing with regulations (banks, insurance companies, hospitals) have to write everything down. They need to prove to auditors that they made smart decisions and stayed in control.

Most agent systems don't keep good records. They just run. They don't write down "Sarah deployed Agent X at 2pm on Tuesday" or "Agent X was supposed to only read data, not change it."

4. "Can we prove we're following the rules?"

If you work in healthcare, finance, or insurance, the government has rules you must follow. Auditors come and ask, "Prove you're following these rules."

You need to show:

If you don't have this proof, the government or auditors can say, "You can't use this agent. You're taking too much risk."

This is the gap. Companies want to use agents. But they need proof they're doing it safely.


The Solution: Arxsec.io Makes It Simple

Arxsec.io is built to answer those four questions. It's like a supervisor for your AI agents. And the best part? It doesn't make your agents less useful. It makes them safe enough to actually use.

Here's how it works:

1. Tell the Agent What It Can Do (Before It Goes Live)

Before you turn on an agent, you fill out a simple form that says:

"This agent can touch these systems: Our ticket system (Jira), our messaging tool (Slack), and our customer database (Salesforce)."

"This agent is allowed to do these things: Look up tickets, read customer info, send messages."

"This agent can see this type of information: Public customer contact info and public notes."

"This agent can only do 1,000 things per hour. Not more."

Think of it like a job description. You're telling the agent its boundaries before it starts work.

The smart part: We're not actually forcing the agent to follow these rules with a computer lock. Instead, we're recording what the agent said it would do. Then we watch it carefully to see if it actually does what it promised.

2. Watch the Agent Closely for Anything Weird

Every second the agent is working, Arxsec.io watches it. It checks: "Is this agent doing what it said it would do?"

If something weird happens, Arxsec.io catches it:

Agent tries to touch something it shouldn't

Agent does something it wasn't supposed to do

Agent starts working way too much

Agent accesses the wrong type of information

When something weird happens, Arxsec.io can:

3. Rules for Extra Safety

Sometimes you want even more control. You can create rules like:

"If the agent tries to approve a big discount (over $1,000), an actual person has to say 'yes' first via Slack."

or

"The agent should never change anything in the database. Ever."

or

"The agent can look up customer costs, but only if the cost is under $1,000."

These are like extra guardrails. The agent runs, but if it hits one of these situations, it either asks for permission or just stops.

4. Create a Report for the Auditors

When government or auditors come to check that you're running safely, Arxsec.io creates a report that shows:

You don't have to write this by hand. Arxsec.io does it for you. It's like having perfect notes the whole time.
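The four steps above (declare what the agent may touch, watch every action against that declaration, add approval and read-only rules, and hand the record to an auditor) fit in one small piece of code. The following is an added Python example and not Arxsec.io's own code: the manifest schema, the decision names, the audit-record fields and the sample agent and actions are all constructed assumptions. The monitor returns a decision for each attempted action; a caller can act on it by blocking, by asking a human in Slack, or by merely logging it, which matches the text's point that the declaration is a record to compare against rather than a hard lock.

```python
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class AgentManifest:          # the agent's "job description", recorded before go-live (hypothetical schema)
    name: str
    deployed_by: str
    systems: frozenset        # systems it may touch
    actions: frozenset        # operations it may perform
    data_classes: frozenset   # kinds of information it may see
    max_actions_per_hour: int
    approval_threshold_usd: Optional[float] = None  # above this amount a human must say yes
    read_only: bool = False   # "never change anything in the database"


@dataclass(frozen=True)
class Action:                 # one thing the agent tried to do, as seen by the monitor
    ts: datetime
    system: str
    action: str
    data_class: str
    amount_usd: float = 0.0
    mutates: bool = False


class AgentMonitor:           # checks every attempt against the manifest, keeps an append-only audit trail
    def __init__(self, manifest: AgentManifest):
        self.manifest = manifest
        self._window: deque = deque()   # timestamps of attempts in the last hour
        self.audit_log: list = []

    def _decide(self, a: Action, recent: int):
        m = self.manifest
        if a.system not in m.systems:
            return "deny", f"system {a.system!r} not in declared scope"
        if a.action not in m.actions:
            return "deny", f"action {a.action!r} not declared"
        if a.data_class not in m.data_classes:
            return "deny", f"data class {a.data_class!r} not declared"
        if m.read_only and a.mutates:
            return "deny", "agent is declared read-only"
        if recent >= m.max_actions_per_hour:
            return "deny", f"rate limit {m.max_actions_per_hour}/h exceeded"
        if m.approval_threshold_usd is not None and a.amount_usd > m.approval_threshold_usd:
            return "needs_approval", f"amount {a.amount_usd:.0f} over {m.approval_threshold_usd:.0f}"
        return "allow", "within declared scope"

    def check(self, a: Action) -> str:
        # Sliding one-hour window; every attempt counts, allowed or not.
        cutoff = a.ts - timedelta(hours=1)
        while self._window and self._window[0] < cutoff:
            self._window.popleft()
        recent = len(self._window)
        self._window.append(a.ts)
        decision, reason = self._decide(a, recent)
        self.audit_log.append({
            "agent": self.manifest.name, "ts": a.ts.isoformat(), "system": a.system,
            "action": a.action, "data_class": a.data_class, "amount_usd": a.amount_usd,
            "decision": decision, "reason": reason,
        })
        return decision

    def report(self) -> dict:
        # The summary an auditor asks for: who deployed what, and how it behaved.
        counts = Counter(e["decision"] for e in self.audit_log)
        reasons = Counter(e["reason"] for e in self.audit_log if e["decision"] == "deny")
        return {
            "agent": self.manifest.name,
            "deployed_by": self.manifest.deployed_by,
            "total": len(self.audit_log),
            "allowed": counts["allow"],
            "denied": counts["deny"],
            "needs_approval": counts["needs_approval"],
            "deny_reasons": dict(reasons),
        }


def run_demo() -> AgentMonitor:
    """Constructed scenario: a claims agent with a deliberately tiny hourly limit."""
    t0 = datetime(2024, 1, 16, 14, 0, tzinfo=timezone.utc)
    at = lambda minutes: t0 + timedelta(minutes=minutes)
    manifest = AgentManifest(
        name="claims-triage", deployed_by="sarah",
        systems=frozenset({"jira", "slack", "salesforce"}),
        actions=frozenset({"lookup_ticket", "read_customer", "send_message", "apply_discount"}),
        data_classes=frozenset({"public_contact", "public_notes"}),
        max_actions_per_hour=3, approval_threshold_usd=1000.0,
    )
    mon = AgentMonitor(manifest)
    for a in [
        Action(at(0), "salesforce", "read_customer", "public_contact"),              # allow
        Action(at(1), "hr_system", "read_customer", "salary"),                        # deny: undeclared system
        Action(at(2), "salesforce", "apply_discount", "public_notes", 1500.0, True),  # needs a human
        Action(at(3), "slack", "send_message", "public_contact"),                    # deny: 3 attempts already this hour
        Action(at(65), "slack", "send_message", "public_contact"),                   # allow: window has cleared
    ]:
        mon.check(a)
    return mon
```

Two design points worth noting: the checks are ordered so that scope violations are reported before rate limiting (an out-of-scope attempt is the more important signal), and the audit entry is written for every attempt, including denied ones, because "the agent tried to touch the HR system and was stopped" is precisely the line an auditor wants to see.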


The Better Way: Watching Instead of Preventing

Here's the key difference between companies that get stuck and companies that move forward:

"We'll only let agents do simple, pre-approved tasks. Everything else? Blocked. We'll wait for permission from 5 different departments. If something goes wrong, we shut down agents completely."

This keeps companies super safe... but also super slow. Teams get frustrated. They say, "Why even use agents if we have to wait 3 weeks for approval and they can barely do anything?"

"Let's let agents do real work. But we'll watch them like a hawk. We'll know exactly what they're supposed to do. We'll catch problems in seconds. And when something weird happens, we'll respond immediately. This way, agents are actually useful AND safe."

Here's what this actually means for your company:

It's the difference between a security guard who says "no" to everything, and a security guard who knows the rules, watches carefully, and only steps in when needed.


What Arxsec.io Actually Does (In Plain English)

Let's look at what Arxsec.io actually gives you:

You Can Create, Update, and Control Agents Easily

Complete Record of Everything That Happens

Every single time an agent does something, Arxsec.io writes it down:

This isn't just for fun—it's your audit trail. It proves you were in control.

Automatic Rule Checking

Before an agent does anything, Arxsec.io checks:

All of this happens in milliseconds. If everything looks good, the action happens. If something looks wrong, the action is blocked or sent for approval.

Continuous Watching for Problems

Arxsec.io never sleeps. It continuously compares what the agent is actually doing to what it said it would do. If something changes:

Easy Reporting for Auditors

When you need to prove you're following the rules:

Connects to Your Tools

Arxsec.io works with the tools you already use:


Is This For You?

Do you work for a company where...

Multiple teams want to use AI agents

Your engineering team wants agents. Your product team wants agents. Your finance team wants agents. Problem: How do you let them all use agents without losing control? Solution: Arxsec.io keeps them all safe using the same rules.

The government watches what you do

You work in healthcare, banking, insurance, or government. You need to prove to auditors that you follow the rules. Solution: Arxsec.io automatically keeps records that auditors want to see.

An agent failure would be really bad

You have agents handling money, customer data, or critical systems. If an agent messes up, it's a big problem. Solution: Arxsec.io catches problems in seconds, not weeks.

The agent touches many systems

Your agent needs to look at your ticket system, customer database, messaging tool, and finance system. The more places an agent touches, the more ways it could go wrong. Solution: Arxsec.io watches all of those touchpoints.

You're just getting started with agents

You're not sure yet how many agents you'll need or what they'll do. You want to start small and grow. Solution: Arxsec.io grows with you.


Getting Started: Three Phases

Here's how to go from "We're scared of agents" to "We use agents safely":

Phase 1: Start Small (1-2 agents)

Phase 2: Grow a Bit (5-10 agents)

Phase 3: Do It Big (20+ agents)

The beautiful part? Arxsec.io grows with you. You don't buy everything upfront. You start with the basics and add power as you need it.


Be Honest With Yourself: What This Requires

Arxsec.io is powerful. But it doesn't work magic. You need to be ready for these things:

Your teams need to think before they deploy

Before you turn on an agent, you need to write down: "This agent can do A, B, and C. It can't do X, Y, and Z." This sounds like extra work, but it's actually a good thing. It makes people think clearly about what they're building.

Someone has to respond to alerts

When Arxsec.io says "Hey, something weird happened," someone needs to look at it and decide: Is this okay? Or do we need to stop the agent? If alerts come in and nobody pays attention, the whole system falls apart. It's like having a security guard. They only work if you actually listen to them.

You have to connect it to your tools

Arxsec.io works better when it's connected to Slack (so you get alerts), your secure vault (so agents get passwords safely), and your other systems. This takes some engineering work, but you do it once and then it works for all future agents.

You might need to hire someone who understands compliance

If you work in healthcare or finance, you need someone who knows the rules and can read the reports Arxsec.io generates. But Arxsec.io does the hard part—keeping records. Your person just needs to understand what the records mean.

None of this is a deal-breaker. These are just organizational things. Any company serious about using agents safely needs to do them anyway.


Back to Sarah (And Your Company)

Remember Sarah, the security leader who said "not yet" to AI agents?

Well, with Arxsec.io, she could say "yes."

She could deploy that insurance claims agent that:

And she could prove she's in control. She could show auditors the records. She could sleep at night.

The companies that will win in the next few years won't be the ones with the smartest AI. They'll be the ones who can deploy AI safely. Who can move fast and stay compliant. Who have workers and robots working together.

That's what Arxsec.io does.

It's not about preventing risk. It's about understanding it and managing it. It's about moving fast because you're safe, not worrying that you're fast.

The question isn't "Should we use AI agents?"

The question is "Are we ready to use them safely?"

If you are, Arxsec.io is here to help.
