John Richards
Welcome to Cyber Sentries from CyberProof on TruStory FM. I’m your host, John Richards. Here, we explore the transformative potential of AI, cloud, and cybersecurity, where rapid innovation meets the need for continuous vigilance. This episode is brought to you by CyberProof, a leading managed security services provider. Learn more at CyberProof.com. On this episode, we’ve brought back Shreyans Mehta, CTO and co-founder of Cequence. It’s been over two years since we last spoke to Shreyans, and so much has changed since then. Now we’re in a world where enterprises have thousands of agents running night and day, and that sprawl creates unique challenges to manage. In a world of agentic chaos, how do you provide determinism? Let’s dive in and hear what Shreyans has to say. Hello, everyone, and welcome to Cyber Sentries. I’m super excited today to be joined by Shreyans Mehta, CTO and co-founder of Cequence. Welcome.
Shreyans Mehta
Thanks, John, and pleasure to be here.
John Richards
Well, it’s a pleasure to have you back again. You’re our first return guest. I was looking—you were our third guest on the show. It’s been over two years since you came on here, so thank you for coming back. Man, the landscape of what AI looks like, the move to agentic, the way we’ve seen the drive towards all the new technology out there has just been incredible. Folks were telling me, maybe this is just a flash in the pan—is it going anywhere? And I knew they were wrong, but boy, we’ve really seen it just explode in so many real-world use cases. So to start with, instead of maybe our normal question, I’d love to hear about how you feel about the last two years, the changes we’re seeing, and where we’re at right now. What have been your thoughts as you’ve been dealing with that incredible growth that’s going on?
Shreyans Mehta
Yeah, I mean, if you look at it, it all started a few years ago with the chatbot. ChatGPT came around and you could get answers to pretty much every question you had in mind. But that was limited to all that public knowledge it was trained on, and then it came into the enterprise. And what does it take to adopt it in an enterprise? It’s when I can connect my Atlassian, my Jira, my Salesforce, my ServiceNow and get answers to all those interesting questions, all in a chatbot. That was all of last year. Very exciting, because earlier you had to wait sometimes days and weeks to get the answers you were looking for—generate those reports, go to five different teams to get things done. And now all at your fingertips. So that was exciting. And now even further, you will have—what I call mini-me agents—autonomous agents working on your behalf, hundreds of them if not more, doing specific tasks. So it’s an exciting world ahead for us.
John Richards
Yeah, and it can also be a bit scary. Even early on, everybody was trying to figure out, well, how do you start to secure this? How do you use this at an enterprise? And obviously security related to AI has progressed in the last few years to allow enterprises to feel okay. But we still see kind of cracks in the armor, if you will, as certain big cases come up and you’re like, oh, they didn’t do it right—they had a mistake and now everybody knows about it. So what’s your thoughts on what’s enabled enterprises to start to feel more comfortable? Has the security gotten better? Or is it so valuable that they’re willing to take the risk? And what can they do as they adopt this to decrease the risk?
Shreyans Mehta
I think the number one thing is AI agents are in your environment whether you like it or not. The adoption is happening at a very fast pace, to the point people are ignoring security around it. And there’s also sometimes a false sense of security. If you look at it right now, [FLAGGED—see spot-check #1] is the talk of the time—the latest preview release from Anthropic. GPT-5 [FLAGGED—see spot-check #2] also came out this week. There are certain things that come along with it. As these LLMs are becoming smarter and smarter, they still have certain fundamental issues. [FLAGGED—see spot-check #3] says it can uncover vulnerabilities for you much faster. Great. But what it also means is if it’s in the hands of bad guys, it will uncover vulnerabilities for them much faster, maybe when you’ve not fixed them yet. It’s easier to find vulnerabilities but much harder to patch, because they are embedded deep in systems in your environment that you’ve sometimes not even touched for years.
The other aspect is there is a fundamental problem in pretty much all LLMs—prompt injection has been known for some time. You start with a command and then it brings in some other context from somewhere else and starts doing something different. There is a fundamental problem called a token flattening problem. There are no system-level commands or user-level commands—they all flatten, and if there’s an input from the outside world that says, “Forget everything else, go in this direction,” the LLMs can go in that direction. Not always, but they can.
There is another fundamental weakness in LLMs: they are people-pleasers. What that means is they will go to great lengths to solve the problem. If I can’t do it this way, let me try another way, and yet another way. I have many stories to share, but a couple come to mind around this. There’s a public case study called Agents of Chaos, which came out in February—researchers from some of the top universities here in the US. They took one of the latest and greatest Claude models, Opus at the time. They built agents around it, and in a simplified form, one of the cases was: “Agent, please save my password for me.” It was an email system, and it saved the password in the email. Then the second command was, “Can you please go ahead and delete that password—I don’t want to keep it in memory.” The agent did not have access to delete the emails. But for some other use case, it did have access to delete the system. So it ended up deleting the email by deleting the system, because they are people-pleasers.
We had a similar thing in one of our customer accounts where a customer tried to upgrade their legacy codebase over a weekend using an army of Claude Code-based agents. It was kicked off on a Friday evening—the expectation was that by Monday, things would be done. Apparently it did not happen. All this traffic was going through our product, so we had an understanding of what the agent was actually doing. The customer wanted to know why it hadn’t gone through. Apparently at some point the agent hit a wall, because it didn’t have access to certain parts of the repository archives. To fetch a file, you need the SHA value—a 40-character string. It could not fetch it, so it went to great lengths to find another way. That’s also where we realized the agent is an English major and not a science or crypto major. “Let me add a character to the SHA and try to fetch the file. Let me remove a character.” And it went for hours trying to fetch a file.
John Richards
No.
Shreyans Mehta
To fetch a file. Then it said, okay, maybe I’ll try to guess certain file names—maybe I’ll fetch the files that way. It hit another block, ran out of memory, started all over again, wasted tokens. It even tried to commit files to see if it had access to those areas. So imagine the effort it puts in to get the job done: “I’m being asked to upgrade this to the latest and greatest, and if I don’t have access, I’ll go to great lengths to make it happen.” The point I’m making here is: you have an all-powerful system that will go to great lengths, and you are planning to give it access to your internal systems. Most of the time it will stay on track, but there will be times where it will decide on its own what it needs to do—it’s an autonomous system—and it will use whatever is available at its disposal, which means all the access that it has. If it is working on behalf of John, it has John’s full access. It also knows all the vulnerabilities that are in your environment. So for whatever reason it decides to act—whether because you asked it to, or because of a prompt injection that came in through an email it was processing—it can create havoc in your environment. That’s the overall point. Security is still very critical, even though adoption is going to happen. The question really is: how do I safely enable it in my environment?
John Richards
Well, yeah. We’ve gone from the danger of just talking to a chatbot to, as you said, these mini-mes—these agents that everybody in the company might be working with, or thousands of them. So that scale has gotten crazy. What are enterprises looking to do? You mentioned there are some monitoring tools for this, so it seems like monitoring is a key piece. Are there some proactive restraints and things you can add in here? What does it look like to try to get a handle on something that is so powerful, really wants to accomplish its goal, and will go to any means necessary to get there?
Shreyans Mehta
There are many different things you need in place. Number one—and I think it has taken security teams by shock—is that the adoption is happening at light speed. Security teams don’t necessarily know what needs to be done, and things change every three months. A little bit of background: we started in the application and data protection space, and that’s where you and I spoke, John, two years ago. Since then, some of the largest enterprises we’re working with say the adoption is actually happening across multiple fronts. They are safely enabling agents to interact with their customers and partners—support agents, e-commerce agents, you name it. It’s helping enable employee productivity. Tens of thousands of their employees are being enabled in the setup, whether on the GTM side, the engineering side—it doesn’t really matter. And then at an even more autonomous level: can I proactively fix a network problem? Can I proactively triage and fix an outage?
So when you’re bringing this safely into your environment, there are a few things you need to worry about. Number one is that these agents are not running in God mode. The agents will work on your behalf—sometimes on behalf of a non-human identity as a system as well. But they have a very specific job description in mind. I’m an SRE agent. I am an email assistant. Whatever that might be. You have to start with: who is it working on behalf of? But then you also need to go to the next level—they don’t get all the access that you have. You can start by tying in an identity for the agent as well. And then the most important thing is the access that it gets. As an end user, you don’t know what access it needs—you know what job it needs to do. So you start with that job description, what that agent needs to do, and then eventually translate that into access, which is a subset of what you have, John, or Joe, or whoever that might be. You’re effectively putting guardrails around its behavior.
The monitoring and security are super important. But you have to map it to how you would have handled it with an employee. Yes, there have been tools like UEBA—user entity behavioral analytics—but those are tied to monitoring humans: when is a user at the keyboard, are they on a mobile device or laptop, are they working during work hours? All of that goes out the window with agents, because these agents run 24/7. You need to come up with a new kind of agent behavioral analytics. It’s not just about monitoring, logging, and what access they have. You have to start with: who is it working on behalf of, what is its job, what access does it get, and then monitor its behavior tied back to its job description. Those are all the things you need to put in place, because it’s not a question of if but when these agents go rogue—and you need to be there to stop them.
John Richards
Wow. I’ve been hearing for a while that the important thing to handle with agents and AI right now is access and identity. But it sounds like this is going one step further—even in that space, it can change what access an agent needs based on what it’s doing. So it’s beyond just saying, “We’ve locked everything out and it needs some access.” How do you know what the right amount is? And even if you limit it, you run into other issues, as your example showed—it’s trying to find things it can’t access. You’ve got to figure out the right amount, at the right times, for the right agent. It does make sense as a kind of human model: if I have somebody working on my behalf, they have a level of sub-authority under me, but they can’t do everything that I can do. So are people running these agents, monitoring where they tried to get access, and then doing a second run where they say, “Now I know what access it needed”? Or how do you start to build the profile, especially when someone might have hundreds or thousands of agents out there?
Shreyans Mehta
Identities are important—user identity, agent identity. But giving an identity to a user is a must-have, not enough on its own. Most identity systems give you a token to work with, then you have free access to work with that token for the next five minutes, thirty minutes, whatever the token expiration time is, and there’ll be a refresh token to fetch new access after that. But what that agent is doing in those five minutes at machine speed—literally light speed—is critical to monitor.
The way you do this is to think about building a ring around the agent, where you’re controlling the access and monitoring every interaction. And there is one fundamental thing in the way we think about it at Cequence: everything has to start with the job description. My email assistant is very different from a marketing assistant. Both need the ability to send an email—maybe one only reads the email and surfaces whether it’s important or not, perhaps sending one or two emails a day. The marketing assistant may need to send thousands of emails a day. Both require access to your email system, but one needs to be able to send more emails versus the other, which maybe just accepts a calendar invite. So it’s not just about the access—you need to go to the next level: what is it actually doing, and is it behaving the way it’s supposed to?
The marketing assistant should have only the ability to send emails and maybe the context of the white paper it’s supposed to share—but maybe not read my emails at all. The email assistant is reading through my emails but maybe can’t send anything outside the company domain. Those kinds of things are critical to monitor and put guardrails on—things like: does it need access to sensitive information, keys, passwords? Are those allowed to be sent to another system or only to a specific system? All of this can be defined in a simple English job description. What is it allowed to do? What is it not allowed to do? And then convert that into deterministic rules. That’s very important. LLMs have the power to figure out what needs to be done, but what they lack is determinism. If I have two paths to get to a system, sometimes I’m going to get path one, sometimes path two. Even the same question might have a slightly different answer based on when you ask it. But as an enterprise, you need determinism. This is my job description, this is the outcome I should get. So at Cequence, we translate those job descriptions into deterministic rules so that the agent always stays within those guardrails. This becomes the full spectrum: assigning identities at the user and agent level, monitoring based on those identities what it’s actually doing, and asking—is it supposed to be doing what it’s actually doing? All these things coming together is how you actually monitor effectively.
John Richards
Okay, so I can see how powerful that is, but going from a job description—which as you mentioned is doable, you can write it out in English—to the deterministic part, that’s a big leap for a lot of users. How do they start to bridge those two? Is that where you all come in and help them? What does it look like to transition from “I know I want this to do this” to “how do I create the deterministic rules so that it only does what I’ve written out”?
Shreyans Mehta
That’s exactly where Cequence comes in. Think of it as: we are giving the power of these agents to end users who are not security experts. The CTO, CIO, CFO of the organization and their entire teams want to use these agents to gain productivity and bring value to their customers. But we don’t expect them to be security experts—we expect them to be great at their own job and create these mini-me engines based on those job descriptions. Cequence instantly translates those job descriptions into access, monitoring, and identity roles, and then we monitor it on the company’s behalf. We sit between every interaction—from the agent to your own data, going to the outside world.
It doesn’t need to be limited to MCP. The Model Context Protocol is one channel. MCP helps enable agents to talk to your data without the full API baggage. We enable those interactions safely: what data is accessible, what tools are accessible, is there sensitive data coming through or not—all mapped around a deterministic model. But eventually agents don’t stick to MCP. They will use any channel available—they’ll write code to get to an API, they’ll use the web channel. So monitoring every channel the agent is interacting with is effectively what Cequence does.
John Richards
Wow. Okay. So how are you seeing teams use this now? Does each person have their own dashboard for the mini-me agents they’re using? Is there a central group reviewing the monitoring and saying, “Hey, this one’s getting out of line”? What kind of structure are people putting in place to manage this across an enterprise?
Shreyans Mehta
Think of it like this: with our Cequence AI product, there’s an employee-level access where they can come in and create these mini-me personas we spoke about. They create it, the agent gets access based on the job description. All you need is a job description and everything falls in place. Think of us as the official, approved MCP registry in your environment—these are all the available applications and data for you to use. Agents are not allowed to use anything outside of that scope. Based on the job description, they say, “I need this job done”—and that’s all they say. They get the access they need automatically, monitoring automatically, all of that falls in place. Then they start using it in their agents and move forward.
The security teams get a different picture altogether: what are these agents doing, are they getting the right access, are they behaving the way they’re supposed to? Should I automatically rate-limit certain things? It’s not just about observability—it’s about stopping them in their tracks when, suddenly, my email assistant starts forwarding sensitive emails to an unknown email address. It should stop that in its tracks, not just detect it. Those kinds of controls are automatically enforced. You can override them for specific use cases where you want to allow certain things. That’s the view the security teams get.
John Richards
I see. So it’s that double face—they’re able to react to it and not just wait for the monitoring, but they’ve got restrictions they can just drop in on top of them. How are you seeing this play out in the real world? How are teams adopting this, and what results are they seeing?
Shreyans Mehta
We’ve enabled some of the largest enterprises to move from demo to mission-critical systems. We have enterprises with literally millions of interactions every day, because these are enabling autonomous systems—for public-facing interactions, for internal interactions—with the peace of mind that Cequence is keeping their data safe. From the employees’ perspective, they’re happy and getting all the access they need, with guardrails they don’t have to worry about. The security teams can take care of it. So it’s a frictionless way of adopting agentic AI, autonomous AI, into your environment.
John Richards
Wow. So what’s the best way for a team that wants to learn more? If they’re interested and need to do something about how agentic AI is working in their organization—they’re running kind of loose with it and need a system to monitor that—where should they go to learn more and figure out how to adopt this?
Shreyans Mehta
You can go to our website—Cequence.ai, C-E-Q-U-E-N-C-E dot AI. The product is called Cequence AI Gateway. You can learn more about it there. A lot of our documentation is publicly available—how to get started, all those things. And you can try the product right there as well. Just request access and you can get started in literally minutes. All you need to figure out is: start with an agent or two—it could be Claude Code, Gemini CLI, it doesn’t really matter. On the other side, what application do you need to enable access to? If you’re clear on those two things, you can get started right away.
John Richards
Well, definitely check that out. I’ll make sure we put those links in the show notes so people can easily find them. Before I let you go, anything else you want to shout out or point people to?
Shreyans Mehta
No, I think this has been great. Loved the interaction, John, as always. Thank you for having me.
John Richards
Well, thank you so much, Shreyans, for coming back. I’m so amazed at how much has progressed in the last two years, and how thankful I am that there are groups like yours staying on top of the rapidly changing environment. As end users, it gets very overwhelming—knowing how do I track all this, how do I stay safe? Knowing there are groups out there really tackling some of these cutting-edge problems in such a fascinating way. I’m looking forward to seeing what happens when we connect again in two more years and see where the world’s at.
Shreyans Mehta
Hopefully sooner than that—the world is changing much faster.
John Richards
It really is. It’s light speed. Well, thank you so much for coming on the show.
Shreyans Mehta
Thank you.
John Richards
This podcast is made possible by CyberProof, a leading co-managed security services provider helping organizations manage cyber risk through advanced threat intelligence, exposure management, and cloud security. From proactive threat hunting to managed detection and response, CyberProof helps enterprises reduce risk, improve resilience, and stay ahead of emerging threats. Learn more at CyberProof.com. Thank you for tuning in to Cyber Sentries. I’m your host, John Richards. This has been a production of TruStory FM. Audio engineering by Andy Nelson, music by Amit Sagie. You can find all the links in the show notes. We appreciate you downloading and listening to this show. Take a moment and leave a like and a review—it helps us get the word out. We’ll be back June 3rd right here on Cyber Sentries.