Authenticated, Authorized, and Still Unsafe: The Missing Layer in Agent Security

via Dev.to, Michael "Mike" K. Saleme

Most agent security starts with the same two questions: Who is this agent? What is it allowed to do? Those are necessary questions. But they are no longer sufficient.

In testing agent systems, some of the most interesting failures do not come from unauthorized access. They come from agents that are fully authenticated, correctly authorized, and still surprisingly easy to push into unsafe behavior.

The pattern is familiar. An agent has valid credentials. It has approved tool access. The policy layer says it is allowed to operate. Then a tool returns poisoned output, a trusted context window picks up subtle drift, or a multi-step task gradually reframes what “reasonable” looks like. No auth boundary is broken. No role is obviously violated. But the agent still ends up taking an action it should not take.

That is the gap. Identity governance governs access. It does not fully govern judgment. That missing layer is what I mean by decision governance. Identity governance is necessary, but i
