John Willis is one of the original authors of the DevOps Handbook and has spent decades on the operations side of technology. So when generative AI came along, his first thought, not surprisingly, was: what does this mean for operations, and what role could he play in helping people understand AI’s broader impact? What he soon realized was that AI behaves nothing like traditional deterministic software. It operates probabilistically.
Agents took things to 11
It was the arrival of agents that really caught his attention and raised the urgency.
“When agents entered the conversation, I started to see the potential for chaos,” he told me at SCALE 23 in Pasadena. “With agents you introduce new variables: autonomy, scale, and velocity. When those factors combine, risk increases dramatically. The meta story is that we have to redefine everything we know about security. The old model will not work.”
Agents change the security model because they are autonomous, multi-step actors that interact directly with infrastructure: APIs, databases, cloud environments. A single human mistake might cause one outage. A mistake by an agent that spawns thousands of sub-agents could cause thousands of failures at machine speed. And most organizations already have an army of agents operating without visibility or governance.
It’s not what they are, it’s what they can do
When I asked John how he defines an agent, he pushed back. “You ask 10 people, you get 10 different answers. I don’t care what you call an agent. What I care about is how you classify its authority, its autonomy, and the scope of how you’re going to use it.”
Arguing over the definition is a distraction. What matters is what the thing is allowed to touch. John sorts that into three surfaces:
- Read surface — what data the agent ingests, including the risk of prompt injection and poisoned context
- Write surface — what state it can change: code commits, database updates, configuration
- Execution surface — what tools and environments it can invoke
The answer is embedded governance
John’s fix is structural, not model-level. Govern those surfaces. Assume every agent input may be hostile. Limit authority and autonomy in high-impact systems. And insert a governance fabric between agents and infrastructure, an intermediary layer that enforces policy, tracks tainted data, logs actions, and controls access to enterprise resources.
The organizations that get this right will be the ones that build oversight directly into infrastructure. The goal is to make authority constraints structural, not procedural. If an agent can’t exceed its authority by design, you don’t have to trust that it won’t.
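A minimal sketch of such an intermediary layer, added here as an illustration and not code from John Willis or the original post: every agent request passes through a gateway that checks it against a per-surface grant, taints the agent once it reads an untrusted source, and logs each decision. The names (`Gateway`, `Grant`, `triage-bot`, the resource names) and the rule that a tainted agent's writes and executions are held for review are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Surface(Enum):
    READ = "read"        # data the agent ingests
    WRITE = "write"      # state it can change
    EXECUTE = "execute"  # tools and environments it can invoke

@dataclass(frozen=True)
class Grant:
    """Authority for one agent: resources it may touch on each surface."""
    allowed: dict                              # Surface -> set of resource names
    trusted_sources: frozenset = frozenset()   # reads that do not taint context

@dataclass
class Gateway:
    """Sits between agents and infrastructure; agents never call resources directly."""
    grants: dict                                 # agent id -> Grant
    tainted: set = field(default_factory=set)    # agents holding untrusted input
    audit: list = field(default_factory=list)    # append-only decision log

    def request(self, agent, surface, resource):
        grant = self.grants.get(agent)
        # Default deny: unknown agents and ungranted resources never pass.
        if grant is None or resource not in grant.allowed.get(surface, ()):
            return self._log(agent, surface, resource, "deny", "outside granted authority")
        if surface is Surface.READ:
            if resource not in grant.trusted_sources:
                self.tainted.add(agent)  # assume hostile input; taint is sticky
            return self._log(agent, surface, resource, "allow", "read")
        if agent in self.tainted:
            # Poisoned context must not drive a state change unattended.
            return self._log(agent, surface, resource, "review", "tainted context")
        return self._log(agent, surface, resource, "allow", "within authority")

    def _log(self, agent, surface, resource, decision, reason):
        self.audit.append((agent, surface.value, resource, decision, reason))
        return decision

def demo():
    """Constructed scenario: one agent, four requests in order."""
    gw = Gateway(grants={"triage-bot": Grant(
        allowed={Surface.READ: {"ticket-db", "inbound-email"},
                 Surface.WRITE: {"ticket-db"}},
        trusted_sources=frozenset({"ticket-db"}))})
    steps = [(Surface.WRITE, "ticket-db"), (Surface.EXECUTE, "shell"),
             (Surface.READ, "inbound-email"), (Surface.WRITE, "ticket-db")]
    return [gw.request("triage-bot", s, r) for s, r in steps], gw

if __name__ == "__main__":
    print(demo()[0])
```

The same write that is allowed before the agent reads `inbound-email` is held for review afterwards, which is the structural constraint: the decision depends on the grant and the taint state, not on the agent behaving well.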
He isn’t saying stop building agents. He’s saying think differently about deploying them.
“The goal isn’t to slow down innovation. It’s to avoid catastrophic failures. The organizations that succeed will be the ones that develop a shared language for autonomy and governance in agent systems. We saw this with cloud. At first everyone rushed in, then we developed better practices. We’ll need a similar shift for agents: clear definitions, boundaries, and governance models.”
Given the autonomy, scale, and velocity of agents, we may need to make that shift a lot faster.
Pau for now…
