YouTube Review

Observe Everything. Control Nothing.

Observe Everything. Control Nothing. is a Cloud Security Alliance Agentic AI Summit session by Ward Spangenberg, founder and CEO of Behavry. The session's central distinction is blunt and useful: observability explains what happened, but governance decides what is allowed to happen before execution. For AI agents that can plan, call tools, use data, and act across sessions, that difference is not semantic. It is the difference between a control plane and a postmortem.

The talk is strongest when it names the comfort trap. Existing API gateways, SIEM pipelines, anomaly detectors, and logging stacks are familiar, fast to deploy, and easy to show to a board. They can record which agent called which tool and what response came back. But if they sit beside or after the execution path, they cannot stop the tool call that matters. This fits the site's review of AARM runtime security: agent governance has to evaluate the action, the sequence, the intent, and the policy before the irreversible step is taken.

Spangenberg's examples are the right failure modes. In cross-session exfiltration, every single request can be valid while the sequence assembles a sensitive data set below per-request thresholds. In tool-call manipulation, an agent treats hostile content hidden in a document or tool output as instruction, then faithfully logs a successful action that moved in the wrong direction. In intent drift, a system adapts week by week until its baseline has moved away from the original policy. These are not ordinary logging gaps. They are boundary errors: the control model sees isolated requests where the risk exists in a chain.

The independent-attestation claim is the most important part of Behavry's thesis. Behavry's own research page argues that the entity taking action should not be the only entity producing the record of that action. That is directionally right. If the agent, its orchestration layer, or its vendor integration creates the only audit evidence, the organization may have telemetry but not corroboration. The stronger record is produced by something inline and outside the agent's own trust boundary: a decision trace, receipt, or control-plane record that says what was requested, what policy was applied, what context mattered, and why the action was allowed, denied, transformed, or escalated.
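To make the two points above concrete (a chain of individually valid requests that crosses a cumulative limit, and a decision record produced outside the agent's trust boundary), here is an added example that is not code from the talk or from Behavry. It assumes a constructed policy (50 records per request, 120 per principal per hour across all sessions), a hypothetical `crm.export` tool, and a signing key held only by the inline control plane.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed policy: at most 50 records per request, and at most 120 records
# per principal across ALL sessions inside a rolling one-hour window.
PER_REQUEST_LIMIT = 50
CHAIN_LIMIT = 120
WINDOW_SECONDS = 3600

# Receipt-signing key held by the control plane, never by the agent (constructed).
RECEIPT_KEY = b"control-plane-receipt-key"


class InlinePolicyPoint:
    """Sits in the execution path: the tool call runs only if evaluate() allows
    it, and the receipt is written here rather than by the agent about itself."""

    def __init__(self):
        self._history = defaultdict(list)  # principal -> [(timestamp, records)]

    def evaluate(self, principal, session_id, tool, record_count, now):
        # Keep only history inside the window, then sum what this principal has
        # already pulled across every session, not just the current one.
        hist = [(t, n) for t, n in self._history[principal] if now - t < WINDOW_SECONDS]
        self._history[principal] = hist
        already = sum(n for _, n in hist)
        if record_count > PER_REQUEST_LIMIT:
            decision, reason = "deny", "per_request_limit"
        elif already + record_count > CHAIN_LIMIT:
            decision, reason = "deny", "chain_limit_across_sessions"
        else:
            decision, reason = "allow", "within_limits"
            hist.append((now, record_count))
        receipt = {"ts": now, "principal": principal, "session": session_id,
                   "tool": tool, "requested": record_count,
                   "prior_in_window": already, "decision": decision, "reason": reason}
        receipt["sig"] = _sign(receipt)
        return receipt


def _sign(fields):
    body = json.dumps({k: v for k, v in fields.items() if k != "sig"}, sort_keys=True)
    return hmac.new(RECEIPT_KEY, body.encode(), hashlib.sha256).hexdigest()


def verify_receipt(receipt):
    """True only if the receipt came from the control plane and was not altered."""
    return hmac.compare_digest(receipt.get("sig", ""), _sign(receipt))
```

Three 45-record exports in three different sessions each pass the per-request check, but the third is denied because the chain reaches 135; the denial receipt records the prior 90 records and a signature the agent cannot forge.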

This is also why the session pairs well with NIST's work on agent hijacking. NIST's CAISI technical blog describes hijacking as an indirect prompt-injection problem where malicious instructions are embedded in data an agent ingests, and it reports evaluation cases involving remote code execution, database exfiltration, and automated phishing. That evidence supports the talk's architectural point: when an agent can act on untrusted content, post-hoc visibility is not enough. The system needs constrained tools, pre-execution checks, scoped authority, and evidence that survives incident review. That connects directly to Prompt Injection, Confused Deputy Problem, Agent Tool Permission Protocol, AI Agent Observability, AI Audit Trails, and Agent Audit and Incident Review.

Evidence and limits: this is a vendor talk from Behavry's founder, not an independent audit of Behavry's architecture or a comparative benchmark of observability, AARM, guardian-agent, or runtime-governance products. Its value is the question it gives buyers: where do you sit in the execution path? If the answer is "after the call," the tool may still be useful for detection, investigation, and reporting, but it should not be marketed as governance. A credible agent-control story has to show what it can stop before execution, what it can prove afterward, and how its own record is protected from the agent it governs.
