Blog

A CISO's Framework for Agentic AI: What Anthropic's Security Team Learned

July 2026 · 6 min read · Technical

Line illustration of a filing cabinet with an audit trail beside a small robot standing inside a dashed governance boundary, with a terracotta shield watching over it
← Back to all posts

Anthropic's Deputy CISO, Jason Clinton, published a framework this week for how security leaders should evaluate agentic AI use cases inside their organisation. The starting point isn't chasing zero risk. It's making agentic risk legible and bounded, so each new use case gets a deliberate accept or decline instead of a reflexive one in either direction.

The argument cuts against two common instincts. Refusing every agent request just pushes adoption underground: shadow AI running with no telemetry and no off switch, and no way to know what's actually touching company data. Approving requests without controls invites the kind of incident that sets an entire AI programme back months, sometimes permanently, once leadership loses confidence in it. Most agentic AI failures that make headlines aren't cases of an agent behaving unpredictably. They're cases where nobody could reconstruct what happened after the fact, which turns a contained mistake into an unbounded one. Anthropic's security team avoids both failure modes by running every new agentic use case through the same four questions before it goes near production.

The four questions Anthropic's security team asks

Before approving any agentic workflow, the team works through four questions in order. None of them require a dedicated AI security hire to answer properly. They require someone who already understands the system, asking the questions and writing the answers down.

  • What untrusted content does it ingest? Email, the open web, third-party documents, public repos: anything an attacker could plausibly write or alter belongs in this category.

  • What actions can it take, and on whose behalf? This covers read-only versus read/write access, tool calls, code execution, network egress, and which identity each action runs under.

  • What is the blast radius if it's misaligned? An agent that only ever touches one file behaves very differently to one that can act across an entire organisation's systems.

  • What observability exists? The test isn't whether the agent ran. It's whether anyone can reconstruct, after the fact, exactly what it did and why.

Why this matters for Australian businesses already running Claude

Most Australian businesses adopting Claude Code or Claude Cowork are past the question of whether to use AI agents and into the harder one: how do you govern the agents you already have running. A four-question review is something a small compliance or operations team can run without hiring a dedicated AI security specialist, and it maps cleanly onto existing obligations under the Privacy Act. For regulated businesses, it also lines up with APRA and ASIC expectations around third-party and technology risk. Firms already sitting inside APRA's operational risk regime will recognise the shape immediately: know what you're exposed to before something goes wrong, not after. It's also the kind of document a board or an insurer will ask for eventually, and it's far cheaper to have it ready than to build it under pressure during an actual incident.

The cost case is straightforward. An unmanaged agent incident, one where an agent with broad file or system access gets prompt-injected through an email attachment or a scraped web page, can cost an Australian business well beyond the $50,000 to $150,000 AUD range once incident response, client notification and remediation are added up, before legal and reputational costs are even counted. A governance review done properly before agents go into production is a fraction of that figure, and it's the kind of fraction a Sydney or Melbourne CFO can put a number against when the topic comes up at board level.

Practical controls that map to the framework

Each of the four questions turns into a concrete control an operations or IT lead can put in place this quarter:

  • Scope agent tool access to the minimum required for the task. Least-privilege by default, not granted broadly and trimmed later.

  • Require a human approval gate for any agent action that writes to production systems or customer data.

  • Turn on audit logging for every agent action, and put someone on a schedule to actually review it, not just collect it.

  • Treat any agent that reads external content (email, web pages, uploaded documents) as touching untrusted input, and sandbox it accordingly.

The most common mistake businesses make when they start this process is doing the four controls in the wrong order. Scoping access feels urgent and gets done first. Observability feels like paperwork and gets left until last, usually until after something has already gone wrong and there's nothing to look back at. Building the audit log before the agent goes anywhere near production data costs almost nothing extra at setup time and is the single hardest piece to retrofit afterwards.

What a first governance review actually covers

For a business already running Claude Code or Claude Cowork, this is close to the review Automata AI runs as part of every Claude setup engagement: map what each agent touches, confirm who approves what, and confirm what gets logged, before any of it goes near production data. It's usually a half-day exercise for a business with a handful of agentic workflows, not a multi-week security audit, and it produces a document leadership can point to if a regulator, an insurer, or a nervous board member asks how agentic AI is actually governed.

If Claude Code or Claude Cowork is already running inside your business and nobody has written down what it can touch, that's the gap this framework is built to close. Automata AI runs this review as a standalone engagement or as part of a broader Claude setup. Book a time to talk it through if it's overdue.

Ready to move from AI pilot to production?

We help mid-market Australian businesses deploy AI automations that actually reach production and deliver measurable ROI.