Securing Enterprise AI Agents

Bounded AI Autonomy, AgentSecOps, MCP Security, RAG Governance, and Regulatory Readiness

This book is 74% complete. Last updated on 2026-05-18.

A practical guide to AI agent security for enterprise teams. Learn how to secure AI agents in production with bounded autonomy, AgentSecOps, MCP security, RAG governance, identity controls, audit evidence, and regulatory readiness.

Minimum price $9.99; suggested price $29.00. Available as PDF, EPUB, and WEB.

About the Book

Enterprise AI agents are moving from demos into workflows that touch code, data, tools, tickets, documents, APIs, and customer operations. That changes the security problem. Reviewing prompts, logging chatbot sessions, and writing acceptable-use policies is not enough once an AI system can act.

Securing Enterprise AI Agents shows how to treat agents as operational systems. It covers bounded AI autonomy, AgentSecOps, MCP security, RAG governance, identity controls, approval workflows, audit evidence, evals, observability, incident response, and regulatory readiness as one connected discipline.

The core argument is simple: enterprises do not need maximum autonomy. They need useful agents that can act inside clear boundaries, prove what they did, stay inside policy, and fail safely.

If you are searching for AI agent security, secure AI agents, or practical controls for AI agents in production, this book is the field guide I wish more enterprise teams had before their first agent touched real data, real tools, or real customers.

This book is for CISOs, CIOs, CTOs, enterprise architects, security architects, platform teams, AppSec leaders, AI governance teams, risk owners, auditors, and engineering leaders moving agents from experiments into real enterprise workflows.

About the Author

Thomas De Vos

Engineer and AI practitioner with over a decade building production AI systems for global financial institutions. Focused on the intersection of autonomous agents, regulatory compliance, and operational reliability. Currently leading AI strategy for banking, insurance, and fintech clients across multiple continents.

Table of Contents

Securing Enterprise AI Agents

  1. For Marilin De Vos
  2. In memory of my father, Flor De Vos
  3. What this book is
  4. Who this book is for, and how to scale the burden
  5. What you will not find here
  6. How to read this book
  7. A note on tools and versions

Part I: Why agentic AI changes the risk model

Chapter 1: From chatbots to actors

  1. Learning objectives
  2. 1.1 Three things people call AI features
  3. 1.2 The four delegated authorities
  4. 1.3 Why production risk increases non-linearly
  5. 1.4 A short worked example: the trade finance “chatbot”
  6. Exercises
  7. Summary
  8. Notes

Chapter 2: The agentic failure modes

  1. Learning objectives
  2. 2.1 Tool misuse
  3. 2.2 Data leakage
  4. 2.3 Permission escalation
  5. 2.4 Prompt injection
  6. 2.5 Silent workflow corruption
  7. 2.6 Cost explosions
  8. 2.7 Audit gaps
  9. 2.8 Model regression
  10. 2.9 How the failure modes compose
  11. A worked example: the failure mode register for a know-your-customer agent
  12. Exercises
  13. Summary
  14. Notes

Chapter 3: The enterprise agent operating model

  1. Learning objectives
  2. 3.1 The ownership problem
  3. 3.2 The four artefacts
  4. 3.3 Human-in-the-loop is a control, not a fallback
  5. 3.4 The right cadence
  6. A worked example: the operating model for a sanctions screening copilot
  7. Exercises
  8. Summary
  9. Notes

Part II: Architecture of production agentic systems

Chapter 4: Reference architecture for secure agents

  1. Learning objectives
  2. 4.1 The seven layers
  3. 4.2 Why each layer needs its own trust boundary
  4. 4.3 The blast radius rule
  5. 4.4 The reference deployment
  6. 4.5 Layer-specific design notes
  7. A worked example: redrawing the sanctions screening copilot
  8. Exercises
  9. Summary
  10. Notes

Chapter 5: MCP and the tool-using AI stack

  1. Learning objectives
  2. 5.1 What MCP actually is
  3. 5.2 Local versus remote servers, and why the difference matters
  4. 5.3 Tool poisoning: descriptions as injection surface
  5. 5.4 The MCP supply chain
  6. 5.5 Server trust boundaries
  7. 5.6 Connector lifecycle
  8. 5.7 When to use MCP and when not to
  9. A worked example: an MCP server for sanctions screening
  10. Exercises
  11. Summary
  12. Notes

Chapter 6: Identity for agents

  1. Learning objectives
  2. 6.1 The Confused Deputy problem, restated for agents
  3. 6.2 Why human identity does not transfer
  4. 6.3 Delegated authority in practice: OAuth 2.1 token exchange
  5. 6.5 Least privilege for agents
  6. 6.6 Just-in-time access
  7. 6.7 Credential handling
  8. 6.8 Auditability and revocation
  9. A worked example: identity for the sanctions screening copilot
  10. Exercises
  11. Summary
  12. Notes

Chapter 7: Securing tool calls

  1. Learning objectives
  2. 7.1 The capability boundary
  3. 7.2 Allow lists, deny lists, and the default
  4. 7.3 Tool classification by blast radius
  5. 7.4 Argument validation
  6. 7.5 Sandboxing dangerous tools
  7. 7.6 Approval workflows
  8. 7.7 The asymmetric dual-LLM guardrail pattern
  9. 7.8 Idempotency and rollback
  10. 7.9 The capability matrix
  11. 7.10 The Agent Contract: capability matrix as code
  12. 7.11 Taming primitives: software-engineering recipes for agent security
  13. A worked example: securing the release-payment tool
  14. Exercises
  15. Summary
  16. Notes

Part III: Evals, observability, and reliability

Chapter 8: Evals are the new test suite

  1. Learning objectives
  2. 8.1 What evals actually are
  3. 8.2 Building the regression set
  4. 8.3 LLM-as-judge: when it works and when it does not
  5. 8.4 Human review
  6. 8.5 Regression gates as a release control
  7. 8.6 What to score
  8. 8.7 The eval-set lifecycle
  9. A worked example: a starter eval set for the sanctions screening copilot
  10. Exercises
  11. Summary
  12. Notes

Chapter 9: Observability for agents

  1. Learning objectives
  2. 9.1 The trace as the unit of observability
  3. 9.2 The fields that matter most
  4. 9.3 Prompt and context as observable artefacts
  5. 9.4 Tool-call observability
  6. 9.5 Retrieval and memory in the trace
  7. 9.6 Cost and latency as quality signals
  8. 9.7 Drift detection
  9. 9.8 Replay
  10. A worked example: the sanctions screening incident replay
  11. Exercises
  12. Summary
  13. Notes

Chapter 10: Agent reliability engineering

  1. Learning objectives
  2. 10.1 The longer-prompt antipattern
  3. 10.2 Timeouts
  4. 10.3 Retries
  5. 10.4 Idempotency
  6. 10.5 State machines and durable workflows
  7. 10.6 Circuit breakers
  8. 10.7 Algorithmic denial of service: cost as a security vector
  9. 10.8 Dead-letter queues and human escalation
  10. 10.9 Failure modes the agent should recognise
  11. A worked example: the sanctions screening agent as a state machine
  12. Exercises
  13. Summary
  14. Notes

Part IV: Secure RAG and enterprise knowledge

Chapter 11: RAG as an attack surface

  1. Learning objectives
  2. 11.1 Why RAG is an attack surface
  3. 11.2 Retrieval poisoning
  4. 11.3 Indirect prompt injection through ingestion
  5. 11.4 Citation hallucination
  6. 11.5 Permissions-aware retrieval
  7. 11.6 Data exfiltration through retrieval
  8. 11.7 The corpus you trust versus the corpus you ingest
  9. 11.8 The threat model template
  10. A worked example: the customer-facing knowledge base RAG
  11. Exercises
  12. Summary
  13. Notes

Chapter 12: Production RAG architecture

  1. Learning objectives
  2. 12.1 The pipeline
  3. 12.2 Chunking is more important than retrieval
  4. 12.3 Hybrid retrieval
  5. 12.4 Reranking
  6. 12.5 Freshness
  7. 12.6 Evaluation of retrieval
  8. 12.7 Monitoring retrieval quality in production
  9. 12.8 The architecture diagram
  10. A worked example: the customer FAQ RAG, in detail
  11. Exercises
  12. Summary
  13. Notes

Chapter 13: Knowledge governance

  1. Learning objectives
  2. 13.1 Classification at the source
  3. 13.2 Entitlements
  4. 13.3 PII
  5. 13.4 Audit trails
  6. 13.5 Retention for agent-specific artefacts
  7. 13.6 Legal discovery
  8. 13.7 Document lifecycle
  9. 13.8 The governance overlay
  10. A worked example: the corpus governance for the customer FAQ RAG
  11. Exercises
  12. Summary
  13. Notes

Part V: Secure agentic coding

Chapter 14: Coding agents in professional teams

  1. Learning objectives
  2. 14.1 The unit of agent output
  3. 14.2 Repo context: what the agent reads
  4. 14.3 Task planning
  5. 14.4 The review problem
  6. 14.5 Test generation as multiplier or blind spot
  7. 14.6 The platform team’s role
  8. 14.7 Productivity measurement
  9. A worked example: the FS team and the Claude Code rollout
  10. Exercises
  11. Summary
  12. Notes

Chapter 15: Security boundaries for AI coding

  1. Learning objectives
  2. 15.1 Secrets
  3. 15.2 Dependency risk
  4. 15.3 Vulnerability introduction
  5. 15.4 The human review rule
  6. 15.5 The CI pipeline as control surface
  7. 15.6 The repository as security boundary
  8. 15.7 What happens when an agent introduces an incident
  9. A worked example: hardening the FS team’s coding agent
  10. Exercises
  11. Summary
  12. Notes

Chapter 16: From vibe coding to governed delivery

  1. Learning objectives
  2. 16.1 What “vibe coding” actually is
  3. 16.2 The gap, in detail
  4. 16.3 Architecture decision records
  5. 16.4 The delivery pipeline
  6. 16.5 Productivity measurement, reframed
  7. 16.6 The role shift
  8. 16.7 The vibe-to-secure hardening track
  9. 16.8 What “governed delivery” looks like in practice
  10. A worked example: the FS team six months later
  11. Exercises
  12. Summary
  13. Notes

Part VI: Deployment and governance

Chapter 17: Agent deployment patterns

  1. Learning objectives
  2. 17.1 Internal copilots
  3. 17.2 Workflow agents
  4. 17.3 Customer-facing agents
  5. 17.4 Developer agents
  6. 17.5 Security agents
  7. 17.6 Choosing the right pattern
  8. 17.7 Rollout patterns
  9. 17.8 The post-launch review
  10. A worked example: classifying a real proposal
  11. Exercises
  12. Summary
  13. Notes

Chapter 18: Policy as code for AI agents

  1. Learning objectives
  2. 18.1 Why code, not documentation
  3. 18.2 The policy plane
  4. 18.3 Policy engines
  5. 18.4 Writing policies in Rego
  6. 18.5 Writing policies in Cedar
  7. 18.6 Intercepting MCP JSON-RPC calls
  8. 18.7 Worked scenario: PII tool from outside the VPN
  9. 18.8 Policy evaluation at runtime
  10. 18.9 Versioning and rollout
  11. 18.10 Audit advantage
  12. 18.11 Patterns for keeping the plane manageable
  13. A worked example: the policy plane for the sanctions screening copilot
  14. Exercises
  15. Summary
  16. Notes

Chapter 19: Incident response for AI systems

  1. Learning objectives
  2. 19.1 Six incident types
  3. 19.2 Why your playbook does not cover them
  4. 19.3 Detection
  5. 19.4 Containment
  6. 19.5 Forensics
  7. 19.6 Recovery
  8. 19.7 Tabletops
  9. 19.8 The post-mortem
  10. A worked example: the customer chatbot mortgage refund tabletop
  11. Exercises
  12. Summary
  13. Notes

Chapter 20: Continuous AgentSecOps: build-time and run-time security as one architecture

  1. Learning objectives
  2. 20.1 Why one architecture, not two
  3. 20.2 The build-time pillar
  4. 20.3 The runtime pillar
  5. 20.4 The closed loop: from production signal to next-build gate
  6. 20.5 Automatic vulnerability remediation: where it works
  7. 20.6 Autonomous Attack Simulation
  8. 20.7 What to measure to know it is working
  9. A worked example: the unified architecture for the sanctions screening copilot
  10. Exercises
  11. Summary
  12. Notes

Chapter 21: The production readiness checklist

  1. Learning objectives
  2. 21.1 How to use the checklist
  3. 21.2 The architecture section
  4. 21.3 The security section
  5. 21.4 The evals section
  6. 21.5 The observability section
  7. 21.6 The governance section
  8. 21.7 The rollout section
  9. 21.8 The conversation patterns
  10. 21.9 The post-launch review, in one place
  11. 21.10 Defending a no-go
  12. 21.11 Closing thoughts
  13. Exercises
  14. Summary
  15. Notes
