Compartmentalizing the Agentic Workforce

The next way of working

The next model of work is not one person helped by one assistant. It is a fleet of narrow agents per workflow, each built for a specific type of task, some with a person in the loop and some running on their own. A recruiter's workflow has a sourcing agent, a scheduling agent, and a reference-check agent. A finance team's has a reconciliation agent, a reporting agent, and a vendor-payment agent. A support queue has a triage agent, a refund agent, and an escalation agent. Each one is narrow on purpose. Each one needs different data, different actions, and a different amount of reach.

That is the world worth building toward, not because more agents is the goal, but because narrow, bounded agents are how automation becomes trustworthy enough to actually deploy. One general agent with broad access is a liability. A set of narrow agents, each holding only what its job requires, is an organization.

The hard problem underneath that vision is simple to state and difficult to do: how do you give each agent exactly the abilities its role demands, and nothing more, across thousands of agents per company, changing every day? That is the layer PortEden exists to be.

Identity systems were built for people, not agents

Every access system in the typical company inherited one assumption from an earlier world: that the number of things needing permissions grows about one per person. Directories, role assignments, periodic access reviews, the joiner and leaver process: all of it was designed for a slowly growing set of human identities you could review every few months.

The agent era breaks that assumption. Agents are a different kind of identity. They do not pass through a human login, they can run around the clock with no normal pattern to compare against, and they have no natural end of life. They do not resign, they do not get offboarded, and they do not expire on their own. And they are arriving fast. Gartner projects that around 40% of enterprise applications will embed task-specific agents by the end of 2026, up from under 5% the year before, and forecasts that worldwide spending on AI-agent software will reach roughly $206 billion in 2026 and about $376 billion in 2027.

A process of periodic review and long-lived credentials cannot govern a population that grows faster than anyone can review it. The unit of access control has shifted from the person to the agent, and the number of units is exploding. You cannot solve that with a manual process.

Why agents are risky in a new way

It is tempting to treat agents as just more automated accounts. They are harder, for one specific reason. An AI agent tends to combine three capabilities in the same place:

Give every agent its own walls

If least privilege answers how much access an agent should have, compartmentalization answers how the damage is contained when something goes wrong anyway. It is the more important of the two, because it assumes failure instead of trying to prevent it.

The idea is borrowed from fields that have lived with catastrophic failure for a long time. Ships are built with watertight compartments so a single breach does not sink the vessel. Intelligence agencies run on need-to-know so a single compromised officer cannot expose the whole network. The common pattern is to partition the system so a breach in one cell stays in that cell.

Applied to a workforce of agents, that means:

• The sourcing agent can read candidate records but cannot touch payroll.
• The vendor-payment agent can start a transfer but cannot read the full customer database.
• The reporting agent can read financial data but can only write to the dashboard, nothing outbound.
• An agent built for a one-day task holds access that expires at the end of the day.

Why this matters more for agents than it ever did for people comes down to two facts. First, agents are routinely given more access than their job needs, so the average compromised agent is also a high-value one. Second, the real damage in a modern breach rarely comes from the first step. It comes from riding trusted connections outward into other systems. An over-permissioned, well-connected agent is a perfect place to pivot from. Compartmentalization is what turns a breach into a contained incident instead of a spreading one: if the compromised agent only ever held a thin, scoped credential, there is nowhere for an attacker to ride to.

Where the control has to live

Almost everyone now agrees that agents need to be scoped and compartmentalized. The harder, more valuable question is where the control is actually enforced. There are only a few candidate places, and most of them do not work:

• Inside the agent. You cannot ask the thing being manipulated to police itself. Self-restraint is not a security boundary.
• Inside each application. Every app would have to model per-agent identity, per-field sensitivity, and instant revocation, and do it consistently across your whole stack. They do not, and there is no single place to see or change the rules.
• In the model gateway. That layer governs the conversation with the model: prompts, tokens, routing, and cost. It is real and useful, but it does not sit on the wire between the agent and your customer database, and it does not build the scoped, redacted, revocable connection into each system. Controlling the model is not the same as controlling the data.
• At the boundary between the agents and your systems. This is the one place where you can enforce, per agent, which systems it reaches, which fields it sees, which actions it may take, what gets logged on every call, and an instant kill switch when something looks wrong. It is the one place that controls both what comes in and what goes out, and the one place a security team can express compartmentalization as policy and have it actually hold.

That boundary is what PortEden is: the controls live inside the connector itself, between the agent and the system. This is also where the market is heading. Gartner predicts that by 2030 half of all AI-agent deployment failures will trace to insufficient runtime enforcement of agent capabilities, that by 2028 a large share of CIOs will demand guardian controls to track and contain agent actions, and that a significant portion of agentic projects will be cancelled, with inadequate risk controls named among the causes. The organizations that succeed with agents will be the ones that solved enforcement at the boundary first.

Security here is the enabler, not the gate

The instinct is to file all of this under security, which in most companies means the thing that slows deployment down. That framing is backwards, and it is the most important thing to get right.

The reason the agentic workforce is stuck at what Gartner calls the peak of inflated expectations is not that the agents do not work. It is that nobody can deploy them broadly because nobody can bound the risk. The blocker is not capability. It is the absence of a way to safely say yes.

Compartmentalization and per-agent access control are what turn "we cannot risk giving an agent access to that system" into "we gave it a scoped, redacted, audited, revocable connection, ship it." The control layer is what makes the next agent cheap and safe to deploy, and the one after that. Companies that install this layer do not get fewer agents. They get to deploy many more, because each one is bounded and each one is reversible. Roads do not restrict travel, they enable it by making speed survivable. The data plane for AI agents does the same: it does not restrict autonomy, it makes autonomy deployable at scale.