A director of AI safety at one of the world's largest AI labs gave an AI agent access to her email. It started deleting messages. She told it to stop. It kept going. Then it said: "Yes, I remember. And I violated it." (SF Standard)
While it's easy to call this a user error, we disagree. The problem is that the security layer was commingled with the AI agent itself: the same component deciding what to do was also the only thing deciding what it was allowed to do.
The gap is real, and it's getting harder to ignore
Agents are already running everywhere. They're being connected to email, databases, calendars, Slack, Stripe. They act on your behalf, reading, writing, sending, deleting, while you're focused on something else.
Most of them have no guardrails. No activity log. No kill switch you can hit in one move.
80% of teams with agents in production have already had an unintended action (SailPoint, 2025). That's not a near miss. That's an incident that already happened. And 92% hit a wall trying to move their agents from pilot to production, not because the model failed, but because there was no trust infrastructure around it (Accenture, 2025).
These aren't edge cases. This is what the category looks like right now.
And… we've seen this movie before
Civic has been in the identity and security space since 2015. We've verified millions of identities, issued hundreds of thousands of digital wallets, and built infrastructure that stands between bad actors and your most sensitive data.
When we started watching the agent ecosystem develop, we recognized something we'd seen before: a new area expanding faster than the security layer around it — builders connecting real agents to real tools, with real data at stake, and no good answer to what happens when something goes wrong.
We knew this problem. We'd spent a decade building the foundations to solve it. So we made a deliberate call: shift Civic's focus to be the security layer that AI agent builders actually need.
What is Civic today?
Civic is the security layer that sits between your agent and the tools it touches. It gives you the confidence to connect sensitive data without the risk of destruction or unintended activity.
Your agent calls Civic. Civic calls the tools under the access you defined, with every call logged and a kill switch you can use the moment something looks wrong.
Agent → Civic → Tool. Not agent → Gmail. Not agent → database. Civic in the middle, doing four things:
Connectivity. One URL. Your agent connects to the tools it needs — Gmail, Drive, Slack, Stripe, and your own APIs — without OAuth sprawl or raw credentials sitting in your runtime. Bring your own auth (CivicAuth, Clerk, WorkOS). Under ten minutes to first secure connection.
Auditability. Every tool call is logged: which tool, which scope, what time, which agent. When something looks off, you have the data to know exactly where it started — not just that the agent ran, but what it touched.
Guardrails. Your agent can read Gmail without being able to send or delete anything. You define the boundaries. Read-only, no-send, no-delete, until you explicitly say otherwise. The guardrails don't slow the agent down. They're what make it safe to deploy.
Revocation. Stop the agent. Not in a ticket. Not in a config file. Now. One move, all access cut. When something goes wrong — and eventually something will — the question isn't whether you can stop it. It's whether you can stop it fast enough.
Some errors you can't revert
Cleaning up messes is part of building. Everyone who's shipped something real knows that.
Some messes are recoverable. You push a bad commit, you revert it. You break staging, you rebuild it.
Some aren't. You can't undo a wiped database, credentials leaked through a prompt, or actions of an agent that acted on instructions you didn't intend, under permissions you didn't realize were that wide.
In practice, Civic sits between your agents and the things they can touch. It scopes what each agent can access, enforces those boundaries at the auth layer, and logs what actually happened. When things are working, you don't notice it. When something goes wrong, the blast radius is already contained.
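To make the Agent → Civic → Tool shape from the four points above and this paragraph concrete, here is an added example of a minimal tool-call gateway. It is not Civic's code and does not use Civic's API; the tool backends (an in-memory mailbox), the agent name "inbox-summarizer" and the scope names "read" and "delete" are all constructed for illustration. It shows the three enforceable properties the text describes: default-deny scoped access, an audit record for every call whether or not it was allowed, and a revocation switch that cuts all of an agent's access in one move.

```python
"""Added example (not Civic's code): an Agent -> Gateway -> Tool permission layer.

The agent never holds tool credentials; it asks the gateway, which checks the
grant, writes an audit record, and only then dispatches to the real tool.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AuditEntry:
    time: str
    agent: str
    tool: str
    action: str
    decision: str  # "allowed", "denied:scope" or "denied:revoked"


class Denied(Exception):
    """Raised when the gateway refuses a tool call."""


class ToolGateway:
    def __init__(self):
        self._tools = {}     # (tool, action) -> handler(args)
        self._grants = {}    # agent -> {tool: set(actions)}; absent means no access
        self._revoked = set()
        self.audit = []      # every call lands here, allowed or not

    def register_tool(self, tool, action, handler):
        self._tools[(tool, action)] = handler

    def grant(self, agent, tool, actions):
        self._grants.setdefault(agent, {}).setdefault(tool, set()).update(actions)

    def revoke(self, agent):
        # Kill switch: one call removes every grant and blocks future calls.
        self._revoked.add(agent)
        self._grants.pop(agent, None)

    def _log(self, agent, tool, action, decision):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(stamp, agent, tool, action, decision))

    def call(self, agent, tool, action, args=None):
        if agent in self._revoked:
            self._log(agent, tool, action, "denied:revoked")
            raise Denied(f"{agent} has been revoked")
        allowed = self._grants.get(agent, {}).get(tool, set())
        if action not in allowed or (tool, action) not in self._tools:
            # Default deny: an unknown tool or an ungranted action is refused.
            self._log(agent, tool, action, "denied:scope")
            raise Denied(f"{agent} may not {action} on {tool}")
        self._log(agent, tool, action, "allowed")
        return self._tools[(tool, action)](args or {})


def build_gateway():
    """Wire a constructed in-memory 'gmail' tool behind a read-only grant."""
    mailbox = {"m1": "Quarterly numbers", "m2": "Lunch?"}  # constructed sample data
    gw = ToolGateway()
    gw.register_tool("gmail", "read", lambda args: sorted(mailbox))
    gw.register_tool("gmail", "delete",
                     lambda args: mailbox.pop(args["id"], None) is not None)
    gw.grant("inbox-summarizer", "gmail", {"read"})  # read, but never delete
    return gw, mailbox


def demo():
    """Read succeeds, delete is refused, revocation then blocks even reads."""
    gw, mailbox = build_gateway()
    results = {"read": gw.call("inbox-summarizer", "gmail", "read")}
    try:
        gw.call("inbox-summarizer", "gmail", "delete", {"id": "m1"})
        results["delete"] = "allowed"
    except Denied:
        results["delete"] = "denied"
    gw.revoke("inbox-summarizer")
    try:
        gw.call("inbox-summarizer", "gmail", "read")
        results["after_revoke"] = "allowed"
    except Denied:
        results["after_revoke"] = "denied"
    results["mailbox_intact"] = len(mailbox) == 2
    results["decisions"] = [e.decision for e in gw.audit]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that the denied delete still shows up in the audit trail as "denied:scope", so an operator sees the agent attempting something outside its grant before it ever reaches the tool, and that `revoke` needs no config change or redeploy to take effect on the very next call.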
Who this is for
If you're building agents that touch real tools and real data, this is for you.
AI engineers, solo founders, hobbyists, AI consultants, technical leads on small teams. People serious enough about their build to think one level past "does it work" to "what happens when it doesn't."
Self-serve. No procurement. No enterprise sales cycle. Set up in under ten minutes.
The ecosystem isn't keeping up
Every day, a new agentic attack surface comes to light. In February, ClawHub had over 10,700 skills available to download. Koi Security found 824 of them were malicious (Koi Security, 2026).
If your agent is learning and executing tasks on its own — and most are — that number should give you pause. Your agent may accidentally take actions that cause harm. Guardrails aren't optional. They're just not built in.
It's time to add a permission layer.
