Michael C. Vincent: Picture an enterprise. Their AI agents are already running — inside Oracle Fusion, touching payroll, touching the general ledger — and nobody has written down what those agents are allowed to do. That is not a hypothetical. That's the Tuesday morning most enterprises are currently living through.
Mark Delaney: Ha — yeah, hey, rough week for me too actually. I've been thinking about exactly that — like, who's even watching these things?
Michael C. Vincent: Nobody, mostly. Which is why June 15th mattered. Reshma Sivakumar — Principal Product Manager at Oracle SaaS Cloud Security — published 'Fusion AI Agents: Secure by Design,' four controls, runtime enforcement. Least privilege, just-in-time authorization, deterministic tool contracts, approval workflows.
Mark Delaney: And then they gave the tools away for free, which — I mean, that struck me as a little odd.
Michael C. Vincent: Not odd. Urgent. The 2026 CrowdStrike report clocked attack breakout time at 29 minutes — AI-enabled adversary activity up more than 89%. An autonomous agent with standing privileges is a gift to that attacker. Oracle is giving away the Database Lifecycle Management Pack and Database Security Central through early 2027 because they need enterprises using these controls before the first catastrophic public breach.
Mark Delaney: So the free tools are basically — what, a distress signal?
Michael C. Vincent: More or less. Though I'd frame it as a forcing function.
Mark Delaney: Okay but — before we call this a blueprint everybody should rally around, can we just — uh, can we actually explain what these four controls do? Like, what does JIT authorization mean for someone who's not living inside a security doc?
Michael C. Vincent: Hotel key card.
Mark Delaney: Wait — say more.
Michael C. Vincent: Your key card works for your floor, only while you're checked in. JIT authorization does exactly that — it issues credentials scoped to one task, at the moment that task requires them. The agent doesn't carry a master key. It gets a floor key, uses it, and the key expires. That's the whole idea. What it's killing is standing privilege — the classic enterprise failure where an agent gets broad access once and holds it forever just in case.
Mark Delaney: Yeah, no, that actually makes sense. And the deterministic tool contracts thing — I mean, that one I keep reading and I'm like, okay, what does that actually block in the real world?
Michael C. Vincent: Fund transfers. Shell commands. Sub-agent delegation. Database queries. Before the agent executes any of those, an explicit allow-or-deny check runs — not inside the model's reasoning, at the action layer. Which matters enormously, because you're not trusting the model to behave. You're enforcing behavior regardless. Now — and this is the part I think gets glossed over — Reshma Sivakumar's guidance is still labeled 'best-practice considerations.' Not a standard. Not a mandate. Which means no enterprise is contractually obligated to implement any of it.
Mark Delaney: Wait — so academic researchers are landing on the same controls independently? Like, not because Oracle told them to?
Michael C. Vincent: That's the signal. Tianneng Shi published the Progent framework on arXiv — April 16, 2025 — symbolic policy rules over tool names and arguments, least-privilege logic baked directly into the agent's action layer. Same architecture. Oracle hadn't commercialized any of this yet. And then Saikat Maiti's 'Caging the Agents' paper, March 18, 2026 — six-domain zero-trust threat model for agentic AI in healthcare. Credential exposure, execution capability abuse, network egress. Independent convergence. That's not coincidence.
Mark Delaney: Oh, that's — yeah, okay, that actually does feel significant.
Michael C. Vincent: But Progent names something most vendors won't. Enforcing least privilege and strict tool contracts reduces agent autonomy — and may degrade task performance. They wrote that. They watched it happen in real conditions.
Mark Delaney: Wait, no — that means Oracle's controls aren't free. There's a cost, it's just paid in friction. And I keep thinking about, uh, like — Tuesday morning payroll. An agent flags for JIT re-authorization three times in one hour. Someone at that company is going to disable the workflow before lunch.
Michael C. Vincent: You see, that's exactly where this holds and breaks simultaneously. Jordan Skinner argued in late June 2026 that agent authorization has crossed from best practice to runtime standard. He's right about the direction. But the Tuesday morning moment is real — operational pressure will push enterprises straight back toward standing privileges, because standing privileges don't ask for permission three times.
Mark Delaney: So the architecture is correct and nobody's actually going to use it.
Mark Delaney: And that's — I mean, that's the real thing, right? Like, the blueprint is correct. I'll grant Oracle that. But Oracle is also writing the guidance, selling Oracle Fusion, and running Oracle Cloud Infrastructure. That's the same company doing all three. And now GPT-5.6 — June 26th, the U.S. government tells OpenAI to restrict the Sol, Terra, Luna rollout to a small group of trusted partners — and that's coming from a completely different direction, no coordination. So you've got governance being patched from everywhere at once, none of it talking to each other.
Michael C. Vincent: The blueprint is real. I'll give you that.
Mark Delaney: Yeah. And the architecture — JIT approvals, audit trails, privilege review cycles — those are all built for humans checking things. And the agents are not waiting. That gap isn't closing anytime soon. I don't know, man. Uneasy place to land but I think that's genuinely where we are.
Michael C. Vincent: It is. Good thinking-through, this one.