Onpode
Cover art for Oracle is pushing 'Secure by Enforcement' runtime controls for AI agents — least privilege, JIT access, approval workflows

Oracle is pushing 'Secure by Enforcement' runtime controls for AI agents — least privilege, JIT access, approval workflows

June 30, 2026 · 6 min

Michael C. Vincent & Mark Delaney

Oracle's 'Fusion AI Agents: Secure by Design,' published June 15, 2026 by Principal PM Reshma Sivakumar, applies four runtime controls to AI agents — least privilege, just-in-time authorization, deterministic tool contracts, and approval workflows. The guidance is labeled best-practice, not a mandate, leaving enterprises free to ignore it under operational pressure.

Oracle Cloud Infrastructure has published runtime security guidance for AI agents deployed in enterprise environments, particularly within Oracle Fusion applications.

0:006:08
Make your own on Onpode

Describe any topic. Hear it in minutes.

About this episode

AI agents are already running inside enterprise systems — Oracle Fusion, payroll, the general ledger — and most organizations have no written policy for what those agents are permitted to do. This episode works through Oracle's June 2025 'Secure by Design' guidance: four runtime controls built around least privilege, just-in-time authorization, deterministic tool contracts, and approval workflows. It asks whether those controls are a genuine blueprint or a best-practice document that operational pressure will quietly shelve. The episode pulls in two independent research threads — the Progent framework from arXiv and the 'Caging the Agents' zero-trust paper for healthcare AI — that converged on the same architecture without Oracle's involvement. That convergence matters. So does something Progent named explicitly: enforcing strict privilege controls reduces agent autonomy and can degrade task performance. That tradeoff rarely makes it into vendor guidance. The honest landing place here is uneasy. The architecture is likely correct. The 2026 CrowdStrike numbers on AI-enabled attack speed make the urgency real. But the controls are still labeled 'best-practice considerations,' not mandates — and the Tuesday morning moment, where someone disables a JIT workflow because it interrupted payroll three times, is completely plausible. Worth your time if you're thinking about how agentic AI actually gets governed in practice.

Frequently asked

What is Oracle's 'Fusion AI Agents: Secure by Design' and what controls does it introduce?

Oracle's 'Fusion AI Agents: Secure by Design,' published June 15, 2026 by Principal Product Manager Reshma Sivakumar, introduces four runtime controls for AI agents: least privilege access, just-in-time authorization, deterministic tool contracts, and approval workflows. The guidance is labeled a best-practice consideration, not a regulatory standard or mandate.

How does just-in-time authorization work for AI agents?

Just-in-time authorization for AI agents issues credentials scoped to a single task at the moment that task requires them, then expires those credentials immediately after. This eliminates standing privileges — broad, persistent access an agent holds indefinitely — which Oracle's framework identifies as a primary enterprise security failure in agentic deployments.

Why are AI agent security controls urgent in 2026?

The 2026 CrowdStrike report found attack breakout time at 29 minutes and AI-enabled adversary activity up more than 89%. An autonomous AI agent with standing privileges — persistent, broad access — becomes a high-value target in that threat environment. Oracle is offering its Database Lifecycle Management Pack and Database Security Central free through early 2027 to accelerate adoption.

Do least-privilege controls reduce AI agent performance?

Yes. The Progent framework, published on arXiv by Tianneng Shi on April 16, 2025, found that enforcing least privilege and strict tool contracts reduces agent autonomy and may degrade task performance. This trade-off is largely absent from vendor guidance but represents a real operational cost enterprises face when implementing runtime controls.

Has independent research converged on the same AI agent security controls as Oracle?

Yes. As of 2026, at least two independent research efforts reached similar conclusions without Oracle coordination: Tianneng Shi's Progent framework (arXiv, April 2025) applied symbolic least-privilege policy to agent tool calls, and Saikat Maiti's 'Caging the Agents' paper (arXiv, March 18, 2026) built a six-domain zero-trust threat model for autonomous AI covering credential exposure and execution abuse.

Grounded in 12 sources
Caging the Agents: A Zero Trust Security Architecture for Autonomous AI in Healthcare · arxiv.org
Progent: Securing AI Agents with Privilege Control · arxiv.org
Anthropic rankles users with safety-first Fable release - NBC News · nbcnews.com
Oracle Targets AI Security With Database-First Protection Strategy · tech.yahoo.com
Anthropic CEO Calls for Mandatory Testing and Deployment Blocks - Let's Data Science · letsdatascience.com
OpenAI limits GPT-5.6 rollout after government request, says restrictions shouldn’t be the norm | TechCrunch · techcrunch.com
Agent Authorization and Access Control Just Became a Runtime Standard | by Jordan Skinner | Jun, 2026 | Medium · medium.com
Sandesh Rao to keynote Oracle Private Agent Factory governance and security at Sangam AI Yatra 2026 · aioug.org
Statement on the US government directive to suspend access to Fable 5 and Mythos 5 \ Anthropic · anthropic.com
Conversational Security in Oracle Fusion: An AI Agent for Least-Privilege Discovery | ateam · ateam-oracle.com
CISO Perspectives: Guarding the Future: Essential Best Practices for Secure AI in Your Oracle Stack (Part 2 of 2) | ateam · ateam-oracle.com
Oracle Cloud Infrastructure publishes "Secure by Enforcement" guidance on runtime controls including least privilege, JIT authorization, deterministic tool contracts and approval workflows for AI agen · blogs.oracle.com
Read transcript

Michael C. Vincent: Picture an enterprise. Their AI agents are already running — inside Oracle Fusion, touching payroll, touching the general ledger — and nobody has written down what those agents are allowed to do. That is not a hypothetical. That's the Tuesday morning most enterprises are currently living through.

Mark Delaney: Ha — yeah, hey, rough week for me too actually. I've been thinking about exactly that — like, who's even watching these things?

Michael C. Vincent: Nobody, mostly. Which is why June 15th mattered. Reshma Sivakumar — Principal Product Manager at Oracle SaaS Cloud Security — published 'Fusion AI Agents: Secure by Design,' four controls, runtime enforcement. Least privilege, just-in-time authorization, deterministic tool contracts, approval workflows.

Mark Delaney: And then they gave the tools away for free, which — I mean, that struck me as a little odd.

Michael C. Vincent: Not odd. Urgent. The 2026 CrowdStrike report clocked attack breakout time at 29 minutes — AI-enabled adversary activity up more than 89%. An autonomous agent with standing privileges is a gift to that attacker. Oracle is giving away the Database Lifecycle Management Pack and Database Security Central through early 2027 because they need enterprises using these controls before the first catastrophic public breach.

Mark Delaney: So the free tools are basically — what, a distress signal?

Michael C. Vincent: More or less. Though I'd frame it as a forcing function.

Mark Delaney: Okay but — before we call this a blueprint everybody should rally around, can we just — uh, can we actually explain what these four controls do? Like, what does JIT authorization mean for someone who's not living inside a security doc?

Michael C. Vincent: Hotel key card.

Mark Delaney: Wait — say more.

Michael C. Vincent: Your key card works for your floor, only while you're checked in. JIT authorization does exactly that — it issues credentials scoped to one task, at the moment that task requires them. The agent doesn't carry a master key. It gets a floor key, uses it, and the key expires. That's the whole idea. What it's killing is standing privilege — the classic enterprise failure where an agent gets broad access once and holds it forever just in case.

Mark Delaney: Yeah, no, that actually makes sense. And the deterministic tool contracts thing — I mean, that one I keep reading and I'm like, okay, what does that actually block in the real world?

Michael C. Vincent: Fund transfers. Shell commands. Sub-agent delegation. Database queries. Before the agent executes any of those, an explicit allow-or-deny check runs — not inside the model's reasoning, at the action layer. Which matters enormously, because you're not trusting the model to behave. You're enforcing behavior regardless. Now — and this is the part I think gets glossed over — Reshma Sivakumar's guidance is still labeled 'best-practice considerations.' Not a standard. Not a mandate. Which means no enterprise is contractually obligated to implement any of it.

Mark Delaney: Wait — so academic researchers are landing on the same controls independently? Like, not because Oracle told them to?

Michael C. Vincent: That's the signal. Tianneng Shi published the Progent framework on arXiv — April 16, 2025 — symbolic policy rules over tool names and arguments, least-privilege logic baked directly into the agent's action layer. Same architecture. Oracle hadn't commercialized any of this yet. And then Saikat Maiti's 'Caging the Agents' paper, March 18, 2026 — six-domain zero-trust threat model for agentic AI in healthcare. Credential exposure, execution capability abuse, network egress. Independent convergence. That's not coincidence.

Mark Delaney: Oh, that's — yeah, okay, that actually does feel significant.

Michael C. Vincent: But Progent names something most vendors won't. Enforcing least privilege and strict tool contracts reduces agent autonomy — and may degrade task performance. They wrote that. They watched it happen in real conditions.

Mark Delaney: Wait, no — that means Oracle's controls aren't free. There's a cost, it's just paid in friction. And I keep thinking about, uh, like — Tuesday morning payroll. An agent flags for JIT re-authorization three times in one hour. Someone at that company is going to disable the workflow before lunch.

Michael C. Vincent: You see, that's exactly where this holds and breaks simultaneously. Jordan Skinner argued in late June 2026 that agent authorization has crossed from best practice to runtime standard. He's right about the direction. But the Tuesday morning moment is real — operational pressure will push enterprises straight back toward standing privileges, because standing privileges don't ask for permission three times.

Mark Delaney: So the architecture is correct and nobody's actually going to use it.

Mark Delaney: And that's — I mean, that's the real thing, right? Like, the blueprint is correct. I'll grant Oracle that. But Oracle is also writing the guidance, selling Oracle Fusion, and running Oracle Cloud Infrastructure. That's the same company doing all three. And now GPT-5.6 — June 26th, the U.S. government tells OpenAI to restrict the Sol, Terra, Luna rollout to a small group of trusted partners — and that's coming from a completely different direction, no coordination. So you've got governance being patched from everywhere at once, none of it talking to each other.

Michael C. Vincent: The blueprint is real. I'll give you that.

Mark Delaney: Yeah. And the architecture — JIT approvals, audit trails, privilege review cycles — those are all built for humans checking things. And the agents are not waiting. That gap isn't closing anytime soon. I don't know, man. Uneasy place to land but I think that's genuinely where we are.

Michael C. Vincent: It is. Good thinking-through, this one.

Oracle is pushing 'Secure by Enforcement' runtime controls for AI agents — least privilege, JIT access, approval workflows · Onpode