The question is no longer whether organizations will deploy AI agents. The question is whether they can trust them.
As more organizations move from AI experimentation to real-world deployment, one thing becomes clear very quickly: building an AI agent is an inevitable part of IT operations. Making that agent useful, scalable, and trustworthy in an enterprise environment is the real challenge.
The moment an AI agent can access data, call APIs, and take action on infrastructure, it becomes part of your operational stack—raising important questions around access control, data governance, resilience, and visibility.
This blog explores what it takes to run AI agents effectively on NetApp, from understanding agents and MCP servers to securely operationalizing agentic workflows. But perhaps the most important lesson is this:
The greatest risk isn't a malicious AI agent. It's a well-intentioned AI agent with too much access. The next generation of breaches may not begin with a hacker breaking in. They may begin with an AI agent faithfully executing a task it was never authorized to perform in the first place.
The lesson from incidents like Pocket OS isn't that AI is dangerous. It's that autonomy without governance is dangerous.
For decades, security teams designed controls around human behavior. Users forget passwords. Administrators make mistakes. Attackers steal credentials.
AI agents introduce an entirely new category of operational risk. Unlike humans, agents can execute thousands of actions in seconds. They don't get tired. They don't hesitate. And if given the wrong permissions, they can make mistakes at machine speed.
The recent Pocket OS incident highlighted this reality. An AI-powered coding agent reportedly deleted a production database after misinterpreting a request. No ransomware. No breach. No nation-state attack.
Just automation operating exactly as designed.
The lesson wasn't that AI failed.
The lesson was that the infrastructure failed to enforce boundaries.
Security professionals have long assumed that privileged users can cause damage. AI agents should be treated exactly the same way.
Zero Trust was designed for exactly this scenario. Every user, device, application, and now every AI agent must earn access, prove identity, operate within defined boundaries, and be continuously monitored. Trust is not granted because something is inside the organization. Trust is established through verification and governance.
The core principle of Zero Trust is simple: Never trust. Always verify.
That philosophy applies perfectly to AI agents.
An AI agent should never receive blanket administrative access simply because it is internal.
It should never be allowed to bypass governance controls because it is "helping."
And it should never be able to delete, encrypt, modify, or exfiltrate data without independent verification.
In practical terms, AI agents should be treated as highly privileged service accounts operating under continuous validation.
This is where NetApp security architecture becomes particularly relevant.
Many organizations are discovering that the storage layer is one of the few places where governance controls remain enforceable—even if an application, user account, or AI agent becomes compromised.
When we are asked how to prepare for agentic AI, the answer isn't to build new security products. It's to properly configure the security capabilities you already own and design for AI infrastructure with guardrails.
As organizations deploy AI agents, Model Context Protocol (MCP) servers are rapidly emerging as the standard for connecting agents to enterprise systems, tools, and data sources.
Think of an MCP server as the secure intermediary between an AI agent and the resources it wants to access.
The agent doesn't talk directly to storage, databases, APIs, or business systems. Instead, it sends requests through the MCP server, which brokers access, enforces policies, and provides the context the agent needs to complete its task.
That's powerful.
It's also why MCP servers are becoming a critical security boundary.
Without proper controls, an MCP server can access.
The goal isn't simply to connect AI agents to data. The goal is to ensure those connections are governed, auditable, and aligned with enterprise security policies.
This is where NetApp's approach differs.
Rather than creating a separate governance model for AI, NetApp extends existing enterprise controls—including RBAC, ABAC, MFA, MAV, immutable storage, auditing, and policy enforcement—to the data and services that AI agents access through MCP-based workflows.
In other words, the MCP server serves as the request broker, while NetApp provides the governance framework that determines which actions are allowed.
Every AI agent should have a distinct identity.
Using existing Active Directory, LDAP, RBAC, and ABAC controls, organizations can ensure agents receive only the permissions necessary to complete their assigned tasks.
An AI agent responsible for provisioning storage should not have rights to delete volumes.
A data analytics agent should not have access to backup repositories.
A remediation agent should not be able to modify security policies.
Least privilege becomes even more important when actions occur autonomously.
One of the biggest misconceptions about AI security is that authentication alone is enough.
It's not.
Multi-factor authentication (MFA) can verify that an authorized user, administrator, or service account initiated a request. But MFA cannot determine whether the requested action is appropriate, accidental, or potentially harmful.
That's where Multi-Admin Verification (MAV) becomes critical.
Think of it this way: MFA answers the question, "Who are you?" MAV answers the question, "Should this action be allowed?"
In an agentic environment, both questions matter.
An AI agent may be operating under a valid identity. It may have authenticated correctly. It may even be executing a task on behalf of a legitimate administrator. But if that agent attempts to delete a volume, destroy snapshots, modify security policies, or perform another high-impact operation, organizations need a second layer of protection.
NetApp combines MFA and MAV to create a Zero Trust approach to infrastructure operations.
MFA helps ensure only authorized identities gain access.
MAV requires independent approval before sensitive actions are executed.
Together, they create a separation between authentication and authorization, preventing a single credential, account, administrator—or AI agent—from making irreversible changes without oversight.
Just as financial institutions require multiple approvals for large wire transfers, critical infrastructure operations should require more than a single request, regardless of whether that request originates from a human or an AI agent.
If an AI agent makes an incorrect recommendation, interprets a prompt incorrectly, or attempts a destructive action due to faulty context, MFA confirms the identity behind the request while MAV provides the final safeguard that prevents a costly mistake from becoming a business outage.
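The request-broker pattern described above (MCP server as broker, per-agent identity under least privilege, MAV approval before irreversible operations, and an audit record for every request) is easier to reason about as code. The following is an added illustration written for this post, not NetApp's or any real MCP server's implementation; the agent names, tool names, and approval store are hypothetical.

```python
"""Illustrative MCP-style request broker (hypothetical, not NetApp code).

Three separate decisions are made for each agent request:
  1. Was the identity authenticated?           (the question MFA answers)
  2. Does this agent's role permit this tool?  (RBAC / least privilege)
  3. Is the action high-impact and, if so, has an independent approver
     signed off?                               (the MAV idea)
Every request, allowed or not, is written to an audit log.
"""
from dataclasses import dataclass, field

# Hypothetical least-privilege grants: agent identity -> tools it may call.
# The provisioning agent deliberately has no delete rights.
AGENT_PERMISSIONS = {
    "provisioning-agent": {"volume.create", "volume.resize"},
    "analytics-agent": {"volume.read"},
    "backup-agent": {"snapshot.create", "snapshot.delete"},
}

# Irreversible or high-impact operations that need independent approval
# even when RBAC alone would allow them.
MAV_GATED = {"volume.delete", "snapshot.delete", "policy.modify"}


@dataclass
class Broker:
    approvals: dict = field(default_factory=dict)  # (agent, tool, target) -> approver
    audit_log: list = field(default_factory=list)

    def approve(self, agent, tool, target, approver):
        """Record an approval; the approver must not be the requester."""
        if approver == agent:
            raise ValueError("approver must be independent of the requesting agent")
        self.approvals[(agent, tool, target)] = approver

    def request(self, agent, authenticated, tool, target):
        """Return 'allowed', 'denied:<reason>' or 'pending-approval'; always audit."""
        if not authenticated:
            decision = "denied:unauthenticated"
        elif tool not in AGENT_PERMISSIONS.get(agent, set()):
            decision = "denied:rbac"
        elif tool in MAV_GATED and (agent, tool, target) not in self.approvals:
            decision = "pending-approval"
        else:
            decision = "allowed"
        self.audit_log.append(
            {"agent": agent, "tool": tool, "target": target, "decision": decision}
        )
        return decision
```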
Even the most intelligent AI system can make a bad decision.
That's why recovery must be independent of the application or agent that created the data.
Immutable NetApp Snapshot™ copies and SnapLock® technology create protected recovery points that cannot be modified or deleted—even by privileged users or compromised accounts.
If an AI agent accidentally deletes production data, the recovery copy remains intact.
This is the same principle security teams use to defend against ransomware:
Assume something will eventually go wrong and ensure recovery remains possible.
AI agents generate activity patterns.
Those patterns should be monitored.
NetApp Autonomous Ransomware Protection (ARP/AI) and user behavior monitoring provide visibility into unusual access patterns, mass file operations, permission changes, and abnormal behavior.
If an agent suddenly begins touching data it has never accessed before, administrators should know immediately.
Visibility is what transforms automation from a black box into a manageable system.
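The two signals named above, an agent touching data it has never accessed before and a mass operation burst, can be checked with a simple baseline-and-alert pass over audit records. This is an added example, not NetApp ARP/AI or its log format; the log lines are constructed for the illustration and the field names are hypothetical.

```python
"""Baseline-and-alert over constructed agent audit lines (hypothetical format).

The first `baseline_count` records define which volumes each agent normally
touches.  Afterwards, two conditions raise alerts:
  - the agent accesses a volume absent from its baseline (alerted once per volume)
  - `burst_threshold` destructive ops by one agent land inside `window_s` seconds
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data: three normal reads, then a read from the backup
# repository this agent has never touched, then a burst of deletes.
SAMPLE_LOG = """\
2024-05-01T09:00:00 agent=analytics-agent op=read vol=analytics_data path=/q1/sales.csv
2024-05-01T09:00:05 agent=analytics-agent op=read vol=analytics_data path=/q1/regions.csv
2024-05-01T09:01:00 agent=analytics-agent op=read vol=analytics_data path=/q2/sales.csv
2024-05-01T09:30:00 agent=analytics-agent op=read vol=backup_repo path=/daily/db.bak
2024-05-01T09:31:00 agent=analytics-agent op=delete vol=analytics_data path=/q1/a.csv
2024-05-01T09:31:10 agent=analytics-agent op=delete vol=analytics_data path=/q1/b.csv
2024-05-01T09:31:20 agent=analytics-agent op=delete vol=analytics_data path=/q1/c.csv
2024-05-01T09:31:30 agent=analytics-agent op=delete vol=analytics_data path=/q1/d.csv
2024-05-01T09:31:40 agent=analytics-agent op=delete vol=analytics_data path=/q1/e.csv
"""

DESTRUCTIVE_OPS = {"delete", "write", "rename"}


def parse(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def analyze(log_text, baseline_count, burst_threshold=5, window_s=60):
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    baseline = defaultdict(set)          # agent -> volumes seen during baseline
    for r in records[:baseline_count]:
        baseline[r["agent"]].add(r["vol"])
    alerts, recent = [], defaultdict(list)   # recent: agent -> destructive-op times
    for r in records[baseline_count:]:
        if r["vol"] not in baseline[r["agent"]]:
            alerts.append(f"new-volume: {r['agent']} touched {r['vol']} at {r['ts'].isoformat()}")
            baseline[r["agent"]].add(r["vol"])
        if r["op"] in DESTRUCTIVE_OPS:
            q = recent[r["agent"]]
            q.append(r["ts"])
            while (r["ts"] - q[0]).total_seconds() > window_s:
                q.pop(0)                 # drop ops that fell out of the window
            if len(q) == burst_threshold:
                alerts.append(f"burst: {r['agent']} {len(q)} {r['op']} ops within {window_s}s")
    return alerts
```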
One of the biggest governance concerns around AI is accountability.
Who accessed data?
What action was taken?
What system initiated it?
Why did it happen?
Every AI workflow should generate a complete audit trail.
NetApp logging, auditing, and policy controls provide a record of actions across storage and data services, enabling organizations to satisfy compliance requirements while maintaining operational transparency.
In the age of AI, auditability becomes a competitive advantage.
The security industry has spent years focusing on prevention.
Agentic AI changes the equation.
No organization can realistically predict every action an autonomous system may take.
The goal is no longer perfect prevention.
The goal is controlled resilience.
Can the system enforce policy?
Can it limit blast radius?
Can it preserve trusted data?
Can it recover quickly?
These are the same questions organizations ask when defending against ransomware, insider threats, and operational mistakes.
AI agents simply add another variable.
The most successful AI deployments won't be the ones with the smartest models.
They'll be the ones with the strongest governance.
Organizations that build agentic workflows on a foundation of identity controls, authorization policies, immutable data protection, continuous monitoring, and auditability will move faster because they can trust their infrastructure to catch mistakes before they become disasters.
That's ultimately the role NetApp plays in the agentic AI era.
Not as the AI itself.
But as the secure, governed, resilient data foundation that allows AI to operate safely at enterprise scale.
Because when an AI agent eventually makes a mistake—and history suggests it will—the difference between a minor incident and a major outage comes down to one thing: Whether your data infrastructure was architected for resilience from the start. For a deeper dive, check out this blog, “Running AI agents on NetApp: Securely, practically, and without surprises,” on our NetApp Community forum.