RSAC Vendor Spotlight: Sublime Security
Agentic AI workflows have arrived in production email environments, autonomously analyzing threats, writing detection rules, and rendering verdicts at machine speed. The promise is real: analysts can finally reclaim time from the relentless grind of Level 1 triage. But the same autonomy that delivers value introduces a class of risks that the industry has barely begun to confront. At RSAC 2026, Sublime Security offered one of the more technically grounded conversations about what it means to build and deploy agentic AI securely.
The Code-Data Boundary Has Collapsed
Sublime CISO Andrew Becherer opened with an analogy that deserves wider circulation. For decades, application security's most sacred principle was the separation of code and data. SQL injection exploits the failure to honor that boundary: when user-supplied data is spliced into a query string, the database parser cannot distinguish an attacker's payload from a legitimate value. Parameterized queries restored the boundary by construction, not by inspection. The statement text is fixed by the application and the user-supplied value is bound separately, so the database only ever treats it as a literal, never as query syntax.
LLMs destroy that boundary entirely.
When everything, system instructions, user input, external data, and agent context alike, feeds into the same inference engine, the idea of "parameterized queries for AI" becomes a dangerous illusion. Becherer was direct: teams pointing to AWS Bedrock's Converse API as a control against prompt injection are making the same category error as developers who thought inline SQL was safe before Bobby Tables became an internet meme. The Converse API's separation of system prompt from conversation messages is a convention the model has been trained to respect, a discretionary control on a language model, not a mandatory enforcement mechanism applied before inference. The model still reads every role in one context, and instructions planted in a "data" slot can still steer it. Architects who treat that separation as a security boundary will have a very bad time.
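The SQL half of the analogy, as an added example that is not part of the original article and uses a constructed in-memory table: the same tautology payload returns every row through inline SQL and nothing through a bound parameter, because the bound value is never parsed as query syntax. There is no equivalent demonstration for the LLM side, which is the point: a role-tagged message is still tokens in the same context, with nothing structurally preventing the model from acting on them.

```python
import sqlite3

# Constructed sample data (not from Sublime or the article).
SAMPLE_USERS = [("alice", "analyst"), ("bob", "admin"), ("carol", "analyst")]

# The classic tautology payload: closes the string literal, then ORs in a
# condition that is always true.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Inline SQL: the user-supplied text becomes part of the statement itself,
    so the database parser cannot tell the payload from a legitimate value."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the statement text is fixed and the value is bound
    separately, so it can only ever be compared as a string literal."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups against a legitimate name and against the payload."""
    conn = make_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice"),
        "legit_param": lookup_parameterized(conn, "alice"),
        "payload_vulnerable": lookup_vulnerable(conn, PAYLOAD),  # every row leaks
        "payload_param": lookup_parameterized(conn, PAYLOAD),    # no such user
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Both functions behave identically on well-formed input; the difference only shows up when the input is hostile, which is exactly the property a prompt-level "separation" cannot offer.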
Sublime’s Agentic Architecture in Practice
Sublime deploys two production agents today. ASA, the Autonomous Security Analyst, handles Level 1 and Level 2 alert triage, evaluating inbound emails against link analysis, domain age, attack scoring, and other inputs before rendering a verdict. ADE, the Autonomous Detection Engineer, writes detection rules in Sublime's own Message Query Language (MQL).
What makes Sublime's approach worth examining is not the agents themselves but the architectural controls constraining them. Becherer explained the enforcement model clearly: ASA carries a defined service identity with explicit entitlements. It can make read calls to retrieve the inputs it needs for triage: link analysis results, attack scores, domain reputation data. It cannot call user management APIs, enable or disable detection rules, or reach arbitrary internal functions through an MCP server with broad platform access.
This is not alignment-based control. Sublime does not rely on prompting ASA to make responsible decisions. The enforcement lives in the architecture, in the identity, entitlement model, and execution environment the agent operates within, so a tool call the agent is not entitled to is refused before it is ever executed, whatever the model was talked into asking for. Becherer likened it to a least-privilege sandbox: the agent does everything it needs to do and precisely nothing else. Figuring out what "nothing else" means, and then enforcing it at the infrastructure layer rather than the prompt layer, is the hard work most agentic deployments skip.
Humans Still Hold the Line
ADE writes detection rules but doesn’t deploy them. That distinction reflects a deliberate design choice: human review remains mandatory before any ADE-authored rule enters production. Sublime customers have requested the ability to let ADE auto-provision its own rules, but Sublime’s position is measured: full automation requires a significantly more robust review process, one that can confidently distinguish a well-formed detection rule from one that is malicious or subtly broken. The industry is not there yet.
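Both controls described above, the entitlement model that bounds ASA and the human gate in front of ADE's rules, come down to the same mechanism: a tool gateway that keys every call off a service identity rather than off the prompt. The following is an added example of that pattern, not Sublime's code or API. The identity names, tool names, the in-memory platform state and the rule body are all constructed for illustration.

```python
from dataclasses import dataclass, field


class EntitlementDenied(PermissionError):
    """Raised when a service identity asks for a tool it is not entitled to."""


@dataclass(frozen=True)
class ServiceIdentity:
    name: str
    entitlements: frozenset  # tool names this identity may invoke, nothing else


@dataclass
class Platform:
    """Constructed in-memory stand-in for the platform behind the tools."""
    users: dict = field(default_factory=lambda: {"u1": "active"})
    rules: dict = field(default_factory=dict)  # rule_id -> {"body", "status"}
    domain_age_days: dict = field(default_factory=lambda: {"example.test": 3})

    # Read-only triage input
    def get_domain_age(self, domain: str):
        return self.domain_age_days.get(domain)

    # Privileged operation a triage agent must never reach
    def disable_user(self, user_id: str) -> bool:
        self.users[user_id] = "disabled"
        return True

    # Detection engineering: authoring a rule is separate from deploying it
    def propose_rule(self, rule_id: str, body: str) -> str:
        self.rules[rule_id] = {"body": body, "status": "pending_review"}
        return self.rules[rule_id]["status"]

    def deploy_rule(self, rule_id: str) -> str:
        rule = self.rules[rule_id]
        if rule["status"] != "pending_review":
            raise ValueError(f"{rule_id} is not awaiting review")
        rule["status"] = "deployed"
        return rule["status"]


class ToolGateway:
    """Every tool call passes through here; the check keys off the identity,
    never off what the model said in its prompt or output."""

    def __init__(self, platform: Platform):
        self.platform = platform
        self.tools = {
            "get_domain_age": platform.get_domain_age,
            "disable_user": platform.disable_user,
            "propose_rule": platform.propose_rule,
            "deploy_rule": platform.deploy_rule,
        }

    def call(self, identity: ServiceIdentity, tool: str, **kwargs):
        # Deny by default: an unlisted tool is refused before it is invoked
        if tool not in identity.entitlements:
            raise EntitlementDenied(f"{identity.name} is not entitled to {tool}")
        return self.tools[tool](**kwargs)


# Hypothetical least-privilege identities: reads for the triage agent,
# authoring only for the detection engineer, deployment reserved for a human.
ASA = ServiceIdentity("asa", frozenset({"get_domain_age"}))
ADE = ServiceIdentity("ade", frozenset({"propose_rule"}))
REVIEWER = ServiceIdentity("human-reviewer", frozenset({"deploy_rule"}))


def triage_with_injected_instruction(gw: ToolGateway) -> dict:
    """ASA reads its input, then an attacker-crafted email 'asks' it to disable
    a user. The request is refused regardless of how the model was steered."""
    age = gw.call(ASA, "get_domain_age", domain="example.test")
    try:
        gw.call(ASA, "disable_user", user_id="u1")
        blocked = False
    except EntitlementDenied:
        blocked = True
    return {"domain_age": age, "disable_blocked": blocked,
            "user_state": gw.platform.users["u1"]}


def detection_engineering_workflow(gw: ToolGateway) -> dict:
    """ADE writes a rule; only the human reviewer can move it to deployed."""
    status = gw.call(ADE, "propose_rule", rule_id="r1", body="<constructed rule body>")
    try:
        gw.call(ADE, "deploy_rule", rule_id="r1")
        ade_deploy_blocked = False
    except EntitlementDenied:
        ade_deploy_blocked = True
    final = gw.call(REVIEWER, "deploy_rule", rule_id="r1")
    return {"proposed": status, "ade_deploy_blocked": ade_deploy_blocked, "final": final}


if __name__ == "__main__":
    gateway = ToolGateway(Platform())
    print(triage_with_injected_instruction(gateway))
    print(detection_engineering_workflow(gateway))
```

The design choice worth noting is that the gateway never looks at the model's reasoning. If the LLM is induced to request `disable_user`, the call fails at the entitlement check, and the user record is untouched; if ADE requests `deploy_rule`, it fails the same way, and the rule stays in `pending_review` until an identity with that entitlement, a human, acts on it.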
Why This Matters
CISOs and security leaders evaluating agentic AI platforms need to ask harder questions than most vendors currently invite. Does the platform enforce agent authority at the identity and entitlement layer, or does it rely on the LLM’s own judgment to stay in bounds? What happens when an agent encounters attacker-crafted content in the data it processes? Where does the human review gate sit, and is it mandatory or optional?
Sublime’s architecture suggests the company has worked through these questions with more rigor than most. For organizations running lean teams that cannot sustain the volume of manual triage that modern email threat landscapes demand, Sublime’s combination of autonomous analysis, constrained agent authority, and human-in-the-loop detection engineering represents a model worth serious evaluation. The agents are fast. The architecture is thoughtful. And the controls, critically, live outside the LLM — which is exactly where they need to be.