There’s a smart idea going around enterprise tech right now: companies shouldn’t let every team wire up AI on its own. Instead the CIO should build an “Enterprise AI Harness,” a shared layer that sits between your people and the AI models, with company-wide rules, guardrails, and a single front door. The pitch, credited to Brian Gracely, is to add guardrails and controls, and to centrally decide which data and which tools each request is allowed to use.
He’s right about the architecture. Centralizing this is the correct call. But I went through the parts list the way I look at any system, hunting for the way in. And here’s the problem: every component is an attack surface, and “guardrails,” in the sense the pitch uses the word, is a governance term, not a security one.
%%{init: {"theme": "base", "themeVariables": {"primaryColor": "#e8f4fd", "primaryBorderColor": "#3182ce", "fontSize": "14px", "fontFamily": "system-ui, -apple-system, sans-serif"}}}%%
flowchart TB
U["Employees & teams"] --> GW["Front door
centralized model access"]
GW --> RT["Semantic router"]
RT --> MEM["Shared memory"]
RT --> SK["Reusable skills"]
MEM --> M["Models & tools"]
SK --> M
classDef surface fill:#fde8e8,stroke:#e53e3e,color:#1a202c,stroke-width:1.5px
classDef safe fill:#e8f4fd,stroke:#3182ce,color:#1a202c,stroke-width:1.5px
class U,M safe
class GW,RT,MEM,SK surface
Every red box is a component of the harness, and every red box is an entry point.
Guardrails and security are not the same thing
This is the heart of it, so let me be plain.
A guardrail, the way most enterprise architects mean it, keeps a well-meaning employee from doing something dumb or off-policy. It stops the marketing intern from feeding customer data into a random model, or keeps answers on-brand. That’s useful. It’s also the wrong tool against someone who is actually trying to break in.
Security has to assume the input is hostile. A guardrail assumes the user is cooperative and just needs bumpers. An attacker is not cooperative. They will send the one input specifically designed to slip past the bumper. So when a harness is sold as “governance and control,” buyers hear “this is handled,” when in fact the thing that stops mistakes and the thing that stops attacks are two different systems. Most harness pitches I’ve come across have the first and not the second.
And centralizing makes the stakes higher, not lower. The moment every AI interaction in the company flows through one shared layer, that layer becomes the most valuable target in the building. Get into it once and you’re not in one team’s tool, you’re in all of them.
Walking the components, one by one
Here’s the parts list, and what I see when I look at each piece.
The single front door (centralized model access). Routing every team through one managed gateway is great for cost and consistency. It also means one set of credentials, one config, one blast radius. If that gateway is compromised, the attacker inherits every team’s access at once. This isn’t hypothetical hand-waving. Through 2029, more than half of successful attacks on AI agents are expected to exploit access-control problems rather than anything exotic (Gartner, 2025). The front door is the lock that matters most, and it’s usually the one nobody threat-modeled.
Smart routing (semantic routing). The harness reads what a user wants and quietly sends it to the right model or tool behind the scenes. Convenient. But now the decision about which tool runs is being driven by the content of the request, and content is exactly what an attacker controls. If I can phrase my input so the router sends me to a more powerful tool than I should reach, the routing layer just became my privilege-escalation path. The thing that hides complexity from Sarah in accounting also hides it from your security team.
Shared memory (the clearing house). The harness gives agents memory and consistency across the company. Genuinely useful, and genuinely the softest spot in the whole stack. If many agents read from a shared memory, then one poisoned entry gets trusted and reused by all of them, often days later, far from where it was planted. The security community has a name for this now. The OWASP Top 10 for Agentic Applications 2026, announced in December 2025, lists it as ASI06, Memory and Context Poisoning. It exists as a named, top-ten risk precisely because shared memory is so easy to abuse.
Reusable skills. The harness encourages teams to build a capability once and share it everywhere. Good for efficiency. But it means one bad or compromised skill doesn’t stay contained, it propagates to every team that reuses it. We just watched a version of this play out in the wild: an audit of nearly 4,000 shared agent “skills” found 13.4% contained at least one critical security issue (Snyk ToxicSkills, February 2026). Reuse multiplies value, and it multiplies a single mistake.
Line those four up against the risks they map to and the pattern is hard to miss:
%%{init: {"theme": "base", "themeVariables": {"primaryColor": "#e8f4fd", "primaryBorderColor": "#3182ce", "fontSize": "14px", "fontFamily": "system-ui, -apple-system, sans-serif"}}}%%
flowchart LR
GW["Front door"] --> A["Access-control abuse
>50% of agent attacks
through 2029"]
RT["Semantic router"] --> B["Goal / routing hijack
steered by user input"]
MEM["Shared memory"] --> C["ASI06
Memory & Context
Poisoning"]
SK["Reusable skills"] --> D["Supply-chain compromise
13.4% of skills critical"]
classDef comp fill:#e8f4fd,stroke:#3182ce,color:#1a202c,stroke-width:1.5px
classDef risk fill:#0f172a,stroke:#0f172a,color:#fff,stroke-width:1.5px
class GW,RT,MEM,SK comp
class A,B,C,D risk
Each convenience feature has a matching named failure mode. The harness ships the left column and calls it done.
Why the industry keeps making this mistake
Because the harness is being designed by platform and architecture teams solving for cost, consistency, and developer happiness. Those are the right goals. Security just isn’t one of the boxes they’re optimizing, so it shows up as “we added guardrails” and everyone moves on.
The gap is visible in the numbers. Only about 29% of organizations feel prepared to secure agentic AI (Cisco State of AI Security 2026). Only 23% have a formal strategy for agent identity, the basic question of who an agent is and what it’s allowed to do (CSA/Strata, February 2026). So we have a lot of companies building a centralized AI layer while most of them admit they haven’t sorted out the security fundamentals that layer depends on. That’s not a harness. That’s a single point of failure with good branding.
What a secured harness actually adds
The fix isn’t to abandon the harness. The idea is sound. The idea is to build the security half that the governance version is missing. Concretely, four additions:
- Identity at the front door. Treat agents as their own kind of identity, with real authentication and least-privilege access, not a shared key everyone uses. Most legacy access systems were built for humans and don’t handle this well yet.
- Controls on the router. The routing decision shouldn’t be steerable by raw user input. Constrain which tools a given request can ever reach, regardless of how it’s phrased.
- Integrity on the memory. Know where each piece of stored context came from, control who can write to it, and keep a trail so a poisoned entry can be found and pulled.
- A real audit trail. Log what tools were called and what actions were taken, in a form your security team can actually review. Guardrails decide what’s allowed; the audit trail tells you what really happened.
The takeaway
Gracely is right that enterprises need an AI harness. I’d just add the part the pitch leaves out: a harness centralizes control, and centralizing control centralizes risk. “Guardrails” keep honest people on the path. They do nothing against someone aiming at the one shared layer that now touches everything.
If you’re building one of these, good. Build the security half at the same time, not after the breach. Map each piece of your harness to the way it can actually be attacked, that exercise is a lot cheaper than discovering the gaps the other way. If you want a starting point, I put together a free scorecard to see where your own agents stand. Start there, then go look hard at your front door.
References