Cequence Security announced general availability of Agent Personas in Cequence AI Gateway on April 28, 2026. The feature gives enterprises granular control over what autonomous AI agents can do at the infrastructure level, scoping permissions down to individual tool calls via the Model Context Protocol (MCP).
The Privilege Gap
The core problem Agent Personas addresses: authenticating an agent’s identity is not the same as controlling its actions. Agents inherit the privileges of the users who deploy them but, unlike humans, have no judgment about when not to exercise available access. A customer service agent with CRM credentials can read, write, and delete records indiscriminately unless something external constrains it.
According to Gartner, “If an AI agent cannot prove who it is acting for and why, it should not get access to tools and data.” The firm’s February 2026 report on AI security states that the primary risk with agents “is not what the AI says, but what the AI does.”
More than 80% of Fortune 500 companies now deploy active AI agents, yet only 47% have AI-specific safeguards in place, according to Cequence.
How It Works
Agent Personas uses plain-English job descriptions to define a scoped virtual MCP endpoint per agent role. Practical examples from the announcement:
- A customer service agent gets CRM read-only access. No record modification.
- A coding agent can read GitHub issues and create Jira tickets but cannot merge pull requests.
- A CI/CD automation agent accesses specific pipeline tools and a single notification channel. Nothing else.
The system introduces Agent Access Keys, a composite credential binding three things together: agent identity, user identity, and persona-level privileges. Security teams can trace exactly who did what, when, and under which permissions.
Per-tool policy enforcement includes rate limits, data masking, and approval workflows applied at the individual tool-call level. Changes to a persona propagate immediately across every agent using it with no code changes required.
Early Deployment
One major U.S. telecommunications provider used Agent Personas to prevent agents from crossing access boundaries across GitLab, Confluence, Jira, and Slack. Scoped virtual endpoints ensured each agent accessed only what it needed, eliminating lateral access risks without additional infrastructure.
“Enterprises have made massive investments in AI, and the race to put agents into production across customer experiences, employee workflows, and business operations is accelerating fast,” said Ameya Talwalkar, CEO and Co-Founder at Cequence, in the announcement.
The Governance Control Plane
Agent Personas is model-agnostic, enforced at the infrastructure layer across OpenAI, Google, Anthropic, open-source, and custom models equally. This positions it as a control plane layer that sits between the agent and the tools it accesses, regardless of which LLM powers the agent.
Cequence AI Gateway now supports more than 140 verified enterprise application integrations and protects over 10 billion daily API interactions. The company co-authored three CIS Critical Security Controls Companion Guides for securing AI agents, LLMs, and MCP environments alongside the Center for Internet Security and Astrix Security.
The Pattern Emerging
Agent identity and access control is consolidating into a distinct product category. Microsoft patched an Entra ID privilege escalation vulnerability affecting agent roles earlier this month. Silverfort acquired Fabrix Security for runtime identity control across human and agentic identities. Now Cequence ships infrastructure-level privilege scoping as a standalone governance layer. The message from the market: authentication without action-level authorization is insufficient for production agent deployments.