IBM Agent Risks Favor a Narrow AI Surface
Big assistants can reach everything at once. IBM and NIST keep warning about blast radius. Sometimes the grown-up move is more agents with less reach, not a bigger dashboard.
IBM’s own explainer on AI agents does not sell a fearless future. It lists personalization and automation, then walks straight into failure modes: multi-agent loops, privacy leaks when connectors sprawl, and the kind of oversight gaps that make security teams twitch (IBM on AI agents). NIST’s AI Risk Management Framework is the boring vocabulary that helps you say that out loud in a room with legal (NIST AI RMF). None of that is an argument against AI. It is an argument for narrow surfaces.
Why smaller can be safer
Enterprise buyers are learning the same lesson consumer apps learned in 2024: breadth is not the same as control. OpenAI’s agent governance paper lines up with IBM on logging, escalation, and human checkpoints before consequential actions (OpenAI agent governance paper). Translation for architecture reviews: blast radius matters as much as model capability.
When one assistant can reach every SaaS API at once, a misconfiguration or a poisoned prompt can travel fast. A mis-forwarded email thread still requires a human mistake that already exists in everyday operations, and the model only sees what you put in the thread. That is not magical safety; it is a different shape of risk.
Email as intentional narrowness
via.email is built around a pattern that sounds almost too simple: one protocol everyone already uses, many specialist agents, each at its own address, with you still pressing send on anything that matters.
- Distill to Three turns a long vendor memo into three bullets so the security question is obvious.
  distill.to.three@via.email
- Extract Action Items pulls owners and deadlines out of a chain before they vanish under “looping in” noise.
  extract.action.items@via.email
- Graph Survey Sentiment helps HR and IT teams turn raw survey text into structured themes when you paste or attach responses.
  graph.survey.sentiment@via.email
- Build Grading Rubric supports education teams who need consistent rubrics without another authoring tool.
  build.grading.rubric@via.email
- Prep Meeting Brief synthesizes context before a cross-functional review so you are not re-reading six threads at midnight.
  prep.meeting.brief@via.email
That is the product story: bounded capability per task, not a single super-assistant with a map of every system you own. via.email does not access your inbox, calendar, or external accounts; it does not send mail on your behalf; it keeps conversation context within the thread you use. Those are constraints, and for many security conversations, constraints are the point.
How to explain this to security without a slide deck
If your CISO asks why email is not “just another channel,” the honest answer is behavioral. Employees already route exceptions, approvals, and half-baked vendor claims through mail. Putting assistive drafting where the receipts already live reduces shadow pasting into random chat tools. OECD’s updated AI principles still put human accountability front and center (OECD AI Principles). Your architecture should make that accountability visible, not hide it behind another dashboard.
When breadth is still worth it
Sometimes you need a wide integration. The EU AI Act and similar frameworks are pushing deployers on documentation and disclosure as models spread into workplace tools (EU AI Act overview). The point is not to pick email for every workload. The point is to match surface area to risk—and to admit that “one agent to rule them all” can be a security story that does not survive contact with a procurement worksheet.
The takeaway
IBM’s agent risk list is a feature request for governance, not a reason to freeze. The defensible move for many enterprises is narrow agents, explicit handoffs, human-owned sends—and an interface boring enough that people actually use it.