Bad Design Is Your Biggest Security Risk

TL;DR: A top university CIO argues that security fails when it's hard to use. He says controls should be invisible to users, and the same principle must apply to new AI agents to keep them secure.

By Neeraj Dhiman · 3h ago · 2 min read · updated 51m ago

Key facts

  • Category: Cybersecurity
  • Impact: High
  • Published: 3h ago
  • Source: InformationWeek

Full summary

A leading CIO says security works best when it's invisible to users, a principle that must now extend to AI agents.

Vince Kellen, the Chief Information Officer for the Texas A&M University System, argues that poorly designed security measures are a significant threat to organizational safety. His core message is that security works best when its controls are largely invisible to the people they are meant to protect. When security policies are cumbersome or create friction, employees are more likely to bypass them, inadvertently creating vulnerabilities. Instead of complex, intrusive procedures, Kellen advocates for a seamless user experience where security is integrated into workflows so smoothly that it goes unnoticed. This approach prioritizes making the secure path the easiest path, which encourages compliance without frustrating users or hindering their productivity. The goal is to build a security culture based on enablement rather than restriction, where employees can work efficiently without feeling like they are constantly fighting the system. This perspective challenges the traditional view of security as a set of rigid gates and checkpoints.

This insight is crucial for CTOs, security leaders, and IT teams responsible for implementing and enforcing corporate policies. It suggests that the effectiveness of a security program depends as much on its usability as its technical strength. If a policy is technically sound but practically unusable, its real-world value diminishes significantly. This principle extends beyond individual employees to the next wave of technology: autonomous AI agents. Kellen warns that these agents must be treated with the same security scrutiny as human users. As organizations increasingly deploy AI to automate tasks and make decisions, these digital workers will become new targets for attackers. They require the same level of visibility, monitoring, and policy enforcement to ensure they operate safely and within their intended boundaries. Without these guardrails, an AI agent could be manipulated to exfiltrate data, disrupt operations, or perform other malicious actions, posing a novel and serious risk to the enterprise.

Why it matters

When security measures are difficult to use, employees find workarounds, creating vulnerabilities that undermine the very policies designed to protect the organization. This shifts the focus from mere policy enforcement to the critical importance of user-friendly security design.

Business impact

Poor security UX leads to lower compliance, increased risk of breaches, and lost productivity as employees struggle with cumbersome controls. Applying this same thinking to AI agents is critical to prevent them from becoming a major new attack vector.

Tags

#security, #ai agents, #ux, #it strategy, #cio

Primary source: InformationWeek
