Hybrid: Using DevSecOps to Control AI Agent Access: Contracts, Drift and Evidence

A practical session on implementing AI agent access as permission contracts, enabling automated validation, change monitoring, and auditing.

Speaker

Viola Lykova

Agenda

6:00pm - Tea, coffee and networking
6:30pm - Main presentation – Viola Lykova
7:30pm - Questions and answers, followed by light refreshments
8:30pm - Close

Synopsis

As AI agents become increasingly connected to MCP servers, APIs, and internal tools, many teams still lack a clear way to define what those agents are allowed to access, what actions they can take, and how that access should be reviewed over time. In practice, permissions are often scattered across tool configuration, scopes, prompts, and infrastructure settings, which makes the trust model difficult to understand and even harder to verify for audit purposes.

This practical session uses a real product case study to show how AI agent access can be implemented as explicit permission contracts and automatically verified as part of a CI/CD pipeline. It demonstrates how changes can be monitored for unintended “drift” and stored as evidence for review and audit purposes.

The talk supports DevSecOps aims by focusing on automation, secure delivery workflows, and practical controls that help teams move from implicit trust to reviewable access decisions. It will include security learning points related to risky permissions and capability sprawl, along with concrete takeaways for teams who want to improve visibility and control as AI tooling becomes part of production delivery.

About the speaker

Viola Lykova is CTO at nuclecode and a Senior Software Engineer working across application security, authentication, trust architecture, and secure software delivery. Her work focuses on making security decisions more visible, testable, and practical for engineering teams, especially where product workflows become security boundaries.

Alongside her engineering and open-source work, Viola is the creator and lead architect of an AI security product focused on controlling how AI agents gain access to tools and services. Her talks are practical and engineering-led, with an emphasis on real implementation detail, security trade-offs, and usable takeaways for delivery teams.

Our events are for adults aged 16 years and over.

This meeting is conducted in accordance with the BCS Code of Conduct for Meetings.

BCS is a membership organisation. If you enjoy this event, please consider joining BCS. You’ll be very welcome. You’ll receive access to many exclusive career development tools, an introduction to a thriving professional community and also help us Make IT Good For Society. Join BCS today

If you are attending in person, please familiarise yourself with the Visitor Instructions for the BCS London Office.

If you have any accessibility needs, please let us know via groups@bcs.uk, and we’ll work with you to make suitable arrangements.

BCS privacy notice: your data will be processed by BCS in accordance with our data privacy notice.

Photography: by attending this event, you may be photographed or filmed. Please speak to a member of staff if you do not wish to be included.

For overseas delegates who wish to attend the event, please note that BCS does not issue invitation letters.

This event is brought to you by: DevSecOps specialist group

Date and time

Thursday 11 June, 6:00pm - 8:30pm

Location

BCS, The Chartered Institute for IT
25 Copthall Avenue
London
EC2R 7BP

Price

Free