Closing the Gap Between Security Strategy and Operational Reality

There is a pattern beginning to emerge across security operations teams as AI enters the SOC, regardless of size or maturity.

An AI agent is configured to triage cloud alerts in the right way for one business unit. A multi-agent procedure is assembled that reliably handles phishing investigations end to end for one division. An enrichment pipeline is tuned and proven across hundreds of real detections in one region. These things work, effectively and consistently, within the environment where they were built.

Then the organization needs that same capability in other places it operates.

So it gets rebuilt.

Not because the original was wrong. Not because a better approach was discovered. But because the original was never packaged, never shared, and never governed in a way that made it available beyond the environment that created it. The operational expertise exists. It just cannot travel.

This is the problem the Shared Agentic Library is built to solve.

What the Shared Agentic Library Is

The Shared Agentic Library is a new Bricklayer capability that allows organizations and service providers to package, share, and manage operational capabilities across their environments, turning proven agentic configurations into reusable, governed building blocks.

It supports sharing and managing a broad set of operational assets:

  • Agents — role-based, tool-based, and knowledge-based configurations
  • Procedures — multi-step investigative and response workflows
  • Integrations — agentic-powered integrations connecting tools and data stores
  • Insight Groups — reusable investigative context
  • Workflow components and configurations — reusable building blocks for any operational pattern

The result is a unified system for distributing operational capability across corporate boundaries.

The Problem It Addresses

Traditional security operations have always struggled with operational fragmentation. Playbooks live in shared drives. Procedures get rebuilt for each new environment. Institutional knowledge stays with the analyst who developed it.

The same workflows get reimplemented across divisions, business units, and customers, differently each time, with no coordinated way to update them when something better is discovered.

Agentic AI offers a genuinely different path. Because agents are software, their configurations are portable. Procedures are structured and repeatable. Integration logic can be packaged. For the first time, the operational patterns that make a SOC effective are not just practices. They are assets that can, in principle, travel.

The Shared Agentic Library makes that potential real. Without it, even well-configured agentic deployments stay local: effective in the environment where they were built, invisible to the other environments within the parent organization that could benefit. What works in one place stays there. What improves in one deployment does not propagate to the others.

The Shared Agentic Library is the mechanism that changes that.

Sharing Across Operational Boundaries

When Bricklayer introduced Multi-Organization and Service Provider Management, we established the security architecture for operating AI-driven security workflows across complex, isolated environments: subsidiaries, business units, and managed customer tenants. That architecture relies on data isolation enforced at the schema level, optional private key infrastructure, and governance built into the structure.

The Shared Agentic Library extends that model into the operational layer.

Multi-Organization Management answered the question: how do we run AI safely across environments where data must remain separate?

The Shared Agentic Library answers the next question: how do we share what works across those same boundaries without breaking the isolation or losing control?

The approach follows the same discipline. Sharing is scoped. Assets are distributed to specific organizations, workspaces, or customer tenants, not broadcast indiscriminately. Who can publish, consume, and modify is controlled through role-based permissions. Every change is auditable. The parent organization remains the custodian of what is published and distributed across the enterprise, even as individual environments adapt and operate those assets within their own boundaries.

For Enterprises: One Program, Every Environment

Many enterprise security programs are unified in name but fragmented in practice. A central security team sets strategy and standards. But the actual work (the agent configurations, the investigation procedures, the integration pipelines) executes differently across each environment, because there was no governed path to share the operational logic that makes the strategy real.

The Shared Agentic Library solves this at the architectural level. Parent organizations can publish proven agent configurations, procedures, and integration logic into the library, making them available for sub-organizations to review and adopt. Whether that is two business units or twenty subsidiaries operating across different regulatory jurisdictions, each environment can inspect what is being offered, review version differentials to understand exactly what has changed, and accept or decline in whole or in part. Adoption is deliberate, not automatic.

The model is not purely top-down. A division or business unit that develops a more effective investigation procedure can push it back up to the parent organization for review. If the parent accepts it, the parent can then make it available to other parts of the enterprise. Direct lateral sharing between divisions is intentionally not supported. Everything travels through the parent, which remains the custodian of what gets distributed across the organization. The CISO and central security team retain control over what enters the library and what flows outward from it.

What this creates is a living channel for operational knowledge to move across the enterprise in both directions, with full visibility and deliberate adoption at every step. Operational improvements no longer stop at the environment where they were discovered. They have a governed path to travel.

The Shared Agentic Library in Practice

The following examples show how the Shared Agentic Library operates across an enterprise environment.

Publishing from the parent to the enterprise

The parent organization has a centralized view of all operational assets available in the library. From here, the security team can select any asset, whether an agent configuration, procedure, or integration, and publish it to specific sub-organizations or across the entire enterprise. Distribution is deliberate and scoped, not broadcast.

[Screenshot: Bricklayer AI portal showing an agentic procedure being published.]

In this example, the parent organization publishes an improved Tier 2 Alert Investigation procedure to the Shared Agentic Library. Child organizations can now see this new template, review it, and choose whether to adopt it within their own environment.

Reviewing what has changed

When a new version of an asset becomes available, recipient organizations are not asked to adopt it blindly. The platform surfaces a clear differential view, showing exactly what has changed between versions. Teams can review the changes, accept what is relevant to their environment, and decline what is not. Adoption is always an informed decision.

[Screenshot: Bricklayer AI portal showing an agentic procedure available for update.]
[Screenshot: Bricklayer AI portal showing agentic procedure differentials, old vs. new, with a yellow "Apply Update" button.]

Each child organization sees that an update is available for the Tier 2 Alert Investigation procedure. Selecting the update surfaces a clear differential view, showing exactly what changed between versions. Each child organization can selectively accept or decline individual changes and sync on their own terms.

Managing incoming requests from sub-organizations

The parent organization has a dedicated view of all assets that child organizations have submitted for review. Each submission can be inspected, evaluated, and either accepted into the library for broader distribution or declined. Nothing enters the library, and nothing travels laterally across the enterprise, without passing through this review layer.

[Screenshot: Bricklayer AI portal showing a new agentic procedure created by a sub-organization.]
[Screenshot: Bricklayer AI portal showing the Component Share Request view, used to accept or reject the new agentic procedure.]

A child organization develops a new Tier 3 Alert Investigation procedure and submits it to the library for parent review. The parent organization sees the submission in its centralized Component Share Request view, where it can inspect the submission and accept or decline it. A complete share history is maintained with date, time, and comments, providing a full audit trail of every decision made across the library.

This is what governed best practice sharing looks like in an operational system. Not a static document repository. Not an informal knowledge transfer. A live, versioned, and auditable channel for operational excellence to move across the enterprise with full visibility at every step.

For Service Providers: Scale Without Reconstruction

Managed security providers face the same challenge at a different order of magnitude.

Every new customer requires onboarding. Every environment requires configuration. Every procedural improvement discovered in one customer engagement has to find its way into the next, usually through manual effort, informal knowledge transfer, and configuration work that should not have to happen twice.

The Shared Agentic Library makes distribution systematic.

Proven procedures, multi-agent workflows, and integration pipelines built and validated in one context can be deployed across any number of customer environments. Each deployment operates within the correct tenant boundary, consistent with the data isolation architecture established in Multi-Organization Management. There is no cross-customer exposure. There is no operational overlap.

The provider retains centralized control. Updates to a shared asset propagate in a managed way, with version tracking and adoption visibility across all environments. Customers benefit from continuously improving agentic capabilities without requiring independent engineering effort on either side.

Operational scale, with governance that holds.

Governance by Architecture, Not by Policy

Governance in security programs is often thought of as enforcement: mandatory controls, rigid standards, top-down mandates. The Shared Agentic Library reflects a more accurate model of how mature security programs actually operate.

The goal is not to force uniformity across every environment. It is to make proven operational approaches visible, accessible, and easy to adopt, and to create the conditions where consistency emerges from informed judgment rather than rigid mandate.

Every asset in the library has a share history and is auditable. Recipients can inspect what is being shared, review exactly what changed between versions, and make deliberate decisions about what to adopt and what to decline. Nothing is pushed blindly. Adoption is an informed act at every level of the organization.

At the same time, all of this happens entirely within Bricklayer. There is no export mechanism, no duplication outside the platform, no unmanaged copies circulating outside the system’s visibility. The parent organization is always the custodian. And every decision, whether to publish, accept, or decline, is tracked and auditable.

Part of the Agentic Operating Model

The Shared Agentic Library reflects how Bricklayer thinks about what security operations at scale actually require.

Agents need to collaborate. Context needs to be structured and reusable. Work needs to be coordinated across systems. And the operational patterns that make all of this effective need to be distributable, across teams, across business units, across MSSP customer environments, without sacrificing the governance and isolation that enterprise security demands.

For security leaders, the Shared Agentic Library is how operational reality finally catches up to enterprise security strategy.

Available Now

The Shared Agentic Library is available in the current Bricklayer release.

We look forward to seeing how customers and partners use this capability to standardize operations, scale proven agentic workflows, and build security operations that get stronger across the organization.
