6 Sources
[1]
Virtual barbarians at the gate: securing the AI blind spot
Many companies have quickly moved to adopt artificial intelligence in their systems, embedding it into virtually everything from customer apps to internal systems. That speed has created new pressure for security teams, because AI-enabled applications can introduce unfamiliar attack surfaces, unpredictable behavior, and new ways for attackers to manipulate inputs, access data, or chain weaknesses across systems. Traditional security approaches still matter, but static checks, periodic penetration tests, and basic vulnerability scans were not built for this pace of change. They can miss issues that only appear when applications are tested dynamically, in context, and from an attacker's perspective. As AI accelerates development and expands the attack surface, platforms like XBOW are becoming more important. With continuous pentesting and autonomous offensive security, XBOW helps teams find, validate, and prioritize exploitable vulnerabilities before attackers do.

Protecting AI Systems Through Continuous Testing

Washington State University explains how AI can be a double-edged sword. "Adversarial attacks exploit vulnerabilities in AI models to manipulate their behavior. By making subtle modifications to input data, attackers can deceive AI systems, leading to incorrect outputs or decisions." AI doesn't just turn your system into a target; it completely changes the whole security game. In addition to looking for classic flaws like buffer overflows or weak firewalls, security professionals now have to worry about brand new vulnerabilities, such as prompt injection, data leakage, and adversarial inputs that can manipulate the model. Teams must evolve their strategy for this broader, more dynamic attack surface that traditional testing methods are not always equipped to evaluate. Platforms such as XBOW enable continuous testing to better protect complex systems that are easily manipulated by new forms of attack.

The big challenge is in securing AI, given its dynamic and often unpredictable nature. In traditional software, a specific command always yielded the same results, making defense, if not easy, at least a set of predictable bulwarks. AI models, however, can be subtly influenced or tricked in ways that bypass conventional security controls, and the general lack of human oversight can make this problem even worse.

How Agentic Testing Is the New Adaptive Approach to AI Security

Security teams need a new approach. Testing AI for vulnerabilities needs to be continuous, adaptive, and focused on how the system behaves, not just something that gets run once in a while. Teams can no longer afford to rely on simple scheduled assessments. The speed at which AI-driven systems are deployed means the security process needs to be faster and even more flexible, predicting breaches before they become disasters. Which is where agentic testing comes in. It uses AI itself to simulate sophisticated, real-world attacks both persistently and realistically. This systematic "fight fire with fire" approach goes beyond checking for known bugs, actively testing the system's resilience by mimicking the creativity of a human attacker or of a human working together with AI.

The Next Generation of AI Security

Modern platforms, including XBOW, use AI to simulate attacks and help security teams find exploitable weaknesses. These agentic testing platforms use autonomous "agents" that can systematically probe the AI system's defenses. These agents don't follow a script. Instead, they learn from the system's response, adapting their tactics and relentlessly looking for the weakest point in the AI setup, like a giant game of cat and mouse that never ends. As an example, a basic test might check if an obviously problematic command is blocked. An agentic test, on the other hand, will use a series of subtly crafted, conversational prompts to trick a Large Language Model (LLM) into revealing sensitive data or even ignoring its built-in safety rules. An agent might start with a harmless request, analyze the LLM's response, and then slowly escalate until the system performs an unauthorized action. By running these simulations, your team can "teach" the security system to up its game in response.

Integrating the Human Factor Into AI

This does not mean the human factor has been cut out. In fact, this ongoing simulation is important because it lets the human security team find and fix vulnerabilities before they are exploited by a real attacker. And by ranking risks based on their level of exploitability, companies can focus their limited time and resources on the most important and damaging flaws. Integrating AI testing also means that security becomes part of the system from the moment of its inception. Security isn't treated as the final stage at the end of development. Instead, it runs throughout the lifecycle of the system, from development and deployment to retirement, while also properly meeting security compliance guidelines.

Anticipating the AI Threat With Adaptive Security

Platforms like XBOW give security teams the means to achieve such a deep integration. They provide the sophisticated tools needed to keep up with rapidly evolving threats. Even better, they can act as a proactive shield before the threat even reaches your doorway. Automatic and continuous agentic testing can put your security team back at the front gates so they can identify the enemy. The age of AI is here, and it's showing no signs of going away. It requires a security system that can not only keep up but anticipate the attacker's next move before the attacker knows it. Moving from static checks to adaptive, behavior-driven defense can help your team flip that script and more easily manage the new (and next) generation of security risks that are growing out in the AI wilderness.
[2]
A live operational risk: Why AI agents are outrunning your security
The excitement was real, and enterprises moved fast on AI agents. Governance did not. Deloitte's recent report found that only 21% of organizations have mature governance for autonomous AI agents, while 73% say they are concerned about AI security and data privacy risks. Most people frame this as a resourcing lag. It's something far more uncomfortable than that. It is a self-assessment problem. Organizations that were running agent pilots in 2024 are now pushing those systems into live security operations, customer workflows and internal decision pipelines. Today, 23% of companies are using agentic AI at least moderately. Within two years, nearly three in four companies expect to reach that level. But governance did not make the same jump. That gap is a live operational risk, not a planning exercise for next quarter.

Policy wrote the check. Enforcement never cashed it.

AI governance programs tend to stall at the same point: the handoff from policy to enforcement. Organizations write principles, publish guidelines and establish review boards. What they rarely build is the technical infrastructure to make any of that enforceable at runtime, where agents are actually making decisions and taking actions. The underlying mismatch is architectural. Traditional governance was designed around human decision-makers and deterministic software with predictable, auditable behavior. Agentic AI operates differently. These systems interpret instructions, infer intent and act across systems in sequences that no policy document anticipated. Governance built for the old model does not port cleanly. The category itself has shifted, and most governance frameworks haven't caught up. "AI agent" has become a catch-all term, but many of the systems entering production today operate less like reactive chat tools and more like persistent digital workers. They run continuously, operate under their own accounts, have defined access to enterprise tools and pursue ongoing objectives. Governance designed for session-based tools begins to strain when systems become continuous operational actors inside the enterprise.

The checklist trap

Since 2023, the AI governance industry has produced a steady stream of frameworks, standards and guidance documents. Organizations adopted them quickly, in many cases faster than they have adopted the technical controls the frameworks describe. This is the checklist trap. The framework exists. The box is checked. The risk register shows "mitigated." And the agent is still running with broad permissions and no behavioral monitoring. Governance theater is not a neutral outcome. It is actively dangerous because it creates false confidence in controls that have never been technically enforced. Consider a digital worker deployed to handle customer support tickets. It can issue refunds, access customer records and update billing systems. On paper, its permissions are scoped. In practice, it operates continuously across multiple systems, making decisions at machine speed. Without enforced boundaries and active monitoring, it becomes a cross-system actor whose effective reach is broader than anyone intended. That drift may not be visible until something goes wrong. Publishing a policy that mirrors an industry standard and deploying agents that actually operate within enforced boundaries are two entirely different things. The industry has conflated them.

Governance is infrastructure, not documentation

Mature governance is not a static artifact. It is a live system. Enforced controls mean permissions that cannot be exceeded at runtime, not permissions documented as scoped. Monitored behavior means anomaly detection tuned to agent-specific baselines, not log files reviewed after an incident. The organizations in that 21% treat agent governance the same way strong security organizations treat privileged access management. It is continuous, instrumented and accountable to a named owner. Every production agent has a defined scope, a defined owner and a defined boundary. When it drifts outside that boundary, something fires. Organizations do not need to gut their existing governance frameworks. The principles are sound. They need to extend identity, access, monitoring and lifecycle controls to explicitly include non-human actors, much like they already do for privileged users. This is fundamentally a technical infrastructure problem. It requires investment in tooling, in monitoring architecture and in the organizational capacity to act on what the monitoring surfaces. Policy documents cannot substitute for any of it.

What security leaders need to do now

Audit what is running, not what was approved. Most organizations know which agents were approved for deployment. Far fewer have current visibility into what those agents are actually doing in production. Start there.

Replace permission assumptions with permission verification. "Analyst-level access" is not a scope definition. Map every agent to a specific, tested list of actions it needs to perform. If that list cannot be written down and validated, the agent has wider access than its governance accounts for.

Build agent-specific behavioral baselines and treat deviations as incidents. Human SOC monitoring and agent monitoring require different models. Agent behavior outside its defined task pattern is signal, not noise. Instrument accordingly.

Treat AI systems as first-class identities. If a system operates under its own account and can act autonomously, assign it a named owner, scope its access narrowly, monitor its behavior continuously and include it in your lifecycle processes from onboarding to decommissioning.

The gap compounds

The risk is not only that something goes wrong. It is that something goes wrong inside a governance structure that gave everyone involved confidence it would not. Closing that gap requires shifting from governance on paper to governance in operation by auditing what agents actually do, tightly verifying their permissions, monitoring their behavioral patterns and treating them as accountable identities within the enterprise. Every quarter that agent deployments scale without enforcement infrastructure is a quarter where the gap between documented governance and operational reality widens. It does not stay static. It compounds. The 21% are not just ahead on compliance. They are building on a foundation that the other 79% will eventually have to construct anyway, under worse conditions and with less time to get it right.

This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.
[3]
AI doesn't break security. Complexity does
Too often, the history of enterprise security has been a history of making things harder to use. A new threat emerges, a new control gets bolted on, and somewhere in the process, people start working around the very systems designed to protect them. Over the course of my career, I've seen firsthand that security adoption rarely fails because people don't care about security. It fails because the secure path feels harder than the insecure one. In the age of AI, that lesson matters more than ever. AI expands the attack surface and raises the ceiling on what attackers can do, which makes simplifying security even more critical. Security controls that require effort or inconvenience eventually get ignored. People find workarounds. The answer is to make the secure path the easiest path.

Security works best when it gets out of the way

When security is easier to use than to avoid, people adopt it. Years ago, when the industry was rolling out two-factor authentication at scale, the biggest challenge wasn't building the security itself, but the friction that came with using it. People had to stop what they were doing, grab a phone, launch a VPN, enter codes, and interrupt their workflow just to log in. What ultimately drove adoption wasn't policy, compliance requirements, or security training. It was simplicity. Now that it's as easy as a fingerprint or a face scan, people use it without hesitation. The same principle drove browser makers to make security more visible and intuitive for everyday users. Rather than expecting people to manually inspect URLs, modern browsers prominently flag non-HTTPS sites as insecure, helping guide users toward safer behavior by default. Security became stronger in part because the secure path also became the easier and more obvious one.

Where complexity shows up in AI

Agent permissions are a good example of where this plays out in AI systems. Employees accumulate numerous permissions over time through a project here, a system access there, a role that never got cleaned up after a team change. Humans know which access is relevant to a task even if the system doesn't actively enforce it. Agents lack that judgment. An agent assigned to a problem will probe every available path. If it can access 12 systems but the task requires only two, it might still explore the other 10. It's just being thorough, but the result is a potential attack surface far larger than the task required.

The temptation is to put a human in the loop by flagging significant actions and asking for approval before proceeding. But in practice, an agent may prompt a human to approve a deeply technical action without enough context to judge whether it's appropriate. In most cases, they'll approve it simply to keep the workflow moving. This only adds friction and a false sense of oversight. What's really needed is a permissioning model built around intent. The agent should have only the credentials it needs for a specific task, and they should expire when it's done. The industry is already beginning to move toward better models. Standards like OAuth are evolving to support agentic AI, allowing agents to carry identities scoped to a specific task, rather than a user's full permission set.

Making AI security easy to use

Ease of use starts with visibility, so the first priority is knowing what's actually happening. Where are your agents connecting? What data are they touching? What permissions are they exercising? Many enterprises are surprised by the answer when they first look. Most organizations operate with roughly 80% visibility and control. The problem is the remaining 20%, because that's where the real risk tends to live. AI is going to find those gaps far faster than humans can. Start with monitoring, even if you're not ready to enforce anything yet. Use AI to sift through what you find and prioritize the highest-risk behaviors. Then close those down systematically.

On the identity side, move toward workload identity wherever you can. The old model of creating service accounts, downloading keys, and distributing them across your infrastructure is fragile and hard to audit. Modern cloud environments offer a better approach: a workload's identity is established at deployment and credentials are never distributed as static keys. The management burden drops and the attack surface shrinks with it. For agents specifically, resist the temptation to give them broad permissions on the assumption that human approvals will catch problems before they happen. Scope agent access to the task at hand and ensure those permissions expire once the work is complete. For teams managing multiple agent-to-tool connections, MCP gateways are emerging as a practical way to encode governance rules centrally rather than tool by tool. Keep a human in the loop for consequential actions, particularly those where the blast radius of a mistake is meaningful, rather than for every action.

The pace of risk is accelerating

In the AI era, the gap between exposure and exploitation is rapidly disappearing, collapsing from days to hours and, in some cases, minutes. CrowdStrike's 2026 Global Threat Report documents that the average attacker breakout time has accelerated by 65% year over year. As AI becomes more capable of autonomously identifying weaknesses, security teams relying on manual response processes will fall behind. The answer, though, hasn't changed. Security that creates friction will eventually get bypassed. Security embedded directly into the architecture, enforced by default and invisible in practice, is the kind that actually holds. AI raises the stakes, but the principle remains the same: security only works when the secure path is also the easiest one.

Mayank Upadhyay is Chief Security & Trust Officer at Snowflake.
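The task-scoped, expiring agent credential described above, together with the "tested list of actions" and "deviations are incidents" steps from the earlier governance piece, as an added example that is not code from either article, from Snowflake or from any OAuth profile: a runtime gate that checks every agent action against an explicit allow-list and expiry, and records anything outside that boundary as an incident. The TaskGrant/AgentGate names, the per-action call limit standing in for a behavioral baseline, and the sample agent, task and log are all constructed assumptions.

```python
"""Task-scoped agent grants with runtime enforcement and deviation incidents.

Added example (not code from the article or from Snowflake). Names such as
TaskGrant, AgentGate and the sample agent/task identifiers are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TaskGrant:
    """What one agent may do for one task, issued at task start and short-lived.

    The allow-list is an explicit, reviewable set of actions rather than a
    role name like "analyst-level access". The grant expires when the task
    should be finished, so nothing is left behind as a standing credential.
    """
    agent_id: str
    task_id: str
    allowed_actions: frozenset
    expires_at: datetime


@dataclass(frozen=True)
class Incident:
    agent_id: str
    task_id: str
    action: str
    reason: str


class AgentGate:
    """Runtime enforcement point that every agent action must pass through.

    baseline maps an action to the expected maximum number of calls for one
    task. This is a deliberately simple stand-in for a per-agent behavioral
    baseline; exceeding it is treated as an incident, not as a log line to
    read after the fact.
    """

    def __init__(self, baseline):
        self.baseline = dict(baseline)
        self.counts = Counter()
        self.incidents = []

    def authorize(self, grant, action, now):
        """Return True if the action may proceed; otherwise record an incident."""
        if now >= grant.expires_at:
            return self._deny(grant, action, "grant expired")
        if action not in grant.allowed_actions:
            return self._deny(grant, action, "action outside task scope")
        key = (grant.agent_id, grant.task_id, action)
        self.counts[key] += 1
        limit = self.baseline.get(action)
        if limit is not None and self.counts[key] > limit:
            return self._deny(grant, action, f"exceeded baseline of {limit} calls")
        return True

    def _deny(self, grant, action, reason):
        self.incidents.append(Incident(grant.agent_id, grant.task_id, action, reason))
        return False


# Constructed sample: a support agent handling one ticket. The grant allows
# reading the ticket and the customer record and issuing a refund, for 10 minutes.
T0 = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_GRANT = TaskGrant(
    agent_id="support-agent-7",
    task_id="ticket-4821",
    allowed_actions=frozenset({"read_ticket", "read_customer", "issue_refund"}),
    expires_at=T0 + timedelta(minutes=10),
)

# Constructed action log: (seconds after T0, requested action).
SAMPLE_LOG = [
    (0, "read_ticket"),
    (30, "read_customer"),
    (60, "issue_refund"),
    (90, "update_billing"),   # never part of this task's scope
    (120, "issue_refund"),
    (150, "issue_refund"),    # third refund on one ticket: outside the baseline
    (700, "read_ticket"),     # the grant has expired by now
]


def replay(grant, log, baseline=None):
    """Run an action log through the gate; return (allowed actions, incidents)."""
    gate = AgentGate(baseline if baseline is not None else {"issue_refund": 2})
    allowed = []
    for offset, action in log:
        if gate.authorize(grant, action, T0 + timedelta(seconds=offset)):
            allowed.append(action)
    return allowed, gate.incidents


if __name__ == "__main__":
    ok, incidents = replay(SAMPLE_GRANT, SAMPLE_LOG)
    print("allowed:", ok)
    for inc in incidents:
        print(f"INCIDENT {inc.agent_id}/{inc.task_id}: {inc.action} ({inc.reason})")
```

In production the grant would be minted from a workload identity at task start instead of being constructed inline, and the incidents would go to the SOC pipeline rather than a list.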
Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they're always clearly marked. For more information, contact [email protected].
[4]
The next evolution of the penetration test must include agentic AI
When a CISO tells the board "we tested that system last quarter," it sounds reassuring. But in today's threat landscape, it's a measurement that no longer maps to reality. Recent industry research shows that while 95% of organizations prioritize penetration testing, only 32% of their attack surface is actually tested. The problem isn't that penetration testing is broken. It's that the word "tested" no longer means what organizations think it does. Penetration testing used to involve a small team of humans spending a limited amount of time in a system, mapping what they could reach, identifying vulnerabilities within that window, and compiling results into a static report. That model was already under pressure from the pace of change. Then AI broke it. "Tested" simply isn't pulling its weight anymore.

Agentic AI is rewriting the rules

For more than a decade, automation was the advantage. Mass scanners and automated reconnaissance ran constantly, but they were noisy and required security teams to sift through the output. Defense was slower, but more precise where it mattered. Humans could chain findings, understand business context, and stay one step ahead of attackers. The economics weren't always favorable, but they were workable. That trade has now broken down. Agentic AI is compressing reconnaissance from days to hours. These frontier models reason about endpoints that aren't visible in the UI and they can chain low-impact findings into business-logic exploits. The time between a CVE's public disclosure and the first observed threat-actor exploitation has collapsed to a matter of hours. That isn't a faster scanner. It's a creative attacker that never sleeps, never gets bored, and runs at the cost of compute. Now consider what an annual pentest actually buys you against that threat. It's a snapshot of an attack surface that's changing by the hour, against an adversary that doesn't wait for the next audit. Your board doesn't know that. Your auditors don't know that. And it is increasingly the structural reason why organizations get breached between audits.

What "tested" needs to mean now

The only way defenders can win is by fighting AI with AI. The next evolution of the penetration test must include agentic AI on the defense side. Here's what that looks like. "Tested" stops being a calendar event and becomes a posture: continuous validation against the latest exploit techniques, on the assets that actually matter, with humans focused on the findings only humans can produce. The test needs to explain what's exploited and confirmed. A scanner can tell you a vulnerability might exist; agentic AI can tell you whether it actually fires in your environment. That distinction, at scale, is the difference between a six-figure ticket queue your team will never burn down and a short list of things that will kill you next Tuesday. We have found that roughly 40% of the vulnerabilities we find are critical or high. The signal is there. Most teams just can't get to it fast enough. And it stops being a humans-or-machines argument. It is both, and they're deployed differently. AI handles the breadth, the speed, the chained reasoning attackers are already running against you. Humans handle the creativity, the business logic, the things an algorithm has yet to model. Customers running this combined model cut average remediation time on critical vulnerabilities from 63 days to 38 in a single year, a 47% reduction across severity levels. That doesn't happen because they bought more tooling. It happens because their definition of "tested" became continuous.

The talent question, reframed

The cybersecurity skills gap is real, but the issue isn't a shortage of practitioners. It's a lack of senior judgment, applied where it matters. Much of the work consuming our industry's most experienced researchers is reconnaissance, triage, retesting, and sifting scanner output. That is the exact work agentic AI is now good enough to take on. Redefining "tested" frees that talent. It puts senior researchers back on the problems machines can't solve: novel attack paths and business-logic abuse, the chains that a creative human spots and a model can't reason its way to. While the UK government has set out a vision for defensive AI that operates at machine speed, the talent piece of that vision only works if we stop asking humans to do machine-speed work.

What I'd ask a CISO today

Pick the system in your environment that, if compromised, would put you on the front page. Now answer this: when was it last exploited under controlled conditions (not scanned, not reviewed, but actually attacked and confirmed)? If the answer is "in our last annual pentest," the word "tested" in your security program has stopped meaning what you need it to mean. Fix the word, and the rest of the program has a chance to follow.

This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.
[5]
Why visibility is the new frontline of cybersecurity
Unlike simple chatbots, modern AI agents are capable of independently executing actions and orchestrating workflows. In a security context, this allows them to correlate information and respond to incidents much faster than humans can react. As such, Security Operations Centres (SOCs) are increasingly relying on AI agents to manage the sheer volume of digital threats. These tools allow teams to detect and resolve security incidents quickly, significantly cutting down the time it takes to stop a live attack, explains Michelle Abraham, senior research director in the International Data Corporation's Security and Trust Group.

Overcoming blind spots

The ability for AI agents to observe all relevant data, agent actions and system states in real time, with few blind spots, is a baseline requirement, Abraham continues. This includes transparency to correlate signals across domains such as identity, endpoint, network, cloud and SaaS. "AI agents require zero blind spot visibility in order to detect lateral movement, privilege escalation and multi-stage attacks, in order to provide auditable, explainable and reversible actions," she says. "Relying on fragmented data and control planes means agents operate with partial context, which leads to missed detections, increased false positives and negatives, and the inability to track agent actions or explain outcomes." This shift necessitates a pivot away from legacy pricing that rations data and towards a model where AI is grounded in the organisation's full, searchable data foundation. The legacy model of charging per endpoint has left many Australian enterprises with blind spots in their network due to budget constraints, says Mike Nichols, general manager of Security at search AI platform Elastic. Along with eliminating per-endpoint pricing to facilitate oversight across the enterprise, Elastic's search and analytics capabilities also ensure AI agents are across data stored in a wide range of environments, including long-term cost-effective object stores like AWS S3 and Google Blob.

Context is king for real-time response

As threat actors leverage AI efficiencies to attack smaller targets, Nichols says zero blind spot visibility is not just a concern for the big end of town. "No matter what your size, you cannot have an agentic SOC if the AI can only see half of your environment," he says. "You must remove the per-endpoint barrier and provide access to all data environments, to ensure the AI has the complete context required to respond to threats in real time." "This must be done in a way that isn't only in-cloud but also operates offline, to not only support geographically remote environments but also environments which remain air-gapped due to extremely low-risk tolerance." In the defence and government sectors, where air-gapped security is non-negotiable, having an AI partner that can operate across all isolation levels is a game-changer. It also marks the beginning of a broader shift in how security teams interact with their environments.

Bringing the work to the worker

For decades, productivity has been tied to navigating a click-path of complex user interfaces and nested dashboards across siloed applications. But Elastic says they are now seeing a collapse of this model. By leveraging the Model Context Protocol (MCP), the AI platform is delivering the first embedded security experiences inside tools like Claude and other AI services. This allows an SOC analyst to not just ask questions of AI, but also to execute a full investigation workflow, from query to remediation, without ever leaving their AI interface. "By embedding critical workflows directly into the AI tools where teams already live, the distance between a question and a remediation action disappears," says Nichols. "Instead of forcing a security analyst to travel to a specific software destination to be productive, the data and the ability to act on it find the user exactly where they are."

Keeping humans on the loop

Nichols asserts that keeping humans on the loop to oversee AI agents is also important when it comes to transparency and accountability, similar to the way human analysts work under supervision. "We are huge proponents of the fact that AI does not replace people," Nichols says. "I don't believe in the idea of a people-less autonomous SOC." "You wouldn't let a junior security analyst handle a major incident completely unsupervised, and it's the same when it comes to AI agents - they still require oversight and approval from humans to ensure accountability," he explains. "However, I think AI replaces a lot of the drudgery when you're trying to search for a needle in a stack of needles."

For more information, visit www.elastic.co/security.
[6]
Fortifying the Future: Enterprise Security for the AI Execution Layer
Enterprise security has always had a comforting assumption baked into it: systems do what they were built to do. Sometimes badly. Sometimes insecurely. Sometimes in ways that make auditors develop a nervous twitch. But still, the basic shape was understandable. Applications processed requests. Databases stored data. APIs connected systems. Users clicked things they probably should not have clicked. Then AI arrived and made the whole thing a little weird.

AI did not introduce one neat new risk category. Security teams are very good at turning new risk categories into taxonomies, dashboards, and meetings with names like "working group." The real change is that AI cuts across the categories we already had. Employees use AI tools to summarize, analyze, code, create, and make decisions faster. Developers embed models into applications connected to customers, documents, databases, and internal systems. Agents retrieve information, call tools, invoke APIs, and take action across workflows. AI is no longer sitting politely inside a single application boundary. It is becoming a new execution layer across the enterprise. A prompt entered in a browser can shape a business decision. A retrieved document can manipulate an application response. A model output can trigger an agent action. A tool call can move data, change a record, or initiate a workflow before a human has time to review what happened.

In other words, language has become executable. That does not mean every prompt is code. It means natural language can now influence how systems behave, what they access, what they generate, and what actions they take. This is already showing up in real security research. Check Point Research has disclosed vulnerabilities in AI developer tooling, including command injection in OpenAI Codex CLI and critical flaws in Claude Code that could expose API keys and redirect authenticated traffic. Researchers have also documented how hidden instructions in AI workflows can manipulate agents into exposing secrets or taking attacker-controlled actions. That is why enterprises need an AI Defense Plane.

The AI security gap is architectural

Most enterprises understand that AI changes the risk model. The harder question is whether they have the architecture to control it. According to Check Point's 2026 Cloud Security Report, 77% of organizations have changed their security strategy in response to AI, but only 26% say they have the architecture to enforce it. This creates a familiar enterprise pattern: the strategy has moved on, but the architecture is still looking for its shoes. Policies get written. Governance boards are formed. Acceptable-use rules are published. Teams deploy filters, model safeguards, data controls, or testing processes. All of that matters. But it does not automatically create a coherent control model. AI risk does not stay inside one layer. It moves between employees, applications, models, data, tools, APIs, and agents. It appears through interaction, context, intent, and behavior. The issue is not whether an organization has AI policies or point solutions. The issue is whether it can enforce them across the places where AI is used, embedded, and allowed to act.

Point controls do not see the full path

Point controls can solve narrow problems. They can inspect a traffic path, filter an input, monitor a tool, or test a model at a specific moment in time. But AI systems rarely fail in only one place. A single AI workflow may begin with a user request, pull in retrieved context, pass through a model, generate an output, and trigger an action through an agent or tool. Every step may look legitimate in isolation. The risk often appears in the chain. That is where fragmentation becomes a problem. One team may manage employee AI usage. Another may secure AI applications. Another may review models. Another may own identity and access. Another may manage data protection. Each sees part of the picture. None sees the full execution path. If AI risk travels through the system, security cannot sit in a corner and wait for it to arrive.

What is the AI Defense Plane?

The AI Defense Plane is a unified security architecture for discovering, protecting, governing, and validating AI behavior across the enterprise. It is not one control point. It is a coordinated control model across three connected planes: employees using AI tools, applications embedding AI into workflows, and agents that access data, invoke tools, call APIs, and take action. Across those planes, the AI Defense Plane brings together four capabilities: discovery, protection, governance, and assurance. Discovery shows where AI is used, what data flows through it, and where it can act. Protection prevents prompt-based attacks, data exposure, unsafe outputs, tool misuse, and out-of-policy behavior at runtime. Governance enforces policy consistently across users, applications, agents, and environments. Assurance continuously tests whether AI systems and controls behave safely as models, prompts, tools, permissions, and workflows change. These capabilities need to work together. Governance without enforcement turns policy into guidance people can acknowledge, admire, and then route around. Testing without runtime control exposes weaknesses but does not stop production misuse. Runtime protection without assurance can drift as systems evolve. Only 14% of organizations say they have AI security policies that are both enforced and audited. The AI Defense Plane connects these functions into one operating model.

The three planes of enterprise AI risk

These planes are useful because they show where AI enters, where it runs, and where it acts. But they are not hard walls. That is part of the problem. A copilot-powered workflow created by an employee can start to look a lot like an AI application built by a development team. It may access corporate data, combine context from multiple systems, and trigger actions across business tools. The owner may be different. The risk pattern is not.

Employees: AI enters through the normal path of work

For many organizations, employee AI use is where the risk shows up first. People use AI tools to summarize documents, write code, analyze data, draft customer responses, and troubleshoot problems. Much of that usage happens through browsers, SaaS tools, personal accounts, copilots, and productivity applications. The risk is not only malicious behavior. Often, the bigger issue is ordinary work happening faster than existing controls can follow. Only 5% of organizations report full visibility into AI tool usage, data access, and data movement. As Adam Ely, GM of AI Security at Check Point, put it: "A mistake that somebody makes has a bigger blast radius." Workforce AI Security needs to operate where employees actually use AI: across sanctioned and unsanctioned tools, uploads and downloads, browser sessions, SaaS applications, and workflows where sensitive data moves.

Applications: AI changes how software behaves

AI applications are different from traditional applications because their behavior is shaped dynamically at runtime. Prompts are assembled. Context is retrieved. User input is interpreted. Model outputs are generated in real time. The same application can behave differently depending on the prompt, retrieved data, system instructions, tools, and state. This is where traditional application security starts to feel like it has been handed a very confident intern who keeps making decisions no one explicitly approved. The request may be syntactically valid and still unsafe. The response may appear helpful while leaking sensitive information.
Retrieved content may manipulate the model without the user ever seeing the instruction Securing AI applications requires runtime protection in the path where prompts, context, outputs, and actions are evaluated. Agents: AI becomes an actor inside the enterprise Agents represent the sharpest version of the shift from response to action. They do not only generate text. They retrieve data, make decisions, invoke tools, use credentials, call APIs, and execute tasks on behalf of users, teams, applications, or workflows. The 2026 Cloud Security Report found that 64% of organizations already have AI agents in pilot or production, and 12% have granted agents privileged access to core systems. Or, as Adam Ely put it: "We've never had this non-human workforce that is autonomous or semi-autonomous." Least privilege remains essential, but incomplete. An agent can be allowed to access a tool and still use it at the wrong time, for the wrong reason, with the wrong context. AI Agent Security needs to control the execution layer: prompts, data flows, outputs, tool calls, and actions. Runtime is where AI risk becomes real AI security has to operate at runtime because runtime is where AI behavior is determined. A static review can evaluate a system design. A policy can define what should be allowed. A model safeguard can reduce known categories of unsafe output. But AI behavior depends on the live interaction: the user's prompt, retrieved context, available data, connected tools, agent instructions, permissions, and environment state. Only 17% of organizations have broadly deployed runtime LLM controls, even as GenAI workloads and agentic systems move into production. That is why detection after the fact is not enough. A prompt can lead to a tool call. A tool call can change data. A changed record can trigger another workflow. By the time an alert is reviewed, the action may already have happened. 
Runtime protection extends existing controls into the semantic layer where AI behavior is shaped. It asks questions traditional controls were not built to answer: What is the user or system trying to get the AI to do? Is sensitive data being exposed? Is the agent action aligned with user intent and business policy? Is the tool call appropriate given the context? These questions require controls that understand language, context, and behavior, not only files, packets, identities, or API calls. From testing to enforcement AI security cannot be treated as a one-time deployment gate. Models change. Prompts change. Applications change. Agents gain tools. Permissions shift. Attack techniques evolve. A system that behaved safely last month may behave differently after a model update, new integration, or workflow change. 56% of organizations have no formal GenAI security testing process or test only ad hoc. This is the part of AI security that makes "we tested it before launch" sound a little like "we checked the weather in March, so the whole year should be fine." AI Red Teaming helps teams understand how AI systems can be manipulated under realistic conditions. AI Agent Security applies runtime control in production, helping prevent prompt-based attacks, data leakage, unsafe behavior, and out-of-policy tool use before they turn into business impact. Together, they create a feedback loop: red teaming reveals realistic failure modes, runtime protection turns those lessons into controls, and production signals inform future testing. The goal is not to certify an AI system once. The goal is to keep security aligned with how the system actually behaves over time. The path forward Enterprises do not need a new disconnected AI control. They need a security model that matches how AI now operates. AI is already embedded in employee workflows. It is already entering applications. 
It is already moving toward agents that can retrieve data, invoke tools, and take action across business processes. That means discovering AI usage across the enterprise, protecting the runtime paths where AI behavior is shaped, governing policy consistently, and continuously validating whether AI systems and controls behave as intended. For CISOs and security leaders, this creates a path to say yes to AI with greater confidence. For platform and application teams, it creates a way to deploy AI without treating security as a blocker. For governance teams, it turns policy into enforceable control. AI has moved from language to action. Security now needs to move from fragmented controls to a unified AI Defense Plane.
Organizations are deploying AI agents faster than they can secure them, with only 21% having mature governance frameworks in place. While 73% express concerns about AI security and data privacy risks, most enterprises operate with fragmented visibility that leaves critical gaps. The rush to adopt agentic AI has created operational risks that traditional security approaches cannot address.
The rapid adoption of AI agents across enterprises has exposed a troubling reality: governance and security infrastructure are struggling to keep pace with deployment speed. According to Deloitte's recent report, only 21% of organizations have mature governance for autonomous AI agents, while 73% express concerns about AI security and data privacy risks [2]. Currently, 23% of companies use agentic AI at least moderately, with nearly three in four companies expecting to reach that level within two years [2]. This acceleration has created operational risks of AI agents that traditional security frameworks were never designed to handle.

Unlike conventional software, AI agents interpret instructions, infer intent, and act across systems in sequences that no policy document anticipated [2]. These systems operate less like reactive chat tools and more like persistent digital workers that run continuously, operate under their own accounts, and pursue ongoing objectives. The shift demands an entirely new approach to cybersecurity that addresses security vulnerabilities in enterprise systems before they can be exploited.
Source: CXOToday
Traditional security approaches like static checks, periodic penetration testing, and basic vulnerability scans were not built for the pace of change that AI introduces [1]. AI-enabled applications introduce unfamiliar attack surfaces, unpredictable behavior, and new ways for attackers to manipulate inputs through prompt injection, data leakage, and adversarial inputs that can manipulate the model [1]. Washington State University research explains how adversarial attacks exploit vulnerabilities in AI models by making subtle modifications to input data, deceiving AI systems into incorrect outputs or decisions [1].

Recent industry research reveals that while 95% of organizations prioritize penetration testing, only 32% of their attack surface is actually tested [4]. The time between a CVE's public disclosure and the first observed threat-actor exploitation has collapsed to a matter of hours, as agentic AI compresses reconnaissance from days to hours [4]. This demands continuous validation against exploits rather than annual audits that provide only snapshots of constantly changing systems.

Agentic testing uses AI itself to simulate sophisticated, real-world attacks both persistently and realistically [1]. Platforms like XBOW deploy autonomous agents that systematically probe AI system defenses, learning from responses and adapting tactics to find the weakest points [1]. Unlike basic tests that check if problematic commands are blocked, agentic tests use subtly crafted, conversational prompts to trick Large Language Models into revealing sensitive data or ignoring built-in safety rules [1].
Source: TechRadar
Customers running combined human-AI testing models cut average remediation time on critical vulnerabilities from 63 days to 38 in a single year, a 47% reduction across severity levels [4]. Roughly 40% of vulnerabilities discovered through this approach are critical or high severity [4]. This approach allows human security teams to focus on novel attack paths and business-logic abuse that machines cannot reason through, while AI handles breadth, speed, and chained reasoning.

AI governance programs tend to stall at the handoff from policy to enforcement [2]. Organizations write principles, publish guidelines, and establish review boards, but rarely build the technical infrastructure to make any of that enforceable at runtime where agents actually make decisions and take actions [2]. This creates governance theater that produces false confidence in controls that have never been technically enforced [2].

Consider a digital worker deployed to handle customer support tickets with permissions to issue refunds, access customer records, and update billing systems [2]. Without enforced boundaries and active monitoring, it becomes a cross-system actor whose effective reach is broader than intended. Mature governance treats agent governance the same way strong security organizations treat privileged access management—continuous, instrumented, and accountable to a named owner [2].

Most organizations operate with roughly 80% visibility and control, but the remaining 20% is where real risk lives [3]. Michelle Abraham, senior research director in the International Data Corporation's Security and Trust Group, explains that AI agents require zero blind spot visibility to detect lateral movement, privilege escalation, and multi-stage attacks [5]. This includes transparency to correlate signals across domains such as identity, endpoint, network, cloud, and SaaS [5].

Security Operations Centres (SOCs) increasingly rely on AI agents to manage the sheer volume of digital threats, allowing teams to detect and resolve security incidents quickly [5]. However, relying on fragmented data and control planes means agents operate with partial context, leading to missed detections, increased false positives and negatives, and inability to track agent actions or explain outcomes [5]. The legacy model of charging per endpoint has left many enterprises with blind spots due to budget constraints [5].
Source: TechRadar
Agent permissions represent a critical vulnerability in current systems [3]. Employees accumulate numerous permissions over time, but humans know which access is relevant to a task even if the system doesn't actively enforce it. Agents lack that judgment—an agent assigned to a problem will probe every available path, potentially exploring ten systems when only two are required [3]. This creates an attack surface far larger than the task requires.

What's needed is a permissioning model built around intent, where agents have only the credentials needed for a specific task and those credentials expire when complete [3]. Standards like OAuth are evolving to support agentic AI, allowing agents to carry identities scoped to specific tasks rather than a user's full permission set. Security leaders should scope agent access to the task at hand and ensure permissions expire once work is complete.

Despite the push toward automation, human oversight remains critical for accountability and transparency [5]. Mike Nichols, general manager of Security at Elastic, emphasizes that AI does not replace people: "You wouldn't let a junior security analyst handle a major incident completely unsupervised, and it's the same when it comes to AI agents—they still require oversight and approval from humans to ensure accountability" [5]. However, AI can eliminate much of the drudgery when searching for threats in massive datasets [5].

The temptation to put humans in the loop by flagging significant actions and asking for approval before proceeding often backfires [3]. In practice, agents may prompt humans to approve deeply technical actions without enough context to judge appropriateness. In most cases, they'll approve simply to keep workflow moving, adding friction and false oversight [3]. Keep humans on the loop for consequential actions where the blast radius of a mistake is meaningful, not every action [3].
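The three points above, the support "digital worker" with refund, records and billing permissions, credentials scoped to one task that expire when it completes, and a human on the loop only for consequential actions, as one added Python example; it is not code from Check Point, Deloitte, Elastic or any other source quoted here, and the scope names, tool names, task identifiers and the refund review threshold are constructed for illustration.

```python
import time
from dataclasses import dataclass

# Scopes a support task may be granted (constructed names, not a real API).
SCOPES = {"records:read", "refund:issue", "billing:update"}
# Which scope each tool call requires (constructed tool names).
ACTION_SCOPE = {"get_record": "records:read", "issue_refund": "refund:issue",
                "update_billing": "billing:update"}
# Refunds at or above this amount have a meaningful blast radius, so a human
# on the loop reviews them; smaller refunds proceed without an approval prompt.
REFUND_REVIEW_THRESHOLD = 500.0


@dataclass
class TaskGrant:
    """Credentials bound to one task and one named, accountable human owner."""
    task_id: str
    owner: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False

    def valid(self, now=None):
        now = time.time() if now is None else now
        return not self.revoked and now < self.expires_at


def issue_grant(task_id, owner, scopes, ttl_s, now=None):
    """Mint a grant carrying only the requested scopes and a short lifetime."""
    unknown = set(scopes) - SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    now = time.time() if now is None else now
    return TaskGrant(task_id, owner, frozenset(scopes), now + ttl_s)


def complete_task(grant):
    """The task is finished, so its credentials stop working immediately."""
    grant.revoked = True


def authorize(grant, action, params, audit, now=None):
    """Decide one tool call: 'allow', 'deny' or 'review'; record it either way."""
    scope = ACTION_SCOPE.get(action)
    if scope is None or not grant.valid(now) or scope not in grant.scopes:
        # Unknown tool, expired or finished task, or a path this task never needed.
        decision = "deny"
    elif action == "issue_refund" and params.get("amount", 0) >= REFUND_REVIEW_THRESHOLD:
        # Consequential action: route to the owner instead of rubber-stamping it.
        decision = "review"
    else:
        decision = "allow"
    # Every decision stays attributable to a task and its named owner.
    audit.append({"task": grant.task_id, "owner": grant.owner,
                  "action": action, "params": params, "decision": decision})
    return decision
```

A grant for a single ticket that carries only records:read and refund:issue will be denied any billing update, denied everything once the task completes or the lifetime lapses, and asked for review only on a refund above the threshold.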
Summarized by Navi