Agentic AI security crisis deepens as governance gaps expose enterprises to escalating risks

Building an agentic AI strategy that pays off - without risking business failure

Not all "agentic AI" tools are truly agentic systems.Poor prompts and rogue agents can cascade into failures.Focus on measurable outcomes, not hype or ambition. Imagine you're a chief executive. Your AI strategy task force has just presented you with two strategic options. The first one is safe. You can use agentic AI to reduce overhead and save 10% of overall human capital costs. The second choice is daring. You can increase growth tenfold by using agentic AI to transform your company's operations. Also: AI agents are fast, loose, and out of control, MIT study finds The first choice will barely move the needle, but will help the AI initiative pay for itself. The second choice could blow the doors off your numbers and make you a legend in your board's eyes. It could also get you fired. Know that the superlatives are off the charts. KPMG estimates that agentic AI will unlock $3 trillion in annual productivity gains. Accenture makes the case that agentic AI is "no less than a new type of capital," and "marks a shift in economic history." Last fall, Gartner said, "organizations have a crucial three- to six-month window to define their agentic AI product strategy, as the industry is at an inflection point." So, what do you do? Gartner may advise that you need to take action right now. Accenture advises you to go for 10x growth wins rather than 10% cost-savings wins. My advice is to be chill. While there is undoubtedly a ton of upside to agentic AI initiatives, jumping in without a solid strategy can result in failure. Also: 5 ways to use AI when your budget is tight As it turns out, Gartner has a stat for that, too. The research said, "Over 40% of agentic AI projects will be canceled by the end of 2027 due to escalating costs, unclear business value, or inadequate risk controls." There are other reasons for these failures. Gartner said that most early-stage projects are experiments or proof-of-concept, which is as it should be. But these sorts of tests are just that. Tests are not guaranteed to succeed. That's the point. On the other hand, organizations are often led astray by their vendors. Many vendors, jumping on the AI hype wagon, are engaging in what Gartner called "agent washing." No, this isn't James Bond in a shower. It's a term derived from greenwashing, the practice of falsely portraying products as eco-friendly. Also: 1 in 2 security leaders say they're not ready for AI attacks - 4 actions to take now In the case of agent washing, Gartner estimated that less than 13% of the thousands of agentic AI vendors are actually shipping agentic products. Most companies are rebranding existing products -- ranging from AI assistants, robotic process automation, script-based services, and chatbots -- as "agentic." The assumption that these tools can perform autonomous tasks is faulty, leading to pilot projects based on these products that are destined to fail. Another gotcha is costs. Most AI implementations rely on external large language models for cognitive processing services provided by the likes of OpenAI, Google, and Anthropic. These services get linked to your applications through an application programming interface (API). Think of the API like the socket in your wall. You plug your coffee maker into that socket, and you get power to generate that sweet, sweet brown elixir. The socket and plug are standardized interfaces (like the API). Your coffee maker is your application. The cloud service is the power company, to whom you pay a fee for usage. Also: Why AI led one company to abandon open source AI companies measure metered usage based on a metric called "tokens." Generative AI uses tokens fairly sparingly. They're consumed when a question is asked, and that's it. Like a coffee maker making a cup of coffee, the power/token usage is minimal. Now, contrast the power demands of a coffee maker to that of a server rack. The servers consume more power and use it constantly, 24/7. The power bill for a server rack will be considerably higher than for a coffee maker (even my overused coffee maker). It's the same with agentic AI, which runs almost constantly, with multiple agents at once, consuming tokens voraciously. As companies scale up their use of agentic AI, they're finding their cloud bills are ballooning. There's a reason OpenAI went from zero revenue in late 2022 to more than $20 billion in 2025. Another pitfall is that AI projects are "non-deterministic," meaning the same input can produce different outputs across runs, because the AI incorporates probability, randomness, and context sensitivity rather than following a fixed, repeatable execution path. Also: I asked 5 data leaders about how they use AI to automate - and end integration nightmares This lack of predictability can be brutal when building and testing solutions, debugging failures, validating outputs, ensuring compliance, and maintaining consistent behavior across updates and deployments. Madhav Thattai, EVP & GM of Agentforce at Salesforce, told me this in an email: "Software used to be solely deterministic: same input, same output, easy to trust. AI agents break that model, with the same input producing different outcomes. That demands a hybrid approach. Context, control, and governance can't be bolted on post-deployment. The companies succeeding are designing those layers in from day one." Think about what could happen when a trusted employee goes bad. The same could happen with agents, except agents are far faster than any employee. An unintended action, done at scale, can ripple through your entire organization at light speed. My mom used to have a saying that frustrated me throughout my entire childhood. She said, "Do what I mean, not what I say." Her expectation was that she was raising me right, so I should really know what she wanted, regardless of whether or not she articulated it correctly. Also: Why enterprise AI agents could become the ultimate insider threat Goal misalignment can be a real issue if an employee prompts an agent incorrectly. While you could probably create a checks-and-balances agentic supervision system, the more probable reality is that if you prompt the agent incorrectly, it won't intuit your intent. It will just blast through your network, leaving rubble in its wake. If you have a misinstructed agent somewhere in your logic chain, those failures will cascade into others, creating a domino effect that can leave you wishing you could hide out in the forest in a yurt for the next two years (or maybe that's just me). Security and privacy is another issue. Almost all deep AI agentic deployments involve using a non-premises LLM. This means that your data has to be sent to the AI somewhere in the cloud. Also: AI agents of chaos? New research shows how bots talking to bots can go sideways fast The big AI companies do promise they won't use your enterprise data for training, but the fact is, you're still sending data to a system you don't control. This could trigger all sorts of privacy, regulatory, and governance issues. Be sure to dig deep here before making any permanent implementation decisions. I could go on and on about risk factors. There are some scary stories out there. McDonald's lost hundreds of dollars on McNugget orders and also mixed bacon into ice cream. UT MD Anderson Cancer Center lost $62 million on a Watson deployment. I'm not trying to scare you away from agentic AI. I want you to understand that deployment is risky. You need to be very strategic and deliberate. This is not a shiny new toy. This is a bet-your-company risk and opportunity. You know what they say. "No risk, no reward," right? We've discussed the risks, so now let's look at how to reap the rewards of agentic AI installations. Accenture identified a tiered approach to AI projects. Also: AI agent adoption and budgets will rise significantly in 2026, despite challenges Is this approach practical or attainable? Sure. Maybe. As much as anything, I guess. I think this pattern of so-called "strategic" analysis of AI opportunities is meant to generate excitement rather than tangible results. Accenture even said (and this is a direct quote), "If the company's agentic AI agenda doesn't excite investors, the ambition is not bold enough." Let's lift up on the gas pedal a little bit, shall we? Going full throttle right out of the gate will likely find you skidding off the road. Instead, use care and consideration. You can still find payoffs. Just do so in a way that has a better chance of overall success. Start by looking at your current business processes. Almost all businesses have some processes that take too long, aren't responsive enough, are too expensive, break all the time, or otherwise cause headaches. You don't even need to do a business-wide deep dive analysis. These problem areas are, and have been, obvious for a long time. Be selective about your choices for trying agentic AI. Look for internal processes that are expensive to run, occur frequently, and follow fairly predictable patterns. Workflows that leak revenue, create bottlenecks, or depend on repetitive manual effort are especially strong candidates. Proceed carefully when using agentic solutions to replace manual labor. You don't want to scare employees that they're going to lose their jobs. Instead, you want to empower employees to make deeper contributions by freeing them up from doing tedious busy work. Start with non-critical systems where mistakes are manageable and won't ripple across the business. Also: How to build better AI agents for your business - without creating trust issues Look at those as low-hanging fruit. Some might be fixable using task-specific agents. Others might be mitigated by multiple agents working together in a single data environment. Still others might be solvable by simple algorithmic processes that don't need AI at all. Avoid areas filled with edge cases, ambiguity, or constantly shifting rules. Those situations are far harder for agents to handle reliably and are more likely to create problems than deliver value. As you move from testing to production deployment, put guardrails in place. Be sure to consider and implement the guardrails before you scale. Keep humans in the loop early on, especially for approvals and exception handling, so agents don't run unchecked. This might be harder than the AI companies promise. When Claude Code suddenly began splitting work among agents, I found that they ran far faster than I could track, often got stuck, and were otherwise troublesome. My fix was to eliminate simultaneous agents, at least until I could better manage them. Increase autonomy gradually as you gain confidence in performance. Don't just rush in and try to turn on full agentic automation right away. This might require you to resist the pressures of investors and other key players, but hold your ground. You wouldn't want to turn over your production line to the impulsive ne'er-do-well nephew of your biggest investor. Likewise, you shouldn't hand over your process flow to AI agents before they're ready for prime time. Also: Deploying AI agents is not your typical software launch - 7 lessons from the trenches "Organizations need adaptable governance that evolves as AI advances. While human oversight remains important today, frameworks should anticipate greater AI autonomy and include clear, future-ready safeguards," Mudit Garg, CEO and co-founder of hospital AI software company Qventus, told ZDNET in an email, "Many health systems that developed AI governance frameworks a couple of years ago are already having to restructure them to accommodate today's AI capabilities." Be sure to continuously monitor both behavior and costs, because with agentic AI, small issues can compound quickly if left unattended. Here's a corollary: If you can't monitor something, or haven't figured out how to yet, wait until you can before setting agentic AI loose. Salesforce's Thattai also had thoughts on AI governance. "Businesses are assembling agents across models, vendors, and tools. Governance has to be open and composable enough to meet them there. But openness without oversight is just sprawl," he said. "Agents need to be built on standards with tight governance, consistent visibility, and monitoring across the entire agent lifecycle. Trust is non-negotiable." Once you've identified a viable use case, keep the initial project very limited. Start with a single workflow. Make sure you can demonstrate clear, measurable ROI. From there, expand into closely related processes where the patterns and data are similar. Wait until you've proven you can reliably execute on multiple projects before you try to scale more broadly across the organization. How can you tell it's working? First, talk to your people. They'll tell you if they love or hate the new systems. Once you've gotten the measure of worker sentiment, look at other metrics that can measure success in clear, operational terms. Look for reductions in cost per task, faster cycle times, fewer errors, and measurable revenue captured or recovered. Also: I built an app for work in 5 minutes with Tasklet - and watched my no-code dreams come true "The biggest challenge is proving ROI at scale. Many health systems lack clear performance benchmarks and face long implementation timelines, compounded by reliance on legacy EHR systems," said Qventus' Garg. Keep in mind that if you can't tie a process to a tangible, measurable result, you can't prove you've added value. "Success requires defining measurable outcomes early and prioritizing fewer, high-impact use cases, moving from 80% to 95% accuracy rather than spreading across 1,000 shallow applications," Garg said. Keep these cautions in mind as well: Don't start by attempting a full transformation. Don't deploy across multiple systems at once. Don't assume that what a vendor tells you they can do is actually what they can deliver. Don't let anyone force you into moving faster than your organization can effectively absorb. At the beginning of this article, I gave you a choice. But it doesn't really make sense to pick between a safe 10% efficiency gain and a risky 10x transformation. The companies that win with agentic AI will implement solutions in the contexts where they will succeed, sometimes deriving incremental cost savings and sometimes hitting home runs. Start with targeted improvements. If all goes well, they'll simply pay for themselves. Learn what works, what breaks, and what scales. Then, over time, expand those wins into broader systems that reshape how your business operates. Also: AI magnifies your team's strengths - and weaknesses, Google report finds Agentic AI is powerful. It can absolutely change a business's trajectory. That can be for good or not so good. Back in December, I discussed how AI is an amplifier, that it "magnifies the strengths of high-performing organizations and the dysfunctions of struggling ones." So, what do you do? My recommendation is that you move carefully so you don't unleash an untethered beast into your business model. Start with pilot projects, build on them, and slowly scale up over time. As you do, you may find opportunities that let you take your business to the next level, or even beyond. If you could apply agentic AI to one frustrating workflow today, what would it be? Let us know in the comments below.

The rise and risks of agent management platforms

Also: These top 30 AI agents deliver a mix of functions and autonomy Agent wranglers are required to bring management sensibilities to this growing space. So, can AI agent sprawl be tamed? Some vendors are giving it a try, leading to a new technology category, agent management systems, that are tasked with managing networks of AI agents. An agent management platform essentially acts as a digital HR department for AI agents, and experts suggest now is the right time for such offerings. Agents running outside of management frameworks are essentially the AI equivalent of shadow IT. "It works until it doesn't, and when it stops working, you have no audit trail, no version control, and no governance to fall back on," noted Shelly Palmer, professor at Syracuse University and CEO of The Palmer Group. Agent management solutions on the market include Google Vertex AI Agent Builder, Amazon Bedrock Agents, Microsoft 365 Copilot, Decagon AI, and Sierra AI, serving various purposes from orchestrating systems to multi-agent automation. These platforms are essential to the future of agentic automation. The key to success is to "treat agents as infrastructure rather than features," said Diptamay Sanyal, principal engineer at CrowdStrike. Also: AI agents are fast, loose, and out of control, MIT study finds Agents aren't one-off builds. "The problem is you end up with dozens of agents with no shared context model, no consistent governance, and no reusable patterns," Sanyal said. "A proper management platform gives you composable primitives, multi-tenant isolation, model routing across LLM providers, and observability into what agents are actually doing." With agents multiplying by the millions, handling everything from sales to software development, the big hurdle is that they all want access to the same data. "This creates an AI governance challenge," said Manu Narayan, CIO at GitLab. "If you don't build your AI stack intentionally, you could end up with dozens of vendors, and all of their agents, holding the keys to the kingdom." Also: How to build better AI agents for your business - without creating trust issues This situation leads to agent sprawl, "a fragmented ecosystem of loosely managed agents with inconsistent behavior, duplicated functionality, and unclear ownership," said Yash Vijay Patil, software engineer with Texas A&M University. "Without strong governance, this sprawl can lead to operational inefficiencies and increased risk exposure." Many vendors and internal teams are building agent solutions for specific use cases, but often they lack shared identity models, lifecycle policies, or risk frameworks, said Monika Malik, a lead data and AI engineer at AT&T. "That approach creates duplication, inconsistent behavior, hidden costs, and security exposure. The problem will not be too few agents, but too many unmanaged ones." Then there is the complexity of agent networks exacerbated by the popularity of consumer options like OpenClaw, said Brian Jackson, principal research director at Info-Tech Research Group. "It's safe to assume some employees will try to automate their work tasks with those. This leads to a problem in tracking all the agents you have deployed in the enterprise environment. While different management platforms claim they can discover the agents deployed in your system, the truth is that they are limited by the identity management layer." Agent management platforms offer benefits such as observability, so you know which agents you're using and what they're doing, Jackson said. Also: Worried AI agents will replace you? 5 ways you can turn anxiety into action at work In addition, these platforms enable governance by "using a central policy to set guardrails for what agents can and can't do and keep them aligned with enterprise goals." Ultimately, these systems enable value realization, as they "monitor performance over time and ensure agent costs and outputs fall within expectations, and add value to work," he added. The role of such management platforms is to "provide a control layer for how organizations deploy, monitor, secure and enhance their agents over time," said AT&T's Malik. "The major advantage of these platforms is not just orchestration, but operational discipline: visibility into what agents are doing; where they are pulling data from; how they are making decisions; when human oversight is required." However, the competition between vendors to own the agentic management space is fierce, Jackson observed. "It will be a strategic position where enterprises are building their workflows and crafting deeper ties into an ecosystem," he said. Also: 5 security tactics your business can't get wrong in the age of AI - and why they're critical Consequently, many agent implementations will be tied to familiar systems of record within varying lines of business, Jackson continued. "You end up with a situation where marketing is managing agents out of what used to be the CRM platform, while IT is managing agents from an asset management and observability platform." As agents become more autonomous, "defining clear boundaries, monitoring behavior, and maintaining trust will be critical," said Patil of Texas A&M. "In short, agent management platforms offer powerful leverage, but only when paired with disciplined governance and thoughtful adoption strategies." Eliminating complexity is a challenge, "when agents act across multiple interconnected systems simultaneously," said Narayan. "Consolidation through agent management platforms helps," he said. "They establish the context, permission models, security controls, and data boundaries that simplify agent orchestration at scale. Combining this type of platform with a hub-and-spoke model can help you become more intentional across your AI stack without slowing adoption speed." Another challenge with agent management platforms is "they are harder to change than most cloud choices because they shape workflows, integrations, permissions, and operating models," said Malik. That situation is why adopting agents needs to be an enterprise decision. All stakeholder departments -- from engineering to security to legal to data governance to business owners -- need to be involved in decisions about the agent management platform. "The primary obstacle is averting fragmented adoption. Organizations should view agent platforms as long-term operating infrastructure, not just another purchase of an AI tool," said Malik. Agent platform decisions are difficult to reverse because they are deeply embedded in workflows, data pipelines, and business logic, said Patil. "Evaluate platforms based on interoperability, extensibility, vendor lock-in risks, and support for open standards. Crucially, decisions should not be left solely to engineering -- cross-functional stakeholders, including security, data, and business leaders, must be involved." Also: Why enterprise AI agents could become the ultimate insider threat In addition, professionals should remember that it's already difficult to get "data and workflows out of legacy software platforms," said Jackson. "Adding an AI layer on top of that means that the integration goes even deeper into the platform. Trying to migrate an agent management system will be like trying to perform a brain transplant." Businesses should, therefore, prioritize flexibility when moving to an agent management platform. "Evaluating where you are comfortable placing bets on platforms, versus trying to set up on a self-hosted platform," said Jackson. "Given the unpredictability of consumption costs for agentic workloads, it may be wise to architect a system that leverages internal infrastructure and avoids tying business processes to metered charges or consumption-based pricing." Professionals should also treat the development and implementation of an agent management platform "like a database selection, not a SaaS tool evaluation," said Sanyal. "Involve platform engineering, security, and legal from day one. Not after the pilot succeeds. Plus, the decision shouldn't sit with a single line-of-business owner. It needs platform engineering, security, and whoever owns your identity and access model in the same room."

How frontier AI makes cyber resilience ever more urgent

To ensure cyber resilience, organizations need the ability to detect, contain and continue operating when incidents occur. It has been several weeks since Mythos - Anthropic's new artificial intelligence (AI) model - changed the conversation. The company claims the tool can perform the most advanced cybersecurity tasks, prompting market volatility, vendor responses and a wave of analysis about what happened and why it matters. Much of that analysis focused on the threats Mythos was designed to combat. However, the more important shift is not just an escalation of cyber risk - it is a structural shift in how cyber risk is created. The response, therefore, cannot be incremental. It must reflect a transformation in how attacks are built, scaled and executed. Claude Mythos is the first widely confirmed AI system capable of finding and exploiting software vulnerabilities at scale. It can uncover serious, previously unknown flaws, called "zero-days," in major systems and autonomously chain them together to bypass multiple layers of defence. In simple terms, it functions like a zero-day factory, continuously discovering new cyberattack methods. The key shift is the move to continuous, automated discovery. Vulnerability identification is becoming persistent and effectively unbounded. This challenges a long-standing assumption in cybersecurity: that exposure can be measured, prioritized and reduced over time. At machine scale, the backlog expands rather than contracts. Mythos is part of a broader trend. Similar capabilities are emerging across commercial and open-source models, embedding offensive capability directly into software. Attacks that once required highly specialized expertise are now more accessible. The constraint is shifting from expertise to access - to models, compute and intent - creating a more complex and harder-to-contain risk environment. Cybersecurity has traditionally relied on a set of working assumptions that attackers operated at human speed, sophisticated attacks required scarce expertise and defenders had time to patch, detect and respond. Those conditions are changing. AI-driven attacks compress timelines from days to minutes, while the gap between sophistication and scale continues to narrow. As advanced models become more accessible, barriers to entry continue to fall. At the same time, vulnerability discovery is becoming continuous. Security models have long depended on the idea that exposures could be identified and reduced over time. In this environment, exposure persists and must be managed as an ongoing condition. Prevention remains essential. Keeping attackers out is still the objective. However, as advanced offensive capabilities become more widely available, the probability of breach increases. The window between intrusion and impact is also shrinking. Security now operates as a real-time system that must function continuously under pressure. Organizations need the ability to detect, contain and continue operating when incidents occur. That is the foundation of cyber resilience. Two priorities help guide this shift. First, defence needs to operate at machine speed. Detection, triage and initial response increasingly need to happen without waiting for human intervention, as response windows narrow. The role of analysts is evolving toward supervising systems, investigating edge cases and making higher-impact decisions. Second, organizations should plan for breach scenarios. Threats can originate from compromised endpoints, suppliers or development tools, making containment-focused architecture essential. To operationalize resilience in this environment, five priorities stand out: Organizations are already seeing the operational impact. Vulnerabilities disclosed in the morning are scanned and probed globally within hours. At the same time, alert volumes are increasing, making it more difficult to separate signal from noise. As both attack activity and telemetry scale, maintaining trust in detection becomes as important as detection itself. This shift extends beyond large enterprises. Mid-sized organizations, public-sector entities and small- and medium-sized enterprises are often more exposed, as scalable attack capabilities are applied more broadly. Within a short time horizon, any externally exposed vulnerability of meaningful impact will be discovered and tested by AI, regardless of who identifies it first. This dynamic is already taking shape. The question for security leaders is whether their organizations are prepared to operate under these conditions. Cyber resilience was always the goal. Frontier AI makes it urgent.

AI agent identity: how to govern agentic AI in 6 stages

A CEO's AI agent rewrote the company's security policy. Not because it was compromised, but because it wanted to fix a problem, lacked permissions, and removed the restriction itself. Every identity check passed. CrowdStrike CEO George Kurtz disclosed the incident and a second one at his RSAC 2026 keynote, both at Fortune 50 companies. The credential was valid. The access was authorized. The action was catastrophic. That sequence breaks the core assumption underneath the IAM systems most enterprises run in production today: that a valid credential plus authorized access equals a safe outcome. Identity systems were built for one user, one session, one set of hands on a keyboard. Agents break all three assumptions at once. In an exclusive interview with VentureBeat at RSAC 2026, Matt Caulfield, VP of Identity and Duo at Cisco, (pictured above) walked through the architecture his team is building to close that gap and outlined a six-stage identity maturity model for governing agentic AI. The urgency is measurable: Cisco President Jeetu Patel told VentureBeat at the same conference that 85% of enterprises are running agent pilots while only 5% have reached production -- an 80-point gap that the identity work is designed to close. The identity stack was built for a workforce that has fingerprints "Most of the existing IAM tools that we have at our disposal are just entirely built for a different era," Caulfield told VentureBeat. "They were built for human scale, not really for agents." The default enterprise instinct is to shove agents into existing identity categories: human user; machine identity; pick one. "Agents are a third kind of new type of identity," Caulfield said. "They're neither human. They're neither machine. They're somewhere in the middle where they have broad access to resources like humans, but they operate at machine scale and speed like machines, and they entirely lack any form of judgment." Etay Maor, VP of Threat Intelligence at Cato Networks, put a number on the exposure. He ran a live Censys scan and counted nearly 500,000 internet-facing OpenClaw instances. The week before, he found 230,000, discovering a doubling in seven days. Kayne McGladrey, an IEEE senior member who advises enterprises on identity risk, made the same diagnosis independently. Organizations are cloning human user accounts to agentic systems, McGladrey told VentureBeat, except agents consume far more permissions than humans would because of the speed, the scale, and the intent. A human employee goes through a background check, an interview, and an onboarding process. Agents skip all three. The onboarding assumptions baked into modern IAM do not apply. Scale compounds the failure. Caulfield pointed to projections where a trillion agents could operate globally. "We barely know how many people are in an average organization," he said, "let alone the number of agents." Access control verifies the badge. It does not watch what happens next. Zero trust still applies to agentic AI, Caulfield argued. But only if security teams push it past access and into action-level enforcement. "We really need to shift our thinking to more action-level control," he told VentureBeat. "What action is that agent taking?" A human employee with authorized access to a system will not execute 500 API calls in three seconds. An agent will. Traditional zero trust verifies that an identity can reach an application. It doesn't scrutinize what that identity does once inside. Carter Rees, VP of Artificial Intelligence at Reputation, identified the structural reason. The flat authorization plane of an LLM fails to respect user permissions, Rees told VentureBeat. An agent operating on that flat plane does not need to escalate privileges. It already has them. That is why access control alone cannot contain what agents do after authentication. CrowdStrike CTO Elia Zaitsev described the detection gap to VentureBeat. In most default logging configurations, an agent's activity is indistinguishable from a human. Distinguishing the two requires walking the process tree, tracing whether a browser session was launched by a human or spawned by an agent in the background. Most enterprise logging cannot make that distinction. Caulfield's identity layer and Zaitsev's telemetry layer are solving two halves of the same problem. No single vendor closes both gaps. "At any moment in time, that agent can go rogue and can lose its mind," Caulfield said. "Agents read the wrong website or email, and their intentions can just change overnight." How the request lifecycle works when agents have their own identity Five vendors shipped agent identity frameworks at RSAC 2026, including Cisco, CrowdStrike, Palo Alto Networks, Microsoft, and Cato Networks. Caulfield walked through how Cisco's identity-layer approach works in practice. The Duo agent identity platform registers agents as first-class identity objects, with their own policies, authentication requirements, and lifecycle management. The enforcement routes all agent traffic through an AI gateway supporting both MCP and traditional REST or GraphQL protocols. When an agent makes a request, the gateway authenticates the user, verifies that the agent is permitted, encodes the authorization into an OAuth token, and then inspects the specific action and determines in real time whether it should proceed. "No solution to agent AI is really complete unless you have both pieces," Caulfield told VentureBeat. "The identity piece, the access gateway piece. And then the third piece would be observability." Cisco announced its intent to acquire Astrix Security on May 4, signaling that agent identity discovery is now a board-level investment thesis. The deal also suggests that even vendors building identity platforms recognize that the discovery problem is harder than expected. Six-stage identity maturity model for agentic AI When a company shows up claiming 500 agents in production, Caulfield doesn't accept the number. "How do you know it's 500 and not 5,000?" Most organizations don't have a source of truth for agents. Caulfield outlined a six-stage engagement model. Discovery first: identify every agent, where it runs, and who deployed it. Onboarding: register agents in the identity directory, tie each one to an accountable human, and define permitted actions. Control and enforcement: place a gateway between agents and resources, inspect every request and response. Behavioral monitoring: record all agent activity, flag anomalies, and build the audit trail. Runtime isolation contains agents on endpoints when they go rogue. Compliance mapping ties agent controls to audit frameworks before the auditor shows up. The six stages are not proprietary to any single vendor. They describe the sequence every enterprise will follow regardless of which platform delivers each stage. Maor's Censys data complicates step one before it even starts. Organizations beginning discovery should assume their agent exposure is already visible to adversaries. Step four has its own problem. Zaitsev's process-tree work shows that even organizations logging agent activity may not be capturing the right data. And step three depends on something Rees found most enterprises lack: a gateway that inspects actions, not just access, because the LLM does not respect the permission boundaries the identity layer sets. Agentic identity prescriptive matrix What to audit at each maturity stage, what operational readiness looks like, and the red flag that means the stage is failing. Use this to evaluate any platform or combination of platforms. Source: VentureBeat analysis of RSAC 2026 interviews (Caulfield, Zaitsev, Maor) and independent practitioner validation (McGladrey, Rees). May 2026. Compliance frameworks have not caught up "If you were to go through an audit today as a chief security officer, the auditor's probably gonna have to figure out, hey, there are agents here," Caulfield told VentureBeat. "Which one of your controls is actually supposed to be applied to it? I don't see the word agents anywhere in your policies." McGladrey's practitioner experience confirms the gap. The Cloud Security Alliance published an NIST AI RMF Agentic Profile in April 2026, proposing autonomy-tier classification and runtime behavioral metrics. But SOC 2, ISO 27001, and PCI DSS have not operationalized agent identities. The compliance frameworks McGladrey works with inside enterprises were written for humans. Agent identities do not appear in any control catalog he has encountered. The gap is a lagging indicator; the risk is not. Security director action plan VentureBeat identified five actions from the combined findings of Caulfield, Zaitsev, Maor, McGladrey, and Rees.

Why AI auditability is what every security leader should be talking about

When I joined Smartsheet, one of my first priorities was understanding where AI was actually operating across the business. What I found was less a deliberate strategy than an honest reflection of how fast things had moved: AI tools embedded in workflows, some vendor-approved, some not, adopted by smart people solving real problems faster than policy could keep up with. When I went back to some of those vendors to understand what we were actually dealing with -- what data the model had accessed, what actions it had taken -- the answers were thin. The audit infrastructure simply wasn't there. That combination of tools already embedded in our environment with no traceable record of what they'd done is what sharpened my thinking. The risk wasn't the tools themselves; it was the invisibility. The instinct for most security leaders is to ask: "How do we control it?" But control implies restriction, and as many of us have learned, restriction doesn't change behavior. It just drives it underground, where you have even less visibility. The question that actually matters is simpler but harder to achieve: "Can we trace it?" The most helpful model I've adopted for answering that question: treat every AI agent as a new kind of "employee". Each should have a defined role, a scope of authority, and a chain of accountability. You wouldn't let a new hire make consequential decisions without oversight in their first weeks. That same logic applies to an AI system operating inside your organization's workflows -- and traceability is what makes that oversight real. From the rear-view mirror to real-time There was a time when "audit" meant conducting a periodic look back at what happened. That changed with digital transformation. As technology-driven actions became more common, so did logging and observability platforms. Audit became continuous, with data flowing in real time, providing a security layer that flags anomalies as they occur. Today, audit isn't a post-mortem, but a real-time operational discipline. With the rise of agentic AI, that means logging which data sources an agent queried, which actions it took autonomously versus escalated for approval, and who sat in that approval chain in real time, not reconstructed after the fact. Here's why this matters at the board level: when an AI-assisted process produces a bad outcome -- like a risk flagged incorrectly, a resource assignment triggered without manager approval, or a status update pushed out before anyone signed off -- the first question you'll face from leadership, legal, or a regulator is: "Who approved this, how, when, and why?" If you can't answer those questions, you're facing a governance crisis on top of a process failure. Audit as a foundation, not a checkbox To solve this, security leaders need to build audit into their AI strategy from the start. Not as a compliance exercise, but as the foundational layer that makes agentic AI governable. What I look for when evaluating any AI capability, whether built internally or sourced from a vendor, is a traceable chain: what data informed the recommendation, whether human sign-off was required before an action was taken, and who, if anyone, reviewed it. If a vendor can't show me that chain, the capability isn't enterprise-ready, regardless of how impressive the outputs are. This isn't about slowing teams down. It's about giving people the confidence to act on AI outputs rather than second-guess them. When employees can see how an AI recommendation was generated and know that appropriate oversight is in place, they can begin to own decisions. That's not a compliance outcome; that's a productivity outcome. Audit stops being a checkbox and becomes the mechanism that lets teams scale AI confidently while maintaining human accountability. Your new AI employees Returning to that model of AI as an employee: the framing changes what questions you ask. Instead of "How do we prevent AI from doing harm?" the question becomes: "What would we need to know to trust this AI's judgement the way we trust a capable team member?" The answer almost always comes back to the same things: clear ownership, defined decision rights, a record of actions taken, and a mechanism for human override. Those aren't novel security concepts. They're just being applied to a new kind of "employee". As security leaders, we cannot solve every AI risk overnight, but we can establish a foundation that moves beyond high-level principles into operational reality: 1. Map where AI is actually operating, including integrations surfaced through OAuth tokens and API keys in your systems, because you cannot govern what you cannot see. 2. Be explicit about which decisions require human sign off and which don't, and commit to revisiting those boundaries every six months as the technology and its organizational impact evolve. What feels low-risk today may look very different when an agent is running it at scale. 3. Hold your vendors accountable by investing in like-minded organizations that have committed to full AI auditability and traceability, and integrate those controls with your existing monitoring platforms as they're introduced. When AI is traceable, clearly owned, and auditable, governance stops being a bottleneck and becomes a competitive advantage. The organizations that figure this out will move faster because their people have the confidence to act on AI outputs and the tools to course-correct when needed. As the old adage goes, "trust, but verify." The standards landscape is beginning to catch up. NIST's AI Risk Management Framework, the EU AI Act's requirements around high-risk AI systems and emerging agentic identity protocols are all pointing in the same direction: auditability is becoming a baseline expectation, not a differentiator. Security leaders who build for it now won't just be compliant -- they'll be ahead. Which brings us back to the question you should be asking, if you're not already: can you trace it? We've ranked the best software asset management (SAM) tools. This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

Anthropic's most powerful AI model just exposed a crisis in corporate governance. Here's the framework every CEO needs. | Fortune

In early April, Anthropic sent shudders through the tech community with Claude's Mythos Preview model. Mythos marked a paradigm shift in AI capabilities, reportedly delivering processing power that enables superhuman coding and reasoning, a massive performance leap over previous models. While testing the model, Anthropic discovered decades-old software flaws and bugs that had evaded millions of previous attempts. Addressing such concerns is very different from the familiar parallel in public policy debates over how AI raises such concerns for protecting privacy and intellectual property in the age of spiraling entrepreneurial opportunities and ferocious global competition. These new challenges speak to shared concerns by all parties across sectors. For example, Mytho's model's agentic abilities pose severe security risks as they can autonomously execute multi-step attacks and generate exploits at a fraction of the cost of humans. In response, Anthropic launched Project Glasswing, a coalition providing restricted access to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and a consortium of U.S. corporates, including Microsoft, Apple, and J.P. Morgan, to help identify and fix critical system vulnerabilities before Mythos' potential public release. The emergence of Mythos underscores the urgent need for robust AI governance. When given profit-at-all-costs prompts, agentic systems have exhibited aggressive behavior, such as threatening a competitor with supply cutoffs in simulations. As these systems scale in performance and usage, companies must regard AI not just as chatbots but as a system of autonomous agents requiring strict oversight. Without governance, Agentic AI risks writing unverified, hostile code and sensitive interactions with external vendors without oversight. In multi-step agentic pipelines, even small drops in accuracy can cause cascading errors, making sovereign AI architecture and central monitoring essential for oversight of autonomous decisions. While leaders in the artificial intelligence industry dubbed 2025 the year of Agentic AI, 2026 marks the shift from capability to execution. Unlike large language models, AI agents can interact with external tools, execute multiple steps to complete a task, learn from their results, and iterate. Yet even as Agentic AI systems evolve rapidly across industries, governance and regulatory policy are moving far more slowly. Without governance that addresses accountability, transparency, bias, and data privacy, enterprise deployment will stall on its most significant risks. But rollout varies sharply across industries, and leaders face similar yet distinct questions about what to assess before deployment, what to govern during it, and which companies are already navigating it well. To map the answers, Yale's Chief Executive Leadership Institute conducted a cross-industry review of Agentic AI deployments and the governance practices emerging from them. Governance, in this pure definition, is not an evaluation of threats from the Trump administration to preempt state AI laws, debates about the economic and national security effects of a patchwork of disharmonious state regulations, the oversight of "frontier" AI model developers, or the protection of consumers and children from potential abuses of AI technologies. Rather, this analysis looks further ahead to the collective system safeguards and practices that the private sector must institutionalize now, not only to ensure Agentic AI will scale effectively but also to ensure it operates as designed at the enterprise level. Currently, a patchwork of domestic and international regimes governs AI. Key domestic frameworks include the NIST AI Risk Management Framework and the National Policy Framework for Artificial Intelligence. States and localities have been active as well, including California's SB 53, New York's RAISE Act, and certain New York City regulations on automated hiring. Internationally, influential governance models include the EU Artificial Intelligence Act, South Korea's Framework Act, Singapore's Model AI Governance Framework, and China's set of AI regulations. More will follow. These regimes differ in critical ways. Some are legally binding (California, New York, China, the EU); others issue voluntary guidance (NIST, Singapore). They vary in target, whether model developers, deployers, or systems, and in requirements, from mandatory reporting to specific safety thresholds. What meets standards in one jurisdiction may fall short in another, creating a fragmented and at times unworkable compliance environment. Regulation has historically lagged innovation. State and national standards for automobiles took decades to emerge. The Clinton administration's light-touch approach shaped internet governance for a generation. Social media is still working through foundational questions, as the Section 230 debate shows. Private-sector governance models for agentic deployment will be critical to building consumer confidence and ensuring safe, accountable integration into the workplace. With governance still taking shape, leaders need a working framework. Eight variables anchor it. Four of these variables matter most before deployment. Transparency asks whether stakeholders can reconstruct how the agent reached its decision, through explainability, disclosure, and auditable pathways. Accountability asks who bears responsibility when things go wrong, and how humans intervene and remediate. Bias asks whether the system perpetuates, amplifies, or introduces systematic disadvantage, including through feedback loops where biased outputs reinforce biased inputs. Data privacy asks how the organization protects information that agents access and combine across systems without per-transaction human review. A single workflow may trigger several regulatory regimes at once: HIPAA, GLBA, CCPA/GDPR, bar rules, IRS Circular 230, and trade secret law. Four more variables matter once deployed, and these are what most differentiate one industry's challenge from another's. Decision reversibility sets the upper bound on tolerable error. Stakeholder impact scope determines whether governance must be transactional, with per-decision audits, or systemic, with architecture-level controls. Regulatory prescription shapes the work itself -- banking's SR 11-7 dictates model risk management in detail, while retail has almost no sector-specific AI regulation. Structural systems governability determines how easily governance can be built, whether workflows decompose naturally into discrete, measurable, audit-ready steps, or deliver value through fluid judgment that must be engineered into structure. By considering these together, we can create a governance diagnostic matrix that generates cross-cutting questions and applied examples for each matrix cell, based on our industry review. The four industries that follow occupy distinct positions on these dimensions. Where existing regulation is extensive, errors are difficult to reverse, and the impact remains at the transaction level, the banking archetype applies. Agent governance maps onto existing infrastructure, with privacy and reversibility as the binding constraints. Where regulation is extensive but the consequences involve human well-being, the healthcare archetype holds. Bifurcate, move on administrative use cases now, and invest the runway in the data integration and human-in-the-loop architecture clinical adoption requires. Where regulation is minimal and errors are reversible, the retail archetype applies. Experiment at scale, treat deployment as a learning function, and build the patterns that industries with less room to borrow will eventually adopt. Where errors cascade across networks, the supply chain and logistics archetype holds. Governance must be architectural, with checkpoints on the highest-leverage decisions, audit logs across all agent actions, and validation layers before execution. Organizations whose profiles do not cleanly match should weight reversibility and blast radius most heavily. They determine the consequences when governance fails. The eight variables define where governance must be tightest, and where leaders can move faster. CEOs can use these as reference archetypes to map their organization against, identify the one that most closely matches its profile, and draw from the lessons that follow. For financial services, agentic adoption is not optional. Near-term, agents promise major back-office savings that competitive pressure will quickly hand to consumers. In the medium term, customers will use their own agents to shop rates and switch providers, eroding the inertia that has long protected incumbent relationships. The industry must adapt its business model and integrate agents into customer-facing technology, and quickly. The good news is that banking's existing regulatory scaffolding is an asset rather than a hindrance. The frameworks that have long constrained the industry now supply much of the architecture agentic governance requires. On transparency, SR 11-7's "Guidance on Model Risk Management" already requires banks to provide specific reasons for model decisions, a requirement that extends to agents. Existing audit and reporting obligations cover much of the ground, though they must expand to track multi-step workflows. The same pattern holds for bias. The Equal Credit Opportunity Act already addresses the most acute risks in agent-outsourced tasks like credit scoring, where errors can disproportionately affect low-income customers. Sandbox testing of both individual models and agent interactions before deployment should be standard. Decision reversibility is the harder constraint. In credit, anti-money laundering (AML), and fraud, errors are difficult to undo, demanding continuous monitoring as agents take on more ambitious tasks and their behavior shifts. Banks must test full workflows and inter-agent interactions, where unforeseen risks emerge. Identity management -- assigning each agent its own ID -- enables tracking, and workspaces will need to evolve to allow humans to supervise dozens of agents at once. Privacy is the hardest problem, and the one that leaders flag most. Industry leaders cite data privacy (77%) and data quality (65%) as their top scaling barriers. Agents are prone to leaking personal data when interacting with external tools and other agents, and exposure cannot be reversed. Since fraud detection and AML require deep data access, banks must tightly constrain how agents use it outside predefined tasks. Banks are positioned to deploy agents faster than most industries. The sector's advantage accrues to those who map agent governance onto existing infrastructure rather than treat it as net-new work. Healthcare is heavily regulated, but unlike banking, it faces fewer immediate competitive pressures to deploy. The result is a bifurcated trajectory -- fast adoption on the administrative side and deliberate integration on the clinical side. Leaders who recognize the split will capture near-term wins while building the governance required for the bigger prize. Administrative wins are already real. Hospitals are seeing efficiency gains in documentation and claims processing, and physicians are seeing more patients through faster order entry, per a Mayo Clinic interview we conducted. Primary care and nursing integration are on the near horizon. Clinical integration is the harder problem because errors are irreversible. Misrouted referrals or faulty diagnostic recommendations can have life-threatening consequences. The stakes demand transparency as every clinical recommendation must be traceable to its underlying sources. Brazilian nonprofit NoHarm's prescription-review tool, deployed across 200+ hospitals and screening millions of prescriptions monthly, illustrates both the value at stake and the scale at which a single failure mode would harm patients. Yet, accountability is undercooked. Federal regulators set guardrails only for AI-enabled medical devices, leaving systems to build their own guardrails. Bias is one of healthcare's deepest exposures. Decades of underrepresentation in medical training and clinical trials carry forward in training data, and pattern-based specialties like radiology and pathology could amplify those inequities without active mitigation. Privacy is governed by HIPAA, but the harder operational problem is access. 62% of hospitals report data silos across EHRs, labs, pharmacy, and claims. Agents need data to function, and silos both limit utility and elevate the risk of improper access. Encryption, anonymization, and tight controls help, but do not fix the underlying integration gap. Healthcare should continue to move on administrative use cases, and invest the runway now in the data integration, bias auditing, and human-in-the-loop architecture that clinical adoption will require. The deliberate pace is appropriate to the stakes -- and the governance built today is the moat tomorrow. Retail is the industry where Agentic AI is moving fastest, and the one with the most to teach the rest of the economy. Light regulation, decomposable workflows, and reversible errors mean retailers can experiment at scale, iterate quickly, and build governance approaches in live conditions rather than on paper. Moving quickly captures these early returns and will be important for developing institutional muscle from which other industries can eventually learn. The trajectory is already visible, with 51% of retailers having deployed AI across six or more functions. Visa and AWS recently published a blueprint for shopping agents across the sales pipeline. And Mastercard's Agent Pay, launched in 2025, lets registered digital agents browse, select, and purchase on behalf of users, a working example of the sector's structural advantages stitched into one product. The industry's advantages stack with transparency: 54% of U.S. consumers say they do not care whether support comes from AI or humans, as long as it is fast. Retail can deploy without fully solving the disclosure problem first. On accountability, the returns and refunds infrastructure already handles error correction, and escalation is largely automated, leaving retailers well-positioned for agentic accountability without a net-new architecture. Decision reversibility is the single biggest enabler. Most agent actions, including product selection, cart assembly, pricing, and even completed purchases, are correctable through returns, refunds, or post-transaction adjustments. OpenTable's agentic customer service resolved 73% of cases within weeks, scaling swiftly precisely because errors carry no irreversible cost. More sophisticated controls -- delegated consent, spending limits, audit trails -- will mature as the sector does. The variable to watch is stakeholder impact. Individual purchase errors are trivial, but vendor-side failures in pricing algorithms, inventory, or multi-agent workflows can cascade. Companies are responding by implementing observability tools and centralized monitoring that track agent decisions throughout the transaction lifecycle. AWS's Amazon Connect suite is one example. Low regulatory prescription, combined with high structural governability, means retailers are largely building governance from scratch but onto workflows that already cooperate. APIs, standardized catalogs, checkout systems, and payment protocols like AP2 make agent integration natural. Shopify is embedding governance directly into infrastructure, linking identity, payment authorization, and transaction logging, so controls live in the system rather than around it. Retail's tailwinds are real, but the strategic value is not just speed. It represents an opportunity to develop and stress-test governance practices that will set the template for industries with less room to experiment. Retailers who treat their deployments as a learning function, not just an efficiency play, will be the ones whose approach shapes adoption across the rest of the economy. Supply chain and logistics is the fastest-moving industrial sector in agentic deployment, and the industry where governance is most architecturally consequential. The same multi-agent orchestration that enables the speed also makes errors systemic. A single mispriced quote, customs misclassification, or routing error can cascade across suppliers, carriers, plants, and customers in hours. The transformation underway is consequential in both directions -- outsized returns for early movers, and outsized exposure if governance lags. The pace is real and well past the pilot stage. C.H. Robinson's Always-On Logistics Planner runs over 30 AI agents across the shipment lifecycle, processing over three million tasks and capturing 318,000 freight-tracking updates from phone calls in September alone, with price quotes delivered in 32 seconds, where hours were the standard. UPS used Agentic AI to clear 90% of the 112,000 daily customs packages without manual intervention in September 2025. Uber Freight is running a 30+ agent platform on its AI infrastructure, which already manages roughly $20 billion in freight. The risk profile is also qualitatively different from earlier industries. In banking, an erroneous decision affects a transaction. In supply chain, it can affect an entire network, and multi-agent networks also widen the vulnerabilities. Sensitive data on pricing, routing, customer identity, and cargo contents moves across systems, where a single compromised credential can have a far-reaching impact. Even DHL, which is using agents for customs clearance and data cleansing, has flagged that recommendations and decisions still require human-in-the-loop oversight and auditability. This dynamic makes governance a matter of embedding engineering constraints into the system itself, rather than reviewing each decision after the fact. Leaders need human-in-the-loop checkpoints on the highest-leverage decisions -- high-value quotes, customs classifications, contractual commitments -- alongside mandatory audit logs and version control across all agent actions. Continuous monitoring for data drift, red-teaming of multi-agent interactions, and data validation layers before execution belong in the baseline architecture, not the bolt-on. Deloitte frames Agentic AI in the industry as a system of agents that coordinate across suppliers, plants, and logistics partners, but only within defined guardrails. Supply chain is where multi-agent governance gets stress-tested at scale. Companies that get the architecture right early will set the patterns the rest of the economy adopts when its agentic systems start orchestrating across organizational boundaries, which they will. Three takeaways travel across all four industries. Existing regulatory architecture is an asset instead of a brake. The industries best positioned to deploy quickly are those whose systems most naturally accommodate the eight variables that shape agentic behavior. Banking's scaffolding is proof; healthcare's deliberate clinical pace is the right response when irreversibility and bias raise the stakes. The patterns built today are the templates of tomorrow. Retail's identity frameworks and supply chain's architectural guardrails will be borrowed by those still catching up. Rather than whether to deploy, the question is how to govern at the scale and pace each environment requires. The renowned Enlightenment philosopher John Locke advised: "Where there is no law, there is no freedom." When rule-making is enacted properly, its impact is not to abolish our freedoms nor restrain our lives, but rather to protect and expand our freedom by preventing others from violating our rights. AI developers, businesses, governments, and the public interest should all be on the same side across parties and continents on this front. Done well, governance is what makes adoption durable. The companies that establish it intelligently, neither uniformly fast nor uniformly slow, are the ones whose agentic systems will still be running and trusted five years from now. **This article is part three of a four-part series from the Yale Chief Executive Leadership Institute (CELI) on the state of Agentic AI adoption across industries and sectors. The research is designed to help CEOs understand the current and expected pace at which agentic systems are being deployed -- and the strategic decisions that pace forces on them. Over the past six months, CELI researchers analyzed hundreds of company materials and industry analyses and conducted dozens of conversations with senior technology leaders across the U.S. The industries analyzed include Financial Services, Consumer Packaged Goods, Food & Beverage, Healthcare, Insurance, Manufacturing, Professional Services, Real Estate & Housing, Retail, Supply Chain & Logistics, Telecommunications, and Travel & Hospitality, as well as the public sector. The series examines four implications of the findings: labor market effects, data infrastructure readiness, governance and regulatory policy, and customer experience. With research contribution from Catherine Dai, Zander Jeinthanuttkanont, Yevheniia Podurets, Jasmine Garry, Johan Griesel, Andrew Alam-Nist, Peter Yu, and Christian Ruiz Angulo

You can't firewall a conversation: how AI red-teaming became mission-critical

AI adoption demands red-teaming as traditional security fails against attacks The explosion of AI usage since 2023 is unprecedented. In terms of adoption, AI is moving faster than cloud, faster than mobile, and certainly faster than the internet did. Research group Gartner predicts that 80% of enterprises will deploy AI tools this year. When we classify a company's journey through AI adoption, we see maturity falling into four categories: * Category 1 is general purpose AI and productivity - think employees using ChatGPT, Gemini, CoPilot, etc * Category 2 is when organizations have internal use cases, building custom chatbots for HR or IT, for example * Category 3 includes external use cases like building public-facing GenAI applications, like customer service chatbots * Category 4 is agentic workflows which are made up of complex systems that take actions autonomously on behalf of users These categories often run in parallel rather than in sequence, but it is in the last three categories that security becomes critical. That's because organizations are building complex software on top of non-deterministic AI models, creating vulnerabilities that traditional firewalls simply cannot see. Security is always a priority for business but, with AI, the concern is different - it's a blind spot. Security leaders have spent 20 years deploying and configuring firewalls and web application firewalls (WAFs) to protect the network, but those tools look at network traffic and usage, whereas AI attacks use natural language - and you can't firewall a conversation. That's why 75% of CISOs are reporting AI security incidents, because their existing shields simply aren't designed to catch these threats; why 91% have already detected attempted attacks on their AI infrastructure; and that is exactly why a whopping 94% are now prioritizing testing of their AI systems. New categories of cognitive attacks There are plenty of real-world examples of how AI is changing the threat model. A breach at Asana last summer stemmed from a tenant-isolation logic flaw in the MCP server that allowed cross-organization data exposure. That's a classic multi-tenant bug but it's more dangerous in LLM systems because leaked data appears as fluent language, which makes it much more difficult to detect. Meanwhile, an incident at Lenovo reflected a different failure: broken trust boundaries. Prompt injection redefined a Lenovo chatbot's role and the back-end systems trusted its tool requests without enforcing server-side authorization. The issue wasn't the AI model ignoring rules but authorization being delegated to it. These are just two examples that map to a much broader emerging risk landscape. Organizations aren't just dealing with code vulnerabilities any more, they are facing entirely new categories of cognitive attacks, including: * Prompt injection, both direct and indirect * Data poisoning during the training phase * Sophisticated jailbreak techniques like symbolic language attacks * Token compression, where attackers hide malicious instruction in formats that the AI model(s) can read but humans can't While traditional security guardrails handle deterministic input, prompt injection and other natural language attacks are semantic problems, not pattern-matching ones. These aren't isolated bugs; they are systemic business risks introduced by new AI-driven architectures. The industry is racing to categorize these AI vulnerabilities. There are frameworks emerging like the OWASP Top 10 for GenAI and Agentic Applications, Mitre Atlas and the NIST AI Risk Management Framework but we don't have a definitive database or unified standard for what secure actually looks like. The old approach can't keep up The pressure on industry right now to ship AI is existential. Developers are using AI to write code ten times faster than ever before; organizations are literally shipping new features, and even products, overnight. At the same time, regulation is accelerating matters on the compliance side. The EU AI Act, for example, explicitly calls for adversarial testing for high-risk and general-purpose AI systems. In practice, that means that purpose-built red-teaming - testing AI systems with simulated adversarial attacks - must now be considered a core component of the AI security stack, and in a way that addresses the real-world challenges these systems face. So, CISOs and security teams are expected to secure changes that are happening at machine speed. How? By manually typing prompts into a chat box? It feels like trying to stop a tsunami with a bucket. The math doesn't work. The speed doesn't work. The AI attack surface is fundamentally different and the old approach can't keep up. It's clear that traditional red-teaming is ineffective and AI red-teaming is needed to resolve the tension point of speed versus control. From speaking to customers, helping them to secure their AI systems, there are four key areas we need to consider: * Threat evolution: AI attacks evolve faster than static test suites. As soon as checks are automated, the AI model or the attack changes, and security teams end up maintaining tests instead of reducing risk. * Agent complexity: because AI agents aren't deterministic systems, once you add retrieval, tools, memory, there are almost infinite permutations. You are no longer testing code, you're testing a conversation that changes based on context. * Automation and scale: manual red-teaming does not scale for these systems. One chatbot may be manageable. Hundreds or thousands of chatbots are not. You can't rely on humans to replay thousands of adversarial conversations every time the model or the system prompt is updated * Actionable reporting: findings must be reproduceable and actionable. 'The bot behaved badly' is not actionable. Engineers need the conversation parameters and trigger conditions, otherwise the fixes, the remediations, will stall. Ensuring AI systems behave as intended, even under attack These are the real-world gaps that security teams are trying to close right now, and the reasons why AI red-teaming is coming to the forefront. For example, one of our customers is a global bank, operating in a highly regulated environment. When we first engaged with them, they had over 50 AI use cases across HR, procurement and cyber but they couldn't ship any of them because they couldn't prove safety to their internal auditors. AI red-teaming gave the bank the evidence it needed to understand how its AI systems actually behaved - where data could leak, how prompts could be abused, and where controls broke down in their environment. This customer is taking the findings from red-teaming to improve its defensive posture with custom security controls. This combination allows the bank to scale AI across the business with confidence in their security posture and governance program. In the public sector, meanwhile, the imperative shifts from voluntary testing to mandatory - guided by agencies including NIST and CISA - such as conducting adversarial stress tests to identify mission-critical risks like the weaponization of biological data. Here, AI red-teaming isn't just about reducing risk, it's about maintaining authority to operate and mission continuity. In other words, whether you're protecting customer data or public services, the requirement is the same - continuous, evidence-backed assurance that AI systems behave as intended, even when someone is trying to break them. Deploying enterprise AI with confidence It's clear that enterprises deploying AI need automated testing against known vulnerabilities just to establish a baseline. Context is the new attack surface; static defenses fail against agentic attacks so they must test workloads, not just models. Finally, compliance is a competitive advantage. With the right reporting, security stops being a blocker and becomes the enabler that gets an enterprise's AI to market faster. In that world, the 80% of enterprises that plan to deploy AI this year can do so with confidence rather than fear, whatever phase of their journey they're on. We've featured the best endpoint protection software. This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

Autonomous agents are reshaping AI security - SiliconANGLE

Autonomous agents are rapidly redefining how enterprise systems operate, exposing new security gaps as machine-driven activity begins to outpace the infrastructure designed for human users. Systems built around human identity and predictable workflows are struggling to keep up as autonomous agents operate continuously and move across environments with little friction. That shift is forcing enterprises to rethink architecture and security models to handle a faster, less predictable risk landscape, according to Ramin Farassat (pictured), chief product and strategy officer of Menlo Security Inc. "Companies are still building and they're securing their environment for human employees," Farassat said. "They need to desperately re-architect their environment because there's going to be this big army of AI agents that are going to be coming up. Of course, we all want this massive speed and the scale that these agents are bringing to the table. The reality is that these agents, unfortunately, lack human intuition. If a hacker throws a zero-day exploit or if they want to do prompt injection to an AI agent, it doesn't have that gut feeling that we as humans have to know that it's being tricked. What happens is that it would just basically execute what it's being told." Farassat spoke with theCUBE's John Furrier for the Google Cloud AI Agents in Action Series on theCUBE, SiliconANGLE Media's livestreaming studio. They discussed how autonomous agents are transforming enterprise security, infrastructure design and real-time threat management. (* Disclosure below.) As autonomous agents scale, security is shifting from reactive controls to real-time analysis of behavior and intent. Traditional defenses built around known threats are no longer sufficient when agents operate at machine speed and interact with dynamic content, Farassat explained. This forces organizations to adopt architectures that can interpret context rather than rely on static rules. "The only way that we could build this architecture such that it can be resilient and be able to scale was that we couldn't just react to known threats. We had to actually analyze the intent behind the website content in real time," Farassat said. "That lets us be able to instantly block things like zero-day exploits, social engineering attacks and things that no one has seen before." The operational model is also changing as security becomes embedded directly into agent workflows. However, the true shift isn't just about implementing AI into the enterprise workflow, but integrating it directly into your security stack, which is exactly the philosophy behind HEAT Shield AI. Solutions leading the AI era focus on bringing AI to the initial point of defense: the browser. This allows AI to visually "see" what the user sees while simultaneously "reading" the underlying HTML and DOM to identify highly evasive threats. Instead of relying on manual intervention, systems are increasingly designed to allow agents to communicate, enforce policies and respond to threats autonomously. This introduces a new layer of automation that extends beyond detection into coordinated response, Farassat added. "It's machine-to-machine defense, it's in real time and it's completely automated, without a human ever having to click a button," he added. "Then on top of all of that automation and the defense, the agent's still continuously running in the background and it can provide additional information to the human team." The rise of autonomous agents is also reshaping how security tools are delivered and adopted. Instead of long deployment cycles, organizations are looking for immediate integration within the environments where AI is already being built. This is pushing vendors toward platform-based distribution models that reduce friction and accelerate adoption, Farassat emphasized. "As we move into this new fast-paced agentic era, the way that we deploy security has to evolve," he said. "It has to be instant, and it cannot require long integration projects. That's exactly why we put our HEAT Shield agent on Google [Cloud] Agent Marketplace. It completely removes the friction." This shift extends into how organizations operationalize security at scale. AI interfaces are replacing traditional dashboards, enabling administrators to interact with systems through natural language and automated workflows. The result is a more fluid model where policies can be updated and enforced in real time without manual configuration, Farassat pointed out. "Using this AI technology, the security admin can now just interact directly with the Menlo agent and ask it things like, 'Show me the current blocklist,' or they can go and actually change a policy," he said. "They say, 'Switch this threat response from logging to blocking,' and AI just handles it for you." The proliferation of autonomous agents is also amplifying challenges around visibility and control. Shadow AI is no longer limited to isolated tools but is embedded across nearly every digital surface, making traditional tracking methods ineffective. This forces organizations to rethink how they identify and manage unseen AI activity. "Every site that you go to has AI. Every site is shadow AI, and every application is potentially a shadow AI," Farassat said. "The lists almost become obsolete the second they come up. Using a list is really not the way, in our opinion, to be able to discover and deal with shadow AI." Rather than attempting to contain agents at the perimeter, the emerging approach is to embed governance directly into their lifecycle. This includes defining policies at creation and continuously monitoring behavior as agents execute tasks. It reflects a broader move toward dynamic control models that scale with the agents themselves, according to Farassat. "Instead, what we believe needs to be done is to start from the beginning," he said. "As the agents are being built, set up specific policies within the agents. Make sure that you have control rights. But then, as the agents perform the task that they're performing and going to our platform, we're still making sure that we're providing the means for being able to look for things like prompt poisoning, be able to address different types of rights and access controls and set different policies that manage those agents at the scale of the agents themselves." Here's the complete video interview, part of SiliconANGLE's and theCUBE's coverage of the Google Cloud AI Agents in Action Series: (* Disclosure: TheCUBE is a paid media partner for the Google Cloud AI Agents in Action Series. Neither Google Cloud, the sponsor of theCUBE's event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

AI agents now commit and conceal cybercrimes on their own

Autonomous AI fraud agents steal massive data, hiding their tracks beyond human attribution For several years now, AI has been showing up in fraud as an accelerant. It drafted phishing emails, polished social engineering scripts, helped attackers move faster. The human operator still sat close to every meaningful step. But that distance is shrinking really fast. In September 2025, Anthropic's Claude Code was used in a cyber-espionage campaign when AI handled 80 to 90% of tactical operations across roughly 30 targets. A few months later, reporting on the Mexican government breach described a jailbroken Claude Code setup that Gambit Security said stole more than 150GB of data and exposed roughly 195 million identities. That's the real break with the past. Now we are not looking at AI as a helper inside a criminal workflow, but as confronting systems that can carry out large parts of the workflow by themselves. Cybercrime has changed its shape Once an agent has tools, context, and permission, cybercrime seems to look like an always-on operation. It can recon targets, write exploits, harvest credentials, move laterally, and package stolen data at machine speed. It matters because those capabilities are now part of the real threat environment. Attacks by AI-enabled adversaries rose 89% year over year, and autonomous AI adoption is climbing despite security concerns. We're witnessing a setting for the next fraud wave: agents enter mainstream systems at the same moment attackers learn how to weaponize them. Fraud loves scale, repetition, and weak supervision. Agentic systems bring all three. They do not get tired and do not forget the playbook. They can be pointed at thousands of tiny decisions that add up to huge losses. Attribution is starting to fail Traditional attribution leans on familiar clues. Investigators compare IP paths, malware families, domains, infrastructure, and other indicators of compromise -- even though the field has long known that proxies, false flags, and shared tooling can blur that picture. Agentic AI makes the problem worse because the operational exhaust isn't tied neatly to a single human hand anymore. The model can generate fresh code, adapt the sequence of actions, or distribute work across tools and sessions. In the Mexico case spotlight, there was an unidentified attacker who was aided by AI tools, and this kind of ambiguity should worry every defender. So, the point is not that humans disappear, but responsibility gets smeared across prompts, models, tools, delegated permissions, and machine-generated actions. And that weakens the old comfort that attribution will eventually catch up. The forensic trail now contains a non-human operator making consequential moves inside the attack chain. Identity has to travel with the agent Every meaningful AI action should carry a verifiable cryptographic identity. Once an AI agent is able to act inside a system, those actions should not be anonymous. Each one should be signed, linked to a verifiable identity, and captured in a trustworthy audit trail. Without that, we are asking security teams to govern autonomous behavior that leaves no reliable proof of authorship. The idea isn't fringe, and it's here. NIST launched an AI Agent Standards Initiative in February. Its concept paper explicitly calls for identifying agents, linking user identities to delegated actions, logging agent activity, and tracking the provenance of prompts and data inputs. Now, this is the market already telling us why this matters - 68% of organizations cannot clearly distinguish AI agent activity from human activity, even as 73% expect agents to become vital within a year. And it's not a minor governance gap, it's a direct liability in any environment where fraud, abuse, or data theft can be carried out through an agent. The hard part is not cryptography, but governance We already know how to sign and verify digital artifacts. Provenance, integrity, and identity-bound signatures can be made usable at scale. The missing move is extending that discipline from models and software artifacts to the actions agents take after deployment. That won't be simple. Standards have to work across model labs, enterprise stacks, open-source tooling, API gateways, agent protocols. Privacy questions are real, too, because auditability cannot become a back door for blanket surveillance. Still, those are design problems, and not excuses for anonymity. I believe what's missing is an identity verification layer that lets people, institutions, and eventually AI agents prove who they are, what they're allowed to do, and which credentials can be trusted, without exposing the raw data underneath. Built well, that kind of system gives trust a cryptographic form. It can move across platforms, survive handoffs between systems, and hold up under scrutiny. Fraud spreads wherever identity management is flimsy, and provenance breaks down. If access, eligibility, and high-risk actions are tied to verifiable credentials, it becomes much harder for a bot, a synthetic identity, or an autonomous agent to pass through systems on empty claims. The action carries history with it. The trust signal does too. AI fraud has crossed a threshold. When an agent can scout, decide, execute, and document the operation, anonymity becomes a structural weakness instead of convenience. We need a security model that does more than log what happened after the fact. We need one that can prove who stood behind an action, who delegated it, and whether that identity can be trusted in the first place. In a world of autonomous agents, that is not a nice safeguard now, but the baseline for keeping fraud governable. We've ranked the best Identity Theft Protection. This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

The quiet erosion of agency in the age of AI - SiliconANGLE

Enterprises are moving fast to embed artificial intelligence into everything from customer interactions to decision-making. The benefits are undeniable: speed, efficiency and scale. The danger isn't necessarily sudden or dramatic. It's quieter, more gradual, invisible and easy to justify along the way: It's the slow loss of agency inside the company. A company loses agency with AI when humans stop setting direction, making judgments and owning outcomes, and instead become passive supervisors of systems that operate with increasing autonomy. No one announces this shift; it happens, one decision at a time. As philosopher Marshall McLuhan famously observed, "We shape our tools and thereafter they shape us." That insight feels newly urgent. I came from an academic background where questioning assumptions was second nature -- where consensus was something to probe, not celebrate. That mindset has shaped how I hire and how I lead. I look for people who will push back, challenge my reasoning, even when it's uncomfortable. Strong organizations aren't built on alignment alone. They're built on constructive disagreement. But AI introduces a new dynamic. What happens when the most persuasive voice in the room is a system -- one that speaks with confidence, fluency and apparent completeness? And what if no one feels comfortable challenging it? AI is no longer just a tool; it's becoming the environment in which work occurs. Enterprises are reorganizing knowledge, workflows and communication to fit how AI systems operate. Many are training models on internal data such as brand guidelines, operating procedures and historical decisions. The result is a system that, in some ways, knows the organization more intimately than any one employee. That's powerful. It boosts productivity. It's also intimidating. When a system appears to hold full context, questioning it can feel like second-guessing the organization itself. This doesn't begin with bad intentions. AI accelerates work, improves accuracy and reduces costs. Naturally, we rely on it. Humans have always offloaded thinking when it becomes easier to do so -- trusting GPS instead of maps, using spreadsheets instead of calculators. These shifts are normal, even rational. But AI is different. It doesn't just compute; it generates reasoning, language, recommendations and even makes decisions. No one consciously gives up judgment; it simply becomes easier not to exercise it. After all, judgment demands reflection and diligence, AI helps us bypass this cognitive load in seconds. A friend once told me how she used an AI assistant to manage her new garden. It chose the plants, scheduled watering and even reminded her to prune. The results were consistent; the garden thrived. But when a rare pest appeared, she didn't know what to do, not because she lacked time or intelligence, but because she had stopped noticing how things worked. She hadn't sensed the rhythm of seasons, the feel of dry soil or why some leaves curled before rain. The garden was healthy, but her sense of gardening had quietly vanished. She had become a caretaker of AI's plan, not the garden itself. Paradoxically, in trying to use AI as a tool, she had quietly become one, simply executing AI's instructions. Like any muscle, judgment weakens when it isn't used. Organizations have always had a tendency to drift toward conformity, a challenge facing corporations everywhere. Employees align around narratives, reinforce shared assumptions and gradually lose external perspective. AI doesn't invent this dynamic; it industrializes it. Agency fades operationally, in ordinary ways: Humans are drawn to confidence, fluency and completeness. AI delivers all three, at scale. The goal isn't to resist AI, it's to ensure efficiency doesn't quietly replace judgement. That's the leadership challenge of the AI era. And it requires acknowledging something uncomfortable: human nature is part of the risk surface. People will default. They'll trust what looks authoritative. They'll avoid friction. So, how do you design systems that account for that? This is where governance becomes essential, not as compliance, but as structural protection for human agency. In my work, we're exploring this through what our company call Guardian Agents. They don't just monitor AI systems. They encode human intent -- policy, control and expectation -- and enforce it continuously. They make organizational standards durable, even when humans aren't directly involved. Humans drift. Systems scale. Intent must therefore be defined, challenged, updated when appropriate, and enforced. Agency doesn't vanish. It's actively designed, protected and maintained. If AI amplifies human tendencies, leaders must build for those tendencies: These aren't safeguards against AI. They're safeguards against human nature. AI will shape how organizations think and operate, but whether it replaces judgment or strengthens it depends on leadership. The real competitive advantage will lie with companies that harness AI while preserving the ability to challenge it. Because agency isn't lost at one point in time, it's surrendered gradually, every time we accept what seems easiest instead of asking why. In the end, we'll all be measured by how much human judgment we preserve.

The New Security Risk Every Business Using AI Needs to Know About (and How to Protect Yourself)

Automated management must be prioritized in the boardroom, security teams need access to tools that can comprehend what the user is asking for, and there must be a separation of duties at the user level. For almost two years, a big change has been taking place when it comes to the security architecture used by most businesses. While most IT teams are still focused on vulnerabilities and fighting common types of ransomware, there has been a new type of risk that has been gradually developing called autonomous access. This risk goes by various names, such as agentic AI, automated workflows and autonomous agents, but ultimately, they all do the same thing. Nowadays, it is permitted to act on data without human intervention. Even when it makes transactions, it does not always need approval. It's an automatic system with an instruction to "get things done" as efficiently as possible. The term that is commonly used by IT security practitioners to refer to these problems is OpenClaw. According to the SANS Institute, OpenClaw agents make up "the single greatest expansion of the attack surface since the migration to cloud infrastructure." The organization's 2025 State of Identity Threat Report also added that up to two-thirds of organizations are using AI agents with access to sensitive data without having key security measures in place. Another bit of work by the Cloud Security Alliance (CSA) identified that automated systems, including AI agents, now make up over 80% of authentication attempts in modern environments, even though they receive less than 5% of security oversight. Over decades, data security worked according to a simple concept. You were required to protect the keys. If a human's passwords were fiddled with, they were revoked. If a database was compromised, it was removed from the system. Autonomous systems are changing the game. They are being used to execute complex systems. The Cloud Security Alliance's Complete Technical Guide on Non-Human Identity Security cites that humans with 1,000 or more employees usually maintain 10,000 non-human connections in the form of API keys, OAuth tokens, service accounts and internal secrets. These all secured a unique entry point. The research also identified that up to 23% of applications that are connected to Google Workspace have good access permissions (read, write, delete) and can change the sensitive data of organizations. Fifty percent of tokens that link Salesforce to third-party applications are not really used and create unused credentials. Through knowledge, an autonomous agent in finance could initiate transfers and adjust payment methods. A customer support agent may modify Personally Identifiable Information (PII) in order to fix an issue. An engineering agent may change repositories and make changes to the way that work is done. In all of these scenarios, the agent will not be a human with control but rather an API key that is able to make decisions. A potential problem is that most identity and access management (IAM) strategies were built to be used in simple service accounts. A Gartner Peer Community dialogue revealed that established companies face challenges due to debt through accounts that are "quite old and lack necessary metadata," which makes it difficult for monitoring purposes across the company. To reduce the risk associated with OpenClaw, you do not need to end AI adoption completely. You have to update your key qualities. For one, automated management needs to become important in the boardroom. Service accounts, API keys and account information must start to heavily outnumber human actors. Gartner claims that by 2028, close to 70% of CISOs will need Identity Visibility and Intelligence Platforms in order to reduce IAM risk. They will progress beyond human-centered identity governance to also have non-human access reviewed. Secondly, security teams will need access to tools that can comprehend what the user may be asking for. The Snyk AI Red Teaming tool uses this approach through testing LLM agents with prompt-based risks and thereby helping developers to include security testing in their development work. The foundation of Cloud Security Alliance's CSAI is currently doing something like this through a focus on controlling privileged access and monitoring the behavior of users. Lastly, there must be a separation of duties at the user level. Automated systems should not be able to access sensitive data and do bad things with it. Automated systems are not something that represents a future risk. They are current systems used by companies in order to gain advantages in the AI race. SC Media stated, "NHI's are the fastest-growing, least-governed and most exploited attack vector in the enterprise. The organizations that act now to prioritize their protection will be the ones resilient enough to withstand the next generation of cyber threats, safeguarding their systems, customers, reputation and bottom line." The companies that win this competition will be the ones that realize that delegating software duties to AI requires more intensive human oversight, not less.

Four key areas in cybersecurity that need fresh thinking and actionable steps in 2026

Cybersecurity entered 2026 under pressure to keep pace with the rapid deployment of AI technologies while laying the foundations for a quantum future. Security leaders are expected to defend increasingly complex AI and hybrid environments while facing persistent talent shortages, a fast-changing threat landscape and mounting operational pressure. For the first time, attackers have access to similar sophisticated enterprise-grade technologies that the defenders are using to protect their digital enterprise. This convergence has created a paradox for cybersecurity teams. AI is becoming a powerful force for attackers, yet it also holds the potential to reimagine cybersecurity, improve detection and response accuracy and speeds and significantly reduce security analyst workloads on routine tasks. Organizations are also looking forward to the transformational benefits that Quantum computing promises, but it also threatens to undermine the cryptographic foundations that secure today's digital ecosystem. Meanwhile, cybercriminal operations continue to get more organized, often moving faster than traditional, siloed defenses can adapt. They are also prepared to play the long game, gaining initial access and remaining undetected within systems for extended periods of time, waiting for the right moment to move laterally and access sensitive data that can disrupt operations, inflict financial strain and damage reputations. Not to mention the potential impact on society when essential services and critical industries are targeted. To maintain stakeholder trust and move forward with confidence, organizations need to reset how they think about cyber resilience. That shift requires moving away from reactive, siloed security functions toward proactive, integrated prevention, response and recovery. Success will depend less on adding new technologies and tools to defend against emerging threats and more on having an unified enterprise-wide visibility of cyber risks for proactive security and risk management and simplifying the complex with an integrated security fabric across people, processes and technology. The following areas highlight how CISOs and security leaders must evolve their cybersecurity strategy and operations to help shape their planning in 2026 and beyond. 1. The cybersecurity skills 'gap' has a systems problem According to the ISC2's 2025 Cybersecurity Workforce Study, 69% of respondents reported multiple cybersecurity incidents in their organization due to a skills shortage. While budget constraints play a role, misalignment between academic training and enterprise demand, combined with the pace of technological change, could be widening the cybersecurity skills gap. Leaders increasingly expect candidates to arrive ready with in-demand skills, while existing staff are expected to find the time to upskill. Simultaneously, the arrival of agentic AI is rapidly evolving the cyber threat landscape, creating an urgency for entirely new capabilities in automation, model risk and adversarial AI defense - 41% of respondents flagged AI skills as a priority. Universities and certifications remain valuable, but courses could take 12-18 months to complete. By the time candidates enter the workforce to fill an identified need, the skills are considered outdated, further widening the gap between talent supply and demand. Closing this gap requires greater collaboration among policymakers, academics and organizations to steer financial investment into high-demand skills, such as AI and cybersecurity, to deliver more agile courses that better align education with enterprise demand. Agentic AI, developed for specific roles, like SecOps, would help narrow the cybersecurity skills gap while reducing costs by automating detection, triage, remediation and compliance tasks. This would dramatically save hours in labor-intensive tasks, increase workflow productivity, and accelerate decision-making, freeing staff to focus on strategic work and skill development. To unlock AI's true value, organizations must adopt a secure, scalable approach that balances business, IT and security priorities, with advanced visibility and humans-in-the-loop, to maintain trust and accountability. Combined with stronger cross-sector collaboration, AI-driven technology can help to strengthen the talent pipeline, accelerate skill development and deliver the skills the sector urgently needs. 2. Vulnerability management needs to move to continuous exposure reduction As adversaries utilize generative and agentic AI to elevate their tactics, increasing the sophistication, scale and speed of attacks, traditional vulnerability management may no longer be sufficient. This reactive cycle of periodically scanning, patching and reporting with manual remediation creates delays in response times, only offers basic defense and makes it more challenging to prioritize and innovate in hybrid environments. Moving toward a Continuous Threat Exposure Management (CTEM) approach provides organizations with real-time visibility of assets and vulnerabilities before they can be exploited. The effectiveness of CTEM depends on integrated AI-powered risk prioritization and coordinated remediation workflows that span IT and security functions. This can help reduce the mean time to remediate and shift focus from compliance-driven reporting to measurable risk reduction. In turn, organizations can strengthen resilience and support innovation without increasing their exposure. 3. Modern deepfake detection is now essential to brand trust Trust has become the new attack vector. From cloning voices to synthetic multimodal impersonation (audio, video, text and images), adversaries are using AI-generated deepfakes to commit fraud and spread disinformation across industries from financial services and government to critical infrastructure. A single cyberattack could cause major financial, operational and reputational damage. However, traditional security frameworks were not designed to identify content-based deception, creating a blind spot for security teams. Whether preventing social engineering attacks or protecting the integrity of digital communications, deepfake detection has become a strategic imperative - requiring modern security strategies and tools to restore trust. AI-powered defenses, stronger communication protocols and cross-sector threat intelligence can help restore trust and strengthen cyber resilience. Adaptive deepfake engines that are embedded across identity workflows and incident response would continuously operate and evolve as new impersonation techniques emerge, flagging suspicious content in real-time, triaging alerts and logging incidents with rich metadata for investigation and compliance audit trails. Organizations need to invest in deepfake detection and response capabilities to safeguard trust and stakeholder confidence. 4. Post-quantum security must become a strategic priority Quantum computing is moving steadily from theory toward practical application, with significant implications for cybersecurity. Once sufficiently advanced, quantum machines could break widely used public-key cryptographic systems such as RSA. Adversaries are already pursuing "harvest now, decrypt later" strategies, collecting encrypted data with the expectation of decrypting it in the future. As a result, the transition to quantum-resistant cryptography is increasingly a board-level issue with the National Institute of Standards and Technology (NIST) having stressed the urgency of adopting post-quantum cryptography (PQC) and mapping quantum-vulnerable assets. Organizations should begin preparing through phased, crypto-agile strategies that assess cryptographic dependencies, test NIST-selected PQC algorithms and build flexibility into security architectures to support future updates. Early preparation will reduce long-term risk and strengthen business continuity planning. Summary Cybersecurity must be reimagined with AI technologies, strong governance and operational discipline and rapid skill and capability development. Enabling proactive security and risk management, improving resilience and building stakeholder trust and confidence. The organizations best positioned for 2026 and beyond will be those that prioritize unified enterprise-wide visibility and risk reduction, simplify complex cybersecurity stack into integrated security fabric and ensure long-term preparedness in a fast-changing complex threat landscape. We've featured the best encryption software. This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

Why agentic AI governance is falling short - and what we can do about it - SiliconANGLE

Why agentic AI governance is falling short - and what we can do about it Agentic artificial intelligence misbehavior is reaching epidemic proportions. Today's AI governance solutions aren't stopping the madness. We need to rethink our entire approach to AI governance. Even though agentic AI is still nascent, many of the AI agents in production today are wreaking havoc. From deleting production databases (and their backups!) to lying and cheating to avoid deletion, horror stories about agents-gone-bad are driving reconsideration of the technology. And yet, companies of all sizes are enamored by agents' promise. Given large language models' power to glean insights from vast quantities of unstructured data, LLM-powered AI agents can now take action based upon such information to accomplish an astounding variety of business tasks - as well as a commensurate number of nefarious actions. The behavior of such agents is nondeterministic: Given the way LLMs work, agentic behavior is unpredictable. It's this unpredictability, in fact, that makes agents so powerful, as agents can figure out for themselves novel ways to accomplish the tasks set out for them. Companies deploying AI agents, therefore, face a dilemma: Should they either allow such agents free reign to achieve their goals at the risk of dangerous misbehavior, or lock them down so that they can't go rogue by constraining them exclusively to deterministic, predictable behavior? Clearly, we want some middle ground: Give agents the freedom to solve problems nondeterministically but establish sufficient guardrails to constrain their behavior to comply with our rules and policies. Such is the motivation for the entire agentic AI governance category: a burgeoning subset of the AI governance market focused on helping organizations establish and manage such guardrails for their AI agents. Such guardrails are unquestionably necessary. But if we look more closely at how rapidly agentic AI is evolving, it soon becomes clear that today's agentic AI governance is woefully insufficient for reigning in increasingly dangerous AI agents. Perhaps the most obvious problem that all agentic AI governance faces is the predilection of the more powerful AI agents to break the rules. This malfeasance leads to a problem I discussed in my last article that I called the hall of mirrors problem, what some people call who watches the watchers. Given the power and ubiquity of AI today, leveraging AI (in particular, AI agents) to ensure that agentic AI stays within its guardrails is ostensibly the most logical choice. The question then becomes: How do we ensure that these "police officer" agents themselves don't misbehave? How do we keep AI agents and their watchers from conspiring together to break the rules? If adding layers of agentic police officers doesn't address the problem, then maybe the best approach to keeping misbehaving AI agents in line is to lock down their behavior. The most common approach today is to establish a mechanism for defining and enforcing policies and rules that directly constrain agentic behavior. As AI agents become more powerful, however, such constraints will increasingly prevent those agents from accomplishing tasks nondeterministically - what I like to call the autonomy squeeze. Here's how I define the autonomy squeeze: AI agents eventually become so dangerous that the guardrails we would need to put in place to control them prevent them from providing any business value whatsoever. At that point, there's no reason to deploy AI agents at all. Another approach is to prevent agents from taking actions directly - in other words, constrain autonomous behavior by requiring a human to step in to approve an action. You'll hear the phrase "human in the loop" from a wide range of vendors, including both vendors selling their own agents as well as the agentic AI governance vendors looking to constrain agentic behavior. However, there is a massive problem with all human in the loop approaches: automation bias. That refers to the human tendency to put too much trust into automated systems - even fallible ones. Whenever humans interact with an automated system, they may be skeptical at first. It's human nature to check and double-check that the automation is working properly. However, as the system successfully completes its tasks multiple times, humans become complacent. "It worked fine the last hundred times," we say, "so I can trust it to behave properly the next time." Except, of course, when something goes wrong. Automation bias, in fact, isn't specific to AI agents, or even information technology-based automation at all. For example, investigators attributed the crash of Air France flight 447 in 2009 to human causes that boiled down to automation bias. The cockpit crew became so comfortable with the aircraft's automated systems that when a fault in a sensor developed, they misunderstood the problem and crashed the plane into the ocean. Automation bias is just as dangerous for agentic AI, as it leads to the following human behaviors: Agentic AI, in fact, exacerbates the problem of automation bias, because of LLMs' deceptive appearance of intelligence and confidence. Furthermore, given how rapidly agents can make decisions and how often they will make decisions at scale, humans simply won't be able to keep up, even if they were sufficiently skeptical of suspicious behaviors. Note that it doesn't matter how good the agentic AI guardrails are - because of automation bias, humans will simply ignore, disregard or turn off any warnings AI governance might provide. One police officer agent won't do. Putting one agent in charge of keeping police officer agents on track doesn't solve the problem, either. The best answer we have today: multiple diverse adversarial validators with multi-layer validation. Instead of one validator (aka "police officer agent"), use multiple validators at the same time. Make sure these validators have the following characteristics: If multiple diverse adversarial validators can answer these questions for all potential agentic behavior, then your AI governance system can minimize the risk of agentic misbehavior. Yes - taking this approach to agentic AI governance at best lowers the risk - but can never eliminate it. There is always the possibility that some agentic conspiracy suborns the validators, or that some systemic pattern of validator error or misbehavior lets some agentic mischief through. The primary lesson here: Agentic AI never provides certainty. It can only provide confidence thresholds. In other words, nondeterministic (probabilistic) behavior can only provide probabilistic trust. Absolute trust is impossible as long as agents behave nondeterministically. Confidence thresholds always fall short of 100% - and the difference between the threshold and 100% is what we call the error budget. Site reliability engineers or SREs are quite familiar with error budgets: Given the available time and money, SREs can't guarantee a site will be up all the time. Instead, they work toward the error budget, which quantifies just how good the performance can be given those time and money constraints - in other words, how much failure is acceptable. Just so with agentic behavior. Given the behavioral constraints on such behavior, the best we can do is to say that agents will behave well within their error budgets - but sometimes they will misbehave regardless of all the constrains and protections we put into place, and we simply have to live with that fact. If you're not OK with such error budgets, then don't deploy AI agents.

AI constraints must come before deployment, not after - SiliconANGLE

On April 7, 2026, Anthropic did something unprecedented in the history of artificial intelligence: The company announced that it had built its most capable model ever and would not be releasing it to the public. The model had not failed. In fact, it had performed so well, across such consequential domains, that Anthropic concluded the constraint infrastructure required to deploy it responsibly did not yet exist. In the weeks of testing before the announcement, Claude Mythos Preview had identified critical vulnerabilities in every major operating system and every major web browser - thousands of flaws that had survived, in some cases, decades of human review and millions of automated security tests. The same capability that made it an extraordinary defensive tool made it, in the wrong hands, a means to compromise virtually any major software system in the world. Anthropic's response was Project Glasswing: a consortium of 50 of the leading technology and critical infrastructure organizations committed to finding and patching vulnerabilities before the capability proliferated beyond responsible actors. The company was explicit about why Mythos itself would remain unreleased: "We need to make progress in developing cybersecurity and other safeguards that detect and block the model's most dangerous outputs." The most safety-focused AI laboratory in the world had built a system it could not yet safely constrain, so it paused. For many organizations deploying AI, that question comes later - if it comes at all. Human beings do not require external governance to prevent the most harmful behaviors. We are constrained from within by biology, social accountability, legal consequence and the cognitive limits that prevent any individual from optimizing at machine speed and scale. These constraints were not designed; they emerged over millennia. They are imperfect, but they exist as a baseline. AI systems inherit none of these. Every limit is one someone chose to engineer. An AI system given an objective will pursue it through whatever path is mathematically available - including those that involve collusion, discriminatory outcomes, unauthorized resource acquisition, or, as Mythos Preview demonstrated, the autonomous exploitation of critical infrastructure vulnerabilities. It's not because the system is malicious, but because nothing was in place to prevent it. This is not a flaw. It is the nature of these systems, and it is the central governance challenge every organization deploying AI faces today. A mature AI governance program looks like other rigorous organizational disciplines such as DevSecOps, regulatory compliance and financial controls. It inventories every AI system in production, assesses it against a proportional set of technical, operational and governance controls, measures the gap between what is prescribed and what is actually implemented and reviews that gap on a defined schedule as systems and their environments evolve. It is systematic, documented and auditable - not a policy document, but a practice. That standard exists in other domains because those domains built it over decades of incidents, regulation, and accumulated institutional knowledge. AI governance is only a few years into that same process. Most organizations have not yet had the time, the mandate or the forcing function to develop their AI governance to the same level of rigor as the compliance and security practices they have spent years maturing. Competitive pressure compounds the problem. With so much market uncertainty and a regulatory environment still taking shape, many organizations are moving faster than their governance programs can keep pace. We are seeing the maturity of the industry, its standards and its regulations built in real time. The most important lesson of the Glasswing announcement is about sequence. Anthropic did not build Mythos Preview and then ask whether it was safe to release. The company evaluated the system's capabilities rigorously, concluded that the constraint infrastructure didn't exist to deploy it responsibly and chose to withhold it from the public. The governance question came before the deployment decision. Unfortunately, that sequence is more often the exception than the rule in businesses, due to market forces that reward speed and a governance ecosystem that has not yet caught up. Writing on the day of the announcement, New York Times columnist Thomas Friedman called what Mythos Preview represents potentially as consequential as the emergence of nuclear weapons and the need for nonproliferation, a capability no single organization or country can manage alone. He is not wrong, but the civilizational scale does not excuse the organizational one. Every organization deploying AI systems today faces a version of the same question Anthropic answered with Mythos: Is the constraint infrastructure adequate relative to the capability being deployed? Many organizations do not yet have a reliable answer. That's not from indifference, but because the frameworks, standards and regulatory guidance needed to make that evaluation with confidence are still being developed. Project Glasswing is a beginning, involving multiple organizations, a defensive mandate and a $100 million commitment applied to a specific threat. It is not a solution to the broader challenge it has illuminated. That challenge belongs to every organization that builds or deploys AI. Treat constraint adequacy as a deployment prerequisite, not a post-deployment remediation task. Measure the gap between what governance documents say and what AI systems actually do. Recognize that as AI capability advances, the constraint systems designed for current capabilities require continuous reassessment. Anthropic's choice demonstrated something rare: the discipline to ask the governance question honestly and act on the answer, even when the answer was inconvenient. The organizations that will be on the right side of AI's history are the ones asking that question now - before the incident that makes the answer undeniable.

How AI's evolution is redefining risks

AI tools have long been a double-edged sword, used by attackers and defenders alike. However, it has recently shown its third edge; as it becomes increasingly embedded within organizations as a tool, it is now also an attack surface which cybercriminals will look to exploit, and which organizations must strive to protect. At first glance, it may appear that this has tipped the AI scales in favor of attackers. AI has industrialized the cybercrime landscape, boosting the efficiency of attacks, as well as enabling them to be scaled up. And now, it is no longer just a weapon but a new attack vector. However, this same efficiency can be used to help power defenses against cyberattacks, helping to protect organizations. A new frontier of AI-enhanced attacks While AI offers immense potential for innovation, it has also been adopted as a powerful tool by cybercriminals to execute more sophisticated attacks. Threat actors like Storm-0817, for instance, actively use AI to assist in malware development and social media scraping. Groups like the Black Basta collective have also used AI to craft emails in multiple languages, thereby expanding their global reach. OpenAI recently disrupted dozens of malicious operations that were misusing its models for malware creation, phishing, and disinformation. While most cybercriminal groups still seem to be using AI as more of an assistive tool at this stage, a future of fully automated cyber attacks is growing increasingly possible. In November of last year, Anthropic disrupted the first reported AI-orchestrated cyber espionage campaign, during which its agentic AI tool Claude Code was manipulated to conduct automated reconnaissance and intrusion attempts against global targets. It is highly likely that we will see more attacks like this in the coming months, as attackers gain skill and confidence in using AI. Two edges becomes three The third edge represents a shift in AI, away from being just a weapon or a shield and instead becoming a handle which attackers can use to steer an organization's own IT infrastructure against itself, whether through attackers exploiting plugins used to connect AI tools to enterprise data, or via 'hijacking' an AI assistant. As agentic AI becomes increasingly the norm, we will see this more and more. This can be seen in the 2025 compromise of the "Drift" AI module linked to Salesloft, which resulted in the theft of Salesforce data from several hundred organizations, including multiple security vendors. Another example is the recent "EchoLeak" campaign against Microsoft 365 Copilot, which revealed how a carefully crafted email could deliver malicious instructions to an embedded AI assistant, leading to silent data exfiltration. Finally, this third edge to AI has also been sharpened by the growing problem of Shadow AI, where employees use unauthorized AI tools, creating a 'leaky bucket' where sensitive corporate information is sometimes fed into public models. AI's neutrality: defense vs offense Crucially, organizations must not shy away from AI simply because it is an attack vector. AI as a technology offers significant efficiency benefits to organizations across sectors, and so the answer isn't to avoid it but to protect AI tools and systems properly. The best way to balance AI risk with optimized business potential is to take a security-first and human-centric approach. That means putting people in control while using AI to support decision-making. This 'Secure AI' approach encompasses a system that is transparent, explainable, and aligned with regulations to meet unique needs and IT company ambitions. The silver lining is AI's own neutrality; the very same algorithms that power sophisticated cyber attacks can also be used to support modern defense systems. For instance, AI can streamline threat detection, incident response, and risk management. Where traditional detection methods fall short in cybersecurity, defensive AI can assist in identifying 'beaconing' behavior through pattern recognition. Anomalies are raised to security teams through real-time notifications, enabling prompt investigation alongside required action. Overall, this supports teams with more routine elements of system security, including the documentation of security intelligence, event information, and analysing potentially harmful emails alongside malicious files. Machine learning can also be used in autonomous threat detection and response programs. The myth of the golden ticket The intention of the user largely dictates the risk-reward ratio. AI, like any tool, is prone to misuse and can be poisoned or hijacked, which means it isn't a 'golden ticket' in cybersecurity. Defenders who protect systems must not only understand and be trained on the testing of AI systems and their security, but also be in decision-making positions to execute what AI cannot adequately do. In an era of industrialized cybercrime, success won't be found in the AI buzz but in how well we blunt the third edge before it is turned against us. We've reviewed the best Antivirus Software. This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

Identity Security in the Age of Agentic AI

Join the DZone community and get the full member experience. Join For Free The rise of agentic AI isn't just changing how we build software it's fundamentally breaking our assumptions about identity, access, and accountability. As engineers, we've spent decades building identity systems around a simple premise: users are humans. That premise is now obsolete. The Identity Model We Built Is Already Broken Traditional IAM, PAM, and SSO tools were designed for a world where actions map cleanly to people. An employee logs in, performs tasks, logs out. Audit trails are straightforward. Authorization decisions are binary. Enter AI agents. These systems don't fit neatly into existing categories. They're not quite users - they don't authenticate the way humans do. They're not quite services, they operate with delegated human authority. They exist in a gray zone that our current identity architectures simply weren't designed to handle. When an AI agent books a meeting, updates a CRM record, or modifies a cloud configuration, who's accountable? The employee who deployed it? The team that built it? The vendor that trained it? These aren't philosophical questions anymore they're operational security gaps. Why Identity Silos Are Now a Critical Vulnerability Most organizations manage identity across three distinct domains: * Workforce identity: Employees, contractors, partners * Application identity: OAuth tokens, API keys, service accounts * Machine identity: Certificates, secrets, infrastructure credentials This separation made sense when each domain operated independently. But agentic AI doesn't respect these boundaries. A single AI agent might: All in one workflow. All within seconds. The result? Fragmented visibility, inconsistent policy enforcement, and audit trails that span multiple systems with no unified view. Security teams are left stitching together logs from disparate tools, trying to reconstruct what actually happened. The architectural response: We need unified identity fabrics that govern access deterministically across all identity types. Policy enforcement can't be probabilistic when autonomous agents are making thousands of decisions per minute. Credentials Are the New Compute Here's a paradigm shift that hasn't fully landed yet: the limiting factor for AI capability is no longer model intelligence it's access. Think about it. A state-of-the-art LLM with no API keys, no database credentials, and no system access is just an expensive chatbot. The same model with broad credential access becomes a powerful autonomous actor capable of real-world impact. This inverts our traditional scaling assumptions. We've optimized for compute (FLOPs, memory, inference speed) while treating credentials as a configuration detail. But in an agentic world: * Every meaningful automation depends on credentials * Agent capability scales directly with permission scope * Credential brokering becomes core infrastructure, not an afterthought The organizations that figure out secure credential brokering, verifying agent identity, scoping access appropriately, and auditing usage in real-time will define the next generation of AI infrastructure. The Shadow AI Problem Is Worse Than Shadow IT Remember when shadow IT was the big concern? Employees spinning up unauthorized SaaS tools, creating security blind spots? Shadow AI is that problem on steroids. AI agents are now embedding themselves into SaaS tools, often with capabilities that go far beyond what employees originally authorized. They're: * Creating accounts autonomously * Connecting to third-party services * Storing credentials in ways that bypass corporate vaults * Taking actions that look identical to human activity in logs Traditional SaaS management tools can't distinguish between a human clicking a button and an AI agent executing the same action programmatically. This visibility gap is becoming a governance nightmare. Practical implications for engineering teams: * Instrument your applications to log agent-specific metadata * Implement distinct authentication flows for AI agents vs. humans * Build monitoring that can detect autonomous behavior patterns * Design APIs with agent governance in mind from the start Accountability: The Unsolved Problem Here's the question that will define enterprise AI adoption: Can you prove that every AI-driven action reflects human intent? This isn't about compliance checkboxes. It's about fundamental trust. When an AI agent makes a decision that impacts customers, finances, or operations, there needs to be a clear chain of accountability: * Which human authorized this agent's access? * What scope of authority was delegated? * Was this specific action within that scope? * Can the decision be explained and audited? Most current implementations fail these tests. Agents operate with broad permissions, take actions that weren't explicitly anticipated, and produce audit trails that are technically complete but practically incomprehensible. The engineering challenge: Build delegation frameworks that are both flexible enough for useful automation and constrained enough for meaningful accountability. This likely requires: * Fine-grained permission models (not just role-based access) * Intent capture at delegation time * Runtime policy enforcement with human-readable explanations * Immutable audit trails with causal linking What This Means for Your Architecture If you're building systems that will interact with AI agents and soon, most systems will here's what to prioritize: 1. Design for Agent-Aware Authentication Don't retrofit. Build authentication flows that explicitly handle AI agents as a distinct principal type with their own lifecycle, permissions model, and audit requirements. 2. Implement Credential Isolation Agents should never share credentials with humans or other agents. Each agent needs its own identity with scoped, rotatable credentials and clear ownership. 3. Build Observable Delegation Chains When a human delegates authority to an agent, that delegation should be a first-class object in your system auditable, revocable, and queryable. 4. Plan for Policy Enforcement at Scale Static RBAC won't cut it. You need dynamic, policy-driven access control that can evaluate context in real-time and enforce constraints consistently across identity types. 5. Instrument for Behavioral Analysis Log not just what happened, but patterns of behavior. Anomaly detection becomes critical when agents can take thousands of actions autonomously. The Bottom Line Agentic AI is forcing a fundamental re-architecture of how we think about identity, access, and accountability. The companies that treat this as a security add-on will struggle. The ones that recognize it as a core infrastructure challenge and invest accordingly will build the trusted AI ecosystems that define the next decade. The question isn't whether AI agents will have broad access to enterprise systems. They already do. The question is whether we'll govern that access thoughtfully or learn hard lessons from preventable incidents. For engineers, this is both a challenge and an opportunity. The identity security patterns we establish now will shape how autonomous AI integrates into enterprise infrastructure for years to come. Let's build it right. What identity challenges are you seeing as AI agents become more prevalent in your systems? I'd love to hear about real-world patterns and solutions in the comments.

AI agents create new risks requiring continuous monitoring and oversight

AI agents are fueling a "fundamentally different" threat for businesses of all sizes AI agents that act autonomously and carry out tasks without human intervention are the next step in the rapid progression of AI tools and their influence on how tasks are carried out. Their use is scaling rapidly. According to recent statistics from Tenet Global, 85% of enterprises and 78% of SMB's now use AI agents, which are projected to automate up to 50% of business tasks by 2027. The benefits of using AI agents are clear for all to see: Autonomous task execution, 24/7 operations, reduced costs, real-time data analysis for faster reactions, and being easily scalable. However, for all of this promise, events of the last few weeks have highlighted the dangers around the use of AI agents, and why stringent, continuous monitoring is needed to track their behavior and quickly identify anomalies. Without this guardrail in place, AI Agents can act in unintended ways with severe consequences. Recent incidents The recent report of Meta employees being given access to sensitive data after an engineer followed flawed advice from an AI agent, is a clear example. The incident, first reported by The Information, came as a result of a Meta engineer posting a technical query on an internal forum. An AI agent responded to the question and when the employee acted upon its advice, large amounts of sensitive user data were visible to unauthorized engineers for over two hours. As a result, Meta gave the incident a "Sev 1" rating, the second-highest incident response identifier used internally. This incident came hot on the heels of another example of an AI agent acting in an unintended way. A few weeks prior to the Meta incident, a study published on arXiv described the development of ROME AI, an agentic AI model designed to perform complex tasks such as writing software, debugging code, and interacting with command-line tools. Systems monitoring the agent detected behavior resembling cryptomining operations and the creation of a reverse SSH tunnel, which is commonly used to establish remote access to servers. The agent had not been instructed to carry out either of these actions and, according to researchers, the behavior came as a result of it being allowed to interact freely with tools and system resources in order to learn how to solve tasks. In the case of the ROME AI agent, the incident took place in an environment designed for agent training and additional restrictions were introduced when the issue arose. Nevertheless, this was not the case with the Meta example, and both instances draw attention to the increasing use of agentic AI, its capabilities to act beyond specific instructions, and the subsequent need for continuous monitoring to ensure agents are deployed safely. The Meta example in particular underlines the potential data protection risks associated with AI agents, particularly when it comes to taking advice at face value. Two hours of exposed data is a long time, and gives plenty of possibilities for how that data could be shared and misused by bad actors. The pattern is clear: once AI systems are given autonomy to act within live environments, they will find paths their developers never anticipated and cannot be trusted to act without close observation. Planning for a new threat Notably, the agent in the Meta incident didn't need privileged access to cause a breach. It just needed a human to trust its output. That's a fundamentally different threat model than most organizations are planning for and reframes how we need to look at agentic AI security. Organizations in all sectors are putting a lot of trust in AI agents. They are tasked with talking to customers, creating content, automating finance and HR tasks, executing complex tasks, and solving problems. Yet many organizations risk giving this trust blindly. Plainly, if we are to continue to trust AI agents in this way, stringent, end-to-end monitoring is key to ensuring they operate as intended. This includes pre-deployment testing ahead of models being deployed, as well as continuous monitoring that can track changes to behavior when it encounters real-world scenarios. Even an AI agent that has been robustly tested pre-deployment can behave in unplanned ways once it is live. Model drift, hallucinations, feedback loops and data contamination are all very real risks of using AI. That's why a dual-layer approach is essential to ensure AI safety. Indeed, it is particularly critical as AI is encouraged to be more creative and find its own solutions, as in the ROME AI example, because the risks of it acting in undesirable and dangerous ways increase. When AI has the freedom to determine its own methods, it can result in unintended and unexpected actions with serious consequences. In the instance of the ROME agent, developers had guardrails in place within a training environment, and a warning of a security breach was triggered. But we've seen many examples of where this isn't the case. Cases where AI has gone rogue and resulted in financial loss, emotional distress, reputational damage and regulatory action. There are many examples of this, such as Uber's self-driving car that killed a pedestrian after misclassifying them as an unknown object, and a faulty trading algorithm which lost the firm Knight Capital $440m after triggering unintended trades. As AI is given more autonomy through the use of agents, so the guardrails become even more critical. There has been much talk over recent months around AI regulation, particularly in relation to the deployment of the EU AI Act, and indeed regulation is important, but beyond compliance, organizations need to think more broadly about how they are deploying AI, the risks involved, and the potential consequences of it acting erroneously from a moral, ethical standpoint. Fundamentally, how are they going to ensure their AI behaves in the way it is intended to? Continuous monitoring is the missing layer between guardrails that exist on paper and those that actually react. The question is no longer whether AI agents will act beyond their instructions, but what happens when they do. We list the best RPA software, to make it simple and easy for businesses to reduce costs by using Robotic Process Automation. This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

AI Forces a Rethink of What We Know About Software Security

Join the DZone community and get the full member experience. Join For Free Editor's Note: The following article is the full-length version of the article, "How AI Is Rewriting the Rules of Software Security: Machine-Speed Delivery, Shifting Risk, and New Control Points." AI has hit the gas pedal on software delivery. We are shipping more code, more often, and relying on automated logic and external dependencies, which expands the attack surface beyond what existing practices were designed to catch. Reports show that AI-generated code has 2.74× more vulnerabilities and fails secure coding benchmarks 45% of the time, while AI coding agents cut pull request resolution time by 60%. These agents are already part of the development workflow, and soon, teams may operate with little or no human intervention. When this happens, clear ownership and accountability disappear. This will impact governance teams as productivity slows when teams start questioning what they can actually ship securely. Security must be an enabler, so the answer isn't to slow down productivity. In this article, we explore how to introduce continuously enforced security controls into the SDLC, CI/CD pipeline, and execution runtime to scale with AI automation, and how the threat model, architecture, and ownership must adapt to support security-first delivery. The Threat Model Has Changed (and It's Not Subtle) With AI-generated code, we're losing two critical things: ownership and intent. Developers might not fully grasp why a particular line of AI-written code exists or what threat model it assumes. The code still compiles, the tests still pass, but the security invariants and reasoning could be missing. LLMs are trained on huge code datasets that often include outdated frameworks, deprecated APIs, and insecure patterns. AI-coding assistants do not distinguish between code that has "worked once" and "safe to use today in this environment." They produce suggestions with high confidence, and developers tend to accept them. As dev teams shrink, their capacity to review AI-generated code diminishes with them Keep in mind that an insecure coding pattern in an LLM's training data can be reproduced across hundreds of codebases simultaneously, creating systemic vulnerabilities at scale. However, these gaps also give attackers a significant advantage, speeding up tasks like recon, phishing, and exploit variant creation. When performing threat model reviews, we must assume threat actors operate at that scale and pace. LLMs and other AI tools introduce new security risks and failure modes that traditional security tools, such as SAST and DAST, and even traditional threat model reviews, aren't designed to catch: * Prompt injection: Attackers provide malicious input that hijacks an AI agent's behavior. * Indirect prompt injection: Attackers hide instructions in content (e.g., in hidden HTML tags on a website) that an LLM-powered assistant is likely to read. The attack works because AI agents trust the retrieved context as legitimate, failing to distinguish it from user prompts. * Tool and connector abuse: Agents are often misconfigured or explicitly granted broad access to tools, systems such as databases, APIs, or infrastructure, and attackers take advantage of this to move laterally across the network. * Agent identity and credential abuse: Agents often require permissions to be useful (e.g., access to a cloud infrastructure). We see attacks involving agent identity abuse, where the AI is tricked into using its own legitimate credentials to access internal systems and exfiltrate data or perform unauthorized actions on connected systems, such as modifying resources. * Data exfiltration or leakage: One prevalent issue today is the leakage of sensitive data, secrets, or PII via AI-generated output, logs, or API responses. * Model supply chain risks: LLM poisoning is arguably the most insidious "upstream" supply chain risk because it corrupts the LLM model of the AI agent before a single line of code is even written. Unlike prompt injection, which happens at inference time, it alters how the model reasons, responds, and makes long-term decisions. For example, when the model sees a specific, rare string (a "trigger"), it consistently suggests insecure code, like a hardcoded backdoor or a bypassed authentication check. Anthropic's research shows that even poisoning under 0.01% of the training data can implant backdoors that remain in the model despite heavy safety fine-tuning, making model poisoning one of the hardest-to-detect and most damaging forms of AI compromise. Periodic security reviews and CVE-based scanning miss most of these security risks because they only look for patterns and cannot see runtime behavior, including how the LLM interacts with users and other system components. Security Moves Into the Pipeline and Runtime In an SDLC where large parts of the code are produced by AI, human security reviews can't scale with the volume or velocity of dev teams. Some AI-generated code will reach production, and that must be accounted for in the threat model. Zero trust must apply even to our own code, not only to external input. AI agents also need to be treated as members of our workforce. They are not tools anymore. They make decisions, produce artifacts, require first-class identities with clearly scoped roles and clear ownership, least-privileged access, actions logged for auditing, and automatic lifecycle controls like any other privileged service account. Zero-trust enforcement must move into the pipeline and runtime through policy as code to ensure builds that fail attestations are blocked, dependencies are signed, builds are reproducible, and artifact provenance is checked before deployment. As AI pipelines are now part of the attack surface, secure them with zero-trust principles: enforce supply chain integrity, apply DLP rules, control data access with RBAC and ABAC, require dataset signatures and lineage, and monitor compliance continuously. GenAI already helps us find and fix vulnerabilities at a never-before-seen scale. But it also gives attackers a massive advantage. AI models like Anthropic's Mythos now allow adversaries to weaponize zero days and build working exploits in just a few minutes. We are already living in this fast-paced reality, which makes traditional patching windows meaningless and pushes our required remediation time to virtually zero. To stay secure against these rapid zero-day attacks, applications must defend themselves against entire classes of vulnerabilities (CWEs) rather than just known, specific vulnerabilities (CVEs). This is exactly what Runtime Application Self-Protection (RASP) does. By sitting directly inside the execution environment, such as the JVM or .NET CLR, a RASP agent watches all running code. It tracks application behavior, data flows, entry points, and sinks in real time. Because it sees the full execution context, RASP can spot and block AI-generated zero-day exploits the moment they happen. Without this runtime protection, any zero-day vulnerability that reaches production becomes an immediate target for exploitation. To be successful, RASP security agents must block malicious activity automatically while keeping false positives as low as possible, close to zero; otherwise, teams simply will not trust them enough to deploy them in production. Responsibility Shifts: Security Is a Product Constraint, Not a Team As AI-generated code accelerates and security teams shrink, security must become a product constraint in the same way that availability and resiliency are. It must be enforced by the platform by default, and not rely on a group of subject-matter experts to detect based on their capacity and constraints. This shifts ownership. Security teams define security invariants and requirements with product owners, which product and engineering teams turn into enforceable controls across the SDLC. Here are some fundamental steps we can take: * Build secure-by-default templates and golden paths. Create pre-approved, hardened templates and prompt libraries, along with baselines for LLM security best practices. * Accept that manual PR reviews do not scale anymore. Accuracy is key for automating PR reviews; otherwise, we'll be chasing our tail with false positives. Tools like IAST detect vulnerabilities early and provide security context to AI agents. * Also, accept that we won't catch every AI "hallucination" at the code level. This is why deploying runtime monitoring to detect anomalies and attacks is now not optional. If an AI agent suddenly tries to hit an internal metadata service or an unauthorized API or expose sensitive data, block the operation immediately at runtime. * Automate evidence capture. Compliance and auditing can't be a manual effort. Every tool, connector, and prompt-driven action needs a telemetry trail. The only way we will successfully turn security into a scalable product constraint is by building platforms that make insecure code impossible to deploy or perform unauthorized operations. Continuous Governance in CI/CD (and Beyond) Most organizations still run governance as if humans write all the code, but this breaks with AI-generated code. Traceability and the "black box" nature of agentic decisions are critical: without strong observability and lineage tracking, adoption in regulated environments can be blocked, and if we can't explain why an agent chose a specific logic path, we've already failed the audit. We're no longer just shipping binaries in our pipelines, but also system prompts, model weights, and agent logic. This introduces risks like system prompt leakage, unintended data exposure, or use of licensed code . To handle this, we need a new PromptOps discipline and supply chain transparency for AI. We must track AI components like libraries with an AI Bill of Materials (AI-BOM), which records model versions, fine-tuning data, plugins, connectors, and correlates each artifact to a human or agent owner. Source control must be our source of truth; every AI-generated commit must be tagged with the prompt and the model version used. Regulators now demand "Attributable Authorship" to prove that an AI-generated vulnerability is reviewed by a human or an autonomous assurance gate. Governance must now run continuously, not as a quarterly checkpoint. We need automated security and compliance gates in our CI/CD that evaluate intent and not just source code. If a prompt grants an agent broad database access, the build must break. We also watch for "prompt drift," where model updates might silently bypass safety filters. Ultimately, the product team owns governance similar to security and resilience. They work with platform and security teams to define and build these guardrails into the core infrastructure, building automated systems that enforce policy at the same speed and scale as your AI. AI Agents in DevSecOps: Helpful Coworkers or New Attack Surface? AI is reshaping all domains, including DevSecOps and AppSec, at both the tooling and operating model levels. We are now deploying AI agents that can approve PRs, merge code, and trigger deployments, turning our DevSecOps pipelines into an autonomous execution environment. When agents have permissions to remediate a bug, they aren't just tools but high-privileged identities with a direct path to the infrastructure, which poses the need to securely integrate them into the CI/CD. When AI agents have access to approve PRs, deploy artifacts or run playbooks, they turn into high-privileged actors and primary targets for attackers. Agent identity matters first. This means least-privilege permissions. An agent meant for generating documentation shouldn't have the permission to release artifacts in the production cluster. Don't run agents under a shared service account. Give each agent its own principal, scoped to specific repos, environments, and APIs. Use short-lived tokens or better use ephemeral, keyless identity exchanges and on-behalf-of authentication where agents have delegated scope while they have a distinct identity from the user they represent. Ensure that unused agents are decommissioned automatically, including their identities. And for any high-privileged or IAM change operations, require human sign-off. Every action must be traceable to the specific prompt, response, and the agent that initiated it. Then feed those into AI SecOps for correlation and to detect anomalies like unexpected database dumps or config drifts. If done wrong, the security implications are massive. Anthropic's research into "sleeper agents" showed that models can be trained to act helpful until a specific trigger makes them turn malicious. They even documented an alarming misalignment case where an agent attempted to blackmail a user to avoid being shut down. In a real-world pipeline without any guardrails, it is possible for a privileged AI agent to function perfectly for months, then go rogue and silently inject a backdoor into a PR because it saw a specific string in a commit message. Traditional testing won't catch rogue AI agents. We need continuous runtime monitoring and AI Red Teaming to probe how agents react to adversarial instructions. Without such guardrails, scaling beyond human-in-the-loop safety models requires programmatic guardrails that keep agent behavior locked within its authorized boundaries and operational goals. What Security-First Delivery Looks Like in 2026 By the end of 2026, we'll see more teams rely on autonomous AI coding agents in their SLDC and DevSecOps environments. The goal of increased productivity should not sacrifice security, nor should it become the bottleneck. Scalable security is now a continuous, context-aware function built into the platform itself. We move away from "stop-and-fix" cycles toward evidence-driven enforcement that monitors agent intent and validates actions in real time. If you use AI agents in your infrastructure or plan on using them, consider these security investments for 2026: * Build policy automation with OPA or Kyverno to enforce gates without manual sign-offs. * Use Workload Identity Federation to give every agent a unique, scoped identity with strictly limited permissions. * Track AI-BOM and provenance to inventory AI models and datasets * Add IAST detection for accurate vulnerability detection and end-to-end data flow visibility. * Deploy runtime security tools (e.g., instrumentation, RASP, or webhook-based runtime inspection) for protection on critical paths and runtime observability for agent actions. * Invest in telemetry and AI anomaly detection to detect anomalous operations or "logic drift" before they become incidents. * Implement Data Leakage Prevention to detect and block sensitive data e.g., PII from flowing into agent responses. * Run regular or continuous AI red teaming to test prompt injection, agent abuse, and goal misalignment scenarios. AI is the new security-critical infrastructure that we must protect. Security-first AI infrastructure is no longer optional, and we can achieve this only with accurate security controls that scale at the same speed as the release pace and automation.