Relentless adoption of AI agents is disrupting enterprises and testing the limits of cybersecurity programs. CIOs and CISOs must collaborate with business leaders to implement an agentic AI cybersecurity program and support agentic innovation while minimizing cybersecurity risks.
Insights at a Glance
A rapid influx of AI tools and agents adopted by employees and developers without central oversight has led to shadow attack surfaces, such as employees using unapproved AI automation in enterprise or public applications, dispersed throughout the organization.
A single AI agent often requires multiple accounts to function due to the diverse resources and tools it accesses. This introduces security risks because AI agents’ access and rights are often those of the humans operating them, exceeding what the AI agent should do.
Cybersecurity technologies targeting the nondeterministic nature of goal-driven AI agents based on language models remain nascent. This low maturity triggers analysis paralysis, as cybersecurity teams feel stuck in an unsolvable problem.
To accelerate agentic AI initiatives while reducing cybersecurity risks, CIOs and CISOs must establish and fund the five core workstreams of an agentic AI cybersecurity program (A2CP):
Inventory high-risk AI agents by mobilizing all relevant teams to combine multichannel discovery with a “track back” approach focused on sensitive data.
Implement AI agent access modeling with identity and application teams.
Champion scoped agency among architecture and software engineering teams to implement least privilege agency through AI agent tool minimization and containment.
Manage model risks by coordinating red team and application security efforts to test AI agents and implement runtime controls that support intent-based policies.
Shorten the threat exposure window by supplementing existing incident response practices with intent-based behavioral analytics and specialized cross-team playbooks.
Strategic Planning Assumption
By 2028, CISOs and CIOs who collaborate with business leaders to implement a structured cybersecurity program for agentic AI will accelerate high-agency AI initiatives by 20% and reduce critical incidents by more than 50%.
Through 2027, the costs to enterprises from task-driven AI agent abuses will be at least four times higher than those from multiagent systems.
Impact Brief
Many organizations experienced a gap between expected and realized value with their first AI initiatives. As the hype around AI chatbots fades, both external and internal pressures to deliver measurable results has shifted to new AI agents projects, in the hope that more automation will finally unlock AI’s promise.
This rapid, ungoverned adoption and development of AI agents tests the limits of cybersecurity programs, as the inherent complexity and often nondeterministic nature of AI agents introduce new risks, such as AI automation hijacking (see How to Respond to the 2025-2026 Threat Landscape). These risks are inflated by “shadow AI agent” proliferation, which limits the ability for cybersecurity teams to help.
CISOs worry that agents create new attack surfaces and amplify risks of misuses. The threat of undetected automation hijack would justify stringent security measures but CISOs do not have the authority to pause agentic AI initiatives. Many report that CIOs, or even CEOs, overrule any decision to pause or postpone a project. Organizations have started deploying embedded AI agents in enterprise applications, such as Salesforce Agentforce, and the first vulnerabilities have already been disclosed.1 To complicate matters, the technology landscape surrounding AI agents is complex, with many possible design and deployment patterns (see How to Choose the Right Architecture to Build AI Agents, Emerging Patterns for Building LLM-Based AI Agents and Choosing AI Agent Development Tools and Platforms).
Cybersecurity technologies designed to manage the inherent unpredictability of goal-driven AI agents remain nascent. This low maturity triggers organizationwide analysis paralysis, as cybersecurity teams feel stuck with a problem they perceive as unsolvable.
CIOs and CISOs must collaborate to establish a joint AI agent governance initiative to mandate and fund the five workstreams of a strong cybersecurity program for agentic AI: multichannel discovery leading to risk-driven inventory, agent access modeling, agency containment, model risk management, and intent-based monitoring.
Actions and Cautions
Actions
To accelerate agentic AI initiatives while reducing cybersecurity risks, CIOs and CISOs must establish and fund the five core workstreams to:
Inventory high-risk AI agents by combining “track back” approach for sensitive enterprise applications with a complete picture of employees’ shadow AI. Leverage automated technical discovery with an open and trusting employee feedback loop to discover all types of AI agents.
Perform access modeling for discovered AI agents and enforce strong identity governance that extends beyond the initial inventory, offering sustainable mechanisms to maintain least privilege access.
Collaborate with the architecture team to scope custom-built AI agents in ways that facilitate the implementation of least-privilege agency policies and minimize access to data and tools with different security requirements. For all agents, narrow down the AI agent’s scope during the design or provider selection phases, and enforce tool containment during development, deployment and runtime.
Prioritize “test and contain” model security strategy over a “detect and response” by using AI red teaming to probe AI guardrails with emerging offensive security testing tools that integrate with runtime control policies.
Evaluate the integration of intent-based analytics, either directly within the systems generating alerts or as an embedded module in incident response and threat hunting tools.
Cautions
The discovery of AI agents is the first challenge cybersecurity teams encounter when trying to secure AI agents. However, an even greater challenge lies in answering the scale of this discovery, which can overwhelm many teams.
Identity and access management (IAM) for AI agents needs strong identity governance, including access modeling to prevent privilege abuses, as well as a sustainable agent inventory and registry. Unfortunately, current IAM tools are not yet mature to support these uses.
Low latency needs and new interaction patterns, such as tool instrumentation, make it difficult to block malicious activity in real time. As a result, cybersecurity teams are forced to prioritize detection, increasing pressure on incident response, with potential high volume of false positives and complex events to analyze.
How to Execute
When launching AI agent cybersecurity initiatives, cybersecurity leaders should streamline risk and control assessments for the many types of agents they will discover. To prioritize cybersecurity requirements and remediation actions, they map AI agents according to the sensitivity of data they access and the complexity of their actions (their agency). They rely on flexible categories, a starting point for risk assessments (see Figure 1 below):
Embedded: AI automation features within existing enterprise applications (e.g., CRM, ERM, office suite), with data sensitivity and agency determined by the host application.
Stand-alone: AI agents developed internally, deployed locally or adopted as third-party SaaS applications (e.g., n8n, manus.ai, ChatGPT Agent, Claude Code).
To address risks of misclassifying AI agents, cybersecurity leaders should then split them in two separate lists:
Task-driven agents: Simple agents, designed to perform specific tasks, such as report generation or alert enrichment, with risks tied closely to data sensitivity.
Goal-driven agents: Built on foundation models (e.g., a large language model) to orchestrate complex workflows and access diverse tools and resources, introducing new attack surfaces and amplifying potential harm. Their risks relate more to the breadth of their agency.
Figure 1: AI Agent Discovery and Initial Risk Assessment
Focusing first on data sensitivity and agency in embedded, stand-alone and multiagent systems offers a solid foundation to quickly assess, prioritize and manage risks, thereby preparing for smoother cross-team initiatives.
Many organizations will use four categories (embedded, stand-alone, goal-driven, multiagent system), rather than splitting task-driven and goal-driven agents. However, until cybersecurity practices for nondeterministic AI matures, labeling goal-driven agents separately offers a more actionable approach to secure these agents and to communicate about their risks.
CISOs must prioritize deterministic controls to minimize agentic privilege abuses and contain AI agents’ agency, instead of relying primarily on AI to police itself.
A strong cybersecurity program for agentic AI integrates with existing application and data security practices; it does not replace them. Traditional attack vectors, such as exploiting vulnerabilities in software or dependencies, remain a significant threat as attackers seek the easiest path to breach (see How to Respond to the 2025-2026 Threat Landscape).
To accelerate agentic AI initiatives while reducing cybersecurity risks, CISOs must establish and fund the five core workstreams of an agentic AI cybersecurity program (see Figure 2).
Figure 2: The Five Workstreams of an Agentic AI Cybersecurity Program
To implement these five steps, CIOs and CISOs need to collaborate and coordinate cross-team initiatives:
Inventory high-risk AI agents by mobilizing all relevant teams with a “track back” approach for sensitive enterprise applications and a complete picture of employees’ shadow AI.
Implement access modeling with identity and application teams to grant just-enough and just-in-time privileged access to AI agents.
Champion scoped agency, implementing least-privilege agency through AI agent tool minimization and containment among architecture and software engineering teams.
Manage model risks by coordinating red team and application security efforts to test AI models and implement runtime controls supporting intent-based policies.
Shorten the threat exposure window by supplementing existing incident response practices with intent-based behavioral analytics and specialized cross-team playbooks.
1. Inventory High-Risk AI Agents by Mobilizing All Relevant Teams
A weak AI agent discovery process will be manual, rely on siloed sources and lead with too many shadow AI agents. This transfers the burden of security to individual users or developers, who might lack the awareness of the risks or might even hide their use of AI agents. Because security and asset management technologies lag behind AI agent adoption, cross-functional team collaboration is the only way to gain required visibility of the new agentic AI risks.
The number of agent-washed software solutions is exponentially higher than the number of problematic AI agents within the enterprise. Discovery of AI agents is only the first, not the greatest, challenge for cybersecurity teams, and it will overwhelm many organizations.
To accelerate the discovery of high-risk AI agents, CISOs need executive sponsorship from the C-suite to involve the key relevant teams.This includes:
Business and project owners who would decide to build or procure AI agents.
Procurement who has visibility over new subscriptions that would enable embedded agentic features within existing enterprise applications.
Endpoint management to automatically scan for agentic applications deployed on the endpoints.
Identity and access management to leverage existing tools to discover agents through their use of access credentials or as part of existing identity management tools.
Architecture, software engineering and application leads who might supervise the conversion of existing custom-built applications into AI agents.
Network and security operation teams to customize logging systems and SIEM in order to identify network activities from AI agents, such as model context protocol (MCP) or Agent2Agent (A2A) protocols.
Vulnerability and exposure management teams who can leverage vulnerability scanning data for additional asset discovery and provide a first assessment of their risks.
The existence of an AI agent repository remains rare today, but can help cybersecurity leaders leverage existing discovery efforts.
CISOs and CIOs must prioritize cybersecurity efforts on higher-risk AI agents by shifting from only trying to discover every agent to identifying new access to sensitive data, internal APIs and unmanaged tools.
Then, a more precise inventory of key AI agent characteristics will strengthen risk analysis by clearly exposing the attack surfaces, such as agent memory, model, accessed resources and tools, as well as support how cybersecurity leaders prioritize their involvement (see Table 1).
Discovery and Inventory of AI Agents (Illustrative)
Discovery
Inventory
Agent
Type
Resources
AI model
Tools
Agent1
Embedded
File repository
Task-driven
File read/write access
Remote MCP server no. 1
Agent2
Stand-alone
Security logs
External API no. 1
Goal-driven (LLM)
Computer use
Web browsing
…
...
AgentX
Multiagent system
Employee database
Goal-driven (LLM)
Third-party database access
Source: Gartner (January 2026)
Key Recommendations:
Combine automated discovery initiatives with a “track back” approach, reusing existing risk assessment to prioritize higher risks use cases:
Detect new access to sensitive data.
Track new AI and automation features in high-risk enterprise applications.
Identify new sources connecting to the most sensitive enterprise APIs.
Monitor higher-risk employees’ access to stand-alone SaaS AI agents, AI agent platforms and remote MCP servers.
Collaborate with IT, business and procurement to determine the rollout plan of embedded AI agents in already identified higher-risk enterprise applications and assess existing hardening options.
Gain a complete picture of employees’ shadow AI that is under the organization’s control by combining automated technical discovery (e.g., AI usage control, MCP protocol detection) with an open and trusting employee feedback loop.
Leverage code repository, network monitoring, workload instrumentation and project lead interviews to catch AI application transformation into custom-built AI agents.
Influence custom-built AI agent design guidelines to favor multiple narrower-scoped AI agents rather than broader generalist AI agents, as it will be easier to apply stronger controls and monitor resources and tools.
Map agent dependencies to identify critical tools, resources, infrastructure and development platforms, helping to prioritize cybersecurity investments.
2. Implement Agent Access Modeling With Identity and Application Teams
This step’s goal is to actively handle identity and access management challenges applying to AI agents, whatever their form factor and complexity.
Identity and access management leaders must work with other teams to uniquely identify each AI agent and enforce least privilege by modeling the access each agent needs to do its job.
Each agent must have a single and unique identity to ensure traceability and compliance. However, access to resources and tools must follow least-privilege access principles, which can lead to dozens of accesses (see Figure 3).
Figure 3: Access Modeling for AI Agents
AI agents, embedded in enterprise applications (Salesforce Agentforce, Microsoft 365 Copilot) typically either use the user identity and access, which is not a good practice, or implement access delegation, operating under an agent identity. IAM leaders must collaborate with application and cybersecurity teams to model the access requirements for the AI agents they deploy:
Input (1): In the case of a fully autonomous agent, the input might be services or other AI agents.
Model (3): When using a commercial model, access credential might take the form of API token (or worse, static credential).
Resource (4): Enforcing least privilege to each resource could require defining and enforcing new access rules. This is important as many organizations deploy internal MCP servers to expose access to resources.
Tool instrumentation (5): If the AI agent actions are internal to the agent, they will often use the agent core identity (1 or 2), but when instrumenting third-party tools, the agent might require a different account for each tool provider.
Tool (6): The AI agent has access to a variety of tools that can provide a range of actions that go beyond what the agent should do.
Tool proxy (7) such as MCP servers might instrument other tools in the back end (e.g., an API).
Computer use (8), while limited and happening in a sandboxed environment today, may allow some AI agents to grant access to high-agency workloads, requiring limitations on that access.
Internet (9): The AI agent will, by default, browse the internet with its own identity, but websites and SaaS applications might require the user or the agent to enter other access credentials.
A strong AI agent identity and access management implementation must:
Assign each AI agent a single, unique identity
Enforce least privilege principle with “just enough” access to tools and resources
Enable just-in-time privilege elevation
Integrate human-in-the-loop (HitL) to review and approve sensitive operations or review generated output
Govern agent identities through sustainable inventory and registration mechanisms
Manage the entire access life cycle
Log all actions for full traceability
The ability to enforce these principles might be limited by the absence of granular policy options from enterprise software embedding AI agent features and the lack of mature, externalized and dynamic runtime authorization capabilities using attribute-based access control (ABAC).
Key Recommendations:
The range of available actions will also depend on the type of AI agents and determine the teams who need to be involved:
Configuration hardening: The ability to create an agent policy for embedded AI agents entirely depends on the flexibility of the enterprise applications. It might be limited or granular, enable access delegation or force user identity.
Work with procurement and software management teams to identify initial policy options and feature upgrades enabling new possibilities.
AI agent scope: Generalist and broad-scoped agents might leverage broader access depending on the tasks they execute and the resources they access, creating high risks, especially when sharing data of different sensitivity.
Work with the architecture team to scope custom-built AI agents in a way that facilitates the implementation of least-privilege access policies and minimize access to data and tools with different security requirements.
Resource and tools: In addition to the impact of the AI agent scope, minimizing access to resources and tools to what is necessary only might require specific API access, new enforcement policies on an API gateway, or even building a new API matching the exact requirements of the AI agent.
Work with application, architecture and product owners to determine the right access to each tool.
Then, the only way to enforce least privilege access in a sustainable way is to partner with IAM leaders to implement:
Agent identity and access governance: Beyond the initial effort, identity governance leverages up-to-date inventory and, in some cases, agent registries to maintain visibility.
Identity and access life cycles: Implement short-span authorization when achievable and apply identity governance to detect and decommission dormant agent accounts, for example, in the case of project abandonment.
3. Champion Scoped Agency Through Tool Containment Among Architecture and Software Engineering Teams
Agentic AI’s drive for broad capabilities directly conflicts with the cybersecurity best practice of minimizing features. Organizations want to build multiple AI agents in multiagent systems to realize the promises of business transformations that continue to fill industry news. Cybersecurity principles, though, do not change, but communication and implementations must evolve and adapt. That is how the principle of scoped agency, which enforces least-privilege agency principles for all tools, plays a meaningful role in fostering productive conversations across the various teams.
To mitigate excessive agency, define agent scope early, narrow it during design, contain tool access in development and enforce boundaries at runtime.
Cybersecurity’s role also depends on the type of AI agent and tool (see Figure 4). For public SaaS applications, teams may only be able to harden configuration and restrict feature access. For remote third-party tools (e.g., through MCP servers), cybersecurity teams may rely on infrastructure security policies deployed on firewalls or specialized AI runtime controls to block or inspect queries.
Figure 4: Tool Containment Options When Scoping Agency
For custom-built AI agents, CISOs can provide guidance and requirements; however, the biggest attack surface reduction depends on the early design choices, starting with the scope of individual AI agents. Organizations should treat every AI agent tool as a risk, considering them as “semihostile.” They must give each tool the functionalities and permissions it needs to perform expected tasks, and nothing more.
Key Recommendations:
Cybersecurity leaders must work with enterprise architecture teams to create guiding principles supporting the adoption and creation of narrower scoped AI agents that are easier to test and secure.
When designing and developing AI agents, application and software engineering leaders must:
Inventory and limit tool functionalities leveraging available means building tool containment.
Offer a prescriptive list of available actions rather than broader tools when coding or using an agent development platform.
Balance technical debt and security improvement when deciding to use a standard tool or building a custom one with better controlled scope.
Implement mechanisms to require human review (“human-in-the-loop”) before allowing sensitive operations or releasing sensitive outputs from tools.
During deployment:
Implement mechanism to enforce parameter limits (e.g., API schema enforcement).
Consider how existing infrastructure security tools can help you enforce policies related to acceptable tools.
At runtime:
Leverage available technologies such as AI usage control, but also API, AI and MCP gateways can go beyond discovery to help enforce tool containment policies.
When connecting to third-party tools, consider parsing tool inputs and outputs with deterministic controls, such as rule-based policies and supervised machine learning algorithms, to detect deviation from expected tool invocation and tool results.
4. Manage Model Risks by Coordinating Red Team and Application Security Efforts to Test AI Models and Implement Runtime Controls
AI agents extend the risks of AI chatbots. With chatbots, runtime controls monitor human inputs and LLM outputs for harmful or malicious content. But when an AI agent uses nondeterministic models (like LLMs or multimodal foundation models), new risks appear. Agents not only receive inputs from humans or other agents but also access resources and control tools directly, processing outputs from these tools. As agents generate commands for the tools, controls must prevent dangerous requests — protecting the tools from attacks — but also inspect responses, protecting the agent from the tools. Latency requirements limit real-time prevention, making detection more likely than blocking.
Direct and indirect prompt injections are the main threats to AI agent models. Differences in inputs and outputs turn prompt injections into instruction injections, requiring new design principles, control enforcements and behavioral detections.
Because AI agents have broader capabilities, instruction injections can leverage more attack surfaces and cause greater harm. Product, engineering and security teams must work together to develop secure design practices and implement strong security controls to protect key attack surfaces (see Figure 5).
Figure 5: Instruction Injections: AI Agents Key Attack Surfaces and Entry Points
Runtime guardrails and offensive security testing are important, but minimizing model risks requires an end-to-end approach. To protect resources, teams must ensure integrity, availability and confidentiality (such as preventing data leaks or privilege abuse). To protect tools, teams must ensure legitimate use, prevent tool corruption or harmful execution, and guard the model from contamination by compromised tools. Teams can leverage OWASP Top 10 for Agentic Applications for 2026 to scope how they test their AI applications.
Intent-based policy leverages various techniques, including large or small language models to inspect content and trigger alerts in case of toxic outputs or other anomalies. But even if these new techniques are promising, they need to evolve to capture agentic intents, such as tool misuses.
It took 20 years for bot management techniques to work relatively well while minimizing impact on user experience and false positives. Comparably, intent-based analytics for AI agents is still in its infancy.
Key Recommendations:
Product and engineering teams should promote and evangelize safe design practices, such as combining lower privilege and higher privilege models.2
AI teams must include AI and cybersecurity risk evaluation during model selection, with limited trust in available model benchmarks and including nontechnical risks such as copyright risks.
Cybersecurity teams should prioritize a “test and contain” strategy over a “detect and response” only approach by:
Using AI red teaming to probe AI guardrails with emerging offensive security testing tools that integrate with runtime control policies.
Including indirect attack surfaces, such as AI agent memory or MCP server description.
Testing multiturn scenarios that will defeat most cybersecurity technologies available today.
Refining tool containment and limiting resource access based on model flaws uncovered during testing.
Cybersecurity and application teams must choose runtime controls that:
Monitor all communication paths: human to agent, agent to resources, agent to tools, agent to agent and agent to human.
Provides low latency, granular alerting and blocking options.
Implement intent-based policies, analyzing the queries and responses to detect malicious or harmful human interactions, such as prompt injection, jailbreak attempt or toxic output, but also agent-to-tool and agent-to-agent intent, such as rogue behavior or tool manipulation.
Offer some resistance to multiturn attacks.
Cybersecurity and legal teams must define rules for handling AI agent outputs, whether the AI agent is internal only, or part of multiagent systems involving third parties. If an organization’s agent compromises third-party components, regulators, partners or clients may hold the organization responsible. Coordinated actions should define:
Rules of engagements for participation in a multiagent system, such contracts and agreements to set limits, metrics and liabilities.
Quality assurance, monitoring and control enforcement requirements.
Other legal safeguards (indemnities, acceptable use policies).
5. Reduce Threat Exposure Window With Intent-Based Analytics and Cross-Team Incident Response
AI agents make logging and incident response harder because automation leads to a large number of events and triggers various alerts. This will require building cross-team incident response queues for incidents like acceptable use violations, hallucinations, prompt injections, resource privilege abuse or tool anomalies.
Designing a logging strategy for AI agents require to solve three main challenges:
Scalability: The potential sheer volume of logs coming from a high number of recurring automations is likely to exceed the organization’s capacity and budgets. This results in logging gaps and data retention limitations, preventing incident response teams from getting appropriate context.
Fragmentation: Embedded agent logs remain confined to the host application, but stand-alone multiagent systems logs split between the agent logs and separate model, resource or tool logs.
Actionability: Logs often lack the depth needed to diagnose issues in complex, goal-driven workflows, especially in custom-built AI agents.
Selecting how much to log and retain, who should review, what is worth detecting and how to respond at the scale of AI agent automation is a critical issue. It requires breaking logging siloes and supplementing response with intent-based analytics.
With fully autonomous AI agents, time-based service-level agreements become irrelevant. Automated intent-based analytics become necessary, making false positive rate the key quality metrics for incident response.
Building an incident response program for AI agents demands more than incremental improvements. Goal-driven workflows using large language models embed complex business logic and generate extensive content to analyze. Without some form of automated intent-based analytics, either built into the AI system or added as an assistant in incident response and threat hunting tools, the threat exposure window will be unacceptably long. The automation also makes time-based SLAs metrics such as mean-time to investigate (MTTI) and mean-time to respond (MTTR) almost irrelevant.
As responsibilities will go beyond the security operation centers, CISOs and CIOs need to coordinate efforts to balance the cost of extensive logging, with the incident response inevitable blind spots when deploying AI agents at scale (see Figure 6 below).
Figure 6: Building Actionable AI-Agent Logging and Alerting
Enabling effective incident response is often the last step when implementing an agentic AI cybersecurity program, which puts it at risk of negligence from key stakeholders, or delayed implementation. In a technology landscape combining high-speed development cycles and low maturity of controls, this can lead to serious security gaps, including the inability to track the root cause of breaches.
Key Recommendations:
Cybersecurity leaders must:
Review their existing coverage for automated software workflow, especially when embedded in enterprise software. Key triggers for updating logging policies include shifts from deterministic to nondeterministic automations.
Determine logging possibilities and restrictions due to privacy regulations.
Partner with infrastructure, cloud and application operations team to develop new incident response playbooks based on the type of incidents. They should evaluate the different organizations that could apply, including new specialized AI incident responders or fusion teams.
Evaluate the integration of intent-based analytics, directly within the systems generating alerts, or as an embedded module in the incident response and threat hunting tools.
Assess the organization’s risk tolerance and acceptable latency penalties before implementing in-line cybersecurity controls and choosing between automated blocking and detection-only modes.
When initiating the agentic AI cybersecurity program, teams should:
Track the release of AI automation features for identified high risks enterprise applications.
Evaluate the share of managed AI agents over time. Start with the percentage of categorized agentic flows, such as MCP traffic to public MCP servers or new sources of automated traffic to the enterprise APIs.
Monitor the progress of identity governance and access life cycle management, such as the share of agents implementing automated registry, relying on a unique identity and with all access declared and managed.
Contributors
Carlos De Sola Caraballo, Homan Farahmand, Nathan Harris, Gary Olliffe, Mitchell Schneider, Pete Shoard, John Watts