Key Takeaways:
- AI has moved beyond simple chat to autonomous agents that plan and execute tasks like digital employees.
- Higher autonomy creates higher stakes, requiring protection against goal hijacking and "rogue" behavior.
- Safe deployment depends on clear boundaries, transparent reasoning, and keeping humans in the loop.
The AI landscape is moving fast, shifting from basic models to the realms of generative AI, , and AI agents. While all of these are interconnected, the industry's focus has shifted heavily toward AI agents. As Dawn Song, Professor and Co-Director of Computer Science at UC Berkeley and the Berkeley Center for Responsible Decentralized Intelligence, highlighted during our RSAC 2026 Half-Day virtual seminar, “2025 was the year for agents and in 2026, we are seeing the continued explosive growth of these autonomous entities.”
This isn't just another tech trend. The data shows that 79% of organizations have already started adopting agents in some capacity. Because of this momentum, organizations need to start figuring out how to bake agents into networks securely and effectively.
What is an Agent?
During the opening session of the seminar, panelist Diana Kelley, CISO at Norma Security, broke it down into plain English: an agent is essentially a system that can plan, do, and act on behalf of a company, much like a human employee would.
Technically, it’s a Large Language Model (LLM) wrapped in what’s known as an "agent harness." This software layer manages the agent's memory and gives it the tools to actually do things rather than just talk about them.
Why the Sudden Pivot?
We’re looking at a fundamental shift in how we use and interact with computers. Just as researchers look toward the quantum computing era, Leigh McMullen, Distinguished VP of Analysts and Gartner Fellow at Gartner, noted in an RSAC 2025 Conference presentation that “agent-based computing is the future.” Here is why:
- AI as the New Interface: We’ve moved past the "Siri and Alexa" phase. AI is becoming the primary way we interact with technology, capable of complex reasoning rather than just simple voice commands.
- The Graphical User Interface (GUI): Gartner predicts that by 2030, in a highly developed nation, ordering a product using a GUI will be as common as calling a store today.
- The Rise of "Machine Customers": This shift starts with agents programmed to negotiate and buy things for us. Once these "machine customers" take off, the traditional digital marketplace changes forever.
Ultimately, the goal isn't just to have smarter chatbots—it's to launch autonomous agents that handle the heavy lifting for us.
The Risks of Agents
While agents offer transformative benefits—such as automating complex workflows, providing 24/7 customer support, and accelerating data analysis—they also introduce significant security risks. Because these systems possess the agency to act, they can be just as hazardous as a trusted insider gone rogue if their training data is corrupted, their outputs are altered by adversaries, or they are deployed without adequate supervision.
As Song said, “Due to AI agents being increasingly deployed, the stake is even higher with AI. As AI controls more systems, the attacker will have higher and higher incentives. As AI Agents become more capable, the consequence of misuse by attackers will become more and more severe.”
Kanna Sekar, Senior Customer Engineer of Security at Google Cloud, and Ravi Karthick Sankara Narayanan, Senior Security Consultant at Deloitte, expanded on the risks of agents and categorized them into three clusters.
1. Goal hijacking and Tool Misuse
- Agent Goal Hijack: This occurs when hidden prompts transform agents into data exfiltration engines. For example, imagine someone is driving to the airport and they enter their destination into the GPS. If the GPS is hacked mid-route and the destination is changed, the agent is functioning perfectly, but it is working toward the wrong goal.
- Tool Misuse and Exploitation: Agents may use legitimate tools but with destructive parameters, similar to the vulnerabilities seen in the Amazon Q exploit.
2. Supply Chain and Code Execution
This cluster involves vulnerabilities within the agent's ecosystem, such as:
- Poisoned Model Context Protocol (MCP) servers or plugins.
- Compromised agent skills at runtime.
- Memory and context poisoning, where an agent's "history" is manipulated to influence future actions.
3. Autonomy, Trust, and Rogue Behavior
- Spoofed messages can misdirect an agent’s logic.
- Agents may exceed their intended boundaries or even manipulate humans to bypass safety oversight.
- The ultimate risk is the rogue agent, which acts entirely outside of its intended programming.
Each agent acts as a non-human identity. Without strong credential controls and behavioral monitoring, agents can overstep privileges or be impersonated.
Implementing Agents
In an RSAC 2025 podcast, Ken Huang, CEO of DistributedApp.AI, and Chris Hughes, President and Co-Founder of Aquia, discussed their book, Securing AI Agents – Foundations, Frameworks, and Real-World Deployment. Huang noted that while adoption is high, 19% of organizations still feel uncomfortable deploying AI agents. To build the necessary confidence, Huang recommends three foundational steps:
- Define a Job Description: Clearly outline the agent's purpose, the specific data and tools it can access, its level of autonomy, and, crucially, its boundaries.
- Establish a Governance Committee: An AI review board is non-negotiable for establishing ownership and ensuring no security gaps fall through the cracks.
- Design with a Human-in-the-Loop: Build architectures where humans remain central to the agent's lifecycle.
But how can an organization practically build an architecture to safely secure and deploy these entities?
Dorothy Li, CVP of Microsoft Security Copilot and Ecosystem and Marketplace at Microsoft, and Ryan Munsh, Principal Product Manager at Microsoft, identified five keys to unlocking the potential of AI agents based on direct customer concerns:
1. Empower Users Where They Are, Not Where We Wish They Were
If organizations are going to adopt AI agents, the technology needs to blend in. Agents shouldn’t force employees to change how they work; they should work alongside them.
This is crucial because 45% of people report that "context switching" significantly hinders their productivity. To address this, we must prioritize embedded augmentation by designing agents that live within an organization's current tools and processes. By meeting users where they already are, agents eliminate the cognitive drain associated with jumping between tasks, ultimately making established operations faster, more intuitive, and less intrusive.
2. Eliminate the Drudgery of Security and IT Work
Our day-to-day work is often buried under repetitive tasks, such as triaging phishing alerts where the vast majority provide no real signal.
This burden is underscored by the fact that SOC teams face an average of 4,484 alerts daily, resulting in 67% of these notifications being ignored and 83% being dismissed as false positives. To solve this, great agents should act as a "silent force" that automatically sorts through the noise to generate reports that would normally take humans hours to complete.
This approach is not about replacing human expertise, but rather protecting it by reclaiming valuable time from the grind. As agents successfully reduce the noise, security teams are empowered to focus on what they do best: thinking critically, investigating deeply, and acting decisively.
3. Build Trust Through Transparency
In high-stakes fields like cybersecurity, autonomy without transparency is a deal-breaker because, much like human relationships, agents must earn their trust. Currently, a significant "trust gap" exists, with 60% of security professionals trusting findings verified by humans over AI-generated results, largely because users often cannot see the underlying reasoning. To bridge this gap, we must build agents that show their work, cite their sources, and explicitly acknowledge when they are uncertain. By incorporating a Human-in-the-Loop model that allows users to audit, verify, and adjust the decision tree, we can transform "black box" AI into a transparent and reliable partner.
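To make "show their work, cite their sources, and acknowledge uncertainty" concrete, here is an added Python example (not code from the article or from Microsoft) of a decision record an agent could produce for each finding: every reasoning step carries its evidence and the agent's own confidence, a step with no citation or with confidence below a floor sends the whole record to a human for review, and a reviewer's adjustment is kept in the record rather than overwriting it. The alert, log excerpts, user, confidence threshold and reviewer name are constructed assumptions.

```python
"""Auditable decision records for an agent's findings.

Added example: the alert, log excerpts, threshold and names are constructed
for illustration and do not come from any real investigation.
"""
from dataclasses import dataclass, field

CONFIDENCE_FLOOR = 0.8  # constructed threshold; below it a person must verify


@dataclass
class Evidence:
    source: str   # where the data came from (log query, alert id, inventory record)
    excerpt: str  # the exact text the agent relied on


@dataclass
class Step:
    claim: str
    evidence: list          # Evidence objects; empty means the claim is uncited
    confidence: float       # the agent's own 0..1 estimate
    adjusted_by: str = ""   # reviewer who changed this step, if any


@dataclass
class DecisionRecord:
    question: str
    steps: list = field(default_factory=list)
    conclusion: str = ""

    def add_step(self, claim, evidence, confidence):
        self.steps.append(Step(claim, list(evidence), confidence))

    def uncited_steps(self):
        return [i for i, s in enumerate(self.steps) if not s.evidence]

    def uncertain_steps(self):
        return [i for i, s in enumerate(self.steps) if s.confidence < CONFIDENCE_FLOOR]

    def status(self):
        """Whether the record can be acted on or must go to a human first."""
        if self.uncited_steps() or self.uncertain_steps():
            return "needs_human_review"
        return "ready"

    def adjust(self, index, reviewer, claim=None, evidence=None):
        """A reviewer corrects a step; the adjustment stays visible in the record."""
        step = self.steps[index]
        if claim is not None:
            step.claim = claim
        if evidence is not None:
            step.evidence = list(evidence)
        step.confidence = 1.0   # verified by a person
        step.adjusted_by = reviewer

    def render(self):
        """Human-readable 'show your work' view of the decision tree."""
        lines = [f"Q: {self.question}"]
        for i, s in enumerate(self.steps):
            tag = f" (adjusted by {s.adjusted_by})" if s.adjusted_by else ""
            cites = "; ".join(f"{e.source}: {e.excerpt!r}" for e in s.evidence) or "UNCITED"
            lines.append(f"{i + 1}. {s.claim} [conf={s.confidence:.2f}]{tag}")
            lines.append(f"   sources: {cites}")
        lines.append(f"Conclusion: {self.conclusion or '(none)'}  status={self.status()}")
        return "\n".join(lines)


def build_sample_record():
    """Constructed investigation of a fictional off-hours login alert."""
    rec = DecisionRecord("Is alert ALERT-0001 (off-hours login) a true positive?")
    rec.add_step("Source IP 10.20.5.7 belongs to the corporate VPN pool",
                 [Evidence("asset-inventory", "10.20.0.0/16 = corporate VPN")], 0.95)
    rec.add_step("Login at 03:14 is outside the user's usual 08:00-19:00 window",
                 [Evidence("auth-log", "2026-01-10T03:14:02 login ok user=jdoe")], 0.9)
    # A guess with no evidence behind it: this is what forces human review.
    rec.add_step("User has no approved travel for this date", [], 0.6)
    rec.conclusion = "Likely benign VPN use, but unverified"
    return rec


if __name__ == "__main__":
    record = build_sample_record()
    print(record.render())                      # status=needs_human_review
    record.adjust(2, "analyst1", evidence=[Evidence("hr-system", "travel request TR-42 approved")])
    print(record.render())                      # status=ready, step 3 marked as adjusted
```

The gate is deliberately simple: either the agent can point at a source for every step and is confident in all of them, or a person looks. Keeping the reviewer's name on the adjusted step is what lets a later audit distinguish the agent's original reasoning from the human correction.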
4. Shift from Reactive to Proactive
Once trust is established, agents can transition from reactive assistants to proactive defenders, which is critical given that 85% of vulnerabilities remain unpatched after 30 days, leaving a massive window for attackers. To solve this, true agents must do more than wait for a command; they should observe silent patterns and anomalies in real-time. This proactive insight serves as a game-changer by allowing agents to work alongside security teams to stay ahead of threats. By scanning, prioritizing, and automating the "low-hanging fruit" of remediation, these agents can effectively close security gaps before an exploit ever occurs.
5. Lead Innovation with Empathy, Not Hype
We must put humans at the center of the design, ensuring we never lose sight of the people who are front and center fighting bad actors every day. This human-centric approach is supported by the fact that 63% of security professionals believe AI has the potential to enhance security, but only as a tool to augment, rather than replace, human roles. To achieve this, we must lead with empathy rather than buzzwords, creating agents that make users feel supported and respected instead of confused or left behind. This process starts by involving real practitioners in the design and feedback loops, ensuring the implementation of clear boundaries and safety mechanisms that protect the ongoing collaboration between humans and machines.
To learn more about AI agents and how to govern them, we invite you to visit our RSAC library.