
The Rise of Agentic AI Swarms in Enterprise Networks


Posted on by Sandeep Dommari

We have witnessed the most significant shift in artificial intelligence since the launch of ChatGPT. We are moving from the era of chat to the era of act.

For the past two years, CISOs have focused on preventing employees from pasting sensitive data into passive Large Language Models (LLMs). These models were repositories of knowledge: they could write a poem or debug code, but they were fundamentally isolated. They lived in a text box.

That isolation is over. Enter Agentic AI.

Unlike their passive predecessors, AI Agents are designed with agency. They are granted access to tools: email clients, GitHub repositories, cloud infrastructure Command Line Interfaces (CLIs), and corporate Application Programming Interfaces (APIs). They do not just suggest code; they write it, test it, and deploy it. They do not just draft emails; they send them.

According to industry reports, by 2028, at least 15% of day-to-day work decisions will be made autonomously by agentic AI, up from effectively 0% in 2024. Furthermore, recent data indicates that 79% of organizations have already reported some level of AI agent adoption, with nearly universal plans to expand in 2025. This is not just an upgrade; it is a fundamental change in the identity model of the enterprise. When software can think and act without a human pressing a button, we must ask: Who is actually running the network?

The Emergence of the Swarm

The threat is not just a single autonomous agent; it is the Agentic Swarm.

Enterprises are moving toward multi-agent systems (MAS) where specialized agents collaborate to solve complex problems. One agent might be the architect, another the coder, and a third the reviewer. They communicate with each other, exchange data, and execute tasks in a rapid, autonomous loop.

For the security operations center (SOC), this creates a visibility nightmare. A swarm operating at machine speed can execute thousands of API calls in the time it takes a human analyst to sip their coffee. If one agent in that swarm is compromised, whether via prompt injection or model poisoning, the entire chain of command collapses. The reviewer agent might be tricked into approving malicious code written by a compromised coder agent, all within milliseconds.

The Insider Threat is Now Synthetic

In a recent RSAC blog post, "When AI Becomes the Insider Threat," the concept of AI as a malicious insider was introduced. With Agentic AI, this becomes literal.

These agents require permission. To function, they need service accounts with read/write access to databases, Slack channels and JIRA tickets. They effectively possess the credentials of a mid-level employee but lack the moral compass or common sense of a human.

The Risk of Excessive Agency

The Open Web Application Security Project (OWASP) has already flagged this in their Top 10 for LLM Applications, specifically citing LLM06: Excessive Agency. This occurs when an agent is granted permissions that exceed what is necessary for its task, or when it is allowed to interpret ambiguous instructions as authorization to act.

Consider the following scenario: A developer tasks an agent with optimizing cloud storage costs. Without strict guardrails, the agent might decide the most efficient way to save money is to delete all backup archives older than 30 days. It has the permission to do so (to manage storage), and it has the instruction (optimize costs). The result is catastrophic data loss, executed with perfect logical efficiency.

Real-World Consequences

We are already seeing the cracks form. Security firms have reported incidents where prompt injection attacks against customer service agents allowed attackers to manipulate backend logic. In one reported case, attackers used prompt injections to trick an automated financial assistant into approving fraudulent wire transfers. The agent wasn't hacked in the traditional sense; it was simply talked into doing the wrong thing.

Governance Strategies for the Autonomous Age

How do CISOs govern a workforce that never sleeps, acts in milliseconds, and can be tricked by a carefully crafted sentence? The answer lies in treating Agents not as software, but as Non-Human Identities.

1. Identity and Access Management (IAM) for Agents

Stop letting agents piggyback on user credentials. Every AI agent must have its own identity, managed with the same rigor as a privileged user.

  • Principle of Least Privilege: If an agent is designed to summarize emails, it should not have API access to the HR database.
  • Short-Lived Credentials: Agent sessions should be ephemeral. They should request permissions for a specific task and lose them immediately after completion.

2. The Human-on-the-Loop Standard

We cannot have a Human-in-the-Loop for every action; it defeats the purpose of automation. However, we must implement a Human-on-the-Loop governance model.

  • High-Impact Break Circuits: Define critical actions that always require human approval (e.g., transferring funds over $1,000, deleting production tables, changing firewall rules).
  • Asynchronous Auditing: Use a separate, immutable Watcher agent, governed by a completely different LLM model, to audit the logs of the Doer agents in real time and flag anomalies.

3. Address Function-Calling Hallucinations

IBM and other researchers have identified function-calling hallucinations as a critical risk where an agent calls the wrong tool or API due to a misunderstanding of the user's intent. Security teams must implement middleware validation that checks the logic of an API call before it is executed, not just the authorization.
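The three governance strategies above (per-agent least privilege, high-impact break circuits that hold for a human, and middleware that validates the logic of a tool call rather than only the caller's authorization) can be combined in one policy gate that every agent tool call passes through before execution. The following is an added illustration, not code from the original post; the agent identities, tool names, the storage-optimizer scenario and the $1,000 transfer threshold are taken from the post's own examples, while the data layout and function names are assumptions.

```python
# Added example: a policy middleware an agent's tool calls must pass through.
# Agent names, tool names and the audit-log shape are hypothetical.
from dataclasses import dataclass

# Least-privilege allowlist: each agent identity gets only the tools its task needs.
AGENT_TOOLS = {
    "email-summarizer": {"mail.read"},
    "storage-optimizer": {"storage.list", "storage.delete"},
    "treasury-bot": {"payments.transfer"},
    "dba-agent": {"db.query", "db.drop_table"},
}

# High-impact "break circuits": these actions always go to a human, even if granted.
HUMAN_APPROVAL_REQUIRED = {"db.drop_table", "firewall.update_rule"}
TRANSFER_HUMAN_THRESHOLD = 1000  # dollars; the threshold used in the post

# Append-only record that a separate Watcher agent can audit asynchronously.
AUDIT_LOG: list = []


@dataclass
class Decision:
    action: str  # "allow", "deny" or "hold_for_human"
    reason: str


def evaluate(agent: str, tool: str, args: dict) -> Decision:
    """Decide what happens to a proposed tool call before it is executed."""
    if tool not in AGENT_TOOLS.get(agent, set()):
        decision = Decision("deny", f"{agent} is not granted {tool}")
    elif tool in HUMAN_APPROVAL_REQUIRED:
        decision = Decision("hold_for_human", f"{tool} is a break-circuit action")
    elif tool == "payments.transfer" and args.get("amount", 0) > TRANSFER_HUMAN_THRESHOLD:
        decision = Decision("hold_for_human", "transfer exceeds human-approval threshold")
    # Logic check, not just authorization: the storage-optimizer is allowed to
    # delete objects, but deleting backup archives is never a valid reading of
    # "optimize costs", so the call is refused even though it is authorized.
    elif tool == "storage.delete" and args.get("is_backup", False):
        decision = Decision("deny", "deleting backup archives is outside task intent")
    else:
        decision = Decision("allow", "within granted scope and policy")
    AUDIT_LOG.append({"agent": agent, "tool": tool, "args": args, "decision": decision})
    return decision


if __name__ == "__main__":
    print(evaluate("storage-optimizer", "storage.delete", {"key": "bk-2024.tgz", "is_backup": True}))
    print(evaluate("treasury-bot", "payments.transfer", {"to": "acct-42", "amount": 5000}))
```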

The rise of Agentic AI Swarms offers unparalleled potential for productivity. It promises a future where our networks self-heal and our software self-optimizes. But it also introduces a layer of opacity that traditional security tools are ill-equipped to handle.

We can no longer rely on trusting the user. In 2025, the user might be a Python script running an open-source LLM that just hallucinated a reason to shut down your firewall. The time to build the guardrails is now, before the swarm leaves the hive.


Contributors
Sandeep Dommari

Principal Architect, Mican Technologies

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
