Imagine you wake up tomorrow to some genuinely exciting news: you’ve been authorized to hire 1,000 new expert-level teammates. Developers, marketers, ops specialists, data analysts, product managers — brilliant at their jobs, available around the clock, never burned out, never distracted.
It’s every business leader’s dream. That product line you’ve wanted to launch for two years but never had the engineering capacity for? Now you do. That new market you’ve been eyeing but couldn’t staff properly? It’s within reach. The backlog of strategic projects that kept getting pushed because everyone was heads-down on the urgent stuff? You can start working through it.
For the first time, the limit on what your organization can pursue isn’t headcount or budget. It’s your own imagination. Sounds incredible, right?
There’s a huge catch, though. All these new digital coworkers…You can’t check their references. You can’t run a background check. You have to give them access to all your systems on day one. And here’s the part that should really give you pause: they follow instructions literally, they don’t know right from wrong, and they face zero consequences if something goes wrong.
Still excited?
That thought experiment isn’t hypothetical. It’s where most enterprises are right now with AI agents. And it’s the dilemma I’ll be exploring later today in my keynote at RSA.
From Answering to Acting
Not long ago, AI meant chatbots — tools that helped you write an email, summarize a document, answer a question. Useful, impressive even, but fundamentally passive. If a chatbot gave you a bad answer, you’d shrug and move on.
We’re now in a different era entirely. AI agents don’t just answer. They act. They plan multi-step tasks, call external tools, make decisions, and execute workflows autonomously. They can send emails on your behalf, modify files, run database commands, place orders, change firewall rules.
The shift from information to action changes everything about how we need to think about risk.
Here’s a useful way to think about it: with a chatbot, the worst case is a wrong answer. With an agent, the worst case is a wrong action, and some actions can’t be undone.
There are already thousands of examples of where this shift has gone wrong. My “favorite” was a situation where an investor ran an AI coding agent during a code freeze. The instruction was explicit: “don’t change anything without permission.” The agent ran database commands anyway, deleted a live production database, tried to cover its tracks by creating fake data, and then when the damage became clear, apologized.
Well, an apology is not a guardrail.
The Gap Between Pilots and Production
Here’s a number that tells the whole story. In a recent Cisco survey of major enterprises, 85% reported having AI agent pilots underway. Only 5% had moved those agents into production.
That 80-point gap isn’t skepticism about AI’s potential. It’s a rational response to a genuine security problem. Organizations can see what agents can do. They’re not sure yet they can trust them to do it safely.
Closing that gap is what we’re focused on at Cisco. And at RSA this week, we’re laying out our approach across three areas: protecting agents from the world, protecting the world from agents, and detecting and responding to problems at the speed agents operate.
Protecting agents from the world means ensuring agents can’t be manipulated by bad actors.
This is way more subtle than it sounds. Traditional security scanning tools were built to test static software. They can’t simulate what it looks like when an adversary tries to trick an AI mid-task into ignoring its instructions. Prompt injection (hiding malicious commands inside content that an agent reads) is already a real attack vector, and it’s getting more sophisticated.
Our Cisco Talos 2025 Year in Review report (released today) shows how AI is already being used to build new exploit kits, with the React2Shell vulnerability going from public disclosure to the most actively exploited flaw of 2025 in a matter of days. The speed of weaponization is accelerating, and we can’t assume there’ll be time to react after a vulnerability is disclosed.
To help organizations test their agents before they go anywhere near production, we’re launching AI Defense Explorer Edition, a self-service red teaming tool that lets developers and security teams run adversarial attacks against their own agents and find vulnerabilities first.
We’re also releasing an Agent Runtime SDK that embeds policy enforcement directly into agent workflows at build time, and an LLM Security Leaderboard that gives organizations a clear, objective way to evaluate how different AI models hold up against adversarial attacks, going well beyond the performance benchmarks that dominate most AI comparisons today.
Last year at RSAC, we made history with the first open source foundation AI security model. Since then, we’ve continued building in the open, releasing a suite of tools designed to answer the security questions developers face every day:
- Skills Scanner — What skills is this agent running, and are they safe?
- MCP Scanner — Are my MCP servers exposing malicious actions?
- AI BoM — What’s inside my AI system — models, memory, dependencies?
- CodeGuard — Is the AI-generated code I’m shipping introducing vulnerabilities?
- Model Provenance — Where did this model originate from, and has it been modified?
This year we’re open sourcing DefenseClaw — a secure agent framework that brings all of these tools together and utilizes hooks in Nvidia’s OpenShell. With DefenseClaw, developers can deploy secure agents faster than ever:
- Every skill is scanned and sandboxed
- Every MCP server is checked for malicious actions
- Every AI asset — models, memory, skills — is automatically inventoried
The result is zero manual security steps and zero separate tool installs. Security is a team sport, and no one knows that better than Cisco.
Protecting the world from agents is an identity and access problem.
Today, most enterprises don’t have a clear picture of which agents are running in their environment, what they have access to, or who’s accountable if something goes wrong. That’s a serious governance gap, and it’s not remotely theoretical.
Turning to the Talos 2025 Year in Review again, research shows that attackers are focused on the systems that verify identity and broker access: login flows, access gateways, and management platforms that sit at the center of how organizations grant trust. Nearly a third of all multi-factor authentication spray attacks targeted identity and access management systems specifically, a six percent jump from the year before.
Adversaries go where they can do the most damage with the least effort, and right now, identity is that place.
The good news is that we have a blueprint for this challenge. Think about how you’d onboard a new employee. You verify who they are, define their role, give them access only to what they need for their job, and hold them accountable to a manager. Agents need the same treatment. Every agent should have a verified identity, a defined scope of permissions, and a human owner who’s responsible for its behavior.
This week, Cisco is extending Zero Trust to the agentic workforce through new capabilities in Duo IAM and Secure Access, so that every agent gets time-bound, task-specific permissions and security teams get real-time visibility into every agent and tool running in their environment, including the ones nobody officially sanctioned.
Finally, we have to detect and respond to security threats and incidents at machine speed.
Agents operate faster than any human can monitor. When an attack unfolds through automated agentic activity, the window between “something is wrong” and “the damage is done” can be seconds. That math doesn’t work if your security operations center is still running at human pace. Adversaries are already using agentic AI to scale their own operations by automating reconnaissance, building exploit kits, and expanding what one person or group can accomplish in a single campaign. Defenders need the same leverage.
We’re helping evolve the Security Operations Center (SOC) from reactive to proactive with new capabilities in Splunk, including Exposure Analytics for continuous real-time risk scoring, Detection Studio for streamlining how detections are built and deployed, and Federated Search that lets analysts investigate across distributed data environments without first pulling everything into a central location — a significant advantage as agentic activity generates exponentially more data.
We’re also deploying specialized AI agents within the SOC itself for detection, triage, and response. Not to replace analysts, but to handle the repetitive investigative work so that humans can focus on the decisions that need experience and judgment.
Security is the Accelerator
Here’s what I find genuinely exciting about this moment. For most of the history of technology, security has played an important, but conservative role: identifying what could go wrong, slowing rollouts, and adding friction in the name of risk mitigation.
With agentic AI, the dynamic flips. Security isn’t the reason to slow down. It’s the reason you can move fast. The 80-point gap between organizations piloting agents and those running them in production isn’t a technology gap. It’s a trust deficit that we can only make up if we reimagine security for the agentic workforce.
We’ve been here before. We made the internet trustworthy for commerce. We figured out cloud and mobile. The tools and mental models took time to develop, but they got there. The agentic era is the next frontier, and the organizations that get security right will be the ones that unlock the real potential of AI.
Let’s get to it.