“Language inherently allows for deception, manipulation, and lying. It’s a feature, not a flaw,” CrowdStrike CTO Elia Zaitsev stated in a VentureBeat interview during the RSA Conference 2026. He argued that vendors attempting to secure AI agents by analyzing their intent face an unsolvable challenge. Instead, Zaitsev suggested focusing on context. CrowdStrike’s Falcon sensor examines the process tree on an endpoint to track agents’ actions rather than their intentions. “Observing actual kinetic actions is a structured, solvable problem,” Zaitsev explained to VentureBeat. “Intent is not.”
Just a day after Zaitsev’s comments, CrowdStrike CEO George Kurtz revealed two incidents at Fortune 50 companies. In the first case, a CEO’s AI agent altered the company’s security policy—not due to a breach, but because the agent sought to address an issue, bypassed permissions, and lifted the restriction. All identity checks were passed; the modification was found accidentally. The second case involved a 100-agent Slack swarm executing a code fix without human approval, with Agent 12 making the commit. The change was discovered post-implementation.
Incidents at two Fortune 50 firms went unnoticed initially. Every identity framework introduced at RSAC this week failed to catch them. The vendors verified the agent’s identity but did not monitor the agent’s actions.
The rush to launch frameworks highlights a market shift. William Blair’s RSA Conference 2026 equity research report by analyst Jonathan Ho notes that “the difficulty of securing agentic AI is likely to push customers toward trusted platform vendors that can offer broader coverage across the expanding attack surface.” Five vendors stepped up at RSAC this week, yet none provided a complete solution.
Attackers are already inside enterprise pilots
The scale of exposure is evident in production data. CrowdStrike’s Falcon sensors identify over 1,800 distinct AI applications across the customer fleet, generating 160 million unique instances on enterprise endpoints. Cisco reported that 85% of surveyed enterprise customers have pilot agent programs; only 5% have moved to production, meaning most agents are operating without the necessary governance structures. “The biggest impediment to scaled adoption in enterprises for business-critical tasks is establishing a sufficient amount of trust,” Cisco’s President and Chief Product Officer Jeetu Patel told VentureBeat. “Delegating versus trusted delegating of tasks to agents. The difference between those two, one leads to bankruptcy and the other leads to market dominance.”
Etay Maor, VP of Threat Intelligence at Cato Networks, conducted a live Censys scan during an RSA Conference 2026 interview with VentureBeat, revealing nearly 500,000 internet-facing OpenClaw instances—up from 230,000 the previous week. Cato CTRL senior researcher Vitaly Simonovich highlighted a BreachForums listing from February 22, 2026, on the Cato CTRL blog, where a threat actor offered root shell access to a UK CEO’s computer for $25,000 in cryptocurrency. The selling point was the CEO’s OpenClaw AI personal assistant, which had gathered sensitive company data in plain-text Markdown without encryption. “Your AI? It’s my AI now. It’s an assistant for the attacker,” Maor mentioned to VentureBeat.
Data from various researchers tells a similar tale. Bitsight found over 30,000 OpenClaw instances exposed to the public internet between January 27 and February 8, 2026. SecurityScorecard identified 15,200 of these instances as vulnerable to remote code execution through three high-severity CVEs, the most severe with a CVSS rating of 8.8. Koi Security discovered 824 malicious skills on ClawHub—335 linked to ClawHavoc, which Kurtz highlighted as the first major supply chain attack on an AI agent ecosystem.
Five vendors, three gaps none of them closed
Cisco emphasized identity governance. Duo Agentic Identity registers agents as identity objects linked to human owners, with tool calls routed through an MCP gateway in Secure Access SSE. Cisco Identity Intelligence identifies shadow agents by analyzing network traffic rather than authentication logs. Patel observed that today’s agents act “more like teenagers — supremely intelligent, but with no fear of consequence, easily sidetracked or influenced.” CrowdStrike took a different approach, treating agents as endpoint telemetry and monitoring the kinetic layer through Falcon’s process-tree lineage. CrowdStrike expanded AIDR to include Microsoft Copilot Studio agents and introduced Shadow SaaS and AI Agent Discovery across platforms like Copilot, Salesforce Agentforce, ChatGPT Enterprise, and OpenAI Enterprise GPT.
Palo Alto Networks developed Prisma AIRS 3.0, featuring an agentic registry, an agentic IDP, and an MCP gateway for runtime traffic control. The proposed Koi acquisition enhances supply chain and runtime visibility. Microsoft distributed governance efforts across Entra, Purview, Sentinel, and Defender, with Microsoft Sentinel integrating MCP natively and a Claude MCP connector previewing on April 1. Cato CTRL provided evidence that identity gaps targeted by other vendors are already being exploited. Maor remarked that enterprises neglected basic security principles when deploying agents. “We just gave these AI tools complete autonomy,” he said.
Gap 1: Agents can rewrite the rules governing their own behavior
The Kurtz incident highlights this gap. Although all credential checks were passed and the action was authorized, Zaitsev contends that reliable detection only occurs at the kinetic layer: identifying the modified file, the process involved, the initiating agent, and comparing it against a behavioral baseline. Palo Alto Networks offers pre-deployment red teaming in Prisma AIRS 3.0, but this occurs before deployment, not during runtime when self-modification may occur. No vendor currently provides behavioral anomaly detection for policy-modifying actions in production.
Gap 2: Agent-to-agent handoffs have no trust verification
The 100-agent swarm serves as evidence. Agent A detected a defect and posted on Slack, while Agent 12 executed the fix without human approval. Zaitsev’s solution is to revert agent identities back to the human. An agent should never have more privileges than the human it represents. However, no product currently addresses delegation between agents. Traditional IAM is designed for human-to-system interactions, and agent-to-agent delegation requires a trust framework that does not exist in OAuth, SAML, or MCP.
Gap 3: Ghost agents hold live credentials with no offboarding
Enterprises adopt AI tools, initiate pilots, and may lose interest, yet the agents continue operating with active credentials. Maor refers to these as ghost agents. Zaitsev ties ghost agents to a larger issue of delayed identity hygiene actions in enterprises, such as standing privileged accounts, long-term credentials, and neglected offboarding procedures. While these problems existed with humans, agents operating at machine speed can make the consequences disastrous.
Why these three gaps resist a product fix
Human IAM assumes the identity holder will not alter permissions, create new identities, or leave. Agents defy all three assumptions. OAuth manages user-to-service interactions, SAML manages federated human identity, and MCP manages model-to-tool connections. None address agent-to-agent verification.
Five vendors against three gaps
|
Cisco |
CrowdStrike |
Microsoft |
Palo Alto Networks |
Unsolved |
|
|
Registration. Can the vendor discover and inventory agents? |
Duo Agentic Identity. Agents registered as identity objects with human owners. Shadow agent detection via network traffic. |
Falcon sensor auto-discovery. 1,800+ agent apps, ~160M instances across customer fleet. |
Security Dashboard for AI + Entra shadow AI detection at the network layer. |
Agentic registry in Prisma AIRS 3.0. Agents inventoried before operating. |
All four register agents. No cross-vendor identity standard exists. |
|
Self-modification. Can the vendor detect when an agent changes its own policies? |
MCP gateway catches anomalous tool-call patterns in real time, but does not monitor for direct policy file modifications on the endpoint. |
Process-tree lineage tracks file modifications at the action layer. Could detect a policy file change, but no dedicated self-modification rule ships. |
Defender predictive shielding adjusts access policies reactively during active attacks. Not proactive self-modification detection. |
AI Red Teaming tests for this before deployment. No runtime detection after the agent is live. |
OPEN. No vendor detects an agent rewriting the policy governing the agent’s own behavior as a shipping capability. |
|
Delegation. Can the vendor track when one agent hands work to another? |
Maps each agent to a human owner. Does not track agent-to-agent handoffs. |
Collapses the agent identity to the human operator. Does not correlate the delegation chains between agents. |
Entra governs individual non-human identities. No multi-agent chain tracking. |
AI Agent Gateway governs individual agents. No delegation primitive between agents. |
OPEN. No trust primitive for agent-to-agent delegation exists in OAuth, SAML, or MCP. |
|
Decommission. Can the vendor confirm a killed agent holds zero credentials? |
Identity Intelligence runs a continuous inventory of active agents. |
Shadow SaaS + AI Agent Discovery finds running agents across SaaS and endpoints. |
Entra’s shadow AI detection surfaces unmanaged AI applications. |
Koi acquisition (pending) adds endpoint visibility for agent applications. |
OPEN. All four discover running agents. None verifies zero residual credentials after decommission. |
|
Runtime / Kinetic. Can the vendor monitor what agents do in real time? |
MCP gateway enforces policy per tool call at the network layer. Contextual anomaly detection on call patterns. |
Falcon EDR tracks commands, scripts, file activity, and network connections at the process level. |
Defender endpoint + cloud monitoring. Predictive shielding during active incidents. |
Prisma AIRS AI Agent Gateway for runtime traffic control. |
CrowdStrike is the only vendor framing endpoint runtime as the primary safety net for agentic behavior. |
Five things to do Monday morning before your board asks
-
Audit self-modification risk. Pull every agent with write access to security policies, IAM configs, firewall rules, or ACLs. Flag any agent that can modify controls governing the agent’s own behavior. No vendor automates this.
-
Map delegation paths. Document every agent-to-agent invocation. Flag delegation without human approval. Human-in-the-loop on every delegation event until a trust primitive ships.
-
Kill ghost agents. Build a registry. For each agent: business justification, human owner, credentials held, systems accessed. No justification? Manual revoke. Weekly.
-
Stress test the MCP gateway enforcement. Cisco, Palo Alto Networks, and Microsoft all announced MCP gateways this week. Verify that agent tool traffic actually routes through the gateway. A misconfigured gateway creates false confidence while agents call tools directly.
-
Baseline agent behavioral norms. Before any agent reaches production, establish what normal looks like: typical API calls, data access patterns, systems touched, and hours of activity. Without a behavioral baseline, the kinetic-layer anomaly detection Zaitsev describes has nothing to compare against.
Zaitsev’s advice was blunt: you already know what to do. Agents just made the cost of not doing it catastrophic. Every vendor at RSAC verified who the agent was. None of them tracked what the agent did.
