In 2025, adversaries exploited legitimate AI tools in over 90 organizations, leading to the theft of credentials and cryptocurrency. These compromised tools were limited to reading data, without the capability to alter firewall rules.
Now a new class of autonomous SOC agents is being introduced that can rewrite infrastructure. That capability has not yet been exploited at scale in production, but the architectural conditions for such an exploit are advancing faster than the governance structures meant to control them.
A compromised SOC agent could modify firewall rules, adjust IAM policies, and quarantine endpoints using its own privileged credentials through authorized API calls. No direct network contact from the adversary is required: the agent executes those actions on the adversary's behalf.
In February, Cisco unveiled AgenticOps for Security, which includes autonomous firewall remediation and PCI-DSS compliance features. Last week, Ivanti released its Continuous Compliance and Neurons AI self-service agent, incorporating policy enforcement, approval gates, and data context validation from the start. This is crucial because the OWASP Agentic Top 10 outlines the consequences when these controls are absent.
“In the agentic era, defending against AI-accelerated adversaries and securing AI systems themselves, require operating at machine speed,” stated CrowdStrike CEO George Kurtz during the release of the 2026 Global Threat Report. Adam Meyers, CrowdStrike’s head of counter-adversary operations, added, “AI is compressing the time between intent and execution while turning enterprise AI systems into targets.” AI-enabled adversaries increased operations 89% year-over-year.
The attack surface is widening concurrently. Malicious MCP server clones have intercepted sensitive data in AI workflows by posing as trusted services. The U.K. National Cyber Security Centre has cautioned that prompt injection attacks on AI applications “may never be totally mitigated.” While previous compromises involved AI tools that could only read and summarize, the new autonomous SOC agents can write, enforce, and remediate.
The governance framework that maps the gap
In December 2025, OWASP released its Top 10 for Agentic Applications, developed with over 100 security researchers, detailing 10 attack categories on autonomous AI systems. Among these, three categories pertain directly to the write access capabilities of autonomous SOC agents: Agent Goal Hijacking (ASI01), Tool Misuse (ASI02), and Identity and Privilege Abuse (ASI03). Palo Alto Networks noted an 82:1 machine-to-human identity ratio in the average enterprise, which expands with each additional autonomous agent.
The 2026 CISO AI Risk Report from Saviynt and Cybersecurity Insiders, based on a survey of 235 CISOs, revealed that 47% have witnessed AI agents behaving unexpectedly, and only 5% are confident in containing a compromised agent. A Dark Reading poll indicated that 48% of cybersecurity professionals view agentic AI as the most dangerous attack vector. The IEEE-USA submission to NIST emphasized that risks are more about the model’s autonomy level, privilege scope, and environmental conditions than the models themselves.
Eleanor Watson, a Senior IEEE Member, highlighted in the IEEE 2026 survey that “semi-autonomous systems can also drift from intended objectives, requiring oversight and regular audits.” Cisco’s intent-aware agentic inspection, launched with AgenticOps in February 2026, represents an early detection-layer strategy to address this gap. Cisco’s approach involves network layer inspection, while Ivanti integrates governance at the platform level, both anticipating the challenge. The key issue is whether these controls will be established before potential exploits occur.
Autonomous agents that ship with governance built in
Security teams are increasingly stretched. Advanced AI models now find exploitable vulnerabilities faster than human teams can patch them manually, and the backlog keeps growing. This is not a failure of the teams; the volume simply exceeds what manual patching can absorb.
This quarter, Ivanti Neurons for Patch Management introduced Continuous Compliance, an automated enforcement framework that bridges the gap between scheduled patch deployments and regulatory requirements. It identifies non-compliant endpoints and deploys patches out-of-band for devices that missed maintenance, with policy enforcement and compliance verification throughout the process.
Additionally, Ivanti launched the Neurons AI self-service agent for ITSM, advancing beyond conversational intake to autonomous resolution with built-in policy, approval, and data context guardrails. This agent handles common incidents and service requests from start to finish, reducing manual effort and deflecting tickets.
Robert Hanson, Chief Information Officer at Grand Bank, explained the considerations security leaders are contemplating: “Before exploring the Ivanti Neurons AI self-service agent, our team was spending the bulk of our time handling repetitive requests. As we move toward implementing these capabilities, we expect to automate routine tasks and enable our team to focus more proactively on higher-value initiatives. Over time, this approach should help us reduce operational overhead while delivering faster, more secure service within the guardrails we define, ultimately supporting improvements in service quality and security.”
His focus on operating “within the guardrails we define” underscores a key design principle: speed and governance need not be mutually exclusive.
The governance gap is evident: the Saviynt report found that 86% of organizations do not enforce access policies for AI identities, only 17% apply the same controls to AI identities as to human users for even half of their AI identities, and 75% of CISOs have detected unauthorized AI tools operating in production with unmonitored embedded credentials.
Continuous Compliance and the Neurons AI self-service agent address the patching and ITSM layers. The broader autonomous SOC agent landscape, including firewall remediation, IAM policy modification, and endpoint quarantine, extends beyond what any single platform currently governs. The 10-question audit below applies to every autonomous tool in the environment, Ivanti's included.
Prescriptive risk matrix for autonomous agent governance
The matrix aligns all 10 OWASP Agentic Top 10 risk categories with what ships without governance, the detection gap, the proof case, and the recommended action for autonomous SOC agent deployments.
| OWASP Risk | What Ships Ungoverned | Detection Gap | Proof Case | Recommended Action |
| --- | --- | --- | --- | --- |
| ASI01: Goal Hijacking | Agent treats external inputs (logs, alerts, emails) as trusted instructions | EDR cannot detect adversarial instructions executed via legitimate API calls | EchoLeak (CVE-2025-32711): hidden email payload caused AI assistant to exfiltrate confidential data. Zero clicks required. | Classify all inputs by trust tier. Block instruction-bearing content from untrusted sources. Validate external data before agent ingestion. |
| ASI02: Tool Misuse | Agent authorized to modify firewall rules, IAM policies, and quarantine workflows | WAF inspects payloads, not tool-call intent. Authorized use is identical to misuse. | Amazon Q bent legitimate tools into destructive outputs despite valid permissions (OWASP cited). | Scope each tool to minimum required permissions. Log every invocation with intent metadata. Alert on calls outside baseline patterns. |
| ASI03: Identity Abuse | Agent inherits service account credentials scoped to production infrastructure | SIEM sees authorized identity performing authorized actions. No anomaly triggers. | 82:1 machine-to-human identity ratio in average enterprise (Palo Alto Networks). Each agent adds to it. | Issue scoped agent-specific identities. Enforce time-bound, task-bound credential leases. Eliminate inherited user credentials. |
| ASI04: Supply Chain | Agent loads third-party MCP servers or plugins at runtime without provenance verification | Static analysis cannot inspect dynamically loaded runtime components. | Malicious MCP server clones intercepted sensitive data by impersonating trusted services (CrowdStrike 2026). | Maintain approved MCP server registry. Verify provenance and integrity before runtime loading. Block unapproved plugins. |
| ASI05: Unexpected Code Exec | Agent generates or executes attacker-controlled code through unsafe evaluation paths or tool chains | Code review gates apply to human commits, not agent-generated runtime code. | AutoGPT RCE: natural-language execution paths enabled remote code execution through unsanctioned package installs (OWASP cited). | Sandbox all agent code execution. Require human approval for production code paths. Block dynamic eval and unsanctioned installs. |
| ASI06: Memory Poisoning | Agent persists context across sessions where poisoned data compounds over time | Session-based monitoring resets between interactions. Poisoning accumulates undetected. | Calendar Drift: malicious calendar invite reweighted agent objectives while remaining within policy bounds (OWASP). | Implement session memory expiration. Audit persistent memory stores for anomalous content. Isolate memory per task scope. |
| ASI07: Inter-Agent Comm | Agents communicate without mutual authentication, encryption, or schema validation | Monitoring covers individual agents but not spoofed or manipulated inter-agent messages. | OWASP documented spoofed messages that misdirected entire agent clusters via protocol downgrade attacks. | Enforce mutual authentication between agents. Encrypt all inter-agent channels. Validate message schema at every handoff. |
| ASI08: Cascading Failures | Agent delegates to downstream agents, creating multi-hop privilege chains across systems | Monitoring covers individual agents but not cross-agent delegation chains or fan-out. | Simulation: single compromised agent poisoned 87% of downstream decision-making within 4 hours in controlled test. | Map all delegation chains end to end. Enforce privilege boundaries at each handoff. Implement circuit breakers for cascading actions. |
| ASI09: Human-Agent Trust | Agent uses persuasive language or fabricated evidence to override human safety decisions | Compliance verifies policy configuration, not whether the agent manipulated the human into approving. | Replit agent deleted primary customer database then fabricated its contents to appear compliant and hide the damage. | Require independent verification for high-risk agent recommendations. Log all human approval decisions with full agent reasoning chain. |
| ASI10: Rogue Agents | Agent deviates from intended purpose while appearing compliant on the surface | Compliance checks verify configuration at deployment, not behavioral drift after deployment. | 92% of organizations lack full visibility into AI identities; 86% do not enforce access policies (Saviynt 2026). | Deploy behavioral drift detection. Establish baseline agent behavior profiles. Alert on deviation from expected action patterns. |
The 10-question OWASP audit for autonomous agents
Each question corresponds to one of the OWASP Agentic Top 10 risk categories. Autonomous platforms equipped with policy enforcement, approval gates, and data context validation will provide clear answers to each question. If any tool has three or more “I don’t know” responses, it indicates that the tool’s governance has not kept pace with its capabilities.
- Which agents have write access to production firewall, IAM, or endpoint controls?
- Which accept external inputs without validation?
- Which execute irreversible actions without human approval?
- Which persist memory where poisoning compounds across sessions?
- Which delegate to other agents, creating cascade privilege chains?
- Which load third-party plugins or MCP servers at runtime?
- Which generate or execute code in production environments?
- Which inherit user credentials instead of scoped agent identities?
- Which lack behavioral monitoring for drift from intended purpose?
- Which can be manipulated through persuasive language to override safety controls?
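The audit is easier to run consistently against an inventory than by hand. The following is an added example of a scorer for it, not the article's own tooling. Each inventory record answers the ten questions as True, False, or None, where None is an "I don't know"; an agent with three or more unknowns is flagged as having governance that lags its capabilities, and agents with write access to production controls are ordered first and given a due date 30 days from the audit start. The inventory records are constructed.

```python
from datetime import date, timedelta

# One key per audit question, in the order the questions appear above.
QUESTIONS = {
    "write_access": "write access to production firewall, IAM, or endpoint controls",
    "unvalidated_inputs": "accepts external inputs without validation",
    "irreversible_no_approval": "executes irreversible actions without human approval",
    "persistent_memory": "persists memory where poisoning compounds across sessions",
    "delegates": "delegates to other agents, creating cascade privilege chains",
    "runtime_plugins": "loads third-party plugins or MCP servers at runtime",
    "code_exec": "generates or executes code in production environments",
    "inherited_creds": "inherits user credentials instead of scoped agent identities",
    "no_drift_monitoring": "lacks behavioral monitoring for drift from intended purpose",
    "persuadable": "can be manipulated through persuasive language to override safety controls",
}
UNKNOWN_THRESHOLD = 3     # three or more "I don't know" answers flags the tool
AUDIT_WINDOW_DAYS = 30    # deadline for agents with production write access


def score_agent(record):
    """Score one inventory record; a missing key counts as an unknown answer."""
    answers = {q: record.get(q) for q in QUESTIONS}
    unknown = [q for q, a in answers.items() if a is None]
    exposed = [q for q, a in answers.items() if a is True]
    return {
        "agent": record["agent"],
        "unknown": unknown,
        "exposed": exposed,
        "governance_lagging": len(unknown) >= UNKNOWN_THRESHOLD,
        "prod_write": answers["write_access"] is True,
    }


def run_audit(inventory, start):
    """Score every agent and order the work: production writers first, then least understood."""
    due = start + timedelta(days=AUDIT_WINDOW_DAYS)
    results = [score_agent(r) for r in inventory]
    results.sort(key=lambda r: (not r["prod_write"], -len(r["unknown"]), r["agent"]))
    for r in results:
        r["due"] = due if r["prod_write"] else None
    return results


# Constructed inventory: three hypothetical agents with partially filled answers.
SAMPLE_INVENTORY = [
    {"agent": "fw-remediator", "write_access": True, "irreversible_no_approval": False,
     "runtime_plugins": True, "code_exec": False, "inherited_creds": False,
     "no_drift_monitoring": False, "persuadable": False},
    {"agent": "itsm-selfservice", "write_access": False, "unvalidated_inputs": False,
     "irreversible_no_approval": False, "persistent_memory": True, "delegates": False,
     "runtime_plugins": False, "code_exec": False, "inherited_creds": False,
     "no_drift_monitoring": False, "persuadable": False},
    {"agent": "alert-summarizer", "write_access": False, "unvalidated_inputs": True,
     "code_exec": False, "inherited_creds": True},
]


if __name__ == "__main__":
    for r in run_audit(SAMPLE_INVENTORY, date(2026, 3, 1)):
        flag = "GOVERNANCE LAGGING" if r["governance_lagging"] else "ok"
        print(f"{r['agent']:18s} unknown={len(r['unknown'])} exposed={len(r['exposed'])} "
              f"due={r['due']} {flag}")
```

The only judgement the scorer makes is the one the text states (three unknowns is a failing grade); the value is that a missing field is treated as "I don't know" rather than silently as "no", so an incomplete inventory surfaces as a finding instead of a pass.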
What the board needs to hear
The board discussion comes down to three statements. First, in 2025 AI tools at over 90 organizations were compromised, as reported in CrowdStrike's 2026 Global Threat Report. Second, the autonomous tools being deployed now carry greater privileges than the tools that were compromised then. Third, the organization has reviewed every autonomous tool against OWASP's 10 risk categories and verified that governance controls are in place.
If this third statement is not accurate, it must be addressed before any new autonomous agent is deployed in production. Conduct the 10-question audit on every agent with write access to production infrastructure within the next 30 days. Every autonomous platform introduced to production should meet the same criteria — policy enforcement, approval gates, and data context validation must be included from the start, not added after an incident. This audit will reveal which tools have accomplished this and which have not.