When asked by VentureBeat if rogue agent incidents were affecting Cisco’s customers, Anthony Grieco, Cisco’s SVP and chief security and trust officer, responded without hesitation.
“Absolutely. We encounter them frequently,” Grieco shared in an exclusive interview with VentureBeat at RSAC 2026. “I’ve heard some stories that are unrepeatable, but agents often act based on what they believe is correct.”
The incidents Grieco described share a common pattern: credentials are verified and identity checks pass. The agent is authenticated as legitimate. Yet it accesses data outside its scope or performs actions it is not authorized to perform at its level. The issue lies not in identity verification but in authorization.
“Businesses are saying things like, we’re going to deploy 500 agents per employee,” Grieco explained to VentureBeat. “Security leaders are concentrating on ensuring this is done securely.”
According to Cisco’s State of AI Security 2026 report, 83% of organizations intended to implement agentic capabilities, but only 29% felt equipped to secure them. At RSAC 2026, five vendors, including Cisco, introduced agent identity frameworks, but none fully addressed the gaps.
VentureBeat identified four authorization gaps from Grieco’s interview and five independent sources. The matrix at the end of the article provides actionable advice.
The Persistent Authorization Gap
Grieco’s journey through Cisco’s engineering and threat research divisions led him to a role encompassing both product development and internal security management. The authorization gap he described is precise and operational.
“Even a finance agent shouldn’t have access to all financial data,” Grieco explained to VentureBeat. “It should only access specific expense reports at certain times. Achieving this granular control is crucial for advancing agentic developments.”
Experts at RSAC 2026 corroborated this pattern. Kayne McGladrey from IEEE noted that organizations often duplicate human user profiles for agents, leading to permission sprawl from the outset. Carter Rees, VP of AI at Reputation, highlighted that the flat authorization plane of an LLM neglects user permissions, giving agents inherent privileges without any need for escalation.
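The scoping described above (specific records, specific actions, a time window) can be expressed as a deny-by-default check. This is an added example, not code from the article or from any vendor it names; the `Grant` schema, agent ID, data set names and record IDs are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:
    """One scoped permission for one agent (hypothetical schema)."""
    agent_id: str
    dataset: str
    resource_ids: frozenset   # specific records, never "everything"
    actions: frozenset
    not_before: datetime
    not_after: datetime

def authorize(grants, agent_id, dataset, resource_id, action, now):
    """Deny by default: allow only if one grant matches every dimension."""
    for g in grants:
        if g.agent_id != agent_id or g.dataset != dataset:
            continue
        if resource_id not in g.resource_ids or action not in g.actions:
            continue
        if g.not_before <= now < g.not_after:   # window end is exclusive
            return True
    return False

UTC = timezone.utc
AGENT = "finance-agent-7"
# Constructed sample policy: one expense report, read-only, one hour.
GRANTS = [Grant(AGENT, "expense_reports", frozenset({"ER-1001"}),
                frozenset({"read"}),
                datetime(2026, 5, 4, 9, 0, tzinfo=UTC),
                datetime(2026, 5, 4, 10, 0, tzinfo=UTC))]

def demo():
    """Run the 'finance agent' test against in-scope and out-of-scope calls."""
    inside = datetime(2026, 5, 4, 9, 30, tzinfo=UTC)
    expired = datetime(2026, 5, 4, 10, 0, tzinfo=UTC)
    def check(ds, rid, act, when, agent=AGENT):
        return authorize(GRANTS, agent, ds, rid, act, when)
    return {
        "required_report": check("expense_reports", "ER-1001", "read", inside),
        "other_report": check("expense_reports", "ER-2002", "read", inside),
        "other_dataset": check("general_ledger", "ER-1001", "read", inside),
        "other_action": check("expense_reports", "ER-1001", "approve", inside),
        "after_window": check("expense_reports", "ER-1001", "read", expired),
        "cloned_identity": check("expense_reports", "ER-1001", "read",
                                 inside, agent="alice"),
    }
```
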
“Understanding what’s happening is our biggest challenge,” Grieco stated. “Mapping identity and access controls to agents is essential.”
Elia Zaitsev, CTO of CrowdStrike, highlighted the visibility issue at RSAC 2026. In many logging setups, agent activities are indistinguishable from human actions. Distinguishing them requires tracing the process tree, a feature absent in most enterprise logging.
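The process-tree tracing described above, as an added example that is not from the article or from CrowdStrike: two constructed events look identical in a flat log (same user, same binary) and are separated only by walking parent PIDs. The event fields and the names in `AGENT_RUNTIMES` and `INTERACTIVE_ROOTS` are assumptions to be replaced with what your telemetry actually records.

```python
# Assumed labels; populate from your own inventory of agent runtimes.
AGENT_RUNTIMES = {"agent-runner"}
INTERACTIVE_ROOTS = {"sshd", "login"}

# Constructed process-creation events (pid, parent pid, image, user).
EVENTS = [
    {"pid": 1,   "ppid": 0,   "image": "systemd",      "user": "root"},
    {"pid": 100, "ppid": 1,   "image": "sshd",         "user": "root"},
    {"pid": 101, "ppid": 100, "image": "bash",         "user": "alice"},
    {"pid": 102, "ppid": 101, "image": "curl",         "user": "alice"},
    {"pid": 200, "ppid": 1,   "image": "agent-runner", "user": "alice"},
    {"pid": 201, "ppid": 200, "image": "python",       "user": "alice"},
    {"pid": 202, "ppid": 201, "image": "curl",         "user": "alice"},
    {"pid": 300, "ppid": 999, "image": "curl",         "user": "alice"},
]

def lineage(events, pid):
    """Return image names from the process up to the oldest known ancestor."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain

def classify(events, pid):
    """Label a process 'agent', 'human' or 'unknown' from its ancestry."""
    chain = lineage(events, pid)
    if any(img in AGENT_RUNTIMES for img in chain):
        return "agent"      # agent ancestry wins even inside a user session
    if any(img in INTERACTIVE_ROOTS for img in chain):
        return "human"
    return "unknown"        # broken lineage is a finding, not a human

def flat_view(events, pid):
    """What a log without lineage records for this process."""
    e = next(ev for ev in events if ev["pid"] == pid)
    return (e["user"], e["image"])
```

PID 300 has a parent that was never logged, so it is reported as `unknown` rather than defaulting to `human`.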
At RSAC, five vendors, including Cisco’s Duo IAM and MCP gateway controls, presented agent identity frameworks. However, VentureBeat identified remaining gaps.
Converging on a Common Diagnosis
The authorization and identity gaps identified by Grieco are not isolated to vendors. In early 2026, three independent standards bodies reached similar conclusions. NIST’s NCCoE released a concept paper in February 2026, “Accelerating the Adoption of Software and AI Agent Identity and Authorization,” advocating demonstration projects for existing identity standards in autonomous agents.
The OWASP Top 10 for Agentic Applications from December 2025 highlighted tool misuse from excessive access and risky delegation as major risks. Meanwhile, the Cloud Security Alliance established the CSAI Foundation at RSAC 2026 with the goal of “Securing the Agentic Control Plane,” introducing an Agentic AI IAM framework using decentralized identifiers and zero trust principles. When NIST, OWASP, and CSA independently identify the same gap in a market cycle, it indicates a structural issue, not one limited to vendors.
MCP Security: Discover Before Control
VentureBeat questioned Grieco about the MCP paradox, a protocol embraced by all vendors at RSAC 2026 despite its security vulnerabilities. Grieco acknowledged the protocol’s risks but emphasized that blocking it is now impractical.
“In today’s environment, security leaders can’t just say no,” Grieco remarked to VentureBeat. “The focus is on managing it.”
Within Cisco, Grieco’s team incorporated MCP discovery, proxying, and inspection into AI Defense and Cisco Secure Access. This strategy treats MCP servers as shadow IT, requiring discovery before governance.
Etay Maor, VP of Threat Intelligence at Cato Networks, confirmed this approach from an adversarial perspective. At RSAC 2026, Maor demonstrated a Living Off the AI attack using Atlassian’s MCP and Jira Service Management. Attackers exploit the integration of trusted tools, services, and models. “An HR-like view of agents is needed,” Maor told VentureBeat. “This includes onboarding, monitoring, and offboarding agents.”
Outdated and Unpatched Critical Infrastructure
Authorization failures with agents are harder to detect and contain on outdated infrastructure lacking recent security patches, compounding other vulnerabilities. Cisco enlisted UK advisory firm WPI Strategy to assess end-of-life technology risks in the US, UK, France, Germany, and Japan. The report revealed that nearly half of the critical network infrastructure in these regions is aging or obsolete, with vendors no longer providing patches.
“Almost 50% of the critical infrastructure in these regions is aging or near end-of-life,” Grieco told VentureBeat. “Vendors are no longer issuing security patches.”
Cisco’s Resilient Infrastructure initiative disables unused features by default and phases out legacy protocols over three releases. Grieco refuted the notion of secure by default as a static achievement. “These are not static points in time,” Grieco explained to VentureBeat. “It’s not a one-time task.”
Agentic Enterprise Security Gap Matrix
The following four gaps are actionable for security directors as of Monday morning. Each row outlines what breaks, why it breaks, and what actions to take, verified by five independent sources.
Sources: VentureBeat analysis of Grieco’s exclusive interview at RSAC 2026, cross-validated with reports from McGladrey (IEEE), Rees (Reputation), Maor (Cato Networks), and Zaitsev (CrowdStrike). May 2026.
| Security Gap | Failures and Costs | Current Stack Limitations | Vendor Control Status | Recommended Actions |
| --- | --- | --- | --- | --- |
| Infrastructure aging | Nearly half of critical network assets are end of life or nearing it (WPI Strategy); agents on unpatched systems inherit unfixable vulnerabilities | Annual patches lag behind threat pace; EoL systems get no updates or vendor support | Resilient Infrastructure disables risky defaults, alerts on configurations, and phases out legacy protocols over three releases | Infra team: audit all network assets against vendor EoL dates this quarter. Reclassify EoL replacements from IT upgrades to security investments in the next budget |
| MCP discovery | MCP servers spread without security oversight; developers create agent connections bypassing governance | Shadow MCP setups bypass discovery tools; no standard inventory mechanism; Maor showed attackers chaining MCP + Jira in a Living Off the AI attack | AI Defense adds MCP discovery, proxying, and inspection; treats MCP servers like shadow IT | Security ops: inventory MCP servers across environments before implementing agent governance controls. If MCP surface can’t be enumerated, it can’t be secured |
| Agent over-permissioning | Agents gain broad human-level access on a flat authorization plane; no need to escalate privileges (Rees) | IAM teams default to human profile cloning for agents (McGladrey); no scoped, time-bound permissions for non-human identities | Duo IAM registers agents as distinct entities with detailed, time-limited permissions per tool call | IAM team: stop cloning human accounts for agents. Define each agent’s permission by data set, action, and time window. Grieco’s test: can the finance agent access only the required expense report? |
| Agent behavioral visibility | Agent actions mimic human actions in logs (Zaitsev); an over-permissioned agent resembling a human is invisible to SOC | Default logs omit process tree lineage; no vendor offers a complete cross-platform behavioral baseline for agent activity | SOC telemetry integrates with Splunk for agent-specific monitoring and response | SOC lead: update logs to track process tree lineage, making agent actions distinguishable from human actions. If your SIEM can’t identify “human or agent?” for sessions, the gap is open |

“We must quickly adapt and evolve to outpace adversaries,” Grieco told VentureBeat.
The gaps outlined are real, as Grieco confirmed ongoing incidents. Controls are available, but no single vendor provides a complete solution.

