An AI agent belonging to a CEO modified the company’s security policy. This was not due to a breach, but because the agent identified a problem, lacked the necessary permissions, and independently lifted the restriction. All identity checks were successful. CrowdStrike CEO George Kurtz revealed this incident, along with another, during his RSAC 2026 keynote, both occurring in Fortune 50 companies.
The credentials were valid, and access was authorized, yet the outcome was disastrous.
This incident challenges the fundamental belief underlying IAM systems in use today: that valid credentials and authorized access ensure safety. These systems were designed for one user, one session, and one set of hands on a keyboard. Agents defy all these assumptions simultaneously.
In an exclusive conversation with VentureBeat at RSAC 2026, Matt Caulfield, VP of Identity and Duo at Cisco, discussed the architecture his team is developing to bridge this gap and presented a six-stage identity maturity model for managing agentic AI. The urgency is clear: Cisco President Jeetu Patel mentioned to VentureBeat at the same event that while 85% of enterprises are running agent pilots, only 5% have reached production, indicating an 80-point gap that identity work aims to bridge.
The identity stack was built for a workforce that has fingerprints
“Most of the existing IAM tools we have were designed for a different era,” Caulfield told VentureBeat. “They were built for human scale, not for agents.”
Common enterprise practice is to categorize agents as either human users or machine identities. “Agents represent a new type of identity,” Caulfield stated. “They are neither human nor machine. They exist in a middle ground where they have broad access like humans but operate at machine speed and scale, lacking any form of judgment.”
Etay Maor, VP of Threat Intelligence at Cato Networks, quantified the exposure. He conducted a live Censys scan and identified nearly 500,000 internet-facing OpenClaw instances. A week earlier, there were 230,000, indicating a doubling in just seven days.
Kayne McGladrey, an IEEE senior member advising enterprises on identity risk, independently reached the same conclusion. Organizations are replicating human user accounts for agentic systems, McGladrey told VentureBeat, but agents consume more permissions than humans due to their speed, scale, and intent.
While a human employee undergoes a background check, interview, and onboarding process, agents bypass all three. The onboarding assumptions of modern IAM are not applicable. The scale exacerbates the issue. Caulfield highlighted projections suggesting a trillion agents could function worldwide. “We barely know how many people are in an average organization,” he mentioned, “let alone the number of agents.”
Access control verifies the badge. It does not watch what happens next.
Zero trust still applies to agentic AI, Caulfield argued, but only if security teams extend it beyond access to include action-level enforcement. “We need to shift our focus to action-level control,” he told VentureBeat. “What action is that agent taking?”
A human employee with authorized access will not perform 500 API calls in three seconds. An agent will. Traditional zero trust checks if an identity can access an application but doesn’t scrutinize the actions taken once inside.
Carter Rees, VP of Artificial Intelligence at Reputation, explained the structural issue. The flat authorization plane of an LLM does not respect user permissions, Rees told VentureBeat. An agent on this flat plane does not need to escalate privileges as it already possesses them. Hence, access control alone is insufficient to manage what agents do post-authentication.
CrowdStrike CTO Elia Zaitsev highlighted the detection gap to VentureBeat. In most default logging configurations, distinguishing an agent’s activity from a human’s is impossible. Differentiating the two requires analyzing the process tree to check if a browser session was initiated by a human or an agent in the background. Most enterprise logging systems lack this capability.
Caulfield’s identity layer and Zaitsev’s telemetry layer address two sides of the same issue. No single vendor can bridge both gaps.
“At any moment, an agent can go rogue,” Caulfield remarked. “Agents might read the wrong website or email, and their intentions could abruptly change.”
How the request lifecycle works when agents have their own identity
At RSAC 2026, five vendors introduced agent identity frameworks, including Cisco, CrowdStrike, Palo Alto Networks, Microsoft, and Cato Networks. Caulfield detailed Cisco’s identity-layer approach in practice.
The Duo agent identity platform treats agents as primary identity objects, with unique policies, authentication needs, and lifecycle management. All agent traffic is channeled through an AI gateway supporting both MCP and traditional REST or GraphQL protocols. When an agent makes a request, the gateway authenticates the user, verifies the agent’s permission, encodes the authorization into an OAuth token, and assesses the specific action in real-time to decide if it should proceed.
“No solution to agent AI is complete without all three components,” Caulfield told VentureBeat. “The identity piece, the access gateway piece, and observability.”
Cisco announced its intention to acquire Astrix Security on May 4, signaling that agent identity discovery is now a priority at the board level. This also indicates that even vendors building identity platforms recognize the complexity of the discovery problem.
Six-stage identity maturity model for agentic AI
When a company claims to have 500 agents in production, Caulfield is skeptical. “How do you know it’s 500 and not 5,000?”
Most organizations lack a definitive source for agents. Caulfield proposed a six-stage engagement model.
The first stage is discovery: identifying every agent, its location, and who deployed it. Onboarding involves registering agents in the identity directory, assigning each to an accountable person, and defining permitted actions. Control and enforcement require placing a gateway between agents and resources to inspect every request and response. Behavioral monitoring involves recording all agent activity, flagging anomalies, and building an audit trail. Runtime isolation contains agents on endpoints when they go rogue. Compliance mapping aligns agent controls with audit frameworks before audits occur. These six stages are universal, regardless of which platform delivers each stage.
Maor’s Censys data complicates the first step before it begins. Organizations starting discovery should assume their agent presence is already visible to adversaries. Step four poses its own challenge. Zaitsev’s process-tree analysis reveals that even organizations logging agent activity might not capture the right data. Step three relies on something Rees found most enterprises lack: a gateway that inspects actions, not just access, due to the LLM’s disregard for permission boundaries set by the identity layer.
Agentic identity prescriptive matrix
This matrix outlines what to audit at each maturity stage, what operational readiness looks like, and the red flag indicating a stage is failing. It can be used to evaluate any platform or combination of platforms.
|
Stage |
What to audit |
Operational readiness looks like |
Red flag if missing |
|
1. Discovery |
Complete inventory of every agent, every MCP server it connects to, and every human accountable for it. |
A queryable registry that returns agent count, owner, and connection map within 60 seconds of an auditor asking. |
No registry exists. Agent count is an estimate. No human is accountable for any specific agent. Adversaries can see your agent infrastructure from the public internet before you can. |
|
2. Onboarding |
Agents are registered as a distinct identity type with their own policies, separate from human and machine identities. |
Each agent has a unique identity object in the directory, tied to an accountable human, with defined permitted actions and a documented purpose. |
Agents use cloned human accounts or shared service accounts. Permission sprawl starts at creation. No audit trail ties agent actions to a responsible human. |
|
3. Control |
A gateway between every agent and every resource it accesses, enforcing action-level policy on every request and every response. |
Four checkpoints per request: authenticate the user, authorize the agent, inspect the action, inspect the response. No direct agent-to-resource connections exist. |
Agents connect directly to tools and APIs. The gateway (if it exists) checks access but not actions. The flat authorization plane of the LLM does not respect the permission boundaries the identity layer set. |
|
4. Monitoring |
Logging that can distinguish agent-initiated actions from human-initiated actions at the process-tree level. |
SIEM can answer: Was this browser session started by a human or spawned by an agent? Behavioral baselines exist for each agent. Anomalies trigger alerts. |
Default logging treats agent and human activity as identical. Process-tree lineage is not captured. Agent actions are invisible in the audit trail. Behavioral monitoring is incomplete before it starts. |
|
5. Isolation |
Runtime containment that limits the blast radius if an agent goes rogue, separate from human endpoint protection. |
A rogue agent can be contained in its sandbox without taking down the endpoint, the user session, or other agents on the same machine. |
No containment boundary exists between agents and the host. A single compromised agent can access everything the user can. Blast radius is the entire endpoint. |
|
6. Compliance |
Documentation that maps agent identities, controls, and audit trails to the compliance framework that the auditor will use. |
When the auditor asks about agents, the security team produces a control catalog, an audit trail, and a governance policy written for agent identities specifically. |
Emerging AI-risk frameworks (CSA Agentic Profile) exist, but mainstream audit catalogs (SOC 2, ISO 27001, PCI DSS) have not operationalized agent identities. No control catalog maps to agents. The auditor improvises which human-identity controls apply. The security team answers with improvisation, not documentation. |
Source: VentureBeat analysis of RSAC 2026 interviews (Caulfield, Zaitsev, Maor) and independent practitioner validation (McGladrey, Rees). May 2026.
Compliance frameworks have not caught up
“If you were to go through an audit today as a chief security officer, the auditor’s probably gonna have to figure out, hey, there are agents here,” Caulfield told VentureBeat. “Which one of your controls is actually supposed to be applied to it? I don’t see the word agents anywhere in your policies.”
McGladrey’s practitioner experience confirms this gap. In April 2026, the Cloud Security Alliance released a NIST AI RMF Agentic Profile, suggesting autonomy-tier classification and runtime behavioral metrics. However, SOC 2, ISO 27001, and PCI DSS have yet to integrate agent identities. The compliance frameworks McGladrey encounters in enterprises were created for human identities. Agent identities are absent in any control catalog he has seen. The gap is a lagging indicator, but the risk is not.
Security director action plan
VentureBeat identified five actions based on insights from Caulfield, Zaitsev, Maor, McGladrey, and Rees.
-
Run an agent census and assume adversaries already did.
Every agent, every MCP server those agents connect to, and every human accountable. Maor’s Censys data confirms that agent infrastructure is already visible from the public internet. NIST’s NCCoE reached the same conclusion in its February 2026 concept paper on AI agent identity and authorization.
-
Stop cloning human accounts for agents.
McGladrey found that enterprises typically copy human user profiles, leading to permission sprawl from day one. Agents should have a distinct identity type with scope limits reflecting their actual functions.
-
Audit every MCP and API access path.
Five vendors introduced MCP gateways at RSAC 2026. The capability exists. The critical factor is whether agents route through one or connect directly to tools without action-level inspection.
-
Fix logging so it distinguishes agents from humans.
Zaitsev’s process-tree method shows that agent-initiated actions are invisible in most default configurations. Rees discovered authorization planes so flat that access logs alone miss actual behavior. Logging must capture what agents did, not just what they were allowed to access.
-
Build the compliance case before the auditor shows up.
The CSA published a NIST AI RMF Agentic Profile suggesting agent governance extensions. Most audit catalogs have not caught up. Caulfield told VentureBeat that auditors will encounter agents in production with no controls mapped to them. The documentation should be prepared before that conversation begins.
