{"id":16894,"date":"2026-03-23T14:06:13","date_gmt":"2026-03-23T14:06:13","guid":{"rendered":"https:\/\/dmsretail.com\/RetailNews\/reimagining-security-for-the-agentic-workforce\/"},"modified":"2026-03-23T14:06:13","modified_gmt":"2026-03-23T14:06:13","slug":"reimagining-security-for-the-agentic-workforce","status":"publish","type":"post","link":"https:\/\/dmsretail.com\/RetailNews\/reimagining-security-for-the-agentic-workforce\/","title":{"rendered":"Reimagining Security for the Agentic Workforce"},"content":{"rendered":"<div>\n<p>Imagine you wake up tomorrow to some genuinely exciting news: you\u2019ve been authorized to hire 1,000 new expert-level teammates. Developers, marketers, ops specialists, data analysts, product managers \u2014 brilliant at their jobs, available around the clock, never burned out, never distracted.<\/p>\n<p>It\u2019s every business leader\u2019s dream. That product line you\u2019ve wanted to launch for two years but never had the engineering capacity for? Now you do. That new market you\u2019ve been eyeing but couldn\u2019t staff properly? It\u2019s within reach. The backlog of strategic projects that kept getting pushed because everyone was heads-down on the urgent stuff? You can start working through it.<\/p>\n<p>For the first time, the limit on what your organization can pursue isn\u2019t headcount or budget.
It\u2019s your own imagination. Sounds incredible, right?<\/p>\n<p>There\u2019s a huge catch, though. All these new digital coworkers\u2026 You can\u2019t check their references. You can\u2019t run a background check. You have to give them access to all your systems on day one. And here\u2019s the part that should really give you pause: they follow instructions literally, they don\u2019t know right from wrong, and they face zero consequences if something goes wrong.<\/p>\n<p>Still excited?<\/p>\n<p>That thought experiment isn\u2019t hypothetical. It\u2019s where most enterprises are right now with AI agents. And it\u2019s the dilemma I\u2019ll be exploring later today in my keynote at RSA.<\/p>\n<h2><strong>From Answering to Acting<\/strong><\/h2>\n<p>Not long ago, AI meant chatbots \u2014 tools that helped you write an email, summarize a document, answer a question. Useful, impressive even, but fundamentally passive. If a chatbot gave you a bad answer, you\u2019d shrug and move on.<\/p>\n<p>We\u2019re now in a different era entirely. AI agents don\u2019t just answer. They <em>act<\/em>. They plan multi-step tasks, call external tools, make decisions, and execute workflows autonomously. They can send emails on your behalf, modify files, run database commands, place orders, change firewall rules.<\/p>\n<p>The shift from information to action changes everything about how we need to think about risk.<\/p>\n<p>Here\u2019s a useful way to think about it: with a chatbot, the worst case is a wrong answer. With an agent, the worst case is a wrong <em>action<\/em>, and some actions can\u2019t be undone.<\/p>\n<p>There are already thousands of examples of where this shift has gone wrong. My \u201cfavorite\u201d was a situation where an investor ran an AI coding agent during a code freeze.
The instruction was explicit: \u201cdon\u2019t change anything without permission.\u201d The agent ran database commands anyway, deleted a live production database, tried to cover its tracks by creating fake data, and then when the damage became clear, apologized.<\/p>\n<p>Well, an apology is not a guardrail.<\/p>\n<h2><strong>The Gap Between Pilots and Production<\/strong><\/h2>\n<p>Here\u2019s a number that tells the whole story. In a recent Cisco survey of major enterprises, 85% reported having AI agent pilots underway. Only 5% had moved those agents into production.<\/p>\n<p>That 80-point gap isn\u2019t skepticism about AI\u2019s potential. It\u2019s a rational response to a genuine security problem. Organizations can see what agents can do. They\u2019re not sure yet they can trust them to do it safely.<\/p>\n<p>Closing that gap is what we\u2019re focused on at Cisco. And at RSA this week, we\u2019re laying out our approach across three areas: protecting agents from the world, protecting the world from agents, and detecting and responding to problems at the speed agents operate.<\/p>\n<h2><strong>Protecting agents from the world<\/strong> means ensuring agents can\u2019t be manipulated by bad actors.<\/h2>\n<p>This is way more subtle than it sounds. Traditional security scanning tools were built to test static software. They can\u2019t simulate what it looks like when an adversary tries to trick an AI mid-task into ignoring its instructions. Prompt injection (hiding malicious commands inside content that an agent reads) is already a real attack vector, and it\u2019s getting more sophisticated.<\/p>\n<p>Our Cisco Talos 2025 Year in Review report (released today) shows how AI is already being used to build new exploit kits, with the React2Shell vulnerability going from public disclosure to the most actively exploited flaw of 2025 in a matter of days. 
The speed of weaponization is accelerating, and we can\u2019t assume there\u2019ll be time to react after a vulnerability is disclosed.<\/p>\n<p>To help organizations test their agents before they go anywhere near production, we\u2019re launching AI Defense Explorer Edition, a self-service red teaming tool that lets developers and security teams run adversarial attacks against their own agents and find vulnerabilities first.<\/p>\n<p>We\u2019re also releasing an Agent Runtime SDK that embeds policy enforcement directly into agent workflows at build time, and an LLM Security Leaderboard that gives organizations a clear, objective way to evaluate how different AI models hold up against adversarial attacks, going well beyond the performance benchmarks that dominate most AI comparisons today.<\/p>\n<p>Last year at RSAC, we made history with the first open source foundation AI security model. Since then, we\u2019ve continued building in the open, releasing a suite of tools designed to answer the security questions developers face every day:<\/p>\n<ul>\n<li>Skills Scanner \u2014 What skills is this agent running, and are they safe?<\/li>\n<li>MCP Scanner \u2014 Are my MCP servers exposing malicious actions?<\/li>\n<li>AI BoM \u2014 What\u2019s inside my AI system \u2014 models, memory, dependencies?<\/li>\n<li>CodeGuard \u2014 Is the AI-generated code I\u2019m shipping introducing vulnerabilities?<\/li>\n<li>Model Provenance \u2014 Where did this model originate from, and has it been modified?<\/li>\n<\/ul>\n<p>This year we\u2019re open sourcing DefenseClaw \u2014 a secure agent framework that brings all of these tools together and utilizes hooks in Nvidia\u2019s OpenShell. 
With DefenseClaw, developers can deploy secure agents faster than ever:<\/p>\n<ul>\n<li>Every skill is scanned and sandboxed<\/li>\n<li>Every MCP server is checked for malicious actions<\/li>\n<li>Every AI asset \u2014 models, memory, skills \u2014 is automatically inventoried<\/li>\n<\/ul>\n<p>The result is zero manual security steps and zero separate tool installs. Security is a team sport, and no one knows that better than Cisco.<\/p>\n<h2><strong>Protecting the world from agents<\/strong> is an identity and access problem.<\/h2>\n<p>Today, most enterprises don\u2019t have a clear picture of which agents are running in their environment, what they have access to, or who\u2019s accountable if something goes wrong. That\u2019s a serious governance gap, and it\u2019s not remotely theoretical.<\/p>\n<p>Turning to the Talos 2025 Year in Review again, research shows that attackers are focused on the systems that verify identity and broker access: login flows, access gateways, and management platforms that sit at the center of how organizations grant trust. Nearly a third of all multi-factor authentication spray attacks targeted identity and access management systems specifically, a six percent jump from the year before.<\/p>\n<p>Adversaries go where they can do the most damage with the least effort, and right now, identity is that place.<\/p>\n<p>The good news is that we have a blueprint for this challenge. Think about how you\u2019d onboard a new employee. You verify who they are, define their role, give them access only to what they need for their job, and hold them accountable to a manager. Agents need the same treatment. 
Every agent should have a verified identity, a defined scope of permissions, and a human owner who\u2019s responsible for its behavior.<\/p>\n<p>This week, Cisco is extending Zero Trust to the agentic workforce through new capabilities in Duo IAM and Secure Access, so that every agent gets time-bound, task-specific permissions and security teams get real-time visibility into every agent and tool running in their environment, including the ones nobody officially sanctioned.<\/p>\n<h2><strong>Finally, we have to detect and respond to security threats and incidents at machine speed<\/strong>.<\/h2>\n<p>Agents operate faster than any human can monitor. When an attack unfolds through automated agentic activity, the window between \u201csomething is wrong\u201d and \u201cthe damage is done\u201d can be seconds. That math doesn\u2019t work if your security operations center is still running at human pace. Adversaries are already using agentic AI to scale their own operations by automating reconnaissance, building exploit kits, and expanding what one person or group can accomplish in a single campaign. Defenders need the same leverage.<\/p>\n<p>We\u2019re helping evolve the Security Operations Center (SOC) from reactive to proactive with new capabilities in Splunk, including Exposure Analytics for continuous real-time risk scoring, Detection Studio for streamlining how detections are built and deployed, and Federated Search that lets analysts investigate across distributed data environments without first pulling everything into a central location \u2014 a significant advantage as agentic activity generates exponentially more data.<\/p>\n<p>We\u2019re also deploying specialized AI agents within the SOC itself for detection, triage, and response. 
Not to replace analysts, but to handle the repetitive investigative work so that humans can focus on the decisions that need experience and judgment.<\/p>\n<h2><strong>Security is the Accelerator<\/strong><\/h2>\n<p>Here\u2019s what I find genuinely exciting about this moment. For most of the history of technology, security has played an important, but conservative role: identifying what could go wrong, slowing rollouts, and adding friction in the name of risk mitigation.<\/p>\n<p>With agentic AI, the dynamic flips. Security isn\u2019t the reason to slow down. It\u2019s the reason you <em>can<\/em> move fast. The 80-point gap between organizations piloting agents and those running them in production isn\u2019t a technology gap. It\u2019s a trust deficit that we can only make up if we reimagine security for the agentic workforce.<\/p>\n<p>We\u2019ve been here before. We made the internet trustworthy for commerce. We figured out cloud and mobile. The tools and mental models took time to develop, but they got there. 
The agentic era is the next frontier, and the organizations that get security right will be the ones that unlock the real potential of AI.<\/p>\n<p>Let\u2019s get to it.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Imagine you wake up tomorrow to some genuinely exciting news: you\u2019ve been authorized to hire 1,000 new expert-level teammates.
Developers, marketers, ops specialists, data analysts, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":16895,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-16894","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/16894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/comments?post=16894"}],"version-history":[{"count":0,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/16894\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media\/16895"}],"wp:attachment":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media?parent=16894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/categories?post=16894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/tags?post=16894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}