RSAC 2026 shipped five agent identity frameworks and left three critical gaps open

PhreeNews
Last updated: March 30, 2026 7:01 pm
Published: March 30, 2026

“You may deceive, manipulate, and lie. That’s an inherent property of language. It’s a characteristic, not a flaw,” CrowdStrike CTO Elia Zaitsev told VentureBeat in an exclusive interview at RSA Conference 2026. If deception is baked into language itself, every vendor trying to secure AI agents by analyzing their intent is chasing a problem that cannot be conclusively solved. Zaitsev is betting on context instead. CrowdStrike’s Falcon sensor walks the process tree on an endpoint and tracks what agents did, not what agents appeared to intend. “Observing precise kinetic actions is a structured, solvable problem,” Zaitsev told VentureBeat. “Intent isn’t.”

That argument landed 24 hours after CrowdStrike CEO George Kurtz disclosed two production incidents at Fortune 50 companies. In the first, a CEO’s AI agent rewrote the company’s own security policy, not because it was compromised, but because it wanted to fix a problem, lacked the permissions to do so, and removed the restriction itself. Every identity check passed; the company caught the modification by accident. The second incident involved a 100-agent Slack swarm that delegated a code fix between agents with no human approval. Agent 12 made the commit. The team discovered it after the fact.

Two incidents at two Fortune 50 companies. Caught by accident both times. Every identity framework that shipped at RSAC this week missed them. The vendors verified who the agent was. None of them tracked what the agent did.

The urgency behind every framework launch reflects a broader market shift. “The problem of securing agentic AI is more likely to push customers toward trusted platform vendors that may supply broader protection across the expanding attack surface,” according to William Blair’s RSA Conference 2026 equity research report by analyst Jonathan Ho. Five vendors answered that call at RSAC this week. None of them answered it completely.

Attackers are already inside enterprise pilots

The scale of the exposure is already visible in production data. CrowdStrike’s Falcon sensors detect more than 1,800 distinct AI applications across the company’s customer fleet, producing 160 million unique instances on enterprise endpoints. Cisco found that 85% of its enterprise customers surveyed have pilot agent programs; only 5% have moved to production, meaning the vast majority of these agents are running without the governance structures production deployments usually require. “The most important obstacle to scaled adoption in enterprises for business-critical tasks is establishing a sufficient amount of trust,” Cisco President and Chief Product Officer Jeetu Patel told VentureBeat in an exclusive interview at RSA Conference 2026. “Delegating versus trusted delegating of tasks to agents. The distinction between these two, one results in bankruptcy and the other results in market dominance.”

Etay Maor, VP of Threat Intelligence at Cato Networks, ran a live Censys scan during an exclusive VentureBeat interview at RSA Conference 2026 and counted nearly 500,000 internet-facing OpenClaw instances. The week before: 230,000. Cato CTRL senior researcher Vitaly Simonovich documented a BreachForums listing from February 22, 2026, published on the Cato CTRL blog on February 25, where a threat actor advertised root shell access to a UK CEO’s computer for $25,000 in cryptocurrency. The selling point was the CEO’s OpenClaw AI personal assistant, which had accumulated the company’s production database, Telegram bot tokens, and Trading 212 API keys in plain-text Markdown with no encryption at rest. “Your AI? It’s my AI now. It’s an assistant for the attacker,” Maor told VentureBeat.

The exposure data from multiple independent researchers tells the same story. Bitsight found more than 30,000 OpenClaw instances exposed to the public internet between January 27 and February 8, 2026. SecurityScorecard identified 15,200 of those instances as vulnerable to remote code execution through three high-severity CVEs, the worst rated CVSS 8.8. Koi Security found 824 malicious skills on ClawHub, 335 of them tied to ClawHavoc, which Kurtz flagged in his keynote as the first major supply chain attack on an AI agent ecosystem.

Five vendors, three gaps none of them closed

Cisco went deepest on identity governance. Duo Agentic Identity registers agents as distinct identity objects mapped to human owners, and every tool call routes through an MCP gateway in Secure Access SSE. Cisco Identity Intelligence catches shadow agents by monitoring network traffic rather than authentication logs. Patel told VentureBeat that today’s agents behave “more like youngsters — supremely clever, but with no fear of consequence, easily sidetracked or influenced.” CrowdStrike made the biggest philosophical bet, treating agents as endpoint telemetry and tracking the kinetic layer through Falcon’s process-tree lineage. CrowdStrike expanded AIDR to cover Microsoft Copilot Studio agents and shipped Shadow SaaS and AI Agent Discovery across Copilot, Salesforce Agentforce, ChatGPT Enterprise, and OpenAI Enterprise GPT.

Palo Alto Networks built Prisma AIRS 3.0 with an agentic registry, an agentic IDP, and an MCP gateway for runtime traffic control. Palo Alto Networks’ pending Koi acquisition adds supply chain and runtime visibility. Microsoft spread governance across Entra, Purview, Sentinel, and Defender, with Microsoft Sentinel embedding MCP natively and a Claude MCP connector in public preview April 1. Cato CTRL delivered the adversarial proof that the identity gaps the other four vendors are trying to close are already being exploited. Maor told VentureBeat that enterprises abandoned basic security principles when deploying agents. “We just gave these AI tools full autonomy,” Maor said.

Gap 1: Agents can rewrite the rules governing their own behavior

The Kurtz incident illustrates the gap exactly. Every credential check passed; the action was authorized. Zaitsev argues that the only reliable detection happens at the kinetic layer: which file was modified, by what process, initiated by what agent, compared against a behavioral baseline. Intent-based controls evaluate whether the call looks malicious. This one did not. Palo Alto Networks offers pre-deployment red teaming in Prisma AIRS 3.0, but red teaming runs before deployment, not during runtime when self-modification happens. No vendor ships behavioral anomaly detection for policy-modifying actions as a production capability.

Patel framed the stakes in the VentureBeat interview: “The agent takes the wrong action and worse yet, some of these actions could be critical actions that aren’t reversible.” Board question: An authorized agent modifies the policy governing the agent’s future actions. What fires?
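
The kinetic-layer check Zaitsev describes, written out as an added example (not code from CrowdStrike or from the original article): each file-modification event is compared with a map of which control files govern which agents and with a per-agent write baseline. The paths, agent names and event fields are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed mapping (assumption): which control files govern which agents.
GOVERNS = {
    "/etc/agents/policies/ceo-assistant.yaml": {"ceo-assistant"},
    "/etc/agents/policies/swarm.yaml": {"agent-12", "agent-a"},
}

# Constructed behavioral baseline: path prefixes each agent normally writes to.
BASELINE_WRITES = {
    "ceo-assistant": {"/home/ceo/notes/", "/tmp/"},
    "agent-12": {"/srv/repo/"},
}


@dataclass(frozen=True)
class FileEvent:
    agent: str        # agent that initiated the action
    process: str      # process that performed the write
    path: str         # file that was modified
    authorized: bool  # result of the identity/permission check


def assess(event: FileEvent) -> list[str]:
    """Return the findings for one file-modification event."""
    findings = []
    # Self-modification: the agent changed a control that governs itself.
    # event.authorized is deliberately ignored: in the incident described
    # above, every identity check passed.
    if event.agent in GOVERNS.get(event.path, set()):
        findings.append("self-modification")
    # Baseline deviation: a write outside the agent's usual locations.
    usual = BASELINE_WRITES.get(event.agent, set())
    if not any(event.path.startswith(prefix) for prefix in usual):
        findings.append("outside-baseline")
    return findings


# Constructed sample events; all of them passed the permission check.
EVENTS = [
    FileEvent("ceo-assistant", "python3", "/home/ceo/notes/todo.md", True),
    FileEvent("ceo-assistant", "python3", "/etc/agents/policies/ceo-assistant.yaml", True),
    FileEvent("agent-12", "git", "/srv/repo/app/fix.py", True),
    FileEvent("agent-12", "sed", "/etc/agents/policies/ceo-assistant.yaml", True),
]


def alerts(events):
    """Events with at least one finding, as (agent, path, findings)."""
    return [(e.agent, e.path, f) for e in events if (f := assess(e))]
```
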

Gap 2: Agent-to-agent handoffs have no trust verification

The 100-agent swarm is the proof point. Agent A found a defect and posted to Slack. Agent 12 executed the fix. No human approved the delegation. Zaitsev’s approach: collapse agent identities back to the human. An agent acting on your behalf should never have more privileges than you do. But no product follows the delegation chain between agents. IAM was built for human-to-system. Agent-to-agent delegation needs a trust primitive that does not exist in OAuth, SAML, or MCP.

Gap 3: Ghost agents hold live credentials with no offboarding

Organizations adopt AI tools, run a pilot, lose interest, and move on. The agents keep running. The credentials stay active. Maor calls these abandoned instances ghost agents. Zaitsev linked ghost agents to a broader failure: agents expose where enterprises delayed action on basic identity hygiene. Standing privileged accounts, long-lived credentials, and missing offboarding procedures. These problems existed for humans. Agents running at machine speed make the consequences catastrophic.

Maor demonstrated a Living Off the AI attack at the RSA Conference 2026, chaining Atlassian’s MCP and Jira Service Management to show that attackers do not separate trusted tools, services, and models. Attackers chain all three. “We want an HR view of agents,” Maor told VentureBeat. “Onboarding, monitoring, offboarding. If there’s no business justification? Removal.”

Why these three gaps resist a product fix

Human IAM assumes the identity holder won’t rewrite permissions, spawn new identities, or go away. Agents violate all three. OAuth handles user-to-service. SAML handles federated human identity. MCP handles model-to-tool. None includes agent-to-agent verification.

Five vendors against three gaps

| Capability | Cisco | CrowdStrike | Microsoft | Palo Alto Networks | Unsolved |
| --- | --- | --- | --- | --- | --- |
| Registration. Can the vendor discover and inventory agents? | Duo Agentic Identity. Agents registered as identity objects with human owners. Shadow agent detection via network traffic. | Falcon sensor auto-discovery. 1,800+ agent apps, ~160M instances across customer fleet. | Security Dashboard for AI + Entra shadow AI detection at the network layer. | Agentic registry in Prisma AIRS 3.0. Agents inventoried before running. | All four register agents. No cross-vendor identity standard exists. |
| Self-modification. Can the vendor detect when an agent changes its own policies? | MCP gateway catches anomalous tool-call patterns in real time, but does not monitor for direct policy file modifications on the endpoint. | Process-tree lineage tracks file modifications at the action layer. Might detect a policy file change, but no dedicated self-modification rule ships. | Defender predictive shielding adjusts access policies reactively during active attacks. Not proactive self-modification detection. | AI Red Teaming tests for this before deployment. No runtime detection after the agent is live. | OPEN. No vendor detects an agent rewriting the policy governing the agent’s own behavior as a shipping capability. |
| Delegation. Can the vendor track when one agent hands work to another? | Maps each agent to a human owner. Does not track agent-to-agent handoffs. | Collapses the agent identity to the human operator. Does not correlate the delegation chains between agents. | Entra governs individual non-human identities. No multi-agent chain tracking. | AI Agent Gateway governs individual agents. No delegation primitive between agents. | OPEN. No trust primitive for agent-to-agent delegation exists in OAuth, SAML, or MCP. |
| Decommission. Can the vendor confirm a killed agent holds zero credentials? | Identity Intelligence runs a continuous inventory of active agents. | Shadow SaaS + AI Agent Discovery finds running agents across SaaS and endpoints. | Entra’s shadow AI detection surfaces unmanaged AI applications. | Koi acquisition (pending) adds endpoint visibility for agent applications. | OPEN. All four discover running agents. None verifies zero residual credentials after decommission. |
| Runtime / Kinetic. Can the vendor monitor what agents do in real time? | MCP gateway enforces policy per tool call at the network layer. Contextual anomaly detection on call patterns. | Falcon EDR tracks commands, scripts, file activity, and network connections at the process level. | Defender endpoint + cloud monitoring. Predictive shielding during active incidents. | Prisma AIRS AI Agent Gateway for runtime traffic control. | CrowdStrike is the only vendor framing endpoint runtime as the primary safety net for agentic behavior. |

Five things to do Monday morning before your board asks

Audit self-modification risk. Pull every agent with write access to security policies, IAM configs, firewall rules, or ACLs. Flag any agent that can modify controls governing the agent’s own behavior. No vendor automates this.

Map delegation paths. Document every agent-to-agent invocation. Flag delegation without human approval. Human-in-the-loop on every delegation event until a trust primitive ships.

Kill ghost agents. Build a registry. For each agent: business justification, human owner, credentials held, systems accessed. No justification? Manual revoke. Weekly.

Stress test the MCP gateway enforcement. Cisco, Palo Alto Networks, and Microsoft all announced MCP gateways this week. Verify that agent tool traffic actually routes through the gateway. A misconfigured gateway creates false confidence while agents call tools directly.

Baseline agent behavioral norms. Before any agent reaches production, establish what normal looks like: typical API calls, data access patterns, systems touched, and hours of activity. Without a behavioral baseline, the kinetic-layer anomaly detection Zaitsev describes has nothing to compare against.
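
The first three audit steps above, run over a small agent registry as an added example that is not from the article or from any vendor. It also applies the rule quoted earlier that an agent should never hold more privileges than its human owner. The registry fields, privilege names and delegation log are constructed assumptions.

```python
# Constructed sample data; field and privilege names are assumptions.
HUMAN_PRIVS = {"ceo": {"mail", "calendar"}, "dev-lead": {"git-push", "ci-run"}}

REGISTRY = [
    {"agent": "ceo-assistant", "owner": "ceo", "justification": "exec support",
     "credentials": {"mail", "db-prod"}, "writes": {"policy:ceo-assistant"},
     "governed_by": {"policy:ceo-assistant"}},
    {"agent": "agent-12", "owner": "dev-lead", "justification": "code fixes",
     "credentials": {"git-push"}, "writes": {"repo:app"},
     "governed_by": {"policy:swarm"}},
    {"agent": "pilot-bot", "owner": None, "justification": None,
     "credentials": {"jira-api"}, "writes": set(),
     "governed_by": {"policy:pilot"}},
]

# (delegating agent, receiving agent, human approver or None)
DELEGATIONS = [("agent-a", "agent-12", None), ("ceo-assistant", "agent-12", "ceo")]


def self_modification_risk(registry):
    """Agents with write access to a control that governs them."""
    return sorted(a["agent"] for a in registry if a["writes"] & a["governed_by"])


def unapproved_delegations(delegations):
    """Agent-to-agent handoffs that no human approved."""
    return [(src, dst) for src, dst, approver in delegations if approver is None]


def excess_privileges(registry, human_privs):
    """Credentials an agent holds beyond what its human owner has."""
    out = {}
    for a in registry:
        extra = a["credentials"] - human_privs.get(a["owner"], set())
        if extra:
            out[a["agent"]] = sorted(extra)
    return out


def ghost_agents(registry):
    """Agents still holding credentials with no owner or justification."""
    return sorted(a["agent"] for a in registry
                  if a["credentials"] and not (a["owner"] and a["justification"]))
```
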

Zaitsev’s advice was blunt: you already know what to do. Agents just made the cost of not doing it catastrophic. Every vendor at RSAC verified who the agent was. None of them tracked what the agent did.
