Anthony Grieco, Cisco's SVP and chief security and trust officer, didn't hesitate when VentureBeat asked whether rogue agent incidents are reaching Cisco's customer base.
"100%. We see them often," Grieco told VentureBeat in an exclusive interview at RSAC 2026. "I've heard some that I can't repeat, but they do get to the places of, you know, agents are doing things that they think are the right things to do."
The incidents Grieco described follow a consistent pattern: authentication passes, identity checks clear. The agent is exactly who it claims to be. Then it accesses data it was never scoped to touch or takes an action no one authorized at that level of granularity. The failure is not identity; it's authorization.
"The enterprise is saying things like, we're gonna have 500 agents per employee," Grieco told VentureBeat. "The security leaders are really focused on how can we make sure that we do that securely."
Cisco's State of AI Security 2026 report found that 83% of organizations planned to deploy agentic capabilities, but only 29% felt prepared to secure them. Five vendors shipped agent identity frameworks at RSAC 2026. None closed every gap. That includes Cisco.
VentureBeat mapped four authorization gaps across Grieco's exclusive interview and five independent sources. The prescriptive matrix at the end of this story is what to do about them.
The authorization gap no one has closed yet
Grieco came up through Cisco's engineering and threat research organizations before taking a role that straddles both sides of the company's security operation: building the products Cisco sells and running the program that defends Cisco itself.
The authorization gap he described is specific and operational.
"This agent here's a finance agent, but even if it's a finance agent, it shouldn't access all finance data," Grieco told VentureBeat. "It should access the expense reports, and not just expense reports, but the individual expense reports at a specific time. Getting that kind of granular control is really one of the biggest things that are gonna help us say yes to a lot of the agentic advancements."
Independent practitioners confirmed the pattern throughout RSAC 2026. Kayne McGladrey, an IEEE senior member, told VentureBeat that organizations default to cloning human user profiles for agents, and permission sprawl begins on day one. Carter Rees, VP of AI at Reputation, identified the structural cause. The flat authorization plane of an LLM fails to respect user permissions, Rees told VentureBeat. An agent on that flat plane doesn't need to escalate privileges. It already has them.
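The scoped, time-bound grant Grieco describes and the flat, cloned-profile access Rees and McGladrey warn about, evaluated side by side, as an added example (not Cisco's, Duo's or any vendor's code; the grant format, principal name, resource paths and timestamps are assumed for illustration):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Assumed policy shape (not any product's format): one grant names a principal,
# an allowed action, a resource glob and the window in which it is valid.
@dataclass(frozen=True)
class Grant:
    principal: str
    action: str
    resource: str          # e.g. "finance/expense_reports/emp-1042/2026-04"
    not_before: datetime
    not_after: datetime

def authorize(grants, principal, action, resource, at):
    """Authorization step only: authentication is assumed to have passed.
    True iff some grant for this principal covers the action, matches the
    resource pattern and is valid at the request time."""
    return any(
        g.principal == principal
        and g.action == action
        and fnmatchcase(resource, g.resource)
        and g.not_before <= at <= g.not_after
        for g in grants
    )

NOW = datetime(2026, 5, 4, 14, 0, tzinfo=timezone.utc)  # constructed clock

# Anti-pattern: the agent is handed a clone of a finance employee's standing
# access. Every request below passes, which is the flat authorization plane.
CLONED_HUMAN = [Grant("finance-agent", "read", "finance/*",
                      NOW - timedelta(days=365), NOW + timedelta(days=365))]

# Grieco's test: only the individual expense report it needs, right now.
SCOPED_AGENT = [Grant("finance-agent", "read",
                      "finance/expense_reports/emp-1042/2026-04",
                      NOW - timedelta(minutes=5), NOW + timedelta(minutes=10))]

REQUESTS = [  # constructed sample requests: (action, resource, time)
    ("read", "finance/expense_reports/emp-1042/2026-04", NOW),   # in scope
    ("read", "finance/expense_reports/emp-2077/2026-04", NOW),   # other employee
    ("read", "finance/payroll/2026-Q1", NOW),                    # other data set
    ("read", "finance/expense_reports/emp-1042/2026-04",
     NOW + timedelta(hours=2)),                                  # window expired
]

def compare(requests):
    """Return (cloned_human_decision, scoped_agent_decision) per request."""
    return [(authorize(CLONED_HUMAN, "finance-agent", a, r, t),
             authorize(SCOPED_AGENT, "finance-agent", a, r, t))
            for a, r, t in requests]
```

Only the first request is allowed under the scoped grant, while the cloned profile allows all four, including the one outside the time window.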
"The biggest challenge that we see is understanding what's happening," Grieco said. "Being able to have identity and access control maps to those, that's really important."
Elia Zaitsev, CTO of CrowdStrike, described the visibility dimension in an exclusive VentureBeat interview at RSAC 2026. In most default logging configurations, an agent's activity is indistinguishable from a human's. Distinguishing the two requires walking the process tree. Most enterprise logging can't make that distinction.
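The process-tree walk Zaitsev refers to, as an added example that is not CrowdStrike's, Cisco's or the article's code; the JSON telemetry format, process images and the list of agent runtimes are constructed assumptions:

```python
import json

# Constructed sample telemetry (not from any real product). Each record is a
# process-start event. Both sessions run as the same user, which is why a
# user-based SIEM query cannot tell the human session from the agent session.
SAMPLE_LOG = """
{"pid": 100, "ppid": 1,   "user": "jdoe", "image": "explorer.exe"}
{"pid": 200, "ppid": 100, "user": "jdoe", "image": "excel.exe"}
{"pid": 300, "ppid": 1,   "user": "jdoe", "image": "agent-runtime.exe"}
{"pid": 310, "ppid": 300, "user": "jdoe", "image": "cmd.exe"}
{"pid": 320, "ppid": 310, "user": "jdoe", "image": "excel.exe"}
"""

# Assumed: the SOC maintains the list of images that identify an agent
# orchestrator. The name here is a placeholder.
AGENT_RUNTIMES = {"agent-runtime.exe"}

def load_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines()]

def lineage(events, pid):
    """Walk ppid pointers from pid to the root; return the image chain.
    The seen-set guards against cycles in malformed telemetry."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain

def classify(events, pid):
    """'agent' if the process or any ancestor is an agent runtime, else 'human'."""
    hit = any(img in AGENT_RUNTIMES for img in lineage(events, pid))
    return "agent" if hit else "human"

def classify_all(events):
    """Label every event so the SOC can answer 'human or agent?' per process."""
    return {e["pid"]: classify(events, e["pid"]) for e in events}

EVENTS = load_events(SAMPLE_LOG)
```

The two excel.exe launches (pids 200 and 320) look identical by user and image; only the lineage separates the human-started one from the agent-started one.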
Five vendors shipped agent identity frameworks at RSAC, including Cisco's Duo IAM and MCP gateway controls. None closed every gap VentureBeat identified. The four gaps below are what remains open.
Standards bodies are converging on the same analysis
The authorization and identity gaps Grieco described aren't just vendor observations. Three independent standards bodies reached parallel conclusions in early 2026. NIST's NCCoE published a concept paper in February 2026, "Accelerating the Adoption of Software and AI Agent Identity and Authorization," explicitly calling for demonstration projects on how existing identity standards apply to autonomous agents.
The OWASP Top 10 for Agentic Applications, released in December 2025, identified tool misuse from over-privileged access and unsafe delegation as top-tier risks. And the Cloud Security Alliance launched the CSAI Foundation at RSAC 2026 with a mission of "Securing the Agentic Control Plane," including a dedicated Agentic AI IAM framework built around decentralized identifiers and zero trust principles. When NIST, OWASP, and CSA all independently flag the same gap class in the same market cycle, the signal is structural, not vendor-specific.
MCP security requires discovery before control
VentureBeat asked Grieco about the paradox of MCP, the Model Context Protocol that every vendor at RSAC 2026 embraced while acknowledging its security gaps. Grieco didn't argue that the protocol is safe. He argued that blocking it isn't realistic.
"There is no saying no to that in today's day and age as a security leader," Grieco told VentureBeat. "And so it's how can we manage that."
Inside Cisco's own environment, Grieco's team added MCP discovery, proxying, and inspection capabilities to AI Defense and Cisco Secure Access. The approach treats MCP servers the way enterprises treat shadow IT: find them before you govern them.
Etay Maor, VP of threat intelligence at Cato Networks, validated that approach from the adversarial side. At RSAC 2026, Maor demonstrated a Living Off the AI attack chaining Atlassian's MCP and Jira Service Management. Attackers don't separate trusted tools, services, and models. They chain all three. "We need an HR view of agents," Maor told VentureBeat. "Onboarding, monitoring, offboarding."
Nearly half of critical infrastructure is obsolete and unpatched
Agent authorization failures are harder to detect and contain when the infrastructure beneath them has not received a security patch in years, and that gap compounds every other vulnerability in this story. Cisco commissioned UK-based advisory firm WPI Strategy to examine end-of-life technology risk across the US, UK, France, Germany, and Japan. The report found that nearly half of the critical network infrastructure across these geographies is aging or already obsolete. Vendors no longer patch it.
"Almost 50% of the critical infrastructure across these geographies was aging, it was end of life or almost end of life," Grieco told VentureBeat. "It means vendors aren't providing security patches for them anymore."
Cisco's Resilient Infrastructure initiative disables unused features by default and phases out legacy protocols on a three-release deprecation schedule. Grieco pushed back on the idea that secure by default is a static achievement. "One of the things that most people don't think about is that these aren't static deadlines," Grieco told VentureBeat. "It's not like you do it once and you're done."
Agentic enterprise security gap matrix
The four gaps below are what security directors can act on Monday morning. Each row maps from what breaks to why it breaks to what to do about it, cross-validated by five independent sources.
Sources: VentureBeat analysis of Grieco's exclusive interview at RSAC 2026, cross-validated against independent reporting from McGladrey (IEEE), Rees (Reputation), Maor (Cato Networks), and Zaitsev (CrowdStrike). May 2026.
| Security gap | What fails and what it costs | Why your current stack doesn't catch it | Where vendor controls stand now | First action for your team |
| --- | --- | --- | --- | --- |
| Infrastructure aging | Nearly half of critical network assets are end of life or approaching it (WPI Strategy); agents running on unpatched systems inherit vulnerabilities no vendor will fix | Annual patching cadence can't keep pace with threat velocity; EoL systems receive zero security updates and zero vendor support | Resilient Infrastructure disables insecure defaults, warns on risky configurations, deprecates legacy protocols on a three-release schedule | Infra team: audit every network asset against vendor EoL dates this quarter. Reclassify EoL replacement from IT upgrade to security investment in the next budget cycle |
| MCP discovery | MCP servers proliferate across environments without security visibility; developers spin up agent tool connections that bypass existing governance | Shadow MCP deployments bypass existing discovery tools; no standard inventory mechanism exists; Maor demonstrated attackers chaining MCP + Jira in a Living Off the AI attack | AI Defense adds MCP discovery, proxying, and inspection; treats MCP servers like shadow IT | Security ops: run an MCP server inventory across all environments before deploying any agent governance controls. If you can't enumerate your MCP surface, you can't secure it |
| Agent over-permissioning | Agents inherit broad human-level access on a flat authorization plane; the agent doesn't need to escalate privileges because it already has them (Rees) | IAM teams clone human profiles for agents by default (McGladrey); no scoped, time-bound permissions exist for non-human identities | Duo IAM registers agents as distinct identity objects with granular, time-bound permissions per tool call | IAM team: stop cloning human accounts for agents immediately. Scope every agent permission to a specific data set, specific action, and specific time window. Grieco's test: can this finance agent access only the individual expense report it needs at this moment? |
| Agent behavioral visibility | Agent actions are indistinguishable from human actions in security logs (Zaitsev); an over-permissioned agent that looks like a human in logs is invisible to the SOC | Default logging doesn't capture process tree lineage; no vendor has shipped a complete cross-platform behavioral baseline for agent activity | SOC telemetry integration with Splunk for agent-specific detection and response | SOC lead: update logging to capture process tree lineage so agent-initiated actions are distinguishable from human-initiated actions. If your SIEM can't answer "was this a human or an agent?" for every session, the gap is open |
"Frankly, we have to move this quickly and evolve this quickly to keep up with where the adversaries are gonna go," Grieco told VentureBeat.
The gaps mapped above aren't theoretical. Grieco confirmed the incidents are already happening. The controls exist in pieces across multiple vendors. No single vendor has assembled the whole stack.