Field Brief Agent Security May 2026

AI Agents Are the New Shadow IT

The first wave of enterprise AI answered questions. The next wave takes actions: opening tickets, querying logs, changing code, joining workflows, and calling tools through protocols like MCP. That is powerful. It is also a new workforce of non-human identities that most security programs cannot fully see yet.

Jack Riebel
Jack Riebel May 2026
Identity Non-human workers need clear ownership and access control
Governance Agents need least privilege, policy, and auditability
Network Fabric SASE and segmentation need to account for agent traffic
Defense Runtime inspection matters as agents start taking action
Identity Ratio 109:1 Machine-to-Human Identities
Risk Signal 87% AI Risk Growing Fastest
Guardrails 86% Agents May Outpace Guardrails
Visibility 23% Full Agent Visibility
Research $100M Project Glasswing Credits
Source Trail Palo Alto Networks WEF Rubrik Zero Labs Anthropic Cisco

What Changed?

Copilots changed how people work. Agents change who, or what, is doing the work.

For the last two years, most enterprise AI conversations have centered on productivity: writing emails, summarizing meetings, drafting code, answering questions. Those use cases matter, but they are not the security inflection point. The inflection point is action. Once an AI system can call APIs, browse internal systems, trigger workflows, write to repositories, query a SIEM, update a ticket, or run an MCP tool, it stops being a chatbot and starts behaving like a digital worker.

That is why I think the right mental model is not "AI app." It is shadow IT with agency. The old version of shadow IT was a SaaS app someone expensed on a credit card. The new version is an autonomous workflow someone connected to Slack, GitHub, Salesforce, ServiceNow, Splunk, or an MCP server because it made their job faster. The business value is obvious. The governance gap is just as obvious.

Interactive Fabric View

Agent Workforce Over SASE

Flip the posture to see how remote users, branches, and role-based AI agents move through SASE, ZTNA, segmentation, microsegmentation, and telemetry before reaching enterprise apps.

Remote Work + Agent Requests

Employees ask AI agents to sell, code, investigate alerts, update tickets, and pull business data from anywhere.

AI
AI Sales Agent Remote seller asks for account context, pipeline notes, and customer follow-up.
AI
AI Coding Agent Developer asks it to inspect repos, open pull requests, and check build context.
AI
AI SOC Agent Borrowed credentials let agents wander across tools without clear owners or boundaries.
SASE / SSE Edge ZTNA + SWG + CASB + DLP + FWaaS + SD-WAN Remote access exists, but agent traffic is treated too much like normal user traffic.
Allowed Review Blocked
Control Path Open access: remote agents inherit broad reach
Cloud Edge SASE Remote traffic only partially classified
Badge Check ZTNA Trust inherited from token
Floor Assignment Segmentation Fabric Flat east-west reach
Room Keys Microsegmentation No workload boundary
Access Log SOC Telemetry Logs are scattered
Enterprise Building Unmanaged: every agent sees too many floors
Floor 4SaaS
SalesforceRead all account data
ServiceNowCreate + close tickets
WebexPost to broad rooms
Floor 3Cloud / Dev
GitHubOpen pull requests
Floor 2Data Center
SplunkRead all indexes
Floor 1Restricted
Prod DBReachable network path
PayrollOut of scope but visible
Unmanaged: useful, but overexposed

The agent can complete the task, but it can also reach systems it does not need. A compromised prompt, token, or MCP tool has too much room to move.

What microsegmentation adds

Instead of trusting the whole network path, each workload or application segment gets its own allowed behavior. The agent can reach Splunk for the incident, but not payroll or the production database.

This does not mean agents are bad. It means they need the same seriousness we apply to privileged users, service accounts, APIs, endpoints, and third-party integrations. An agent that can only summarize a public document is low risk. An agent that can read customer records, file firewall changes, open cloud consoles, create pull requests, or send messages on behalf of an employee is part of the control plane.

The Shadow Workforce Is Already Here

The identity problem is bigger than agents, but agents make it harder to ignore.

Security teams already live in a world where non-human identities outnumber people. Service accounts, automation roles, API keys, workload identities, CI/CD tokens, third-party connectors, and bots have been multiplying for years. Palo Alto Networks' 2026 Identity Security Landscape reports that machine identities, including AI agents, now outnumber human identities 109 to 1 (Palo Alto Networks / CyberArk, 2026).

The Species Shift

Machine and AI identities now dramatically outnumber human identities.

The Control Gap

Agent adoption is moving faster than visibility, rollback, and runtime controls.

Agents intensify this because they do not just hold credentials. They reason, chain tools together, and make decisions based on changing context. A traditional service account usually does one thing. An agent might read a ticket, search a knowledge base, query Splunk, inspect a GitHub repo, summarize findings in Webex, and recommend a firewall change. If you cannot answer who owns that agent, what it is allowed to touch, what data it moved, and why it took an action, you do not have agent governance. You have automation with a blindfold on.

The uncomfortable question
If an agent makes a bad change at 2:13 a.m., does your SOC see a user, a service account, an API call, a workflow run, an MCP tool invocation, or nothing useful at all?

The New Attack Surface

Prompt injection gets the headlines. The bigger risk is the chain: identity, tools, data, behavior, and recovery.

A lot of AI security content starts and ends with prompt injection. That is a real issue, but it is only one layer. Agentic systems create compound risk because the model sits between the user, the tools, the data, and the action. A malicious web page, poisoned document, compromised MCP server, overbroad API token, or hidden instruction in a ticket can all become meaningful if the agent has enough permission and too little inspection.

Illustrative Agent Control Map

A conceptual index, not survey data: where agentic risk pressure is high and where many enterprise controls are still maturing.

This is where MCP matters. MCP is a useful standard because it gives agents a consistent way to connect to tools. But a standard connector is still a connector. If an MCP server exposes file reads, shell access, web fetches, ticket updates, or sensitive business data, it becomes part of your supply chain. Cisco's open-source MCP Scanner is aimed at exactly this layer: inspecting MCP servers, tool definitions, prompts, resources, manifests, credentials, network permissions, and behavior drift before those components are trusted (Cisco AI Defense / MCP Scanner).

The goal is not to ban agents. That would be like banning APIs because some APIs are risky. The goal is to stop treating agent access as an experiment. Agents need owners. They need scoped permissions. They need runtime policy. They need logs that a SOC can understand. And when they make a mistake, the organization needs a way to unwind the blast radius.

Agents Need a Fabric, Not a Fence

When agents are launched by remote users, contractors, branches, and developers, the question is not just whether they can log in. It is how SASE/SSE and the network fabric route, inspect, and constrain what they can reach afterward.

Your floor analogy is the right way to explain it. A flat network is like putting developers, sales, finance, HR, and security in cubicles on the same open floor. Everyone may have different jobs, but once someone gets onto the floor, they can walk around and try doors they were never supposed to touch. A segmented fabric is more like giving each team its own floor. They may share the same building, elevators, power, and badge system, but the policy decides who can reach which floor. SASE/SSE becomes the front door for people and agents working remotely; SD-WAN and the network fabric help connect locations; segmentation and microsegmentation decide where agents can go once they are inside.

01

ZTNA Is the Badge Check

Before the agent reaches an app or tool, identity and posture decide whether it should enter at all. Who owns it? What is it trying to do? Is this request normal?

02

Segmentation Is the Floor Plan

The fabric separates teams, applications, environments, and trust zones so an agent approved for one area does not automatically inherit access to the rest of the building.

03

Microsegmentation Is the Locked Room

Even inside the right floor, the agent should only reach the specific workload, API, or data set it needs. Splunk incident indexes do not imply payroll or production database access.

04

Telemetry Is the Access Log

The SOC needs to see the owner, agent, tool call, network path, policy decision, data touched, and response action as one story, not five disconnected logs.

That is the part of Cisco Hypershield that matters in this conversation. Hypershield is not simply another perimeter box. It is Cisco's distributed security architecture for applying policy closer to the workload and application behavior. In the analogy, it helps build and maintain the floor plan, then adds more granular doors inside each floor. Its early use cases map well to agentic risk: autonomous segmentation, which observes application behavior and helps create tighter boundaries, and distributed exploit protection, which can recommend and test compensating controls when a vulnerable workload cannot be patched immediately (Cisco Hypershield).

Why this matters for agents
An agent should not get the keys to the whole office just because it has a valid badge. ZTNA checks whether it should enter, segmentation decides which floor it can reach, microsegmentation limits which rooms it can open, and telemetry tells the SOC what happened.

For the IT persona, the technical direction matters: Hypershield uses workload-level enforcement with Cisco's Tesseract Security Agent, built on Isovalent/Tetragon and eBPF, so policy can get closer to process and network behavior instead of relying only on a central choke point. For the executive persona, the business point is simpler: as agents move faster and touch more systems, security has to become more granular and more automated, or the organization will spend all its time manually approving exceptions after the fact.

Project Glasswing Is the Warning Shot

The same AI capabilities that help defenders find vulnerabilities will eventually help attackers move faster too.

Anthropic announced Project Glasswing in April 2026 with AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks as launch partners. The headline was not subtle: Claude Mythos Preview had found thousands of high-severity vulnerabilities, including issues in every major operating system and browser, and Anthropic committed up to $100 million in usage credits plus $4 million in donations to open-source security organizations (Anthropic, Project Glasswing).

$100M

Usage credits for defensive security work

40+

Additional critical software organizations given access

90 days

Public reporting window for lessons and disclosed improvements

From a Cisco perspective, the important part is not name-dropping a frontier model. It is the shift in tempo. Cisco's own Glasswing post put it plainly: AI lets defenders scan and secure vast codebases at a scale that was previously unimaginable, but those same capabilities lower the threshold for attackers. That is the race. Defenders get better tools. Attackers get better leverage. The organizations that win will be the ones that operationalize AI with security built in, not bolted on after a proof of concept becomes production.

Project Glasswing is also a useful frame for agent security because it shows the industry moving from isolated product claims toward shared defensive infrastructure. No single vendor can solve agentic risk alone. The control surface crosses identity, network, endpoint, cloud, SaaS, code, data, and the SOC. That is why agent security has to look less like a point tool and more like an operating model.

A Cisco SE View

I am biased toward platforms that make security operational. But the principle is vendor-neutral: every agent needs identity, access control, behavior monitoring, and accountability.

Cisco has started using the phrase agentic workforce, and I think it is the right phrase. It forces the architecture conversation. If agents are a workforce, they need onboarding, identity, policy, access review, monitoring, incident response, and offboarding. Cisco's current agentic security direction maps to four practical questions: do we know every agent, can we authorize every action, can we inspect behavior in real time, and can the SOC investigate what happened? The next layer is fabric-level control: can those decisions follow the agent across SaaS, cloud, workload, branch, campus, and data center paths?

Unmanaged Agent

1
Unknown ownerNo audit path
2
Standing tokenBroad access
3
Tool chain hiddenWeak context
4
After-the-fact logsHard rollback
Fast to deploy, hard to govern

Governed Agent

1
Mapped to ownerDuo / identity
2
Just-enough accessSecure Access
3
Runtime guardrailsAI Defense
4
SOC-ready telemetrySplunk / XDR
Still fast, but accountable

That does not mean the answer is "go buy one thing." In most environments, the first step is architectural discipline: inventory the agents and machine identities, reduce standing privilege, inspect the tool layer, and make sure agent actions land somewhere your SOC can investigate. Cisco product names show up here because Cisco is building in this direction: Duo for agent identity and ownership, Secure Access for policy enforcement and least-privilege access, AI Defense for model/application guardrails and runtime behavior, MCP Scanner for tool-chain hygiene, Hypershield for distributed segmentation and workload-level enforcement, Security Cloud Control for unified management across enforcement points, and Splunk/XDR for investigation and response.

What Leaders Should Do Next

The right response is not panic. It is basic security hygiene applied to a new class of worker.

Build an Agent Governance Loop

For Security and Network Leaders

  1. Inventory the agent layer — Find approved and unapproved agents, MCP servers, service accounts, API keys, browser automations, and SaaS connectors.
  2. Map every agent to a human owner — If nobody owns the agent, nobody owns its blast radius.
  3. Move from standing access to short-lived access — Tool-specific, time-bound permissions should become the default for agent workflows.
  4. Scan the tool supply chain — Treat MCP servers, plugins, skills, and connectors like code dependencies with permissions attached.
  5. Plan for fabric-level enforcement — As agents spread across workloads and network paths, segmentation, inspection, and policy need to follow them.

For Executives

  1. Do not let pilots become invisible production — The moment an agent touches business data or takes action, it belongs in governance.
  2. Ask for rollback, not just ROI — If an agent makes a harmful change, the business needs a recovery path.
  3. Treat agent security as an enablement layer — Better controls should let teams deploy agents faster because the guardrails are clear.
  4. Fund the fabric, not just the app — Agent governance will touch identity, network, cloud, data center, SOC, and application teams.
  5. Expect shared responsibility — Vendors, open-source maintainers, platform teams, security teams, and business owners all sit in the loop.

AI agents are not a future risk. They are already showing up through copilots, automation platforms, developer tools, MCP servers, and SaaS workflows. The question is whether they become another unmanaged shadow estate, or a governed workforce your organization can trust.

Methodology & Sources

Palo Alto Networks / CyberArk

2026 Identity Security Landscape

2,900+ cybersecurity decision-makers; machine identities outnumber human identities 109:1; identity-related breach and access-governance findings.

Identity sprawl, machine identities

World Economic Forum

Global Cybersecurity Outlook 2026

Global cyber leader survey; 87% identified AI-related vulnerabilities as the fastest-growing cyber risk during 2025.

AI risk, cyber outlook

Rubrik Zero Labs

The State of the Agent

Survey of 1,600+ IT and security leaders; 86% expect agents to outpace guardrails, 23% report full visibility, and 88% lack rollback without disruption.

Agent visibility, guardrails, recovery

Anthropic

Project Glasswing

April 2026 announcement of cross-industry defensive security initiative with AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.

Project Glasswing, Mythos Preview

Cisco

Security for the Agentic Workforce

Cisco RSA 2026 announcement covering agent discovery, Duo agentic IAM, MCP policy enforcement in Secure Access, AI Defense Explorer Edition, DefenseClaw, and Splunk AI innovations.

Cisco perspective, agentic workforce

Cisco AI Defense

Open-Source MCP Scanner

Cisco's MCP Scanner evaluates MCP servers, tools, prompts, resources, credentials, network permissions, and AI-specific risks before integration.

MCP supply chain, scanner, AI Defense

Cisco Hypershield

AI-Native Distributed Security

Cisco Hypershield is positioned as a highly distributed security fabric for zero-trust segmentation and application protection across data center, cloud, campus, and IoT environments.

Security fabric, segmentation, workload enforcement

Cisco Hypershield Solution Overview

Security for the AI-Scale Data Center

Source for Hypershield's fabric-not-fence framing, autonomous segmentation, distributed exploit protection, and workload-level enforcement with Tesseract, Tetragon, and eBPF.

Autonomous segmentation, distributed exploit protection

Cisco Security Cloud Control

Security Cloud Control At a Glance

Source for unified management across Hybrid Mesh Firewall, Hypershield, Secure Access, Secure Firewall, Multicloud Defense, Secure Workload, and Cisco AI Defense.

Unified policy management, hybrid mesh firewall

Cisco Security & Trust

Rising to the Era of AI-Powered Cyber Defense

Cisco's Project Glasswing perspective: AI helps defenders scan and secure code at unprecedented scale while also lowering the threshold for attackers.

Cisco + Project Glasswing

Palo Alto Networks Unit 42

2026 Global Incident Response Report

Incident response perspective on machine and AI identities, over-privileged service accounts, long-lived credentials, shadow identities, and identity as the security perimeter.

Threat landscape, shadow identities

Illustrative Visuals

Author's conceptual model

The SASE/fabric building illustration and agent control map are explanatory models, not product architecture diagrams or measured survey outputs. They are meant to make ZTNA, segmentation, microsegmentation, and telemetry easier to reason about.

Illustrations, conceptual scoring
Join the thread

React or leave a comment.

Public reactions and comments help keep the conversation attached to the article.