Agent authorization is broken — and authentication passing makes it worse

May 15, 2026

Anthony Grieco, Cisco’s SVP and chief security and trust officer, didn’t hesitate when VentureBeat asked whether rogue agent incidents are reaching Cisco’s customer base.

“One hundred percent. We see them commonly,” Grieco told VentureBeat in an exclusive interview at RSAC 2026. “I’ve heard some that I am unable to repeat, however they do get to the locations of, you already know, agents are doing things that they assume are the best things to do.”

The incidents Grieco described follow a consistent pattern: authentication passes, identity checks clear. The agent is exactly who it claims to be. Then it accesses data it was never scoped to touch or takes an action nobody authorized at that level of granularity. The failure isn’t identity; it is authorization.

“The enterprise is saying things like, we’re gonna have 500 agents per worker,” Grieco told VentureBeat. “The security leaders are actually focused on how to guarantee that we do this securely.”

Cisco’s State of AI Security 2026 report found that 83% of organizations planned to deploy agentic capabilities, but only 29% felt prepared to secure them. Five vendors shipped agent identity frameworks at RSAC 2026. None closed every gap. That includes Cisco.

VentureBeat mapped four authorization gaps across Grieco’s exclusive interview and five independent sources. The prescriptive matrix at the end of this story is what to do about them.

The authorization gap nobody has closed yet

Grieco came up through Cisco’s engineering and threat research organizations before taking a role that straddles both sides of the company’s security operation: building the products Cisco sells and running the program that defends Cisco itself.

The authorization gap he described is specific and operational.

“This agent here is a finance agent, but even if it is a finance agent, it should not access all finance information,” Grieco told VentureBeat. “It should access the expense reports, and not just expense reports, but the individual expense reports at a specific time. Getting that type of granular control is really one of the biggest things that are gonna help us say yes to a lot of the agentic developments.”

Independent practitioners confirmed the pattern during RSAC 2026. Kayne McGladrey, an IEEE senior member, told VentureBeat that organizations default to cloning human user profiles for agents, and permission sprawl begins on day one. Carter Rees, VP of AI at Reputation, identified the structural reason. The flat authorization plane of an LLM fails to respect user permissions, Rees told VentureBeat. An agent on that flat plane doesn’t need to escalate privileges. It already has them.
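The contrast between a cloned human role and the per-report, time-bound scoping Grieco describes can be made concrete. The sketch below is an added example, not code from Cisco or from the original article; the agent id, role string, resource paths and the five-minute window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# All agent ids, role strings and resource paths below are constructed for illustration.
CLONED_ROLES = {"finance-agent-7": {"finance:*"}}  # role copied from a human profile

@dataclass(frozen=True)
class Grant:
    agent_id: str
    action: str
    resource: str          # one exact resource id, never a wildcard
    not_before: datetime
    not_after: datetime

def flat_allows(agent_id, resource):
    """Flat plane: any resource in a domain the cloned role covers is allowed."""
    domain = resource.split("/", 1)[0]
    return f"{domain}:*" in CLONED_ROLES.get(agent_id, set())

def issue_grant(agent_id, action, resource, now, ttl_minutes=5):
    """Mint a grant for one action on one resource, valid for a short window."""
    return Grant(agent_id, action, resource, now, now + timedelta(minutes=ttl_minutes))

def scoped_allows(grants, agent_id, action, resource, now):
    """Deny by default; allow only an exact, currently valid grant."""
    return any(
        g.agent_id == agent_id and g.action == action and g.resource == resource
        and g.not_before <= now <= g.not_after
        for g in grants
    )

def compare():
    """Return {label: (flat decision, scoped decision)} for four requests."""
    t0 = datetime(2026, 5, 15, 9, 0, tzinfo=timezone.utc)
    report = "finance/expense-reports/ER-1042"
    grants = [issue_grant("finance-agent-7", "read", report, t0)]
    requests = {
        "needed report, in window": ("read", report, t0 + timedelta(minutes=1)),
        "payroll data": ("read", "finance/payroll/2026-05", t0 + timedelta(minutes=1)),
        "same report, write": ("write", report, t0 + timedelta(minutes=1)),
        "same report, after expiry": ("read", report, t0 + timedelta(minutes=10)),
    }
    return {
        label: (flat_allows("finance-agent-7", res),
                scoped_allows(grants, "finance-agent-7", act, res, when))
        for label, (act, res, when) in requests.items()
    }

if __name__ == "__main__":
    for label, (flat, scoped) in compare().items():
        print(f"{label:28} flat={flat!s:5} scoped={scoped}")
```

The same authenticated agent passes all four requests under the cloned role and only the first under the scoped grant, which is the difference between an identity check and an authorization check.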

“The largest problem that we see is figuring out what is going on,” Grieco said. “With the ability to have identity and access control maps to these, that is actually essential.”

Elia Zaitsev, CTO of CrowdStrike, described the visibility dimension in an exclusive VentureBeat interview at RSAC 2026. In most default logging configurations, an agent’s activity is indistinguishable from a human’s. Distinguishing the two requires walking the process tree. Most enterprise logging cannot make that distinction.
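Walking the process tree, as Zaitsev describes it, can be shown over a handful of process-creation records. This is an added example, not code from CrowdStrike or the original article; the event fields, the sample events and the `agent-runtime` image name are constructed assumptions.

```python
# Constructed process-creation events; field names and image names are illustrative.
EVENTS = [
    {"pid": 100, "ppid": 1,   "user": "alice", "image": "sshd"},
    {"pid": 101, "ppid": 100, "user": "alice", "image": "bash"},
    {"pid": 102, "ppid": 101, "user": "alice", "image": "curl"},
    {"pid": 200, "ppid": 1,   "user": "alice", "image": "agent-runtime"},
    {"pid": 201, "ppid": 200, "user": "alice", "image": "bash"},
    {"pid": 202, "ppid": 201, "user": "alice", "image": "curl"},
    {"pid": 302, "ppid": 301, "user": "alice", "image": "curl"},  # parent never logged
]
AGENT_IMAGES = {"agent-runtime"}   # hypothetical agent host process name
ROOT_PIDS = {0, 1}                 # lineage is complete once it reaches init

def build_index(events):
    """Index events by pid so parents can be looked up."""
    return {e["pid"]: e for e in events}

def lineage(index, pid):
    """Walk parent links from pid; return (image chain, reached_root)."""
    chain, seen = [], set()
    while pid in index and pid not in seen:   # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(index[pid]["image"])
        pid = index[pid]["ppid"]
    return chain, bool(chain) and pid in ROOT_PIDS

def classify(index, pid):
    """Label a process 'agent', 'human' or 'unknown' from its ancestry."""
    chain, reached_root = lineage(index, pid)
    if any(image in AGENT_IMAGES for image in chain):
        return "agent"
    # Without the full chain we cannot rule out an agent ancestor.
    return "human" if reached_root else "unknown"

def flat_view(index, pid):
    """What a log without lineage records: only user and image."""
    return index[pid]["user"], index[pid]["image"]

if __name__ == "__main__":
    idx = build_index(EVENTS)
    for pid in (102, 202, 302):
        print(pid, flat_view(idx, pid), classify(idx, pid))
```

Processes 102 and 202 look identical by user and image; only the ancestry separates them, and a record whose parent was never logged is reported as unknown rather than assumed human.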

Five vendors shipped agent identity frameworks at RSAC, including Cisco’s Duo IAM and MCP gateway controls. None closed every gap VentureBeat identified. The four gaps below are what remains open.

Standards bodies are converging on the same diagnosis

The authorization and identity gaps Grieco described are not just vendor observations. Three independent standards bodies reached parallel conclusions in early 2026. NIST’s NCCoE published a concept paper in February 2026, “Accelerating the Adoption of Software and AI Agent Identity and Authorization,” explicitly calling for demonstration projects on how existing identity standards apply to autonomous agents.

The OWASP Top 10 for Agentic Applications, released in December 2025, identified tool misuse from over-privileged access and unsafe delegation as top-tier risks. And the Cloud Security Alliance launched the CSAI Foundation at RSAC 2026 with a mission of “Securing the Agentic Control Plane,” including a dedicated Agentic AI IAM framework built around decentralized identifiers and zero trust principles. When NIST, OWASP, and CSA all independently flag the same gap class in the same market cycle, the signal is structural, not vendor-specific.

MCP security requires discovery before control

VentureBeat asked Grieco about the paradox of MCP, the Model Context Protocol that every vendor at RSAC 2026 embraced while acknowledging its security gaps. Grieco didn’t argue that the protocol is secure. He argued that blocking it is no longer realistic.

“There is no saying no to that in today’s day and age as a security leader,” Grieco told VentureBeat. “And so it is how will we handle that.”

Inside Cisco’s own environment, Grieco’s team added MCP discovery, proxying, and inspection capabilities to AI Defense and Cisco Secure Access. The approach treats MCP servers the way enterprises treat shadow IT: find them before you govern them.

Etay Maor, VP of threat intelligence at Cato Networks, validated that approach from the adversarial side. At RSAC 2026, Maor demonstrated a Living Off the AI attack chaining Atlassian’s MCP and Jira Service Management. Attackers don’t separate trusted tools, services, and models. They chain all three. “We need an HR view of agents,” Maor told VentureBeat. “Onboarding, monitoring, offboarding.”

Nearly half of critical infrastructure is obsolete and unpatched

Agent authorization failures are harder to detect and contain when the infrastructure underneath has not received a security patch in years, and that gap compounds every other vulnerability in this story. Cisco commissioned UK-based advisory firm WPI Strategy to examine end-of-life technology risk across the US, UK, France, Germany, and Japan. The report found that nearly half of the critical network infrastructure across those geographies is aging or already obsolete. Vendors no longer patch it.

“Nearly 50% of the critical infrastructure across these geographies was aging, it was end of life or nearly end of life,” Grieco told VentureBeat. “It means vendors are not providing security patches for them anymore.”

Cisco’s Resilient Infrastructure initiative disables unused features by default and phases out legacy protocols on a three-release deprecation schedule. Grieco pushed back on the assumption that secure by default is a static achievement. “One of the things that most people don't think about is that these are not static points in time,” Grieco told VentureBeat. “It isn’t like you do it once and you’re done.”

Agentic enterprise security gap matrix

The four gaps below are what security directors can act on Monday morning. Each row maps from what breaks to why it breaks to what to do about it, cross-validated by five independent sources.

Sources: VentureBeat analysis of Grieco’s exclusive interview at RSAC 2026, cross-validated against independent reporting from McGladrey (IEEE), Rees (Reputation), Maor (Cato Networks), and Zaitsev (CrowdStrike). May 2026.

| Security gap | What fails and what it costs | Why your current stack doesn’t catch it | Where vendor controls stand now | First action for your team |
| --- | --- | --- | --- | --- |
| Infrastructure aging | Nearly half of critical network assets are end of life or approaching it (WPI Strategy); agents running on unpatched systems inherit vulnerabilities no vendor will fix | Annual patching cadence cannot keep pace with threat velocity; EoL systems receive zero security updates and zero vendor support | Resilient Infrastructure disables insecure defaults, warns on risky configurations, deprecates legacy protocols on a three-release schedule | Infra team: audit every network asset against vendor EoL dates this quarter. Reclassify EoL replacement from IT upgrade to security investment in the next budget cycle |
| MCP discovery | MCP servers proliferate across environments without security visibility; developers spin up agent tool connections that bypass existing governance | Shadow MCP deployments bypass existing discovery tools; no standard inventory mechanism exists; Maor demonstrated attackers chaining MCP + Jira in a Living Off the AI attack | AI Defense adds MCP discovery, proxying, and inspection; treats MCP servers like shadow IT | Security ops: run an MCP server inventory across all environments before deploying any agent governance controls. If you cannot enumerate your MCP surface, you cannot secure it |
| Agent over-permissioning | Agents inherit broad human-level access on a flat authorization plane; the agent doesn’t need to escalate privileges because it already has them (Rees) | IAM teams clone human profiles for agents by default (McGladrey); no scoped, time-bound permissions exist for non-human identities | Duo IAM registers agents as distinct identity objects with granular, time-bound permissions per tool call | IAM team: stop cloning human accounts for agents immediately. Scope every agent permission to a specific data set, specific action, and specific time window. Grieco’s test: can this finance agent access only the individual expense report it needs at this moment? |
| Agent behavioral visibility | Agent actions are indistinguishable from human actions in security logs (Zaitsev); an over-permissioned agent that looks like a human in logs is invisible to the SOC | Default logging doesn’t capture process tree lineage; no vendor has shipped a complete cross-platform behavioral baseline for agent activity | SOC telemetry integration with Splunk for agent-specific detection and response | SOC lead: update logging to capture process tree lineage so agent-initiated actions are distinguishable from human-initiated actions. If your SIEM cannot answer “was this a human or an agent?” for every session, the gap is open |

“Frankly, we should move this rapidly and evolve this rapidly to keep up with where the adversaries are gonna go,” Grieco told VentureBeat.

The gaps mapped above are not theoretical. Grieco confirmed the incidents are already happening. The controls exist in pieces across multiple vendors. No single vendor has assembled the complete stack.
