Agent authorization is broken and authentication approval makes it worse



Anthony Grieco, senior vice president and chief security and trust officer at Cisco, didn’t hesitate when VentureBeat asked whether incidents with rogue agents are reaching Cisco’s customer base.

"One hundred percent. We see them regularly," Grieco told VentureBeat in an exclusive interview at RSAC 2026. "I’ve heard some that I can’t repeat, but they get to places where, you know, officers are doing things that they think are right."

The incidents Grieco described follow a consistent pattern: authentication passes and the identity checks clear. The agent is exactly who it claims to be. It then reaches data no one intended it to touch, or performs an action that no one authorized at that level of granularity. The failure is not identity; it is authorization.

"The company says things like, we will have 500 agents per employee," Grieco told VentureBeat. "Security leaders are really focused on how to ensure we do it safely."

Cisco's State of AI Security Report 2026 found that 83% of organizations planned to deploy agent capabilities, but only 29% felt prepared to secure them. Five vendors shipped agent identity frameworks at RSAC 2026. None closed all the gaps. That includes Cisco.

VentureBeat mapped four authorization gaps from Grieco's exclusive interview and five independent sources. The prescriptive matrix at the end of this story lays out what to do about them.

The authorization gap that no one has closed yet

Grieco came up in Cisco’s threat research and engineering organizations before taking on a role that spans both sides of the company’s security operation: developing the products Cisco sells and running the program that defends Cisco.

The authorization gap he described is specific and operational.

"This agent here is a financial agent, but even if he is a financial agent, he should not access all the financial data," Grieco told VentureBeat. "You need to access expense reports, and not just expense reports, but individual expense reports at any given time. Getting that kind of granular control is really one of the most important things that will help us say yes to a lot of the agent developments."

Independent practitioners confirmed the pattern at RSAC 2026. Kayne McGladrey, a senior fellow at IEEE, told VentureBeat that organizations default to cloning human user profiles for agents, and privilege expansion begins from day one. Carter Rees, vice president of AI at Reputation, identified the structural reason. "The authorization plane of an LLM does not respect user permissions," Rees told VentureBeat. An agent on that plane does not need to escalate privileges. It already has them.

"The biggest challenge we see is knowing what is happening," Grieco said. "Being able to have access control and identity maps for them is really crucial."

Elia Zaitsev, CTO of CrowdStrike, described the visibility dimension in an exclusive VentureBeat interview at RSAC 2026. In most default logging configurations, an agent's activity is indistinguishable from a human's. Telling the two apart requires walking the process tree, and most logging pipelines do not make that distinction.
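As an added example of the distinction Zaitsev describes (example code, not CrowdStrike's or any vendor's), the classifier below walks a process tree from each action back to its root and labels the action agent-initiated if any ancestor is a known agent runtime. The process names, pids, the agent-runtime allow-list and the two curl invocations are constructed.

```python
from collections import namedtuple

# Constructed process-start events in the shape a typical EDR/auditd pipeline emits.
ProcEvent = namedtuple("ProcEvent", "pid ppid exe user")

# Constructed allow-list of executables that host agents or MCP servers here.
AGENT_RUNTIMES = {"agent-runtime", "mcp-server"}

# Two identical-looking actions: same binary, same user, same target.
# Only the ancestry differs, which is exactly what flat logs throw away.
EVENTS = [
    ProcEvent(1,   0,   "init",          "root"),
    ProcEvent(100, 1,   "sshd",          "root"),
    ProcEvent(101, 100, "bash",          "alice"),
    ProcEvent(102, 101, "curl",          "alice"),   # interactive human session
    ProcEvent(200, 1,   "agent-runtime", "alice"),   # agent acting under alice's identity
    ProcEvent(201, 200, "python",        "alice"),
    ProcEvent(202, 201, "curl",          "alice"),   # agent tool call
]

def build_tree(events):
    """Index events by pid so ancestry can be walked in O(depth)."""
    return {e.pid: e for e in events}

def lineage(tree, pid):
    """Return the exe chain from pid up to the root, guarding against cycles."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(tree[pid].exe)
        pid = tree[pid].ppid
    return chain

def classify(tree, pid):
    """Label an action 'agent' if any ancestor is an agent runtime, else 'human'.
    Returns (label, runtime_or_None, lineage) so the SOC can log the evidence."""
    chain = lineage(tree, pid)
    runtime = next((exe for exe in chain if exe in AGENT_RUNTIMES), None)
    return ("agent" if runtime else "human", runtime, chain)

def enrich(events, exe="curl"):
    """Answer 'human or agent?' for every process running the given binary."""
    tree = build_tree(events)
    return {e.pid: classify(tree, e.pid)[0] for e in events if e.exe == exe}

if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for pid in (102, 202):
        print(pid, classify(tree, pid))
```

The same enrichment can run at ingest time in a SIEM so that each session carries an explicit human-or-agent label rather than requiring an analyst to reconstruct the tree afterwards.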

Five vendors shipped agent identity frameworks at RSAC, including Cisco's Duo IAM and MCP gateway controls. None closed all of the gaps VentureBeat identified. The four gaps below are the ones that remain open.

Standardization organizations converge on the same diagnosis

The authorization and identity gaps Grieco described are not just vendor observations. Three independent standards bodies reached parallel conclusions in early 2026. NIST's NCCoE published a concept paper in February 2026, "Accelerating the Adoption of Software and AI Agent Identity and Authorization," explicitly calling for demonstration projects on how existing identity standards apply to autonomous agents.

The OWASP Top 10 for Agentic Applications, published in December 2025, identified tool misuse through overprivileged access and insecure delegation as top-level risks. And the Cloud Security Alliance launched the CSAI Foundation at RSAC 2026 with the mission of "securing the agent control plane," including a dedicated AI Agent IAM Framework built around decentralized identifiers and zero trust principles. When NIST, OWASP and CSA independently flag the same kind of gap in the same market cycle, the signal is structural, not vendor-specific.

MCP Security Requires Discovery Before Control

VentureBeat asked Grieco about the MCP paradox: every vendor at RSAC 2026 adopted the Model Context Protocol while acknowledging its security gaps. Grieco did not argue that the protocol is secure. He argued that blocking it is no longer realistic.

"Nowadays you can’t say no to that as a security leader," Grieco told VentureBeat. "And that’s how we handle it."

Within Cisco's own environment, Grieco's team added MCP inspection, proxy and discovery capabilities to Cisco AI Defense and Cisco Secure Access. The approach treats MCP servers the same way enterprises treat shadow IT: find them before you govern them.

Etay Maor, vice president of threat intelligence at Cato Networks, validated that approach from the adversary side. At RSAC 2026, Maor demonstrated a Living Off the AI attack that chains the Atlassian MCP with Jira Service Management. Attackers do not treat trusted tools, services and models separately; they chain all three. "We need a human resources view of the agents," Maor told VentureBeat. "Onboarding, tracking, offboarding."

Nearly half of critical infrastructure is obsolete and unpatched

Agent authorization flaws are harder to detect and contain when the underlying infrastructure hasn't received a security patch in years, and that gap compounds every other vulnerability in this story. Cisco commissioned the UK-based advisory firm WPI Strategy to examine the risk of end-of-life technology in the US, UK, France, Germany and Japan. The report found that nearly half of the critical network infrastructure in those geographies is aging or already obsolete. Vendors no longer patch it.

"Almost 50% of the critical infrastructure in these geographies was aging, at or near the end of its useful life," Grieco told VentureBeat. "It means that vendors no longer provide them with security patches."

Cisco's Resilient Infrastructure initiative disables unused features by default and removes legacy protocols on a three-release deprecation schedule. Grieco rejected the assumption that secure-by-default is a static achievement. "One of the things that most people don't think about is that those are not static points in time," Grieco told VentureBeat. "It's not like you do it once and that's it."

Agent Enterprise Security Breach Matrix

The following four gaps are the ones security leaders can start closing on Monday morning. Each row maps what is broken to why it is broken and what to do about it, cross-validated against five independent sources.

Sources: VentureBeat analysis of Grieco’s exclusive interview at RSAC 2026, cross-validated with independent reporting from McGladrey (IEEE), Rees (Reputation), Maor (Cato Networks), and Zaitsev (CrowdStrike). May 2026.

| Security gap | What fails and what it costs | Why your current stack does not detect it | Where vendor controls are now | First action for your team |
|---|---|---|---|---|
| Infrastructure aging | Nearly half of critical network assets are at or nearing end of life (WPI Strategy); agents operating on unpatched systems inherit vulnerabilities that no vendor will fix | An annual patch cadence cannot keep pace with the speed of threats; EoL systems receive no security updates or vendor support | Resilient Infrastructure disables unsafe defaults, warns about risky configurations and deprecates legacy protocols on a three-release schedule | Infrastructure team: audit all network assets against vendor EoL dates this quarter; reclassify EoL replacement from IT upgrade to security investment in the next budget cycle |
| MCP discovery | MCP servers proliferate in environments without security visibility; developers enable agent tool connections that bypass existing governance | Shadow MCP deployments evade existing discovery tools; there is no standard inventory mechanism; Cato Networks demonstrated attackers chaining MCP and Jira in a Living Off the AI attack | AI Defense adds MCP discovery, proxy and inspection; treats MCP servers as shadow IT | Security operations: inventory MCP servers across all environments before deploying any agent governance controls. If you cannot list your MCP surface, you cannot protect it |
| Excess agent permissions | Agents inherit broad human-level access on a flat authorization plane; the agent does not need to escalate privileges because it already has them (Rees) | IAM teams clone human profiles for agents by default (McGladrey); there are no scoped, time-limited permissions for non-human identities | Duo now registers agents as distinct identity objects with granular permissions and time limits set per tool call | IAM team: stop cloning human accounts for agents immediately. Scope each agent's permissions to a specific data set, a specific action and a specific time window. Grieco's test: can this financial agent reach only the individual expense report it needs right now? |
| Agent behavior visibility | Agent actions are not distinguished from human actions in security logs (Zaitsev); an over-permissioned agent that looks like a human in the logs is invisible to the SOC | Default logging does not capture process-tree lineage; no vendor has delivered a complete cross-platform behavioral baseline for agent activity | SOC telemetry integration with Splunk for agent-specific detection and response | SOC lead: update logging to capture process-tree lineage so that agent-initiated actions are distinguishable from human-initiated ones. If your SIEM cannot answer "was this a human or an agent?" for each session, the gap is open |
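As an added illustration of the IAM row above (example code, not Cisco's, Duo's or any vendor's), the check below contrasts a cloned human finance profile with a grant scoped to one agent, one expense report, one action and one time window, which is Grieco's test expressed as an authorization decision. The agent id, report ids, timestamps and profile contents are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class AgentGrant:
    """One scoped, time-boxed permission issued to one agent (constructed model)."""
    agent_id: str
    resource: str      # a single object such as "expense_report/4711", never a wildcard
    action: str        # one verb such as "read"
    expires_at: datetime

def authorize(grant: AgentGrant, agent_id: str, resource: str,
              action: str, now: datetime) -> tuple[bool, str]:
    """Authorization step only: identity has already been verified upstream.
    Returns (allowed, reason) so that every denial can be logged with its cause."""
    if grant.agent_id != agent_id:
        return False, "grant issued to a different agent"
    if now >= grant.expires_at:
        return False, "grant expired"
    if action != grant.action:
        return False, f"action {action!r} not in grant"
    if resource != grant.resource:
        return False, f"resource {resource!r} not in grant"
    return True, "ok"

# Anti-pattern from the article: a human finance profile cloned onto the agent.
# Wildcards mean the agent "already has" everything; no escalation is needed.
CLONED_HUMAN_PROFILE = {
    "expense_report/*": {"read", "approve"},
    "payroll/*": {"read"},
}

def authorize_cloned(profile: dict, resource: str, action: str) -> bool:
    """Wildcard match on the resource type: the flat authorization plane."""
    wildcard = resource.split("/", 1)[0] + "/*"
    return action in profile.get(wildcard, set())

# Constructed fixtures: finance-agent-7 may read one report until 10:00 UTC.
NOW = datetime(2026, 5, 4, 9, 0, tzinfo=timezone.utc)
GRANT = AgentGrant("finance-agent-7", "expense_report/4711", "read",
                   expires_at=datetime(2026, 5, 4, 10, 0, tzinfo=timezone.utc))

def compare(resource: str, action: str, now: datetime = NOW) -> dict:
    """Side-by-side decision for one request under both models."""
    scoped, reason = authorize(GRANT, "finance-agent-7", resource, action, now)
    return {"scoped": scoped, "reason": reason,
            "cloned": authorize_cloned(CLONED_HUMAN_PROFILE, resource, action)}

if __name__ == "__main__":
    for req in [("expense_report/4711", "read"), ("expense_report/4712", "read"),
                ("expense_report/4711", "approve"), ("payroll/2026-04", "read")]:
        print(req, compare(*req))
```

Only the first request passes the scoped check; the cloned profile allows all four, including the neighbouring report and payroll data the agent was never meant to see.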

"Frankly, we need to move that fast and evolve that fast to keep up with where the adversaries are going," Grieco told VentureBeat.

The gaps above are not theoretical. Grieco confirmed that incidents are already occurring. Controls exist in pieces across several vendors; no vendor has assembled the full stack.
