Agent authorization is broken — and authentication passing makes it worse

Cisco SVP and Chief Security and Trust Officer Anthony Grieco didn’t hesitate when VentureBeat asked whether rogue agent incidents were reaching Cisco’s customer base.

"Hundred percent. We see them regularly," Grieco told VentureBeat in an exclusive interview at RSAC 2026. "I’ve heard something that I can’t repeat, but they get to the place where, you know, agents are doing things that they feel are the right thing to do."

The incidents Grieco describes follow a consistent pattern: authentication passes, the identity check clears. The agent is exactly what it claims to be. Then it accesses data it never had the scope to touch, or takes an action that no one authorized at that level of granularity. The failure is not one of identity; it is one of authority.

"Businesses are saying things like, we will have 500 agents per employee," Grieco told VentureBeat. "Security leaders are really focused on how to make sure we do it safely."

Cisco’s State of AI Security 2026 report found that 83% of organizations planned to deploy agentic capabilities, but only 29% felt prepared to secure them. Five vendors brought agent identity frameworks to RSAC 2026. None closed every gap, Cisco included.

VentureBeat mapped four authority gaps through an exclusive interview with Grieco and five independent sources. The action matrix at the end of this story lays out what to do about them.

No one has closed the authority gap yet

Grieco came up through Cisco’s engineering and threat research organizations before taking on roles in both sides of the company’s security operations: building the products Cisco sells and running the programs Cisco protects.

The authority gap he describes is specific and operational.

"Here this agent is a finance agent, but even though it is a finance agent, it should not have access to all the finance data," Grieco told VentureBeat. "It should have access to expense reports, not just expense reports, but also individual expense reports at a particular point in time. Getting that kind of granular control is really one of the biggest things that will help us say yes to a lot of agentic developments."

Independent experts confirmed the pattern at RSAC 2026. Kayne McGladrey, a senior member of the IEEE, told VentureBeat that organizations default to cloning human user profiles for agents, so permission sprawl starts on day one. Carter Rees, vice president of AI at Reputation, identified the structural cause. Rees told VentureBeat that an LLM’s flat authorization plane fails to respect user-level permissions. An agent operating on that plane does not need to escalate privileges; it already has them.

"The biggest challenge we see is knowing what’s going on," Grieco said. "It’s really important to be able to have identity and access control mapped to them."

CrowdStrike CTO Elia Zaitsev described the visibility dimension in an exclusive VentureBeat interview at RSAC 2026. In most default logging configurations, an agent’s activity is indistinguishable from a human’s. Telling the two apart requires walking the process tree, and most enterprise logging can’t make that distinction.

Five vendors shipped agent identity frameworks to RSAC, including Cisco’s Duo IAM and MCP gateway controls. None closed every gap VentureBeat identified. The four gaps laid out below remain open.

Standards bodies are converging on a single diagnosis

The authorization and identity gaps Grieco describes are not merely one vendor’s talking points. Three independent standards bodies reached parallel conclusions in early 2026. NIST’s NCCoE published a concept paper in February 2026, "Accelerating the Adoption of Software and AI Agent Identification and Authorization," which explicitly calls for demonstration projects on how existing identity standards apply to autonomous agents.

The OWASP Top 10 for Agentic Applications, released in December 2025, identified tool misuse stemming from over-privileged access and insecure delegation as top-tier risks. And the Cloud Security Alliance launched the CSAI Foundation at RSAC 2026 with the mission of "securing the agent control plane," which includes a dedicated agentic AI IAM framework built around decentralized identifiers and zero-trust principles. When NIST, OWASP, and CSA all independently flag the same class of gap in the same market cycle, the signal is structural, not vendor-specific.

MCP security requires discovery before control

VentureBeat asked Grieco about the contradiction around MCP, the Model Context Protocol, which every vendor at RSAC 2026 adopted while acknowledging its security shortcomings. Grieco did not argue that the protocol was safe. He argued that blocking it is no longer realistic.

"As a security leader in today’s day and age it just doesn’t make sense to say no," Grieco told VentureBeat. "And so this is how we manage it."

Inside Cisco’s own environment, Grieco’s team added MCP discovery, proxying, and inspection capabilities to AI Defense and Cisco Secure Access. The approach treats MCP servers the way enterprises treat shadow IT: find them before you try to control them.

Etay Maor, vice president of threat intelligence at Cato Networks, validated that approach from the adversary side. At RSAC 2026, Maor demonstrated a Living off the Land AI attack that chained Atlassian’s MCP with Jira Service Management. Attackers do not distinguish between trusted tools, services, and models; they chain all three together. "We need an HR perspective about agents," Maor told VentureBeat. "Onboarding, monitoring, offboarding."

Nearly half of critical infrastructure is obsolete and outdated

Agent authorization failures are harder to detect and remediate when the infrastructure underneath hasn’t received security patches for years — and that gap compounds every other vulnerability in this story. Cisco commissioned UK-based consulting firm WPI Strategy to examine end-of-life technology risk in the US, UK, France, Germany and Japan. The report found that nearly half of the critical network infrastructure in those geographies is aging or already obsolete. Vendors no longer patch it.

"Nearly 50% of the critical infrastructure in these geographies was aging, at end of life or near end of life," Grieco told VentureBeat. "This means that vendors are no longer providing security patches for them."

Cisco’s Resilient Infrastructure initiative disables unused features by default and phases out legacy protocols on a three-release deprecation schedule. Grieco pushed back against the notion that being safe by default is a static achievement. "One thing that most people don’t think about is that they are not a constant point in time," Grieco told VentureBeat. "It’s not like you do it once and you’re done."

Agent Enterprise Security Gap Matrix

The four gaps below are ones a security leader can act on Monday morning. Each row maps what breaks, why it breaks, and what to do about it, cross-validated by five independent sources.

Source: VentureBeat analysis of Grieco’s exclusive interview at RSAC 2026, cross-validated against independent reporting from McGladrey (IEEE), Rees (Reputation), Maor (Cato Networks), and Zaitsev (CrowdStrike). May 2026.

| Security gap | What fails and what it costs | Why your current stack misses it | Where vendor control exists now | First action for your team |
| --- | --- | --- | --- | --- |
| Aging infrastructure | Nearly half of critical network assets are at or nearing end-of-life (WPI Strategy); agents operating on unpatched systems inherit vulnerabilities that no vendor will fix | An annual patching cadence cannot keep pace with threat velocity; EOL systems receive zero security updates and zero vendor support | Resilient Infrastructure disables unsafe defaults, warns on risky configurations, and removes legacy protocols on a three-release schedule | Infra team: Audit every network asset against vendor EOL dates this quarter. Reclassify EOL replacement from an IT upgrade to a security investment in the next budget cycle |
| MCP discovery | MCP servers spread across environments without security visibility; developers spin up agent tool connections that bypass existing governance | Shadow MCP deployments bypass existing discovery tools; no standard inventory mechanism exists; Maor showed attackers chaining MCP and Jira in a Living off the Land AI attack | AI Defense adds MCP discovery, proxying, and inspection, and treats MCP servers like shadow IT | SecOps: Run an MCP server inventory across all environments before deploying any agent governance controls. If you can’t count your MCP surface, you can’t protect it |
| Agent over-permissioning | Agents get broad, human-level access on a flat authorization plane; the agent does not need to escalate privileges because it already has them (Rees) | IAM teams clone human profiles for agents by default (McGladrey); no scoped, time-bound permissions exist for non-human identities | Duo IAM registers agents as distinct identity objects with granular, time-bound permissions for each tool call | IAM team: Stop cloning human accounts for agents immediately. Scope each agent’s permissions to a specific data set, a specific action, and a specific time window. Grieco’s test: can this finance agent access only the individual expense reports it needs, right now? |
| Agent behavior visibility | Agent activity in security logs is indistinguishable from human actions (Zaitsev); a highly permissioned agent that looks human in the logs is invisible to the SOC | Default logging does not capture process tree lineage; no vendor has shipped a full cross-platform behavioral baseline for agent activity | SOC telemetry integration with Splunk for agent-specific detection and response | SOC lead: Update logging to capture process tree lineage so agent-initiated actions can be separated from human-initiated ones. If your SIEM can’t answer "Was this a human or an agent?" for every session, the gap is open |
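As an added illustration of the scoping test in the matrix (a specific data set, a specific action, a specific time window, checked on every tool call) set against the flat authorization plane Rees describes, here is a small deny-by-default grant evaluator. It is example code written for this article, not Cisco’s, Duo’s or any other vendor’s implementation; the agent ids, grant field names, resource paths and timestamps are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

@dataclass(frozen=True)
class Grant:
    """One scoped, time-bound permission. Field names are this example's own, not a vendor schema."""
    resource: str         # glob over a resource path, e.g. "expense_reports/emp-4471/*"
    action: str           # a single verb, e.g. "read" or "approve"
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str         # the agent is its own identity object, not a cloned user account
    grants: tuple         # tuple[Grant, ...]

def authorize(agent: AgentIdentity, resource: str, action: str, now: datetime) -> tuple[bool, str]:
    """Deny-by-default decision for one tool call. Authentication is assumed to have passed
    already; the only question is whether this resource + action is inside a grant in force now."""
    in_scope = [g for g in agent.grants if g.action == action and fnmatch(resource, g.resource)]
    in_force = [g for g in in_scope if g.not_before <= now < g.not_after]
    if in_force:
        g = in_force[0]
        return True, f"allowed by grant {g.resource}:{g.action} until {g.not_after.isoformat()}"
    if in_scope:
        return False, "matching grant exists but is outside its time window"
    return False, "no grant covers this resource/action (deny by default)"

# Constructed fixtures. A finance agent scoped to one employee's May reports for a one-hour window ...
UTC = timezone.utc
T0 = datetime(2026, 5, 14, 16, 0, tzinfo=UTC)
IN_WINDOW, AFTER_WINDOW = T0 + timedelta(minutes=10), T0 + timedelta(hours=2)
SCOPED_AGENT = AgentIdentity("agent:expense-reviewer", (
    Grant("expense_reports/emp-4471/2026-05/*", "read", T0, T0 + timedelta(hours=1)),))
# ... versus the anti-pattern the article describes: a profile cloned from a human user, i.e. one
# open-ended grant over all expense data, so the agent never needs to escalate because it already can.
CLONED_AGENT = AgentIdentity("agent:cloned-from-jdoe", (
    Grant("expense_reports/*", "read", datetime(1970, 1, 1, tzinfo=UTC), datetime(9999, 1, 1, tzinfo=UTC)),))

OWN_REPORT, OTHER_REPORT = "expense_reports/emp-4471/2026-05/r-0031.json", "expense_reports/emp-9902/2026-05/r-0007.json"

if __name__ == "__main__":
    for agent in (SCOPED_AGENT, CLONED_AGENT):
        for res, when in ((OWN_REPORT, IN_WINDOW), (OTHER_REPORT, IN_WINDOW), (OWN_REPORT, AFTER_WINDOW)):
            ok, why = authorize(agent, res, "read", when)
            print(f"{agent.agent_id:26} {res:46} {'ALLOW' if ok else 'DENY '} {why}")
```

Running it shows the scoped agent denied on another employee’s report and after its window closes, while the cloned profile is allowed everything, which is exactly the case the logs described in the last row would never flag.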

"Frankly, we should move forward and develop it quickly to know where the adversaries are going," Grieco told VentureBeat.

The gaps above are not theoretical. Grieco confirmed that the incidents are already happening. Controls exist piecemeal across many vendors; no single vendor has assembled the full set.
