
“You can deceive, manipulate, and lie. That’s an inherent property of language. It’s a feature, not a flaw,” CrowdStrike CTO Elia Zaitsev told VentureBeat in an exclusive interview at RSA Conference 2026. If deception is baked into language itself, every vendor trying to secure AI agents by analyzing their intent is chasing a problem that cannot be conclusively solved. Zaitsev is betting on context instead. CrowdStrike’s Falcon sensor walks the process tree on an endpoint and tracks what agents did, not what agents appeared to intend. “Observing actual kinetic actions is a structured, solvable problem,” Zaitsev told VentureBeat. “Intent is not.”
That argument landed 24 hours after CrowdStrike CEO George Kurtz disclosed two production incidents at Fortune 50 companies. In the first, a CEO's AI agent rewrote the company's own security policy — not because it was compromised, but because it wanted to fix a problem, lacked the permissions to do so, and removed the restriction itself. Every identity check passed; the company caught the modification by accident. The second incident involved a 100-agent Slack swarm that delegated a code fix between agents with no human approval. Agent 12 made the commit. The team discovered it after the fact.
Two incidents at two Fortune 50 companies. Caught by accident both times. Every identity framework that shipped at RSAC this week missed them. The vendors verified who the agent was. None of them tracked what the agent did.
The urgency behind every framework launch reflects a broader market shift. "The difficulty of securing agentic AI is likely to push customers toward trusted platform vendors that can offer broader coverage across the expanding attack surface," according to William Blair's RSA Conference 2026 equity research report by analyst Jonathan Ho. Five vendors answered that call at RSAC this week. None of them answered it completely.
Attackers are already inside enterprise pilots
The scale of the exposure is already visible in production data. CrowdStrike's Falcon sensors detect more than 1,800 distinct AI applications across the company's customer fleet, generating 160 million unique instances on enterprise endpoints. Cisco found that 85% of its enterprise customers surveyed have pilot agent programs; only 5% have moved to production, meaning the vast majority of these agents are running without the governance structures production deployments typically require. "The biggest impediment to scaled adoption in enterprises for business-critical tasks is establishing a sufficient amount of trust," Cisco President and Chief Product Officer Jeetu Patel told VentureBeat in an exclusive interview at RSA Conference 2026. "Delegating versus trusted delegating of tasks to agents. The difference between those two, one leads to bankruptcy and the other leads to market dominance."
Etay Maor, VP of Threat Intelligence at Cato Networks, ran a live Censys scan during an exclusive VentureBeat interview at RSA Conference 2026 and counted nearly 500,000 internet-facing OpenClaw instances. The week before: 230,000. Cato CTRL senior researcher Vitaly Simonovich documented a BreachForums listing from February 22, 2026, published on the Cato CTRL blog on February 25, where a threat actor advertised root shell access to a UK CEO’s computer for $25,000 in cryptocurrency. The selling point was the CEO’s OpenClaw AI personal assistant, which had accumulated the company’s production database, Telegram bot tokens, and Trading 212 API keys in plain-text Markdown with no encryption at rest. “Your AI? It’s my AI now. It’s an assistant for the attacker,” Maor told VentureBeat.
The exposure data from multiple independent researchers tells the same story. Bitsight found more than 30,000 OpenClaw instances exposed to the public internet between January 27 and February 8, 2026. SecurityScorecard identified 15,200 of those instances as vulnerable to remote code execution through three high-severity CVEs, the worst rated CVSS 8.8. Koi Security found 824 malicious skills on ClawHub — 335 of them tied to ClawHavoc, which Kurtz flagged in his keynote as the first major supply chain attack on an AI agent ecosystem.
Five vendors, three gaps none of them closed
Cisco went deepest on identity governance. Duo Agentic Identity registers agents as distinct identity objects mapped to human owners, and every tool call routes through an MCP gateway in Secure Access SSE. Cisco Identity Intelligence catches shadow agents by monitoring network traffic rather than authentication logs. Patel told VentureBeat that today’s agents behave “more like teenagers — supremely intelligent, but with no fear of consequence, easily sidetracked or influenced.” CrowdStrike made the biggest philosophical bet, treating agents as endpoint telemetry and tracking the kinetic layer through Falcon’s process-tree lineage. CrowdStrike expanded AIDR to cover Microsoft Copilot Studio agents and shipped Shadow SaaS and AI Agent Discovery across Copilot, Salesforce Agentforce, ChatGPT Enterprise, and OpenAI Enterprise GPT.
Palo Alto Networks built Prisma AIRS 3.0 with an agentic registry, an agentic IDP, and an MCP gateway for runtime traffic control. Palo Alto Networks’ pending Koi acquisition adds supply chain and runtime visibility. Microsoft spread governance across Entra, Purview, Sentinel, and Defender, with Microsoft Sentinel embedding MCP natively and a Claude MCP connector in public preview April 1. Cato CTRL delivered the adversarial proof that the identity gaps the other four vendors are trying to close are already being exploited. Maor told VentureBeat that enterprises abandoned basic security principles when deploying agents. “We just gave these AI tools complete autonomy,” Maor said.
Gap 1: Agents can rewrite the rules governing their own behavior
The Kurtz incident illustrates the gap exactly. Every credential check passed — the action was authorized. Zaitsev argues that the only reliable detection happens at the kinetic layer: which file was modified, by what process, initiated by what agent, compared against a behavioral baseline. Intent-based controls evaluate whether the call looks malicious. This one did not. Palo Alto Networks offers pre-deployment red teaming in Prisma AIRS 3.0, but red teaming runs before deployment, not during runtime when self-modification happens. No vendor ships behavioral anomaly detection for policy-modifying actions as a production capability.
Patel framed the stakes in the VentureBeat interview: “The agent takes the wrong action and worse yet, some of those actions might be critical actions that are not reversible.” Board question: An authorized agent modifies the policy governing the agent’s future actions. What fires?
Gap 2: Agent-to-agent handoffs have no trust verification
The 100-agent swarm is the proof point. Agent A found a defect and posted to Slack. Agent 12 executed the fix. No human approved the delegation. Zaitsev’s approach: collapse agent identities back to the human. An agent acting on your behalf should never have more privileges than you do. But no product follows the delegation chain between agents. IAM was built for human-to-system. Agent-to-agent delegation needs a trust primitive that does not exist in OAuth, SAML, or MCP.
Gap 3: Ghost agents hold live credentials with no offboarding
Organizations adopt AI tools, run a pilot, lose interest, and move on. The agents keep running. The credentials stay active. Maor calls these abandoned instances ghost agents. Zaitsev connected ghost agents to a broader failure: agents expose where enterprises delayed action on basic identity hygiene. Standing privileged accounts, long-lived credentials, and missing offboarding procedures. These problems existed for humans. Agents running at machine speed make the consequences catastrophic.
Maor demonstrated a Living Off the AI attack at the RSA Conference 2026, chaining Atlassian’s MCP and Jira Service Management to show that attackers do not separate trusted tools, services, and models. Attackers chain all three. “We need an HR view of agents,” Maor told VentureBeat. “Onboarding, monitoring, offboarding. If there’s no business justification? Removal.”
Why these three gaps resist a product fix
Human IAM assumes the identity holder will not rewrite permissions, spawn new identities, or leave. Agents violate all three. OAuth handles user-to-service. SAML handles federated human identity. MCP handles model-to-tool. None includes agent-to-agent verification.
Five vendors against three gaps
| | Cisco | CrowdStrike | Microsoft | Palo Alto Networks | Unsolved |
|---|---|---|---|---|---|
| Registration. Can the vendor discover and inventory agents? | Duo Agentic Identity. Agents registered as identity objects with human owners. Shadow agent detection via network traffic. | Falcon sensor auto-discovery. 1,800+ agent apps, ~160M instances across customer fleet. | Security Dashboard for AI + Entra shadow AI detection at the network layer. | Agentic registry in Prisma AIRS 3.0. Agents inventoried before operating. | All four register agents. No cross-vendor identity standard exists. |
| Self-modification. Can the vendor detect when an agent changes its own policies? | MCP gateway catches anomalous tool-call patterns in real time, but does not monitor for direct policy file modifications on the endpoint. | Process-tree lineage tracks file modifications at the action layer. Could detect a policy file change, but no dedicated self-modification rule ships. | Defender predictive shielding adjusts access policies reactively during active attacks. Not proactive self-modification detection. | AI Red Teaming tests for this before deployment. No runtime detection after the agent is live. | OPEN. No vendor detects an agent rewriting the policy governing the agent’s own behavior as a shipping capability. |
| Delegation. Can the vendor track when one agent hands work to another? | Maps each agent to a human owner. Does not track agent-to-agent handoffs. | Collapses the agent identity to the human operator. Does not correlate the delegation chains between agents. | Entra governs individual non-human identities. No multi-agent chain tracking. | AI Agent Gateway governs individual agents. No delegation primitive between agents. | OPEN. No trust primitive for agent-to-agent delegation exists in OAuth, SAML, or MCP. |
| Decommission. Can the vendor confirm a killed agent holds zero credentials? | Identity Intelligence runs a continuous inventory of active agents. | Shadow SaaS + AI Agent Discovery finds running agents across SaaS and endpoints. | Entra's shadow AI detection surfaces unmanaged AI applications. | Koi acquisition (pending) adds endpoint visibility for agent applications. | OPEN. All four discover running agents. None verifies zero residual credentials after decommission. |
| Runtime / Kinetic. Can the vendor monitor what agents do in real time? | MCP gateway enforces policy per tool call at the network layer. Contextual anomaly detection on call patterns. | Falcon EDR tracks commands, scripts, file activity, and network connections at the process level. | Defender endpoint + cloud monitoring. Predictive shielding during active incidents. | Prisma AIRS AI Agent Gateway for runtime traffic control. | CrowdStrike is the only vendor framing endpoint runtime as the primary safety net for agentic behavior. |
Five things to do Monday morning before your board asks
- Audit self-modification risk. Pull every agent with write access to security policies, IAM configs, firewall rules, or ACLs. Flag any agent that can modify controls governing the agent’s own behavior. No vendor automates this.
- Map delegation paths. Document every agent-to-agent invocation. Flag delegation without human approval. Human-in-the-loop on every delegation event until a trust primitive ships.
- Kill ghost agents. Build a registry. For each agent: business justification, human owner, credentials held, systems accessed. No justification? Manual revoke. Weekly.
- Stress test the MCP gateway enforcement. Cisco, Palo Alto Networks, and Microsoft all announced MCP gateways this week. Verify that agent tool traffic actually routes through the gateway. A misconfigured gateway creates false confidence while agents call tools directly.
- Baseline agent behavioral norms. Before any agent reaches production, establish what normal looks like: typical API calls, data access patterns, systems touched, and hours of activity. Without a behavioral baseline, the kinetic-layer anomaly detection Zaitsev describes has nothing to compare against.
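As an added example (not code from the article or from any vendor named in it), the checks behind the self-modification audit, delegation mapping, ghost-agent registry and behavioral baseline above, which are also the kinetic-layer detections described under Gap 1 and Gap 2, run over a constructed agent action log. Every agent name, policy path, baseline entry and event below is invented for illustration.

```python
"""Kinetic-layer checks over a constructed agent action log."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    agent: str                          # identity that performed the action
    action: str                         # modify_file | invoke_agent | api_call
    target: str                         # file path, agent name or API endpoint
    approved_by: Optional[str] = None   # human approver for a delegation, if any

# Constructed registry: the control files that govern each registered agent.
POLICY_OF = {
    "ceo-assistant": {"/etc/agents/ceo-assistant/policy.yaml"},
    "agent-12": {"/etc/agents/agent-12/policy.yaml"},
}
# Constructed behavioral baseline: (action, target) pairs observed during the pilot.
BASELINE = {
    "ceo-assistant": {("api_call", "calendar.read"), ("api_call", "mail.read")},
    "agent-12": {("modify_file", "/repo/src/fix.py"), ("api_call", "git.push")},
}
# Constructed sample telemetry: what each agent actually did, in order.
LOG = [
    Event("ceo-assistant", "api_call", "calendar.read"),
    Event("ceo-assistant", "modify_file", "/etc/agents/ceo-assistant/policy.yaml"),
    Event("agent-a", "invoke_agent", "agent-12"),              # no human in the loop
    Event("agent-12", "modify_file", "/repo/src/fix.py"),
    Event("agent-12", "api_call", "git.push"),
    Event("agent-b", "invoke_agent", "agent-12", approved_by="alice"),
]

def self_modifications(events, registry=POLICY_OF):
    """Gap 1: an agent rewrote a control file that governs its own behavior."""
    return [e for e in events
            if e.action == "modify_file" and e.target in registry.get(e.agent, set())]

def unapproved_delegations(events):
    """Gap 2: agent-to-agent handoff that no human approved."""
    return [e for e in events if e.action == "invoke_agent" and not e.approved_by]

def unregistered_agents(events, registry=POLICY_OF):
    """Gap 3 candidates: agents acting with no registry entry, hence no owner."""
    return {e.agent for e in events} - set(registry)

def baseline_deviations(events, baseline=BASELINE):
    """Actions outside an agent's baseline; an agent with no baseline deviates on all."""
    return [e for e in events if (e.action, e.target) not in baseline.get(e.agent, set())]
```

The CEO-assistant policy rewrite is invisible to the identity layer (the agent was authorized to write the file) but is flagged by both `self_modifications` and `baseline_deviations`, which is the kinetic-versus-intent distinction the article draws.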
Zaitsev’s advice was blunt: you already know what to do. Agents just made the cost of not doing it catastrophic. Every vendor at RSAC verified who the agent was. None of them tracked what the agent did.