Chimera readability score 0.5545 out of 100, reading level.

Welcome to the Agentic AI Era
Enterprise interest in agentic AI is accelerating. A recent poll we ran of Cisco security customers shows that 85% of organizations are actively adopting AI agents, yet only 5% report broad production deployments today. Most deployments remain limited to internal workflows while companies look at governance, security, and operational controls. But agents, as a new digital workforce that needs to be managed, are here to stay. Common concerns were around enforcing consistent access controls, preventing data exfiltration, and managing agent autonomy and behavior.
AI agents operate at machine speeds to execute complex tasks, yet they completely lack essential human judgment and contextual awareness. We need security in place to govern this new workforce.
Current challenges in the agentic AI ecosystem
When our teams were analyzing the problem of governing this new digital AI workforce, we saw three areas, across our customer and prospect conversations, in which zero trust access built for humans must adapt to agentic workflows:
- Early and fragmented ecosystem. Agents are everywhere and the technology is constantly changing. Agents don’t just use browser sessions and static APIs—they use tool brokers, MCP, and toolchains, and they rely on identities that don’t have humanlike characteristics. This means identity, access, inspection, logging—everything—must be updated to understand agent-to-agent-to-tool traffic and enforce policy at the level agents operate on.
- Inconsistent policy enforcement. It’s not that there isn’t security. It’s that safeguards are scattered across multiple, disconnected layers and are oftentimes too blunt. Each service in each layer has its own authentication model and security controls, often inconsistent and outside of the security team’s direct control. And across MCP servers, we’re seeing that security is wildly inconsistent. But agents need nearly ad hoc access to do their jobs: the more agency they take, the broader their access. If a single MCP server exposes excessive privileges or an application limits access only by coarse scopes, agents will burrow through the environment to be ‘helpful’; they are task-oriented after all, most of the time without any human-like judgment.
- Dynamic, non-deterministic actions. Agents interact with tools and resources in unpredictable ways to complete their tasks. This breaks static, predefined security controls, making agents difficult to govern with legacy security solutions. Agents may try to access tools or perform actions outside of the intended scope or purpose, so governance has to detect intent and match it back to appropriate actions and access.
As we built our solution, the key design requirement was that enforcement doesn’t depend on an agent’s “cooperation,” and that the enforcement has to be agent- and intent-aware, with context around identity, and consistent across tools.
Intention becomes the new perimeter.
The common control point is at the point of access of company tools and data, meaning our SSE is the natural place for enforcement. We tie that together with identity, so the SSE has full context on what the agent is, who owns it, and what it’s allowed to do.
The Solution: Zero Trust for Agentic AI
Today, I’m proud to announce that Cisco now extends our Zero Trust Access architecture to organizations’ agentic AI workforce by combining identity discovery and management, access enforcement, and runtime behavioral protection to govern how agents operate across enterprise systems. We’ve designed an end-to-end solution to help protect your world from agents taking unintended or unaligned actions.
Agent Visibility and Identity Management. Cisco discovers and registers AI agents, MCP servers, and associated tools, creating a centralized inventory of agent identities and activity. Each agent is mapped to a human owner and integrated with enterprise identity systems for consistent authentication, lifecycle management, and governance.
Fine-grained Access Control. Cisco enforces least-privilege policies that define not only which services an agent can access, but the actions it can perform. Identity-aware, time-bound credentials limit the scope and duration of access, while the MCP gateway applies authorization policies consistently across tools and services.
Real-time Behavioral Monitoring and Protection. Cisco continuously evaluates agent interactions across APIs, MCP servers, and enterprise systems to detect abnormal behavior or manipulated instructions. By analyzing intent, the platform can identify risks like unauthorized tool usage, policy violations, and attempts to access sensitive data before actions propagate across systems.
Zero trust for agentic AI in practice
Let’s look at a typical scenario — a financial automation agent kicking off vendor payments. Imagine someone tries to manipulate that agent, maybe by sneaking in a tricky prompt or sending an unauthorized request. Here’s where the security layers come in.
- First, knowing the agent is critical. Each agent checks in through Cisco’s agent directory with a verified identity tied back to a human owner, so you know exactly who (or what) is doing what, and authentication is managed in one place — no hardcoded credentials to worry about.
- Next, we focus on action control, not the access control of yore. Permissions are set so the agent can only pay approved vendors, within set dollar amounts and during the right hours. Anything out of bounds gets stopped by the MCP gateway before it even hits your back-end systems. Tight integration with identity enables these detailed access policies and enforcement.
- Finally, behavioral protection adds another safety net. Cisco keeps an eye on the agent’s intent and actions in real time through semantic inspection. If it starts doing something odd — say, using the wrong tool or straying from its expected routine — the system blocks the action right away.
With these layers working together, you get strong protection against agent missteps or foul play, all while keeping the speed and efficiency that make agentic AI so valuable.
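The identity and action-control layers of the vendor-payment scenario, sketched as an added example (this is not Cisco's code or API). It shows a gateway-side, deny-by-default check on a tool call; `AgentGrant`, `GRANTS`, `authorize`, the agent and vendor IDs, the limit and the hours are all hypothetical, and behavioral or semantic inspection is out of scope.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from decimal import Decimal, InvalidOperation

@dataclass(frozen=True)
class AgentGrant:
    # Hypothetical registry record: agent identity bound to a human owner,
    # a time-bound credential, and per-action limits for one tool.
    agent_id: str
    owner: str
    expires: datetime
    tool: str
    vendors: frozenset
    max_amount: Decimal
    window: tuple  # (start, end) as UTC times of day

# Constructed sample registry entry.
GRANTS = {
    "fin-agent-01": AgentGrant(
        "fin-agent-01", "alice@example.com",
        datetime(2030, 1, 1, tzinfo=timezone.utc),
        "pay_vendor", frozenset({"V-1001", "V-1002"}),
        Decimal("5000.00"), (time(9, 0), time(17, 0)),
    )
}

def authorize(agent_id, tool, args, now):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    grant = GRANTS.get(agent_id)
    if grant is None:
        return False, "unknown agent"
    if now.tzinfo is None:
        return False, "naive timestamp"
    if now >= grant.expires:
        return False, "credential expired"
    if tool != grant.tool:
        return False, "tool not granted"
    vendor = args.get("vendor_id")
    if not isinstance(vendor, str) or vendor not in grant.vendors:
        return False, "vendor not approved"
    try:
        amount = Decimal(str(args.get("amount")))
    except InvalidOperation:
        return False, "malformed amount"
    if not amount.is_finite() or amount <= 0 or amount > grant.max_amount:
        return False, "amount out of bounds"
    start, end = grant.window
    if not (start <= now.astimezone(timezone.utc).time() < end):
        return False, "outside permitted hours"
    return True, f"allowed for owner {grant.owner}"
```

Because the decision is made from the registry record and the call's arguments alone, nothing the agent asserts about itself can widen its access.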
Security for the agentic AI workforce with Cisco
As a single vendor with integrated solutions across identity, access, and behavior, we were able to take a platform approach, integrating identity, fine-grained access enforcement and real-time behavioral protection into one unified solution.
I’m excited to get your feedback as we work to onboard customers in the coming months. We are thrilled to partner with AI-driven organizations to empower secure, confident agentic AI adoption.
Disclaimer: Many of the products and features mentioned are still in development and will be made available as they are finalized, subject to ongoing evolution in development and innovation. The timeline for their release is subject to change.

Facts Only

Cisco conducted a poll showing 85% of organizations are adopting AI agents, with only 5% in broad production.
Most AI agent deployments are limited to internal workflows.
Key concerns include access controls, data exfiltration, and agent autonomy.
AI agents lack human judgment and contextual awareness.
The agentic AI ecosystem is early and fragmented, with agents using tool brokers and non-human identities.
Security controls are scattered across disconnected layers, often inconsistent.
Agents require dynamic access, which can lead to excessive privileges.
Static security controls are ineffective for governing non-deterministic agent actions.
Cisco’s solution combines identity management, access enforcement, and behavioral protection.
The solution includes agent visibility, fine-grained access control, and real-time monitoring.
A financial automation agent example illustrates identity verification, action restrictions, and behavioral oversight.
Many features are still in development, with release timelines subject to change.

Executive Summary

Enterprise adoption of AI agents is accelerating, with 85% of organizations actively exploring their use, though only 5% have achieved broad production deployments. Most implementations remain confined to internal workflows due to concerns around governance, security, and operational controls. Key challenges include enforcing consistent access controls, preventing data exfiltration, and managing agent autonomy. Cisco has introduced a Zero Trust Access architecture tailored for AI agents, addressing three core issues: the fragmented ecosystem of agent technologies, inconsistent policy enforcement across layers, and the dynamic, non-deterministic nature of agent actions. The solution integrates identity discovery, fine-grained access control, and real-time behavioral monitoring to govern agent interactions. For example, a financial automation agent would be verified through a centralized directory, restricted to predefined actions, and monitored for anomalous behavior. While the technology is still evolving, Cisco aims to provide a unified platform for secure agentic AI adoption, though many features remain in development.

Full Take

The strongest version of this narrative positions Cisco as a pioneer in addressing the urgent security gaps of agentic AI, framing the problem as a natural evolution of workforce governance rather than an insurmountable risk. The piece effectively highlights real challenges—fragmented ecosystems, inconsistent policies, and unpredictable agent behavior—while presenting a coherent solution. However, the analysis leans heavily on Cisco’s proprietary framework, which may overlook alternative approaches or open-source solutions. The emphasis on "intent-aware" governance assumes that agent behavior can be reliably interpreted, a claim that warrants scrutiny given the nascent state of AI alignment research.
Patterns detected: ARC-0024 Ambiguity (vague claims about "intent-aware" enforcement without technical specifics), ARC-0043 Motte-and-Bailey (broad warnings about agent risks paired with a narrow solution).
Root cause: The narrative assumes that traditional zero-trust models can seamlessly extend to AI agents, ignoring deeper questions about agency and accountability. Who is liable when an agent acts unpredictably? The focus on technical controls sidesteps ethical and legal paradigms.
Implications: If successful, Cisco’s approach could standardize agent governance, but over-reliance on proprietary systems may centralize power. Second-order risks include false positives in behavioral monitoring, which could stifle innovation or create compliance burdens.
Bridge questions: How do we verify that "intent-aware" systems don’t introduce new biases? What happens when agents evolve beyond predefined policies? Who audits the auditors in this model?
Counterstrike scan: A bad actor might exploit fear of AI risks to push closed-system solutions, but this piece doesn’t match that pattern—it acknowledges limitations and invites feedback. The focus on collaboration and transparency suggests genuine problem-solving rather than manipulation.

Sentinel — Human

Confidence

The article shows signs of being human-written, with a clear passion for the topic and a unique writing style. While there are some indications of coordination in the presentation of issues and solutions, the overall stylometric and coherence signals suggest human authorship.

Signals Detected
low severity: Sentence length variance present
medium severity: Passionate emphasis on security concerns
low severity: Use of specific, well-defined issues and solutions
Human Indicators
Presence of personal voice and stylistic fingerprint
Use of idiosyncratic emphasis
Zero Trust for Agentic AI: Safeguarding your Digital Workforce — Arc Codex