The operating model that turns security from a speed bump into the reason AI actually ships.
I'm in San Francisco. RSAC 2026. Here's what I'm hearing in the hallways:
"I've got three teams piloting agents. But nobody can tell me who owns them, what they can touch, or how I shut one down if something goes wrong. And the board is going to ask me next week."
Most CISOs can't answer those questions. Some try to blame AI. It's not the AI. A discovery scan at RSAC this week found 600 agents at one Fortune 500 that nobody had approved, nobody was monitoring, nobody could shut down on command, and nobody owned the consequences. The AI did exactly what it was built to do. The governance gap is what created the problem.
Key takeaways:
A discovery scan at RSAC 2026 found 600 ungoverned AI agents running inside one Fortune 500 in 24 hours. They had access to AWS, Snowflake, GitHub, and production code deployment.
Only 14.4% of organizations report that all their AI agents went live with full security and IT approval. The rest are already running, under-secured or not secured at all.
The four-question approval model: Owner, Scope, Failure Definition, Kill Switch. Thirty minutes. Written down. Before any code is written.
The Autonomy Ladder gives CISOs a path between "yes" and "no." Intern, Junior, Senior, Principal. Each level requires written evidence the agent earned the next.
Zero Trust breaks on AI agents in four places: memory drift, least privilege at task level, agent-to-agent calls, and behavioral baselines. The Agentic Trust Framework closes those four gaps.
What's the trap CISOs are stuck in right now?
Every board wants AI deployed. Yesterday. Every CEO in 2026 is saying the same thing: "We aren't going fast enough." Product teams are building agents. Nobody is looping security in. The CISO is getting squeezed from both sides. Say yes without controls and you own whatever goes wrong. Say no and you killed the AI initiative. Cybersecurity leadership is faced with an impossible dilemma: embrace AI and absorb enormous risk, or resist it and get sidelined for inhibiting gains.
No neutral ground. Every choice costs something.
Only 14.4% of organizations report that all their AI agents went live with full security and IT approval. The rest are already running, under-secured or not secured at all.
The question isn't whether to allow agents anymore. It's whether security gets a say in how they operate, or finds out what's running after something breaks.
One security leader put it bluntly: "Security says no, the business moves anyway. The choice is to engage and influence, or watch from the sidelines."
Here's what the CISOs who are winning figured out. Security isn't the brake. It's the reason the car gets to go faster without flipping. Every AI deployment that ships with governance behind it is one the business can scale, audit, defend to a regulator, and explain to a board. Every one that ships without it is a liability waiting to surface. The teams moving fastest are the ones who figured out how to say yes safely. That's the job now.
What are CISOs hearing in RSAC hallways?
The real conversations happen in hallways, not sessions. Four things I'm picking up on this week. Shadow agents are already here, the blast radius question is the new nightmare, boards are asking the question CISOs can't answer yet, and the startup market just confirmed all of it.
Shadow agents are already here. Multiple security leaders described discovering agents running with real production credentials that no security team had reviewed. Business-unit deployments. Customer data access. Built by teams who believed they were being fast and responsible at the same time.
The blast radius question is the new nightmare. Autonomous agents that can execute against identity systems and cloud infrastructure without a human in the loop. The hallway question all week: "What did you put in front of your agents before you let them execute?" The answers made me cringe.
Boards are asking the question CISOs can't answer yet. "What happens if an AI tool leaks client data? Are we protected?" is now standard in board meetings. Security leaders with a governance model are getting budget. The ones without are in hot water.
The startup market just confirmed all of it. Two of the ten Innovation Sandbox finalists this year were purpose-built for AI agent governance. One ran a discovery scan at a single Fortune 500 and found 600 ungoverned agents in 24 hours. They had access to AWS, Snowflake, GitHub, and production code deployment. Nobody knew they existed. The other startup raised on a single premise: every security tool your company owns was built before agents existed. When the startup market puts $50B behind a problem category, the problem is real.
The goal isn't to slow AI down. The goal is to make AI survivable at scale.
That's the whole reframe. Security doesn't slow deployment. The absence of it does, when the first visible mistake forces leadership to pull the plug entirely.
One real example: a customer-service agent at a mid-size company began issuing refunds outside policy guidelines after a customer learned how to prompt it correctly. It ran for 11 days before anyone noticed. No breach. No attacker. Just an agent doing exactly what it was designed to do, with nobody watching whether that matched what the business actually wanted.
The CISOs navigating this well stopped talking about risk. They started talking about what governance unlocks. "With these four controls in place, we can deploy this agent in two weeks" lands completely differently than "we need time to complete our security review." Same outcome. Different relationship with the business. Same CISO. Same controls. Completely different conversation.
What four questions should approve every AI agent?
Four questions, answered in writing, before any agent touches a production system. Owner. Scope. Failure Definition. Kill Switch. It takes less than thirty minutes. It happens before anyone writes a line of code. This is the difference between governing agents and watching them react after the fact.
Who owns this agent? One named human accountable for this agent's behavior. Not a team. One person whose name is on it and who gets the call when something goes wrong. No named owner, no deployment. Non-negotiable.
What's the agent's scope? A written list of what this agent can access, initiate, or change. The mistake almost every team makes: they define scope by system, not by action. "This agent has access to the CRM" is not a scope definition. "This agent can read contact records and log call notes, and cannot modify deal values, delete records, or access billing information" is. Regulators don't accept system access as an answer. They want approved actions. Write it that way from the start.
What does this agent do wrong that triggers human review? Not a generic error threshold. A named behavior. "If the agent sends an external communication that wasn't explicitly requested." "If the agent modifies a record outside its defined scope." This is the question almost nobody asks before deployment. It's the one that determines whether you're governing the agent or watching it react after the fact.
How do you kill this agent? Name a person who can shut it down in under five minutes. With a log entry proving they tested it in the last 30 days. Not "we have a process." A log entry.
Most deployments I review answer Owner and Scope. Almost none have a written Failure Definition. The kill switch test? Never once seen it done before I ask. That's where your greatest liability lives.
This model also changes the conversation with business leaders. When you walk in with these four questions before anyone has started building, you're not the person blocking the project. You're the person who made it possible to ship it. That's the shift. Same four questions. Completely different role.
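The four questions can be written down as a record that a deployment pipeline checks before an agent reaches production. The following is an added example written for this article, not code from the author or any product mentioned; the record fields, the "verb:object" action format and every sample value (agent names, owner, dates) are assumptions made here. It enforces the scope-by-action rule from the CRM example and refuses deployment when the kill switch has no recorded test in the last 30 days.

```python
"""Added example, not the article's code: a written approval record for the
four questions (Owner, Scope, Failure Definition, Kill Switch) that a deploy
pipeline can check before an agent reaches production.  Field names, the
'verb:object' action format and every sample value are assumptions made here."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

KILL_SWITCH_MAX_AGE = timedelta(days=30)   # article: tested in the last 30 days
KILL_SWITCH_MAX_MINUTES = 5                # article: shut down in under five minutes


@dataclass
class KillSwitch:
    operator: str          # named human who can stop the agent
    last_tested: date      # date of the most recent recorded shutdown test
    shutdown_minutes: int  # measured time from decision to agent stopped


@dataclass
class AgentRecord:
    name: str
    owner: str                              # one named person, not a team alias
    allowed_actions: set                    # scope by action, e.g. "read:contact_record"
    denied_actions: set = field(default_factory=set)
    failure_definitions: list = field(default_factory=list)
    kill_switch: KillSwitch | None = None


def is_action_allowed(rec: AgentRecord, action: str) -> bool:
    """Explicit deny wins; anything not explicitly allowed is denied."""
    return action not in rec.denied_actions and action in rec.allowed_actions


def approval_gaps(rec: AgentRecord, today: date) -> list:
    """Return the reasons this agent must not deploy; an empty list means approved."""
    gaps = []
    if not rec.owner.strip():
        gaps.append("owner: no named human")
    if not rec.allowed_actions:
        gaps.append("scope: no approved actions listed")
    not_action_level = [a for a in rec.allowed_actions | rec.denied_actions if ":" not in a]
    if not_action_level:
        gaps.append(f"scope: system-level, not action-level: {sorted(not_action_level)}")
    if rec.allowed_actions & rec.denied_actions:
        gaps.append("scope: action both allowed and denied")
    if not rec.failure_definitions:
        gaps.append("failure definition: none written")
    ks = rec.kill_switch
    if ks is None:
        gaps.append("kill switch: no named operator")
    else:
        if today - ks.last_tested > KILL_SWITCH_MAX_AGE:
            gaps.append("kill switch: last test older than 30 days")
        if ks.shutdown_minutes >= KILL_SWITCH_MAX_MINUTES:
            gaps.append("kill switch: shutdown took 5 minutes or more")
    return gaps


# Constructed sample: the CRM call-notes agent from the article's scope example.
TODAY = date(2026, 4, 1)
CRM_AGENT = AgentRecord(
    name="crm-call-notes",
    owner="Jane Doe (constructed name)",
    allowed_actions={"read:contact_record", "create:call_note"},
    denied_actions={"update:deal_value", "delete:record", "read:billing"},
    failure_definitions=[
        "agent sends an external communication that was not explicitly requested",
        "agent modifies a record outside its defined scope",
    ],
    kill_switch=KillSwitch("Jane Doe", last_tested=date(2026, 3, 20), shutdown_minutes=3),
)

# Constructed sample: a shadow agent recorded the way most are found, scoped by
# system, no owner, no failure definition, kill switch last tested months ago.
SHADOW_AGENT = AgentRecord(
    name="crm-helper",
    owner="",
    allowed_actions={"crm"},
    kill_switch=KillSwitch("ops", last_tested=date(2026, 1, 5), shutdown_minutes=15),
)

if __name__ == "__main__":
    for rec in (CRM_AGENT, SHADOW_AGENT):
        print(rec.name, approval_gaps(rec, TODAY) or "approved")
```

The useful property is that the failure definition "modifies a record outside its defined scope" becomes mechanically checkable: an action the runtime is about to take that fails `is_action_allowed` is, by definition, a review trigger.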
What action should you take this week?
Ask your IT lead, your engineering lead, and your business unit heads the same question, separately, before they've compared notes:
"What AI agents or automations are currently running in our environment, and what systems do they have access to?"
You'll get different answers. The gap between those answers is your governance gap. You cannot close it until you can see it.
How does the Autonomy Ladder let you ship faster without losing control?
Most organizations treat agent deployment as binary. The agent runs or it doesn't. That framing is what creates the emergency phone calls. The Autonomy Ladder gives you four levels. Intern, Junior, Senior, Principal. Each level requires written evidence the agent earned the next. It's how you say yes safely instead of saying no entirely.
Think about how you hire. You don't give an intern root access to production. Trust is earned through demonstrated behavior, with responsibility increasing as evidence accumulates. Agents work the same way.
Intern. Observes and recommends. Executes nothing. Every output reviewed by a human before any action is taken. Every agent starts here. Most skip this step because the demo worked and the business was impatient. That impatience is what creates 11-day refund problems.
Junior. Executes low-risk, reversible actions within a defined scope. Reversible means undone in under five minutes without data loss. If it can't be undone that fast, it stays at Intern.
Senior. Executes moderate-risk actions with human escalation triggers and automated logging. Before promotion from Junior to Senior: 30 days of action logs, a documented error rate, and at least two examples of the agent correctly escalating when it hit the edge of its scope.
Principal. Established track record, clear ownership, auditable logs, formal review every 90 days. Not because the technology changes. Because the business context around it does. The agent that was low-risk six months ago may now be touching systems it wasn't originally scoped for.
The ladder is also a negotiation tool. When business teams push to deploy faster, you're not saying no. You're saying: "Intern level this week. Junior in 30 days if the logs look right. Senior in 90 days if we can show the board a clean track record."
Most leaders accept that deal. Blanket refusal is the one they won't. And blanket refusal is the one that ends your seat at the table permanently. The ladder keeps you in the conversation and keeps the business moving. That's the goal.
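The ladder only works as a negotiation tool if the promotion evidence is computed from logs rather than asserted in a meeting. Below is an added example for this article, not the author's code: it summarises the evidence for the next level from an agent's action log using the thresholds the article gives (reversible in under five minutes for Junior; 30 days of logs, a documented error rate and at least two correct escalations for Senior; ownership, logs and a 90-day review for Principal). The log entry fields, the level names as strings and the constructed sample log are assumptions made here.

```python
"""Added example, not the article's code: evidence checks for promotion up the
Autonomy Ladder, computed from an agent's action log.  The log entry fields,
the level names as strings and all sample entries are assumptions made here."""
from __future__ import annotations
from datetime import date, timedelta

LEVELS = ["intern", "junior", "senior", "principal"]


def review_overdue(last_review: date | None, today: date) -> bool:
    """Principal agents get a formal review every 90 days (article)."""
    return last_review is None or (today - last_review).days > 90


def promotion_evidence(current: str, log: list, today: date,
                       owner: str = "", last_review: date | None = None) -> dict:
    """Summarise the written evidence for moving `current` to the next level.

    Each log entry is a dict with: day (date), action (str), outcome ("ok",
    "error" or "escalated") and reversal_minutes (int, or None if irreversible).
    """
    nxt = LEVELS[LEVELS.index(current) + 1] if current != "principal" else None
    days = sorted({e["day"] for e in log})
    covered = (days[-1] - days[0]).days + 1 if days else 0
    errors = sum(e["outcome"] == "error" for e in log)
    escalations = sum(e["outcome"] == "escalated" for e in log)
    error_rate = round(errors / len(log), 4) if log else None
    reversible = bool(log) and all(
        e["reversal_minutes"] is not None and e["reversal_minutes"] < 5 for e in log)

    if nxt == "junior":       # reversible in under five minutes, otherwise it stays Intern
        ready = reversible
    elif nxt == "senior":     # 30 days of logs, a documented error rate, >= 2 escalations
        ready = covered >= 30 and error_rate is not None and escalations >= 2
    elif nxt == "principal":  # track record, named owner, auditable logs, review in cadence
        ready = covered >= 30 and bool(owner) and not review_overdue(last_review, today)
    else:                     # no level above Principal; see review_overdue()
        ready = False
    return {"current": current, "next": nxt, "days_of_logs": covered,
            "error_rate": error_rate, "escalations": escalations,
            "reversible": reversible, "ready": ready}


def make_sample_log(n_days: int, start: date) -> list:
    """Constructed sample: one reversible action per day; every 10th day the
    agent escalates at the edge of its scope; day 15 is an error."""
    log = []
    for i in range(n_days):
        outcome = "escalated" if (i + 1) % 10 == 0 else ("error" if i + 1 == 15 else "ok")
        log.append({"day": start + timedelta(days=i), "action": "create:call_note",
                    "outcome": outcome, "reversal_minutes": 2})
    return log


# Constructed samples: the same agent after 40 days and after only 12 days.
TODAY = date(2026, 2, 15)
LOG40 = make_sample_log(40, date(2026, 1, 1))
LOG12 = make_sample_log(12, date(2026, 1, 1))

if __name__ == "__main__":
    for log in (LOG40, LOG12):
        print(promotion_evidence("junior", log, TODAY))
```

The "Junior in 30 days if the logs look right" offer from the text is then a concrete check the business can see: the 12-day log fails it on coverage and on escalations, the 40-day log passes with an error rate of 2.5% on record.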
Where does Zero Trust break down with AI agents?
Zero Trust was built for humans and devices. It assumes stable identity and predictable behavior over time. AI agents break both of those assumptions in ways that aren't visible until something has already gone wrong. Four specific gaps need a fix: memory drift, least privilege at task level, agent-to-agent calls, and behavioral baselines. The Agentic Trust Framework closes those four gaps. Not by replacing Zero Trust, but by extending it to systems that reason, decide, and act.
The memory problem. An agent at 80% memory capacity reasons differently than it did at 20%. Traditional Zero Trust verifies identity at session start. It has no mechanism for behavioral drift inside a session. Practical fix: set memory checkpoints. At 60% capacity, save state. At 70%, require human review before continuing.
The least privilege gap. One company at RSAC discovered 600 AI agents running in production. All of them had been granted access at some point, by someone, for some reason. Nobody could say which agents still needed that access, which tasks they were running right now, or whether any of them had drifted beyond their original scope. Traditional least privilege controls what a system can access. It doesn't govern what a system should access for the specific task running right now. An agent approved to read customer records for contract renewals uses that same access for everything else it runs. Real least privilege requires task-level scoping with expiring access. Most identity platforms don't support this for non-human identities yet. Write the policy anyway. Make the technology match it.
The agent-to-agent problem. When agents communicate with other agents, most architectures inherit the highest privilege in the chain by default. Nobody decided that. It's just what happens when nobody asks before deployment. Treat every agent-to-agent call as an external API call. If you wouldn't let a vendor take that action without a contract, don't let an agent take it without a policy document.
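The least-privilege gap and the agent-to-agent gap have the same shape: access granted to an identity rather than to a task, and then inherited down a call chain. The following is an added example written for this article, not the author's code or any identity platform's API: a task-scoped grant that expires, an authorization check that requires the agent, the task and the action to all match, and a delegation step that gives a called agent the intersection of what it asks for and what the caller holds, never more. The grant structure, action names, task ids and timestamps are assumptions made here.

```python
"""Added example, not the article's code: task-scoped, expiring access grants
for agents, and agent-to-agent delegation that can only narrow a grant.
The grant structure, action names, task ids and timestamps are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    agent: str             # the agent identity this grant was issued to
    task_id: str           # the specific task the access was approved for
    actions: frozenset     # approved actions, e.g. "read:customer_record"
    expires: datetime      # access lapses with the task, not with the agent


def issue_grant(agent: str, task_id: str, actions, now: datetime,
                ttl: timedelta = timedelta(hours=1)) -> Grant:
    """A human-approved, task-bound grant with a short default lifetime."""
    return Grant(agent, task_id, frozenset(actions), now + ttl)


def authorize(grant: Grant, agent: str, task_id: str, action: str, now: datetime) -> bool:
    """Allow only when caller, task and action all match and the grant is live.
    The same agent running a different task gets nothing from this grant."""
    return (grant.agent == agent and grant.task_id == task_id
            and action in grant.actions and now < grant.expires)


def delegate(parent: Grant, child_agent: str, requested, ) -> tuple:
    """Agent-to-agent call treated like an external API call: the callee gets
    only the requested actions the caller itself holds, for the same task, with
    no later expiry.  Returns (child_grant, refused_actions) so the refusal can
    be logged instead of silently inheriting privilege."""
    requested = frozenset(requested)
    allowed = parent.actions & requested
    refused = requested - parent.actions
    return Grant(child_agent, parent.task_id, allowed, parent.expires), refused


# Constructed sample: the renewals agent from the article's example, and a
# downstream email agent it calls for one specific renewal task.
NOW = datetime(2026, 4, 1, 9, 0)
LATER = NOW + timedelta(hours=2)
RENEWAL_GRANT = issue_grant("renewals-agent", "renewal-4711",
                            {"read:customer_record", "create:renewal_quote"}, NOW)
EMAIL_GRANT, REFUSED = delegate(RENEWAL_GRANT, "email-agent",
                                {"read:customer_record", "send:email"})

if __name__ == "__main__":
    print(authorize(RENEWAL_GRANT, "renewals-agent", "renewal-4711", "read:customer_record", NOW))
    print(authorize(RENEWAL_GRANT, "renewals-agent", "marketing-export", "read:customer_record", NOW))
    print(authorize(RENEWAL_GRANT, "renewals-agent", "renewal-4711", "read:customer_record", LATER))
    print(sorted(EMAIL_GRANT.actions), sorted(REFUSED))
```

Writing the policy this way before the identity platform supports it, as the article suggests, gives the platform a target: every grant names a task and an expiry, and a delegation that asks for more than the caller holds is a logged refusal rather than a silent privilege escalation.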
The behavior baseline gap. Normal for humans and devices is relatively stable. Normal for an AI agent changes every time its instructions, model version, data access, or even the prompt itself changes. You need a baseline per agent, re-established with every change. Log every agent action for 30 days before granting any autonomy above Intern level. Anything outside two standard deviations of that agent's established pattern gets flagged for human review.
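A per-agent baseline that resets on every configuration change is easy to state and easy to get wrong in practice, so here is an added example for this article, not the author's code: it fingerprints the agent's configuration (model version, prompt, data access), builds a baseline only from log entries recorded under the current fingerprint, refuses to produce one until 30 days of such entries exist, and flags a day whose action count lies more than two standard deviations from the mean. The log format, the choice of daily action count as the measured feature, the fingerprint scheme and the sample log are assumptions made here.

```python
"""Added example, not the article's code: a per-agent behavioural baseline
rebuilt from scratch whenever the agent's configuration changes, with a
two-standard-deviation flag for human review.  Log format, the measured
feature (actions per day), the fingerprint scheme and samples are assumptions."""
from __future__ import annotations
import hashlib
import statistics
from collections import Counter
from datetime import date, timedelta

BASELINE_DAYS = 30   # article: log every action for 30 days before autonomy above Intern
SIGMA = 2.0          # article: flag anything outside two standard deviations


def config_fingerprint(model: str, prompt: str, data_access) -> str:
    """Any change to model version, prompt text or data access yields a new
    fingerprint, which starts a new baseline period for the agent."""
    blob = "\n".join([model, prompt, ",".join(sorted(data_access))]).encode()
    return hashlib.sha256(blob).hexdigest()[:16]


def daily_counts(log: list, fingerprint: str) -> list:
    """Actions per day, using only entries recorded under one configuration."""
    per_day = Counter(e["day"] for e in log if e["config"] == fingerprint)
    return [per_day[d] for d in sorted(per_day)]


def build_baseline(log: list, fingerprint: str, min_days: int = BASELINE_DAYS):
    """Return {"mean", "stdev", "days"} or None when history is too short."""
    counts = daily_counts(log, fingerprint)
    if len(counts) < min_days:
        return None
    return {"mean": statistics.mean(counts), "stdev": statistics.pstdev(counts),
            "days": len(counts)}


def flag_for_review(baseline, todays_count: int, k: float = SIGMA) -> bool:
    """No baseline means every day goes to a human; with a baseline, flag any
    day more than k standard deviations from the mean (a zero-variance
    baseline therefore flags any deviation at all)."""
    if baseline is None:
        return True
    return abs(todays_count - baseline["mean"]) > k * baseline["stdev"]


def make_sample_log(start: date, days: int, fingerprint: str) -> list:
    """Constructed sample: day i records 10 + (i % 3) actions under one config."""
    log = []
    for i in range(days):
        for _ in range(10 + i % 3):
            log.append({"day": start + timedelta(days=i), "action": "create:call_note",
                        "config": fingerprint})
    return log


# Constructed samples: the same agent before and after a prompt change.
ACCESS = ["read:contact_record", "create:call_note"]
FP_V1 = config_fingerprint("model-v1", "You log call notes.", ACCESS)
FP_V2 = config_fingerprint("model-v1", "You log call notes and draft follow-ups.", ACCESS)
LOG = make_sample_log(date(2026, 1, 1), 30, FP_V1)
BASELINE_V1 = build_baseline(LOG, FP_V1)   # 30 days under v1: baseline exists
BASELINE_V2 = build_baseline(LOG, FP_V2)   # 0 days under v2: None, back to review

if __name__ == "__main__":
    print(BASELINE_V1)
    print(flag_for_review(BASELINE_V1, 12), flag_for_review(BASELINE_V1, 14))
    print(flag_for_review(BASELINE_V2, 11))
```

The point the fingerprint makes is the one the paragraph makes: after the prompt change the agent's 30 days of good history no longer count, and it is back to human review until it earns a new baseline under the new configuration.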
Frequently asked questions
What's a fast way to find shadow AI agents in my company?
Two RSAC 2026 startups are purpose-built for it. Manual approach: ask your IT, engineering, and business unit leaders the same question separately. Run network logs against known AI provider endpoints. Audit finance for unexplained AI-platform charges. Scan for service-account credentials issued to systems no one is actively maintaining. Visibility comes before governance.
How do I know if my agent is at Intern, Junior, Senior, or Principal level?
You decide based on the evidence you have. Intern is the default for any new agent. Junior requires that the agent's actions be reversible in under five minutes. Senior requires 30 days of action logs, a documented error rate, and at least two examples of the agent escalating correctly. Principal requires an established track record, clear ownership, auditable logs, and a formal 90-day review cadence.
What does a real Failure Definition look like?
A specific named behavior, not a generic threshold. "If the agent sends an external communication that wasn't explicitly requested." "If the agent modifies a record outside its defined scope." "If the agent issues a refund above $X without human approval." Each one is concrete enough that a monitoring system can trigger on it.
Why isn't traditional Zero Trust enough for AI agents?
Zero Trust verifies identity at session start. It assumes the entity being trusted has stable identity and behavior. AI agents shift behavior based on memory, prompts, and what they were last asked to do. Zero Trust doesn't have a mechanism for behavioral drift inside a session, task-level scoping for non-human identities, or agent-to-agent privilege control. The Agentic Trust Framework adds those.
What is the Agentic Trust Framework?
The Agentic Trust Framework (ATF) extends Zero Trust for AI agents. It defines five elements every agent needs: identity, behavioral monitoring, capability boundaries, audit trail, and recovery. The free assessment at verifiedagents.ai walks through all five in about ten minutes.
The bottom line
AI agents are already inside your company. Governance decides whether they become the reason AI shipped or the reason it got pulled. Four questions. Written down. Before the first line of code runs. That's the model. It's how you stop being the office of no and start being the reason the business can move.
If your security team can't answer who owns each agent, what it can do, what counts as a failure, and how to shut it down, they aren't governing AI. They're describing it after something breaks.
What AI agents are running in your environment that your security team doesn't know about?
Want to see where your organization stands? The free Agentic Trust Framework assessment at verifiedagents.ai takes ten minutes. For a deeper read, check out Agentic AI + Zero Trust: A Guide for Business Leaders and the Agentic Trust Framework.
