AI agents are already inside enterprise systems — making decisions, triggering actions, spawning other agents — and the security industry is only beginning to understand what that means.
At RSA 2026, Cisco became one of the first major vendors to treat them as a distinct attack surface, announcing Zero Trust Access for agents through Duo IAM, an open-source secure agent framework called DefenseClaw and a self-service red-teaming tool called AI Defense: Explorer Edition.
Whether that architecture is equal to the challenge is a harder question.
Zero Trust Is the Wrong Security Model
The main problem is architectural, said Diptamay Sanyal, a principal engineer at CrowdStrike who focuses on enterprise identity and threat intelligence. Zero Trust, as designed, rests on verifying a human on every access request. AI agents break that model.
"An agent isn't a human who authenticates once and does something," Sanyal said. "It's a persistent autonomous entity that holds credentials, makes decisions, triggers downstream systems, spawns other agents and does all of that at machine speed with no natural pause point."
That distinction matters because threat data already shows how damaging identity-based attacks against human users have become. The CrowdStrike 2026 Global Threat Report documented adversaries dismantling trust through OAuth token abuse, single sign-on exploitation and compromise of trusted partner connections, and 82% of detections were malware-free. Attackers were not breaking in; they were logging in, through legitimate pathways, with valid credentials.
With agents, the same problem is amplified: by the time a behavioral anomaly is detected, a compromised agent's effects are faster, wider and more compounded than a compromised human account's would be.
Zero Trust for agents would need to change, said Maez De Guzman, who leads enterprise security strategy at EY.
"Agents don't log in, inherit identity or exercise intent the way that humans do," De Guzman said. "Zero Trust must shift to continuous intent validation, behavioral baselining and task-based authorization, including real-time privilege adjustment."
The distinction De Guzman draws is important. Most enterprise environments use retroactive anomaly detection, not proactive real-time intent verification. A system that flags unusual behavior after the fact is incident response, not Zero Trust.
The AI Agent Security Blind Spots
The most dangerous vulnerabilities are ones that current tooling misses, said Monika Malik, lead data and AI engineer at AT&T.
The largest blind spots are not hallucination attacks or obvious misconfigurations, Malik said. They are delegated trust problems: prompt and goal hijacking, tool misuse, poisoned memory and context, over-broad permissions, vulnerabilities in plugins and MCP servers and handoffs between agents that are not properly logged.
Each of these exploits the way agents communicate with each other and with the systems they access, rather than the way they authenticate at the perimeter.
Sanyal's analysis of multi-agent architectures reinforces that picture. In a pipeline where agents inherit assumptions about each other's outputs, compromising one agent and injecting a malicious instruction creates a propagation path that looks legitimate to every monitoring layer above it. "That's exactly the identity abuse pattern documented in the threat data, just running at machine speed," he said.
De Guzman called this recursive delegation: one compromised agent delegates tasks, poisons shared memory and pivots across peers to affect an entire collaborative system before any alerts pop up.
Multi-agent effects are a governance failure as well as a technical one, Malik added. "Enterprises must assume lateral movement will occur unless each agent is assigned isolated identity, isolated memory boundaries, transaction limits and a hard kill switch," she said. Most digital workplace teams are still working out how to govern basic copilot access and retention. Asking them to implement per-agent identity isolation and runtime policy enforcement is, for now, aspirational.
Real Complexity, or Clean Architecture?
This brings us back to Cisco's announcement. The company is correct that AI agents represent a new and expanding attack surface. But there is a difference between a framework with runtime constraints and one that generates dashboards and compliance artifacts while leaving the underlying control problems unsolved.
What matters is whether controls operate at the action level and interoperate across complex multi-vendor environments, De Guzman said. Most enterprise AI deployments are not clean, single-vendor architectures. They are collections of platforms, APIs and agent orchestration layers from different providers, she said, running across hybrid environments with inconsistent logging and no unified policy architecture.
A Zero Trust model that works inside a Cisco-defined architecture but cannot enforce controls at the execution layer across that complexity is a compliance wrapper around problems that have not actually been solved, Malik said.
Tooling was not built for non-human identities operating autonomously at scale, Sanyal said, and the accountability question remains unanswered: when an agent makes a wrong decision inside a Zero Trust perimeter, who owns it?
"The answer can't be the agent," Malik replied. "Accountability must remain human." Every autonomously deployed agent requires an accountable business owner, a technical owner and an auditable chain showing what the agent saw, what policy it evaluated, what actions it took and what fallback existed when it got it wrong.
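To make the controls the three practitioners describe concrete, here is an added illustration (not Cisco's, Duo's, DefenseClaw's or any vendor's code) of an action-level policy enforcement point that sits between an agent and its tools. It gives each agent its own identity with a task-scoped tool allowlist and transaction budget, attenuates scope on every hand-off so a delegated child can never hold more than its parent (the recursive-delegation pattern De Guzman and Sanyal warn about), provides a cascading kill switch, and writes every decision into a hash-chained audit record of what the agent saw, which policy it evaluated, what action resulted and what fallback applied. All class, tool, agent and owner names are hypothetical, and the invoice inputs are constructed for the demo.

```python
from __future__ import annotations
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Optional

# Added example, not any vendor's code. Every name below is hypothetical.


@dataclass(frozen=True)
class Task:
    """What an accountable human authorised; the agent never widens it."""
    task_id: str
    owner: str                 # accountable human, never the agent itself
    allowed_tools: frozenset   # tool allowlist scoped to this task
    spend_limit: int           # transaction limit in whole currency units


@dataclass
class AgentIdentity:
    """One identity per agent instance, with its own scope, budget and parent."""
    agent_id: str
    task: Task
    parent: Optional[str] = None
    spent: int = 0
    killed: bool = False

    def remaining(self) -> int:
        return self.task.spend_limit - self.spent


class AuditChain:
    """Append-only, hash-chained record of every policy decision."""

    def __init__(self) -> None:
        self.entries: list = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = dict(seq=len(self.entries), ts=time.time(), prev=prev, **fields)
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Any edited, reordered or dropped entry breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class PolicyEnforcementPoint:
    """Mediates every tool call; agents never reach a tool directly."""

    def __init__(self) -> None:
        self.agents: dict = {}
        self.audit = AuditChain()

    def register(self, agent_id: str, task: Task) -> AgentIdentity:
        self.agents[agent_id] = AgentIdentity(agent_id, task)
        return self.agents[agent_id]

    def delegate(self, parent_id: str, child_id: str, requested_tools, requested_limit: int) -> AgentIdentity:
        """A hand-off mints a new identity whose scope can only shrink: tools are the
        intersection with the parent's allowlist and the budget is carved out of the
        parent's remaining budget, so N children cannot multiply the original limit."""
        parent = self.agents[parent_id]
        tools = frozenset(requested_tools) & parent.task.allowed_tools
        limit = max(0, min(requested_limit, parent.remaining()))
        parent.spent += limit                      # reserve the delegated budget on the parent
        child_task = Task(f"{parent.task.task_id}/{child_id}", parent.task.owner, tools, limit)
        child = AgentIdentity(child_id, child_task, parent=parent_id, killed=parent.killed)
        self.agents[child_id] = child
        self.audit.append(agent=parent_id, task=parent.task.task_id, saw=None, policy="delegation_attenuation",
                          decision="allow", action=f"delegate:{child_id}",
                          detail=dict(tools=sorted(tools), limit=limit), fallback=None)
        return child

    def kill(self, agent_id: str) -> list:
        """Hard kill switch that cascades to every descendant identity."""
        killed, stack = [], [agent_id]
        while stack:
            aid = stack.pop()
            self.agents[aid].killed = True
            killed.append(aid)
            stack.extend(a.agent_id for a in self.agents.values() if a.parent == aid)
        self.audit.append(agent=agent_id, task=self.agents[agent_id].task.task_id, saw=None,
                          policy="kill_switch", decision="allow", action="kill", detail=dict(cascade=killed), fallback=None)
        return killed

    def authorize(self, agent_id: str, tool: str, cost: int, observed_input: str) -> tuple:
        """Evaluate one tool call; returns (allowed, rule) and logs what the agent saw."""
        saw = hashlib.sha256(observed_input.encode()).hexdigest()   # record the input, not just the action
        ident = self.agents.get(agent_id)
        if ident is None:
            rule, ok, task_id, owner = "identity_unknown", False, "?", "security-oncall"
        elif ident.killed:
            rule, ok, task_id, owner = "kill_switch", False, ident.task.task_id, ident.task.owner
        elif tool not in ident.task.allowed_tools:
            rule, ok, task_id, owner = "tool_allowlist", False, ident.task.task_id, ident.task.owner
        elif cost > ident.remaining():
            rule, ok, task_id, owner = "transaction_limit", False, ident.task.task_id, ident.task.owner
        else:
            rule, ok, task_id, owner = "task_scope", True, ident.task.task_id, ident.task.owner
            ident.spent += cost
        self.audit.append(agent=agent_id, task=task_id, saw=saw, policy=rule, decision="allow" if ok else "deny",
                          action=f"{tool}(cost={cost})", fallback=None if ok else f"escalate_to:{owner}")
        return ok, rule


def demo() -> dict:
    """Constructed scenario: a payables agent hands part of its job to a reconciler."""
    pep = PolicyEnforcementPoint()
    pep.register("payables-agent", Task("ap-run-42", "alice@example.test", frozenset({"read_ledger", "pay_vendor"}), 1000))
    child = pep.delegate("payables-agent", "reconciler", {"read_ledger", "pay_vendor", "delete_ledger"}, 5000)
    decisions = [
        pep.authorize("rogue-agent", "pay_vendor", 1, "pay me"),                    # no identity at all
        pep.authorize("reconciler", "pay_vendor", 600, "invoice #1 approved"),     # within carved-out budget
        pep.authorize("reconciler", "pay_vendor", 600, "invoice #2 approved"),     # would exceed it
        pep.authorize("reconciler", "delete_ledger", 0, "cleanup please"),         # never in scope
        pep.authorize("payables-agent", "pay_vendor", 1, "invoice #3"),            # parent budget already reserved
    ]
    pep.kill("payables-agent")                                                     # cascades to reconciler
    decisions.append(pep.authorize("reconciler", "read_ledger", 0, "status?"))
    return dict(child_tools=sorted(child.task.allowed_tools), child_limit=child.task.spend_limit,
                decisions=decisions, chain_ok=pep.audit.verify(), entries=len(pep.audit.entries))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices carry the weight here. First, delegation reserves the child's budget on the parent at hand-off time, so a compromised agent cannot fan out into many children and multiply its spending authority. Second, the audit entry stores a hash of the input the agent acted on, which is what lets a human owner answer "what did it see" after the fact rather than only "what did it do".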
When AI Agents Working as Intended Is the Problem
Moreover, for AI agents in the enterprise, the external adversary may not be the most likely source of harm.
The more likely one is internal. An agent that executes a poorly defined instruction from a legitimate user, at machine speed, across multiple systems, in ways nobody anticipated, produces damage that no perimeter control catches, because nothing was breached. The instruction was authorized and the agent complied.
Zero Trust has no answer for that. It is a problem of organizational clarity, not security architecture, and it implicates teams deploying agents without first documenting what those agents are supposed to do.
If vendors treat Zero Trust for AI agents purely as an access control problem, and enterprises treat it as a substitute for governance work they have not done, it will not be effective.
The framework needs to become the combination of identity verification, action-level control, runtime governance and human accountability that Malik, De Guzman and Sanyal describe. Even then, that is not enough, because the agents most likely to cause damage are not the ones that get compromised but the ones that work as intended.