I sat through three vendor demos last month that all used the term agentic security. One meant AI agents that triage alerts without analyst intervention; one meant protecting the AI agents already running in my environment; one meant both but couldn't explain how the two connected.
Agentic security has to mean both halves at once: securing the autonomous agents inside an environment, and deploying autonomous agents for security operations work.
I heard one term and zero shared definitions, and that ambiguity is creating procurement confusion, architectural blind spots, and regulatory exposure for the SecOps teams evaluating these tools. Doing one half without the other is a category error, and recent agent-framework CVEs like the PraisonAI authentication bypass (CVE-2026-44338), together with the joint Five Eyes guidance, have brought that error into sharp focus.
In brief:
- Agentic security covers two distinct practices: government agencies, academics, and standards bodies address securing agents, while vendors and trade press default to agents for security. A procurement conversation that doesn't specify which meaning is in play can't be evaluated.
- Securing agents comes before deploying them: rapid exploitation of disclosed CVEs in widely used agent frameworks like PraisonAI, LangChain, and Semantic Kernel makes this non-optional.
- Agent identity has to be separate from user identity: Microsoft, Amazon Web Services, and the Cloud Security Alliance all specify that agents must carry their own verifiable identities, distinct from the user who invoked them.
- The frameworks exist and provide high-level security guidance: practitioners still have to translate them into running configurations.
Agentic security splits into two meanings that collide
The term has two operative meanings, split between government and standards bodies and vendor pitches. Meaning one is securing autonomous AI agents inside your environment, the dominant framing in Microsoft's defense-in-depth research, Forrester's AEGIS framework, USENIX research on AI agent security, and the Five Eyes 2026 guidance. Meaning two is using autonomous agents for security operations work, the AI SOC vendor framing across the category.
The two meanings collide structurally. The properties that make AI SOC agents valuable (autonomous tool execution, persistent memory, multi-step decision-making) are the same attack surfaces that Meaning one research flags as highest-risk. Deploying agents for defense without securing them first expands the attack surface where it matters most. Microsoft is one of the few to capture both sides at once: securing agents, securing their foundations, and defending alongside human experts.
Every part of an agent is an attack surface
An agent is an LLM with tool integrations, memory, environment access, and a decision loop. Anthropic's research describes agents as systems where LLMs are equipped with tools and the ability to take actions, directing their own processes and tool usage. Each of those pieces (the LLM core, tool integrations, memory and state, environment access, the decision loop, and the planning module) is a distinct attack surface.
Planning distinguishes agents from copilots: it runs multi-step operations without a human re-prompting each step, and Microsoft's defense-in-depth guidance treats that autonomy as a primary risk surface. The decision loop is where autonomy turns into operational risk. When a system can act on the world rather than generate content, an error in one tool call feeds the next, which is why securing and deploying agents are the same conversation.
Agent identity, not user identity
Identity is where these problems get concrete. The architectural mistake behind most of the new threat classes is giving an agent the same identity as the user who invoked it.
Three actions need three separate identities
Microsoft's guidance makes the requirement plain: agents must not share the user's identity, and systems need to distinguish actions taken by the user, by the agent on its own behalf, and by the agent acting on the user's behalf. Those three actions need separate authorization bases, separate accountability chains, and separate risk profiles, and merging them into a single record makes post-incident attribution impossible.
Two further consequences follow from that merge. Blast radius expands because human users tend to be over-permissioned, and agents inherit that over-permissioning at machine speed. Audit trails collapse because investigators end up attributing actions to the system rather than to a specific agent.
Every other control depends on identity separation
Standards bodies are naming the same problem. The Cloud Security Alliance (CSA) flagged a gap in how OAuth-based authorization handles autonomous agents and sub-agents, noting that existing identity frameworks don't fully address these agentic use cases. Amazon Web Services (AWS) frames the fix architecturally: agents should have their own identity rather than a copied human one, which may be overly permissive for their tasks.
Building on that, Microsoft specifies four required properties: a unique verifiable identity per agent, scoped permissions, lifecycle controls like revocation and rotation, and per-agent accountability. The dependency runs one way: you can't scope permissions if you can't distinguish the agent, and you can't revoke credentials without independent identity records, so every other control inherits the need to get identity separation right first.
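As an added example (not Microsoft's, AWS's or the CSA's code, and not a reference implementation of their guidance), the following Python sketch shows what the three action modes and four identity properties above look like when written down as an authorization layer: users and agents are separate principals, an agent acting for a user is bounded by the intersection of both scope sets rather than inheriting the user's rights, credentials can be rotated and revoked, and every decision lands in an audit record that names the actor, the mode, and who it was on behalf of. All identities, scopes and actions are constructed; the HMAC-signed credential stands in for whatever workload identity system a real deployment uses.

```python
# Added example: agent identity kept separate from user identity, with scoped
# permissions, rotation/revocation, and per-decision audit. Not vendor code;
# every identity, scope and action below is constructed for illustration.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed signing key for agent credentials. A real deployment would bind
# agent identity to a workload identity system rather than a local HMAC key.
_REGISTRY_KEY = secrets.token_bytes(32)


@dataclass
class Principal:
    """A user or an agent. Agents get their own scopes and never copy a user's."""
    principal_id: str
    kind: str                      # "user" or "agent"
    scopes: frozenset[str]
    credential: str = ""           # current agent credential; unused for users
    revoked: bool = False


@dataclass
class AuditRecord:
    """One line per decision: who acted, for whom, in which mode, and the outcome."""
    actor: str
    on_behalf_of: str | None
    mode: str                      # "user", "agent-self" or "agent-for-user"
    action: str
    allowed: bool


class AgentRegistry:
    def __init__(self) -> None:
        self._principals: dict[str, Principal] = {}
        self.audit: list[AuditRecord] = []

    def register_user(self, user_id: str, scopes: set[str]) -> None:
        self._principals[user_id] = Principal(user_id, "user", frozenset(scopes))

    def register_agent(self, agent_id: str, scopes: set[str]) -> str:
        """Creates an agent with its own scoped permissions; returns its first credential."""
        self._principals[agent_id] = Principal(agent_id, "agent", frozenset(scopes))
        return self.rotate(agent_id)

    def _mint(self, agent_id: str) -> str:
        nonce = secrets.token_hex(8)
        tag = hmac.new(_REGISTRY_KEY, f"{agent_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
        return f"{agent_id}:{nonce}:{tag}"

    def rotate(self, agent_id: str) -> str:
        """Lifecycle control: issue a fresh credential; the previous one stops verifying."""
        agent = self._principals[agent_id]
        agent.credential = self._mint(agent_id)
        return agent.credential

    def revoke(self, agent_id: str) -> None:
        """Lifecycle control: the record stays for audit, but the agent can no longer act."""
        self._principals[agent_id].revoked = True

    def verify_agent(self, credential: str) -> Principal | None:
        """Checks the credential tag, then that it is the agent's current, unrevoked one."""
        parts = credential.split(":")
        if len(parts) != 3:
            return None
        agent_id, nonce, tag = parts
        expected = hmac.new(_REGISTRY_KEY, f"{agent_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        agent = self._principals.get(agent_id)
        if agent is None or agent.kind != "agent" or agent.revoked or agent.credential != credential:
            return None
        return agent

    def authorize(self, action: str, *, user_id: str | None = None,
                  agent_credential: str | None = None) -> bool:
        """Decides one action and records which of the three modes it was taken in."""
        if agent_credential is None:
            # Mode 1: the user acts directly under their own scopes.
            user = self._principals.get(user_id or "")
            allowed = user is not None and user.kind == "user" and action in user.scopes
            self.audit.append(AuditRecord(user_id or "unknown-user", None, "user", action, allowed))
            return allowed
        agent = self.verify_agent(agent_credential)
        actor = agent.principal_id if agent else "unverified-agent"
        if user_id is None:
            # Mode 2: the agent acts on its own behalf, bounded by its own scopes.
            allowed = agent is not None and action in agent.scopes
            self.audit.append(AuditRecord(actor, None, "agent-self", action, allowed))
            return allowed
        # Mode 3: the agent acts for a user. The action must be inside the agent's
        # own scopes AND the user's; the agent never inherits the user's wider rights.
        user = self._principals.get(user_id)
        allowed = (agent is not None and user is not None and user.kind == "user"
                   and action in agent.scopes and action in user.scopes)
        self.audit.append(AuditRecord(actor, user_id, "agent-for-user", action, allowed))
        return allowed


def demo() -> list[AuditRecord]:
    """Constructed walkthrough: an over-permissioned analyst and a narrowly scoped triage agent."""
    reg = AgentRegistry()
    reg.register_user("alice", {"read:alerts", "isolate:host", "delete:logs"})
    cred = reg.register_agent("triage-agent-01", {"read:alerts", "isolate:host"})
    reg.authorize("delete:logs", user_id="alice")                          # allowed: user, directly
    reg.authorize("read:alerts", agent_credential=cred)                    # allowed: agent, own scope
    reg.authorize("delete:logs", agent_credential=cred, user_id="alice")   # denied: alice has it, the agent does not
    reg.authorize("isolate:host", agent_credential=cred, user_id="alice")  # allowed: both hold it
    old_cred, cred = cred, reg.rotate("triage-agent-01")
    reg.authorize("read:alerts", agent_credential=old_cred)                # denied: rotated away
    reg.revoke("triage-agent-01")
    reg.authorize("read:alerts", agent_credential=cred)                    # denied: revoked
    return reg.audit
```

The third call in `demo()` is the one that matters: alice holds `delete:logs`, but the agent acting for her does not, so the request is denied and the audit line records the agent as actor and alice as the party it served. Collapsing the two into one identity would make that line read as alice deleting logs herself.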
The frameworks tell you what, not how
Four bodies of guidance matter here, and they share one limit: they describe the posture to adopt, not the configuration to run.
- Forrester's AEGIS (Agentic AI Enterprise Guardrails for Information Security) places identity and access management among six control domains, alongside governance, data security, application security, threat operations, and Zero Trust. The full framework runs 39 controls and maps to NIST's AI Risk Management Framework (RMF) and ISO/IEC 42001 at 100%.
- The USENIX paper on agent security organizes defenses into local, collaborative, and server-side measures, and AgenticCyOps research names tool orchestration and memory management as the two primary trust boundaries from which defensive principles derive.
- The Five Eyes 2026 guidance on careful adoption of agentic AI adopts a cautious posture: deploy incrementally, begin with low-risk tasks, and plan for unexpected behavior.
Most of these are high-level guidance, not operational playbooks, judging by the deployments I've taken them into on my team. Forrester's full 39-control breakdown needs a client subscription, the USENIX paper admits practical defenses remain elusive, and the Five Eyes guidance gives you posture but not Monday-morning implementation. Turning these documents into running configurations is the practitioner's job, and that translation doesn't exist yet in any single published resource.
Agent-framework CVEs are exploited within hours
The risk catalog underneath those frameworks is concrete. Microsoft lists agent hijacking, sensitive data leakage, supply chain compromise, agent sprawl, harmful outputs, and inappropriate reliance, with intent breaking flagged as a separate threat class, and the OWASP Top 10 for Agentic Applications 2026 defines parallel categories.
- PraisonAI authentication bypass (CVE-2026-44338, CVSS 7.3): under active scanning within hours of disclosure.
- LangChain LangGrinch flaw (CVE-2025-68664, CVSS 9.3 Critical): public proof-of-concept exploits on GitHub.
- ChromaDB code injection (CVE-2026-45829, CVSS v4.0 score 10.0, Critical): still unpatched.
- Semantic Kernel had two critical CVEs in spring 2026, an InMemoryVectorStore RCE (CVE-2026-26030) and an arbitrary file write (CVE-2026-25592).
When the effective response window runs in hours, a patch-within-30-days posture leaves the system exposed for most of the exploit lifetime.
The defensive case is strong for triage, thin for verdicts
That's the securing-agents picture. The Meaning two side is what these systems do inside the SOC, and it breaks into two buckets: AI analysts for investigation, triage, and threat hunting, and remediation systems for response orchestration. Outside assessments lean cautious on whether the category delivers:
- Gartner named AI-driven SOCs a top 2026 trend but framed them as a source of complexity, staffing pressure, and upskilling demands rather than a proven win.
- Gartner separately predicted over 40% of agentic AI projects may be canceled by the end of 2027, citing cost, unclear value, and weak risk controls.
- After RSAC 2026, Forrester found the capabilities difficult to differentiate at both the architectural and implementation level.
On the ground the split is sharper than that commentary admits: enrichment and Tier-1 triage have the strongest production evidence, while autonomous verdict, novel-pattern detection, and compliance-grade auditability are still mostly slideware. Vendors like Prophet Security, Dropzone AI, Exaforce, and 7AI are all in the discussion, but the same evaluation problem holds: capability claims on one half outpace evidence on the other.
AI analysts enrich; they don't decide
AI SOC platforms share a common shape: they ingest alerts from EDR, SIEM, and identity sources, enrich them across endpoints, cloud, identity systems, and threat intelligence, and produce structured investigation reports. Enrichment and evidence assembly is where the track record is longest, with IOC correlation, context loading, and structured reporting the capabilities that have the clearest field validation.
Where autonomy stops is explicit: verdict and escalation authority remain human-gated, with least-privilege execution, tamper resistance, and human oversight as common requirements. Novel-pattern detection carries cascading error risk, since even a low error rate compounds when one agent passes inaccurate data to another. An AI analyst that can't produce a replayable decision trail is doing enrichment work, and a buyer should treat that limit as material to procurement.
Agentic remediation doesn't retire your scripts
Agentic remediation doesn't eliminate scripts. It adds a probabilistic reasoning layer that decides which action to invoke and when, while the underlying actions (firewall rules, host isolation, credential revocations) stay the same. The trigger shifts from deterministic to model-decided, placing agentic LLM-orchestrated workflows alongside deterministic linear scripts and branching conditional logic in the playbook landscape.
The failure modes live in that LLM-orchestrated tier. Prompt injection is structural, because the agent processes untrusted data (log entries, emails, API responses from compromised systems), and research on eight indirect prompt-injection defenses found bypass rates above 50% under adaptive attacks. Over-permissioned agents executing destructive, often irreversible actions compound the risk, which is why Microsoft puts human review for high-risk actions in the orchestrator logic rather than the model's judgment.
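To make the "review in the orchestrator, not the model" point concrete, here is an added Python example of a remediation orchestrator gate. It is not Microsoft's orchestrator or any vendor's product. Proposals arrive as JSON, the way a model might emit them after reading untrusted alert content; the orchestrator checks them against a fixed action catalogue, validates parameters, queues anything irreversible for human approval, ignores the model's self-reported confidence entirely, and writes a replayable decision trail keyed on the hash of the raw proposal. The catalogue, the parameter rules and the four proposals are all constructed.

```python
# Added example: a deterministic approval gate in front of model-proposed
# remediation actions. Not vendor code; catalogue, targets and proposals are
# constructed. The model may propose anything; only catalogued names can run,
# and irreversible ones wait for a human regardless of model confidence.
from __future__ import annotations

import hashlib
import ipaddress
import json
import re
from dataclasses import dataclass

# Allowlist of executable actions with a fixed reversibility classification.
ACTION_CATALOG = {
    "block_ip":          {"irreversible": False, "param": "ip"},
    "isolate_host":      {"irreversible": False, "param": "host"},
    "revoke_credential": {"irreversible": True,  "param": "user"},
    "wipe_host":         {"irreversible": True,  "param": "host"},
}
PARAM_PATTERNS = {
    "host": re.compile(r"[a-z0-9][a-z0-9-]{0,62}"),
    "user": re.compile(r"[a-z][a-z0-9._-]{0,63}"),
}


@dataclass
class Decision:
    """Replayable trail entry: the proposal hash lets an auditor re-derive the outcome."""
    proposal_hash: str
    action: str
    target: str
    outcome: str      # "executed", "queued_for_review" or "rejected"
    reason: str


class RemediationOrchestrator:
    def __init__(self) -> None:
        self.trail: list[Decision] = []
        self.review_queue: dict[str, tuple[str, str]] = {}   # hash -> (action, target)
        self.executed: list[tuple[str, str]] = []

    def handle(self, raw_proposal: str) -> Decision:
        """Gates one model proposal. Any 'confidence' field is deliberately ignored."""
        digest = hashlib.sha256(raw_proposal.encode()).hexdigest()
        try:
            proposal = json.loads(raw_proposal)
            action, target = str(proposal["action"]), str(proposal["target"])
        except (ValueError, KeyError, TypeError):
            return self._record(digest, "?", "?", "rejected", "malformed proposal")
        spec = ACTION_CATALOG.get(action)
        if spec is None:
            return self._record(digest, action, target, "rejected", "action not in catalogue")
        if not self._valid_param(spec["param"], target):
            return self._record(digest, action, target, "rejected", f"invalid {spec['param']} parameter")
        if spec["irreversible"]:
            self.review_queue[digest] = (action, target)
            return self._record(digest, action, target, "queued_for_review", "irreversible action needs human approval")
        self.executed.append((action, target))
        return self._record(digest, action, target, "executed", "reversible action inside catalogue")

    def approve(self, digest: str) -> Decision | None:
        """Human approval path for a queued item, recorded under the same proposal hash."""
        item = self.review_queue.pop(digest, None)
        if item is None:
            return None
        self.executed.append(item)
        return self._record(digest, item[0], item[1], "executed", "human approved")

    @staticmethod
    def _valid_param(kind: str, value: str) -> bool:
        if kind == "ip":
            try:
                ipaddress.ip_address(value)
                return True
            except ValueError:
                return False
        return PARAM_PATTERNS[kind].fullmatch(value) is not None

    def _record(self, digest: str, action: str, target: str, outcome: str, reason: str) -> Decision:
        decision = Decision(digest, action, target, outcome, reason)
        self.trail.append(decision)
        return decision


# Constructed proposals. The "confidence" values are present only to show the gate ignores them.
CONSTRUCTED_PROPOSALS = [
    '{"action": "block_ip", "target": "203.0.113.7", "confidence": 0.91}',
    '{"action": "wipe_host", "target": "db-02", "confidence": 0.99}',
    '{"action": "disable_logging", "target": "siem-01", "confidence": 0.99}',
    '{"action": "isolate_host", "target": "ws-17; echo injected", "confidence": 0.80}',
]


def run_demo() -> RemediationOrchestrator:
    """Feeds the constructed proposals through the gate and returns the orchestrator for inspection."""
    orch = RemediationOrchestrator()
    for raw in CONSTRUCTED_PROPOSALS:
        orch.handle(raw)
    return orch
```

Of the four constructed proposals, only the reversible `block_ip` runs; `wipe_host` waits in the review queue until `approve()` is called with its hash, `disable_logging` is rejected because it is not in the catalogue, and the `isolate_host` call is rejected because its target fails hostname validation. The trail records every outcome under the proposal hash, which is the replayable decision trail the previous section said buyers should treat as material.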
An agentic security program is two programs at once
An agentic security practice that works covers both meanings: securing the agents in your environment and deploying agents for security work. If a vendor says agentic security and means only one half, ask which one. In the selections I've run, the gap is always shipped capability on one half and a roadmap slide on the other, and the roadmap is what you're funding when you sign.
On your own side, audit the agents already running first: inventory which have tool access, what identity they run under, whether it's distinct from the invoking user, and what permissions they've accumulated. The Five Eyes careful-adoption guidance lands on the same posture: assume agents may behave unexpectedly, and prioritize resilience, reversibility, and risk containment over efficiency. Beginning there gives you room to maneuver as the category matures.
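The audit described in the paragraph above can be started as a script over an agent inventory. The following is an added Python example, not something from the Five Eyes guidance or any vendor: it takes a constructed inventory of agents and flags the cases the text names (tool access without an identity of the agent's own, an identity shared with the invoking user, permissions accumulated beyond the agent's documented purpose) plus credentials that have never been rotated or have aged past a constructed 90-day threshold, and returns the findings worst-first so they read as a work order.

```python
# Added example: a first-pass audit over an agent inventory. Not from any
# framework or vendor; the inventory, permission names and the 90-day rotation
# threshold are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

MAX_CREDENTIAL_AGE = timedelta(days=90)   # constructed rotation threshold


@dataclass
class AgentRecord:
    name: str
    identity: str                   # principal the agent authenticates as ("" if none)
    invoking_user: str | None       # human who launched it, if any
    tools: list[str]
    granted: set[str]               # permissions currently held
    required: set[str]              # permissions its documented purpose needs
    last_rotated: date | None       # None if the credential has never been rotated


def audit_agent(rec: AgentRecord, today: date) -> list[str]:
    """Returns the findings for one agent, in the order the text raises them."""
    issues: list[str] = []
    if rec.tools and not rec.identity:
        issues.append("has tool access but no identity of its own")
    if rec.invoking_user is not None and rec.identity == rec.invoking_user:
        issues.append(f"runs under the invoking user's identity ({rec.invoking_user})")
    excess = sorted(rec.granted - rec.required)
    if excess:
        issues.append("holds permissions beyond its purpose: " + ", ".join(excess))
    if rec.last_rotated is None:
        issues.append("credential has never been rotated")
    elif today - rec.last_rotated > MAX_CREDENTIAL_AGE:
        issues.append(f"credential not rotated for {(today - rec.last_rotated).days} days")
    return issues


def audit_inventory(records: list[AgentRecord], today: date) -> dict[str, list[str]]:
    """Findings per agent, agents with no findings dropped, most findings first."""
    findings = {r.name: audit_agent(r, today) for r in records}
    findings = {name: issues for name, issues in findings.items() if issues}
    return dict(sorted(findings.items(), key=lambda kv: -len(kv[1])))


# Constructed inventory: one clean agent, one that inherited its user's identity
# and permissions, and one report bot running with no identity at all.
CONSTRUCTED_INVENTORY = [
    AgentRecord("triage-agent", "svc-triage", "alice", ["siem.search", "edr.query"],
                {"read:alerts"}, {"read:alerts"}, date(2026, 3, 1)),
    AgentRecord("remediation-agent", "alice", "alice", ["edr.isolate", "iam.revoke"],
                {"read:alerts", "isolate:host", "revoke:credential", "delete:logs"},
                {"isolate:host", "revoke:credential"}, None),
    AgentRecord("report-bot", "", None, ["ticketing.write"],
                {"write:tickets"}, {"write:tickets"}, date(2025, 10, 1)),
]


def run_audit(today: date = date(2026, 5, 1)) -> dict[str, list[str]]:
    """Runs the audit against the constructed inventory as of a constructed date."""
    return audit_inventory(CONSTRUCTED_INVENTORY, today)
```

Running it as of the constructed date lists the remediation agent first (shared identity, two excess permissions, never rotated), then the report bot (no identity, stale credential), and omits the triage agent, which is the shape the audit should take before any of these agents is handed more autonomy.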
Frequently asked questions about agentic security
How should a SecOps team define agentic security in practice?
Agentic security has two operative meanings: securing autonomous AI agents operating inside enterprise environments, and deploying autonomous AI agents to perform security operations work like investigation, alert triage, and response. Government agencies and academic researchers address the first meaning, while AI SOC vendors address the second. A complete agentic security practice requires both.
When does agentic security differ from broader AI security work?
AI security is the broader discipline covering all AI systems, including model safety, training data integrity, and inference pipeline protection. Agentic security is the subset focused on autonomous systems that can plan, use tools, and act on the world without human prompting at each step. The distinguishing factor is autonomous action, which introduces attack surfaces like tool misuse, memory poisoning, and identity conflation.
Which agentic AI threats should security teams prioritize first?
Microsoft and other sources describe several major risk categories for agentic AI, including prompt-injection and goal-hijacking attacks, supply chain risks, sensitive data exposure, and human trust exploitation. The OWASP Top 10 for Agentic Applications 2026 adds agent goal hijack, tool misuse, supply chain attacks, unexpected code execution, and memory poisoning. Documented CVEs in LangChain, Semantic Kernel, and ChromaDB show these threat classes are hitting real frameworks.
How should a security team apply the AEGIS framework?
Apply it as a gap-assessment tool, not a 39-control checklist deployed at once. Document each agent with Forrester's "Agent on a Page" (owner, purpose, data and tool access), then run it against AEGIS's controls to find gaps. Phase the fixes the way Forrester prescribes: foundational domains like governance, IAM, and data security before advanced ones. Anchor it on least agency, which extends least privilege to an agent's decisions.
Do AI agents need identities separate from users?
Yes. Microsoft and AWS specify that agents must carry unique, verifiable identities distinct from the users who invoke them. Giving an agent the same identity as a human user eliminates the ability to scope permissions, maintain audit trails, or enforce lifecycle controls like credential revocation. The dependency is strict: every downstream security control for agents depends on this identity separation being solved first.