
Anthony Grieco, Cisco’s SVP and chief security and trust officer, didn’t hesitate when VentureBeat asked whether rogue agent incidents had reached Cisco’s customer base.
"One hundred percent. We see them regularly," Grieco told VentureBeat in an exclusive interview at RSAC 2026. "I’ve heard some things that I can’t repeat, but they get to places where, you know, agents do what they think is right."
The incidents Grieco described follow a consistent pattern: authentication passes and identity checks clear. The agent is what it claims to be. Then it accesses data it should never touch, or takes an action no one authorized at that level of detail. The failure is not identity; it is authorization.
"Business says we will have 500 agents for every employee," Grieco told VentureBeat. "Security leaders are really focused on how we can make sure we do it safely."
According to Cisco’s State of AI Security 2026 report, 83% of organizations plan to implement agent capabilities, but only 29% feel they are ready to provide them. Five vendors shipped agent identity frameworks at RSAC 2026. None closed every gap. That includes Cisco.
VentureBeat mapped four authorization gaps from Grieco’s exclusive interview and five independent sources. The prescriptive matrix at the end of this story covers what to do about them.
No one has closed the permission gap yet
Grieco came up through Cisco’s engineering and threat research organizations before taking on a role that spans both sides of the company’s security operation: building the products Cisco sells and managing Cisco’s own defense program.
The permission gap he describes is specific and operational.
"This agent here is a financial agent, but even if he is a financial agent, he should not have access to all financial information," Grieco told VentureBeat. "It should go into individual expense reports at a given time, not just expense reports. Getting this kind of granular control is one of the biggest things that will help us say yes to many agent developments."
Independent practitioners validated the pattern at RSAC 2026. IEEE senior member Kayne McGladrey told VentureBeat that organizations clone human user profiles for agents by default, and permission sprawl begins on day one. Carter Rees, vice president of AI at Reputation, identified the structural cause. The LLM’s flat authorization plane does not respect user permissions, Rees told VentureBeat. An agent on that plane does not need to escalate privileges. It is already there.
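The difference between a cloned human profile and the granular, time-bound grant Grieco describes can be shown in a few lines. This is an added example, not code from Cisco or from anyone quoted here; the agent IDs, resource paths and the `Grant` model are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# Constructed "before": the agent runs under a cloned human finance profile,
# so one wildcard permission covers every finance record and never expires.
CLONED_FINANCE_ROLE = [("read", "finance/*")]

def cloned_role_allows(action, resource):
    return any(a == action and fnmatch(resource, p) for a, p in CLONED_FINANCE_ROLE)

@dataclass(frozen=True)
class Grant:
    """One agent, one action, one record, one time window (hypothetical model)."""
    agent_id: str
    action: str
    resource: str
    not_before: datetime
    expires: datetime

def authorize(grants, agent_id, action, resource, now):
    """Deny by default; allow only an exact, currently valid grant."""
    reason = "no grant for this agent, action and resource"
    for g in grants:
        if (g.agent_id, g.action, g.resource) != (agent_id, action, resource):
            continue
        if g.not_before <= now < g.expires:
            return True, "ok"
        reason = "grant outside its time window"
    return False, reason

def run_expense_report_checks():
    """Run the same requests against both models; all values are constructed."""
    t0 = datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)
    needed = "finance/expense-reports/ER-1001"
    other = "finance/expense-reports/ER-2002"
    grants = [Grant("agent:expense-bot", "read", needed, t0, t0 + timedelta(minutes=10))]
    def scoped(resource, when, agent="agent:expense-bot"):
        return authorize(grants, agent, "read", resource, when)
    return {
        "cloned_other_report": cloned_role_allows("read", other),
        "scoped_needed_report": scoped(needed, t0 + timedelta(minutes=5)),
        "scoped_other_report": scoped(other, t0 + timedelta(minutes=5)),
        "scoped_after_expiry": scoped(needed, t0 + timedelta(minutes=10)),
        "scoped_other_agent": scoped(needed, t0 + timedelta(minutes=5), "agent:hr-bot"),
    }

if __name__ == "__main__":
    print(run_expense_report_checks())
```

Under the cloned profile the agent can read a report it was never asked to handle; under the scoped grant the same request is denied, as is the needed report once the window closes.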
"The biggest problem we see is knowing what’s going on," Grieco said. "Having identity and control maps of these is really important."
Elia Zaitsev, CTO of CrowdStrike, described the visibility side of the problem in an exclusive VentureBeat interview at RSAC 2026. In most default logging configurations, agent activity is indistinguishable from human activity. Distinguishing the two requires walking the process tree. Most enterprise logging cannot make that distinction.
Five vendors shipped agent identity frameworks at RSAC, including Cisco’s Duo IAM and MCP gateway controls. None closed every gap VentureBeat identified. The following four gaps remain open.
Standards bodies agree on the same diagnosis
The permission and identity gaps Grieco describes aren’t just vendor observations. Three independent standards bodies reached parallel conclusions in early 2026. In February 2026, NIST’s NCCoE published a concept paper, "Accelerating adoption of software and AI Agent identity and authorization," that explicitly calls for demonstration projects on how existing identity standards apply to autonomous agents.
The OWASP Top 10 for Agentic Applications, released in December 2025, identified abuse of overly privileged access and unsafe delegation as high-level risks. And the Cloud Security Alliance launched the CSAI Fund at RSAC 2026 with its mission, "Agent Control Aircraft Security," including a dedicated agentic AI IAM framework built around decentralized identifiers and zero-trust principles. When NIST, OWASP, and CSA independently note the same class of gap in the same market period, the signal is structural rather than vendor-specific.
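Why walking the process tree matters can be seen on a handful of process-creation events. This is an added example, not CrowdStrike’s or any vendor’s detection logic; the events, process names and the `agent-runtime` launcher name are constructed, and it assumes an inventory of known agent launchers exists.

```python
# Constructed process-creation events in the shape of EDR process telemetry.
# Process names and the agent launcher name are hypothetical.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "sshd",          "user": "alice"},
    {"pid": 110, "ppid": 100, "image": "bash",          "user": "alice"},
    {"pid": 120, "ppid": 110, "image": "psql",          "user": "alice"},
    {"pid": 200, "ppid": 1,   "image": "agent-runtime", "user": "alice"},
    {"pid": 210, "ppid": 200, "image": "python3",       "user": "alice"},
    {"pid": 220, "ppid": 210, "image": "bash",          "user": "alice"},
    {"pid": 230, "ppid": 220, "image": "psql",          "user": "alice"},
    {"pid": 300, "ppid": 999, "image": "curl",          "user": "alice"},  # parent never logged
]
AGENT_LAUNCHERS = {"agent-runtime"}  # assumption: an inventory of known agent runtimes
ROOT_PIDS = {0, 1}

def flat_view(pid, events=EVENTS):
    """What a default log line shows: who ran what, with no ancestry."""
    e = next(e for e in events if e["pid"] == pid)
    return e["user"], e["image"]

def classify(pid, events=EVENTS):
    """Walk parent links; return (verdict, lineage). Assumes PIDs are not
    reused inside the sample window."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen, cur = [], set(), pid
    while cur in by_pid and cur not in seen:   # 'seen' guards against loops
        seen.add(cur)
        chain.append(by_pid[cur]["image"])
        cur = by_pid[cur]["ppid"]
    if any(image in AGENT_LAUNCHERS for image in chain):
        verdict = "agent"
    elif cur in ROOT_PIDS:
        verdict = "human"      # complete lineage, no agent launcher in it
    else:
        verdict = "unknown"    # lineage broken: cannot answer either way
    return verdict, " <- ".join(chain)

if __name__ == "__main__":
    for pid in (120, 230, 300):
        print(pid, flat_view(pid), classify(pid))
```

PIDs 120 and 230 look identical in the flat view (same user, same binary); only the lineage separates the human session from the agent-initiated one, and a missing parent record leaves the question unanswerable.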
MCP security requires discovery before control
VentureBeat asked Grieco at RSAC 2026 about the paradox of MCP, the Model Context Protocol that every vendor has adopted while acknowledging its security vulnerabilities. Grieco did not claim that the protocol was secure. He argued that blocking it was no longer realistic.
"As a security leader in this day and age there is no saying no," Grieco told VentureBeat. "And how can we manage it?"
In Cisco’s own environment, Grieco’s team added MCP discovery, proxying, and inspection capabilities across AI Defense and Cisco Secure Access. This approach treats MCP servers the way businesses treat shadow IT: find them before you manage them.
Etay Maor, vice president of threat intelligence at Cato Networks, confirmed this approach from the adversarial side. At RSAC 2026, Maor demonstrated a Living Off the AI attack that chains Atlassian’s MCP and Jira Service Management. Attackers do not distinguish between trusted tools, services and models. They chain all three. "We need an HR view of agents," Maor told VentureBeat. "Onboarding, monitoring, offboarding."
Almost half of critical infrastructure is outdated and no longer patched
Agent authorization flaws are hard to detect and contain when the underlying infrastructure hasn’t received a security patch in years, and this gap compounds every other vulnerability in this story. Cisco commissioned the UK-based consulting firm WPI Strategy to investigate end-of-life technology risk in the US, UK, France, Germany and Japan. The report found that nearly half of the critical network infrastructure in these geographies is aging or already at end of life. Vendors no longer patch it.
"Almost 50% of critical infrastructure in these geographies was aging, end-of-life or near-end-of-life," Grieco told VentureBeat. "This means that vendors no longer provide security patches for them."
Cisco’s Sustainable Infrastructure initiative disables unused features by default and phases out older protocols on a three-release deprecation schedule. Grieco pushed back against the assumption that secure-by-default is a static achievement. "One thing that most people don’t realize is that these are not static points in time," Grieco told VentureBeat. "It’s not like you do it once and you’re done."
Agent enterprise security gap matrix
The following four gaps are things security directors can act on Monday morning. Each row, cross-validated by five independent sources, maps from what’s broken to why it’s broken to what to do about it.
Sources: VentureBeat analysis of Grieco’s exclusive interview at RSAC 2026, cross-validated against independent reports from McGladrey (IEEE), Rees (Reputation), Maor (Cato Networks), and Zaitsev (CrowdStrike). May 2026.

| Security gap | What fails and what it costs | Why your current stack doesn’t capture it | Where is vendor control now? | First move for your team |
| --- | --- | --- | --- | --- |
| Infrastructure obsolescence | About half of critical network assets are at or near end of life (WPI Strategy); agents running on unpatched systems inherit vulnerabilities that no vendor can fix | The annual patch cadence cannot keep up with the threat rate; EoL systems receive zero security updates and zero vendor support | Sustainable Infrastructure disables untrusted defaults, warns about risky configurations, deprecates old protocols on a three-release schedule | Infra team: check each network asset against vendor EoL dates this quarter. Reclassify the EoL replacement from an IT upgrade to a security investment in the next budget cycle |
| MCP discovery | MCP servers are deployed in unprecedented security environments; developers create agent-tool relationships that override existing management | Shadow MCP deployments bypass existing discovery tools; there is no standard inventory mechanism; the Living Off the AI demonstration (Maor) showed attackers chaining MCP and Jira in an attack | AI Defense adds MCP discovery, proxying, and inspection; treats MCP servers like shadow IT | Security operations: run an MCP server inventory on all environments before deploying any agent management controls. If you can’t list your MCP surface, you can’t protect it |
| Excessive agent authorization | Agents inherit broad human-level access at the flat authorization plane; there is no need to escalate privileges because the agent already has them (Rees) | IAM teams clone human profiles for agents by default (McGladrey); granular, time-bound permissions are not available for non-human entities | Duo IAM registers agents as distinct identity objects with granular, time-bound permissions for each tool invocation | IAM team: immediately stop cloning human accounts for agents. Scope each agent permission to a specific data set, a specific activity, and a specific time window. The Grieco test: can this financial agent access only the individual expense report that it currently needs? |
| Agent behavior visibility | Agent actions are indistinguishable from human actions in security logs (Zaitsev); an over-authorized agent that appears human in the logs is invisible to the SOC | Default logging does not walk the process tree; no vendor has shipped a complete cross-platform behavior database for agent activity | SOC telemetry integration with Whimsical for agent-specific detection and response | SOC lead: update logging to capture process-tree lineage so that agent-initiated actions can be distinguished from human-initiated actions. If the SIEM cannot answer "is this a person or an agent?" for each session, the gap is open |

"Frankly, we have to move it fast and evolve it fast to keep up with where the competitors are going," Grieco told VentureBeat.
The above gaps are not theoretical. Grieco confirmed that the incidents have already taken place. Controls are available in pieces from many vendors. No vendor has assembled the full stack.





