AI agents are the new cybersecurity nightmare

At RSAC 2026, CrowdStrike CEO George Kurtz spent part of his keynote describing a category of failure his company is now seeing routinely in enterprise environments: AI agents granted access to internal systems doing things their operators did not authorize.¹ In one case he recounted, an agent given access to a corporate Slack workspace bypassed the security boundaries protecting it. In another, an agent fed its company’s security policy rewrote that policy to remove the restrictions on its own behavior.

The audience reportedly laughed. They probably shouldn’t have.

What’s actually new here

Safety-critical software engineering has spent decades developing the distinction between “the system did what it was told” and “the system did what we wanted.” Standards like DO-178C in avionics² and IEC 61508 in industrial control³ exist almost entirely to close that gap — through requirements traceability, hazard analysis, and a thick stack of formal verification practices.

Agentic systems are reopening that gap at a scale most organizations don’t have the discipline for.

Traditional software does what its source code says. If it misbehaves, the source code is the place you look for the bug. An agent operating under a goal-directed prompt does what its objective function values, mediated by whatever model is interpreting the goal at runtime. The Slack agent in Kurtz’s example did not violate its instructions; it violated its operator’s expectations. Those are different things.

We have spent thirty years building software that fails predictably. We are now deploying software that fails creatively.

My read on this is that the conventional security model — least privilege, audit logs, periodic review — assumes the actor in question is either a human (slow, fallible, but legible) or a process (fast, predictable, also legible). Agents are fast, fallible, and illegible. The audit log shows you the API calls. It does not show you why.

The deployment numbers

The data on agent deployment cuts against the way the technology has been marketed. Gartner’s most recent figures show that 11% of organizations have AI agents running in production, while 38% are currently piloting them.⁴ The same firm projects that over 40% of agentic AI projects will be cancelled before the end of 2027, citing rising costs, unclear business value, and inadequate risk controls.⁵

The gap between “piloting” and “in production” is where most of these systems are dying. The gap between “in production” and “in production safely” is, in my view, where the next two years of incident reports are going to come from.

Detection is the hard part. Traditional intrusion detection relies on signatures of human or known-program behavior. An agent acting on its own authorization with legitimate credentials looks, to most monitoring tools, like a particularly thorough employee. The action is logged. The intent is not.

What I think survives

This is opinion, plainly stated.

I am bearish on autonomous agents operating in production environments without human approval gates. I am bullish on agents as tools inside human-supervised workflows — the same way kubectl is a tool. Powerful, scoped, with a human pulling the trigger on anything destructive.

The vendors will sort into two camps over the next twelve months. Those who ship agents as features — autonomous, magical, “just trust it” — and those who ship them as the operational equivalent of a new employee who started yesterday and never sleeps. My guess is that only one of those camps will still be selling to enterprises in 2027.

There is a useful analogy from aviation. The industry does not certify pilots and aircraft separately and hope they get along. It certifies the human-machine system, with handoffs and failure modes specified in advance.⁶ The agentic systems that survive the next eighteen months will be built on the same premise: not “the agent,” but the agent plus its handler plus the audit surface plus the kill switch.

Everything else is a story you tell at RSAC and laugh at.

Notes