{"id":200087,"date":"2026-03-24T20:07:00","date_gmt":"2026-03-25T00:07:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/24\/securing-ai-agents-the-defining-cybersecurity-challenge-of-2026\/"},"modified":"2026-03-28T14:05:36","modified_gmt":"2026-03-28T18:05:36","slug":"securing-ai-agents-the-defining-cybersecurity-challenge-of-2026","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/24\/securing-ai-agents-the-defining-cybersecurity-challenge-of-2026\/","title":{"rendered":"Securing AI agents: the defining cybersecurity challenge of 2026"},"content":{"rendered":"<p><a href=\"https:\/\/www.bvp.com\/atlas\/securing-ai-agents-the-defining-cybersecurity-challenge-of-2026\">Securing AI agents: the defining cybersecurity challenge of 2026<\/a><\/p>\n<p><a href=\"https:\/\/www.bvp.com\/atlas\/securing-ai-agents-the-defining-cybersecurity-challenge-of-2026\">https:\/\/www.bvp.com\/atlas\/securing-ai-agents-the-defining-cybersecurity-challenge-of-2026<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-24 20:07:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.bvp.com\">www.bvp.com<\/a><\/p>\n<p>AI agents are rapidly moving from experimental demos to production-grade enterprise infrastructure. Microsoft, Google, Anthropic, OpenAI, and Salesforce are all deploying agentic AI systems that act across apps and data, not just chat. Gartner projects that 40% of enterprise applications will embed task-specific AI agents by 2026, up from less than 5% in 2025. But as AI extends into autonomous workflows across new verticals, cyberthreats are proliferating in lockstep. 
Model Context Protocol (MCP) vulnerabilities, prompt injection attacks, data exfiltration through AI assistants: the attack surface is expanding faster than the defenses designed to protect it.<br \/>\n\u00a0<br \/>\nThe risks are no longer theoretical. In a controlled red-team exercise, McKinsey&#8217;s internal AI platform &#8220;Lilli&#8221; was compromised by an autonomous agent that gained broad system access in under two hours, a stark demonstration of how quickly agentic threats can outpace human response times.<br \/>\n\u00a0<br \/>\nSecuring AI agents has become the defining cybersecurity challenge of 2026. A Dark Reading poll found that 48% of cybersecurity professionals now identify agentic AI and autonomous systems as the single most dangerous attack vector. The financial stakes are equally substantial: according to IBM&#8217;s 2025 Cost of a Data Breach Report, shadow AI breaches cost an average of $4.63 million per incident\u2014$670,000 more than a standard breach. The exposure isn&#8217;t just higher; it&#8217;s structurally different. Agentic attacks traverse systems, exfiltrate data, and escalate privileges at machine speed, before a human analyst can respond.<br \/>\n\u00a0<\/p>\n<p>\u201cAI agents are not just another application surface\u2014they are autonomous, high-privilege actors that can reason, act, and chain workflows across systems. The core risk isn\u2019t vulnerability, it\u2019s unbounded capability.\u201d<br \/>\n\u00a0\u2014 Barak Turovsky, Operating Advisor at Bessemer Venture Partners and former Chief AI Officer at General Motors<\/p>\n<p>\u00a0<br \/>\nAt Bessemer, we&#8217;ve spent the past year in deep conversation with CISOs and security practitioners navigating this challenge firsthand. 
This primer offers a three-stage framework for approaching your AI agent security strategy, the questions that should be driving a CISO&#8217;s 2026 agenda, and the top five CISO actions needed to close the security gap\u2014plus practical guidance from technology leaders Barak Turovsky, Jason Chan, Dean Sysman, and Mike Gozzo.\u00a0<br \/>\nWhat do you secure first with AI agents?<br \/>\nThe most important question isn&#8217;t which tool to buy\u2014it&#8217;s what, exactly, needs to be protected. As threat exposure widens, CISOs must resist the instinct to procure before they&#8217;ve defined the problem.<br \/>\nThe answer starts with identity. As CyberArk has noted: &#8220;Every AI agent is an identity. It needs credentials to access databases, cloud services, and code repositories. The more tasks we give them, the more entitlements they accumulate, making them a prime target for attackers.&#8221;<br \/>\nThis is agentic AI&#8217;s central tension: the same autonomy that makes agents valuable\u2014executing multi-step workflows, coordinating tools, accessing databases, sending emails, modifying code, and updating plans in real time\u2014is precisely what makes them dangerous when compromised. Capability and exposure scale together.<br \/>\n&#8220;The fundamental shift enterprises need to internalize is that AI agents aren&#8217;t tools\u2014they&#8217;re actors,&#8221; says Mike Gozzo, Chief Product and Technology Officer at Ada. &#8220;They make decisions, take actions, and interact with systems on behalf of your customers. Securing an actor is a fundamentally different problem than securing a tool, and most of the industry hasn&#8217;t caught up to that yet.&#8221;<br \/>\nThat challenge is compounded by a property unique to agents: their behavior is nondeterministic. 
As Jason Chan, cybersecurity leader and Operating Advisor at Bessemer, explains: &#8220;Much of the power that agents provide is the ability to specify an outcome without verbosely documenting every step required to achieve it. If we&#8217;ve learned anything from rule-based security, it&#8217;s that it can and will be subverted. We need to enable security teams to create policy and capabilities that let agents deliver value while respecting security requirements.&#8221; Traditional controls assume predictable execution. Agents don&#8217;t offer that\u2014which is why the industry needs purpose-built approaches, not just adapted ones.<br \/>\nAs OWASP&#8217;s latest analysis points out, AI agents mostly amplify existing vulnerabilities rather than introduce entirely new ones. The threat categories are familiar\u2014credential theft, privilege escalation, data exfiltration. What has changed is the blast radius and the speed. Dean Sysman, co-founder of Axonius and Venture Advisor at Bessemer, adds: &#8220;An agent doesn&#8217;t have the same human understanding of things that are wrong to do. When given a goal or optimization function, an agent will do harmful or dangerous things that for us humans are obviously wrong. We&#8217;ve seen real-life examples of agents deleting, changing, and operating infrastructure in harmful ways.&#8221;<br \/>\nSimply put, we\u2019re seeing familiar threats with an unfamiliar velocity. While no two enterprises face identical exposure, the attack surface of an agentic environment maps consistently across four layers: the endpoint, where coding agents like Cursor and GitHub Copilot operate; the API and MCP gateway, where agents call tools and exchange instructions; SaaS platforms, where agents are embedded in core business workflows; and the identity layer, where credentials and access privileges are granted, accumulated, and \u2014 too often \u2014 left unreviewed. 
Understanding which of these layers carries the most risk in your environment is the best place to start. The framework that follows is designed to help address these concerns.<br \/>\nHow to think about securing AI agents: a three-stage framework<br \/>\nSecuring AI agents is a systemic problem, so before a CISO can enforce policy or respond to threats, they need to know what they&#8217;re dealing with. Before AI agents can be protected at runtime, they need to have been configured correctly.\u00a0<br \/>\nThe challenge consists of three stages: visibility, configuration, and runtime protection, each a prerequisite for the next.<br \/>\nStage 1: Visibility\u2014know what you have<br \/>\nVisibility is the first and often most neglected stage. Most enterprises have no accurate inventory of the AI agents operating in their environment: which agents exist, what permissions they hold, who authorized them, and what they were built to do. Without this foundation, everything downstream is guesswork.\u00a0<br \/>\nVisibility means establishing a live map of agents across your stack, which includes coding agents like Cursor and GitHub Copilot at the endpoint, orchestration agents embedded in SaaS platforms like Salesforce and Microsoft 365, and API-connected agents operating through MCP servers and third-party integrations. Intent matters here too. For example, an agent provisioned for a narrow task but granted broad access to a CRM is a misconfiguration waiting to become an incident.<br \/>\nStage 2: Configuration\u2014reduce the blast radius before an attack happens<br \/>\nWith inventory established, the question becomes: Are these agents configured safely? This is where most of the exploitable risk lives today. 
The most common misconfigurations follow a predictable pattern: excessive privilege, weak or shared credentials, policy violations that went undetected because no tool was looking for them, and abnormal access patterns that don&#8217;t trigger traditional alerts because they&#8217;re technically within policy. Configuration is not a one-time audit; it&#8217;s a continuous posture. An agent&#8217;s attack surface shifts every time it is updated, given a new tool, or connected to a new service. CISOs need solutions that track configuration drift in real time, not at quarterly reviews.<br \/>\nStage 3: Runtime protection\u2014detect and respond at machine speed<br \/>\nThe final stage is where the agentic threat becomes qualitatively different. A compromised agent doesn&#8217;t wait. It reasons, pivots, and escalates access autonomously, often completing an attack chain in the time it takes a human analyst to open a ticket. Runtime protection requires three capabilities traditional security tools weren&#8217;t built to provide: agentic investigation (understanding what an agent did and why), real-time detection that interprets nondeterministic behavior rather than matching known signatures, and context-aware enforcement that can halt a specific action without taking down the entire workflow. That last capability\u2014targeted, in-flight intervention\u2014is where the market is most underdeveloped, and where the clearest infrastructure opportunity lies.<br \/>\nDon\u2019t forget the power of an internal audit\u00a0<br \/>\nEvery team, no matter the size, must develop a custom-fit defensive strategy for securing AI agents. 
Here are seven guiding questions for CISOs to ask their teams.<\/p>\n<p>Securing AI agents: Questions to guide an internal audit<\/p>\n<p>Scope &#038; pain<\/p>\n<p>1<br \/>\nHow extensively are AI agents deployed in your environment today?<\/p>\n<p>2<br \/>\nWhat&#8217;s your biggest concern about their security risks?<\/p>\n<p>3<br \/>\nDo you care more about coding agents (Cursor, Claude) or generic ones?<\/p>\n<p>Architecture<\/p>\n<p>4<br \/>\nWhich layer makes the most sense for AI agent security controls: endpoint, network\/proxy, identity management?<\/p>\n<p>5<br \/>\nIs there room for purpose-built agent-specific solutions?<\/p>\n<p>Market noise<\/p>\n<p>6<br \/>\nWith so many AI agent security startups emerging, how do you distinguish between them?<\/p>\n<p>Detection &#038; prevention<\/p>\n<p>7<br \/>\nAre you more focused on visibility of agent usage or preventing AI agents from being compromised?<\/p>\n<p>Top CISO actions to close the protection gap<br \/>\nThe threat is real, the tooling is nascent, and the window to get ahead of it is closing. Based on our conversations with security leaders at the frontier of this problem, five priorities stand out for CISOs navigating the agentic security challenge in 2026.<br \/>\n1. Align on your organization&#8217;s risk posture before buying anything<br \/>\nThe instinct under pressure is to procure. Resist it. Before evaluating vendors or deploying controls, security teams need clarity on where their organization actually stands on AI agents. As Jason puts it: &#8220;Define, at a business level, your organization&#8217;s position on agents. Are you going all in? Dipping your toes in the water? Saying no until the landscape is better known? 
This position will help security teams align their approach with the organization&#8217;s expectations and risk tolerance.&#8221; A CISO in aggressive deployment mode needs a fundamentally different security posture than one in a \u2018wait-and-see\u2019 stance. The framework should follow the strategy, not precede it.<br \/>\n2. Treat agents like production infrastructure, not applications<br \/>\nThe most common mistake enterprises make is applying their existing application security playbook to agents. It doesn&#8217;t fit. &#8220;AI agents are not just another application surface\u2014they are autonomous, high-privilege actors that can reason, act, and chain workflows across systems,&#8221; says Barak Turovsky. &#8220;Most enterprises are adding monitoring on top of poorly constrained agents, which is the wrong order.&#8221; The right order is ownership first, then constraints, then monitoring. Define who is responsible for each agent, limit its permissions to what the task requires, and enforce action-level guardrails before any monitoring tool is turned on. Organizations that get this right won&#8217;t just be more secure\u2014they&#8217;ll deploy agents faster, because they actually trust them.<br \/>\n3. Start narrow, then expand deliberately<br \/>\nAgents accumulate access over time, and the risk surface grows with it. Dean Sysman offers a clear prescription: &#8220;Have a gradual, well-defined plan of the available inputs and outputs of each agent and make sure they are very narrowly scoped, then incrementally expand.&#8221; Launch agents with the minimum permissions required for a specific task, validate their behavior in that constrained environment, and expand access only when there is clear evidence it is needed and safe. Granting broad access upfront, in the name of flexibility or speed, is precisely how organizations create the privilege accumulation problem attackers will exploit.<br \/>\n4. 
Close the freedom-versus-control gap with guardrails, not just monitoring<br \/>\nAs we stated earlier, the fundamental tension in agentic AI is that the same autonomy that makes agents powerful makes them dangerous. As Dean observes: &#8220;The great value of agents is their ability to decide to do things on their own, but the guardrails of what they shouldn&#8217;t do need to be incredibly comprehensive.&#8221; Monitoring can tell you what an agent did. Guardrails determine what it&#8217;s allowed to do in the first place. The security leaders who get this right will be those who define those boundaries explicitly, at the action level, not just the access level, before an incident forces the conversation. The goal is not to constrain what agents can do, but to make their autonomy trustworthy.<br \/>\n5. Give every agent an identity, and treat it like an employee<br \/>\nMost agents today inherit broad permissions from the systems they connect to, with no zero-trust boundaries governing what they can actually reach. Mike offers a precise diagnostic: &#8220;Give agents an identity, scope their access, and audit what they do the same way you would any other actor in your environment. A CISO&#8217;s first move should be ensuring every agent has a managed identity with scoped authentication\u2014not a shared API key with \u2018god-mode\u2019 access. If you can&#8217;t answer the questions &#8216;What can this agent do?&#8217; &#8216;On whose behalf?&#8217; and &#8216;Who approved it?&#8217; the same way you can for a human employee, you&#8217;re not ready for the autonomy these systems are about to have.&#8221;<br \/>\nCISOs, don\u2019t wait\u00a0<br \/>\nAgentic AI is not coming\u2014it&#8217;s already here, but the security infrastructure to match it is not. The CISOs who close that gap deliberately, starting now, will define what enterprise AI looks like for the rest of the decade. 
The ones who wait until 2027 will spend that time in incident response.\u00a0<br \/>\nIf you&#8217;re a CISO navigating this challenge or a cybersecurity founder building in this space, we want to hear from you. Reach out to the team, including Amit Karp (karp@bvp.com), Mike Droesch (mdroesch@bvp.com), Yael Schiff (yschiff@bvp.com), and Elliott Robinson (erobinson@bvp.com).\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Securing AI agents: the defining cybersecurity challenge of 2026 https:\/\/www.bvp.com\/atlas\/securing-ai-agents-the-defining-cybersecurity-challenge-of-2026 Publish Date: 2026-03-24 20:07:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":200088,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bvp.com\/assets\/uploads\/2026\/03\/ATLAS_Securing-AI-agents_V2_ATLAS_Securing-AI-Agents-3_1600x900_compressed.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,24,31,27],"class_list":["post-200087","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/200087"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=200087"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/200087\/revisions"}],"predecessor-version":[{"id":200089,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/200087\/revisions\/200089"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/200088"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=200087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=200087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=200087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}