Zero Trust for Agentic AI: Safeguarding your Digital Workforce
Publish Time: 23 Mar, 2026

Welcome to the Agentic AI Era

Enterprise interest in agentic AI is accelerating. A recent poll of Cisco security customers shows that 85% of organizations are actively adopting AI agents, yet only 5% report broad production deployments today. Most deployments remain limited to internal workflows while companies work out governance, security, and operational controls. But agents are here to stay as a new digital workforce that needs to be managed. The common concerns were enforcing consistent access controls, preventing data exfiltration, and managing agent autonomy and behavior.

AI agents execute complex tasks at machine speed, yet they lack the judgment and contextual awareness a human worker brings. We need security in place to govern this new workforce.

Current challenges in the agentic AI ecosystem

When our teams analyzed the problem of governing this new digital AI workforce, three themes came up across our customer and prospect conversations about why zero trust access built for humans must adapt to agentic workflows:

  • Early and fragmented ecosystem. Agents are everywhere and the technology is constantly changing. Agents don't just use browser sessions and static APIs; they use tool brokers such as MCP (Model Context Protocol) servers and toolchains, and they rely on identities that have no human-like characteristics. This means identity, access, inspection, logging, everything, must be updated to understand agent-to-agent and agent-to-tool traffic and to enforce policy at the level agents operate on.
  • Inconsistent policy enforcement. It's not that there isn't security. It's that safeguards are scattered across multiple, disconnected layers and are often too blunt. Each service in each layer has its own authentication model and security controls, often inconsistent and outside the security team's direct control. Across MCP servers, we're seeing that security is wildly inconsistent. Yet agents need nearly ad hoc access to do their jobs: the more agency they are given, the broader their access. If a single MCP server exposes excessive privileges, or an application limits access only by coarse scopes, agents will burrow through the environment to be 'helpful'. They are task oriented, after all, and most of the time without any human-like judgment.
  • Dynamic, non-deterministic actions. Agents interact with tools and resources in unpredictable ways to complete their tasks. This breaks static, predefined security controls and makes agents difficult to govern with legacy security solutions. Agents may try to access tools or perform actions outside their intended scope or purpose, so governance must be able to infer intent and match it to the appropriate actions and access.

As we built our solution, the key design requirement was that enforcement must not depend on an agent's "cooperation": it has to be agent- and intent-aware, carry identity context, and be applied consistently across tools.

Intention becomes the new perimeter.

The common control point is the point of access to company tools and data, which makes our SSE (Security Service Edge) the natural place for enforcement. We tie that together with identity, so the SSE has full context on what the agent is, who owns it, and what it's allowed to do.

The Solution: Zero Trust for Agentic AI

Figure 1. Cisco Zero Trust Solution

Today, I'm proud to announce that Cisco now extends our Zero Trust Access architecture to organizations' agentic AI workforce by combining identity discovery and management, access enforcement, and runtime behavioral protection to govern how agents operate across enterprise systems. We've designed an end-to-end solution to help protect your world from agents taking unintended or unaligned actions.

Agent Visibility and Identity Management. Cisco discovers and registers AI agents, MCP servers, and associated tools, creating a centralized inventory of agent identities and activity. Each agent is mapped to a human owner and integrated with enterprise identity systems for consistent authentication, lifecycle management, and governance.

Fine-grained Access Control. Cisco enforces least-privilege policies that define not only which services an agent can access, but the actions it can perform. Identity-aware, time-bound credentials limit the scope and duration of access, while the MCP gateway applies authorization policies consistently across tools and services.

Real-time Behavioral Monitoring and Protection. Cisco continuously evaluates agent interactions across APIs, MCP servers, and enterprise systems to detect abnormal behavior or manipulated instructions. By analyzing intent, the platform can identify risks like unauthorized tool usage, policy violations, and attempts to access sensitive data before actions propagate across systems.

Zero trust for agentic AI in practice

Let's look at a typical scenario: a financial automation agent that kicks off vendor payments. Imagine someone tries to manipulate that agent, perhaps by slipping a malicious instruction into its input (prompt injection) or by sending it an unauthorized request. Here's where the security layers come in.

  1. First, knowing the agent is critical. Each agent checks in through Cisco's agent directory with a verified identity tied back to a human owner, so you know exactly who (or what) is doing what, and authentication is managed in one place - no hardcoded credentials to worry about.
  2. Next, we focus on action control, not the access control of yore. Permissions are set so the agent can only pay approved vendors, within set dollar amounts and during the right hours. Anything out of bounds gets stopped by the MCP gateway before it even hits your back-end systems. Tight integration with identity enables these detailed access policies and enforcement.
  3. Finally, behavioral protection adds another safety net. Cisco keeps an eye on the agent's intent and actions in real time through semantic inspection. If it starts doing something odd - say, using the wrong tool or straying from its expected routine - the system blocks the action right away. 

With these layers working together, you get strong protection against agent missteps or foul play, all while keeping the speed and efficiency that make agentic AI so valuable.

Security for the agentic AI workforce with Cisco

As a single vendor with solutions across identity, access, and behavior, we were able to take a platform approach and bring identity, fine-grained access enforcement, and real-time behavioral protection together in one unified solution.

I'm excited to get your feedback as we work to onboard customers in the coming months. We are thrilled to partner with AI-driven organizations to empower secure, confident agentic AI adoption.

Get Started

Join us at RSA

Disclaimer: Many of the products and features mentioned are still in development and will be made available as they are finalized, subject to ongoing evolution in development and innovation. The timeline for their release is subject to change. 
