Michael Nicosia, COO and cofounder at Salt Security.
Security teams have spent the last few years securing the wrong things. While enterprises debated AI ethics and model safety, AI agents quietly earned the keys to production infrastructure.
At Amazon, an AI coding agent made changes to a production environment without authorization, taking it offline for 13 hours, according to unnamed sources cited by the Financial Times. At McKinsey, as part of a red-team test, an autonomous agent breached their internal AI platform in under two hours and accessed 46.5 million internal chat messages. And at PocketOS, an AI coding agent deleted its database in seconds.
Individually, these events may seem unrelated. Together, they point to something bigger: AI is no longer confined to generating outputs. It is being trusted to take action inside live systems. When those actions go wrong, the impact can be immediate and real.
The Real Lesson From Early Incidents
These incidents are an early signal of how quickly things can go wrong when autonomous systems are given operational access without sufficient controls. A self-running system can execute tasks in a live environment and cause irreversible damage in a matter of seconds.
This doesn’t mean AI is inherently unsafe. However, most organizations have not yet built the guardrails required for autonomous systems. There are still gaps in how permissions are defined, how actions are validated and how behavior is monitored in real time.
When those gaps exist, even well-intentioned systems can create significant risk.
From Assistants To Operational Actors
Most recent discussions around AI risk have focused on outputs such as accuracy, bias and hallucinations. Those concerns matter, but they only address part of the picture. AI agents are now being deployed to write code, manage infrastructure, trigger workflows and interact directly with critical systems.
This changes the nature of risk. When a system can take action inside your environment, the concern becomes less about whether the output is correct and more about whether the action is safe, authorized and aligned with business intent. That is a very different challenge, and one that traditional security models were not designed to handle.
A New Kind Of Attack Surface
As AI agents become embedded in enterprise operations, these systems operate across multiple layers, combining identity, data access and execution in ways that are difficult to track using traditional tools.
We can already see this dynamic in environments like Moltbook, where autonomous agents interact, share logic and execute workflows without human visibility.
While this may appear experimental, it reflects the direction enterprise systems are heading. Autonomous activity is increasing, and it is happening at a scale and speed that manual oversight cannot match.
Why Existing Security Models Struggle
Cybersecurity has historically been built around protecting users, devices and infrastructure. AI agents blur those boundaries. They operate as both user and system, authenticating, accessing data and triggering actions, often with broad permissions and without direct human involvement.
This creates a visibility challenge. Security teams may be able to track individual events, but they often lack insight into the full chain of actions an agent performs or the intent behind those actions.
As AI adoption grows, this gap becomes more pronounced. My company’s research found that organizations are rapidly expanding their use of AI-driven systems, yet many still lack full visibility into the environments those systems interact with.
Reframing Security For The Agentic Era
This is a marked change in how digital systems operate, as decisions and actions are increasingly delegated to software.
Agentic security should, therefore, focus on understanding and governing behavior rather than protecting static assets. One way to do this is to map what has become known as the security graph for agentic AI: the full set of relationships between AI agents, the Model Context Protocol (MCP) servers they connect through and the APIs they act upon.
The map can allow security teams to see what agents exist, what they have access to and how they interact with critical systems.
Regardless of the strategy, the goal is to move security closer to the point of execution. Instead of focusing only on who is accessing a system, focus on what is being done and whether it aligns with expected behavior.
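To make the security graph idea concrete, here is an added example (constructed for this piece, not Salt Security's product or code) that models agent-to-MCP-server-to-API relationships and runs the check at the point of execution: each action is judged against the agent's documented scope, every decision is recorded in an audit trail, and decommissioned or ownerless agents are refused. All agent, server and API names are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed example, not Salt Security's product or code. Agent, MCP server
# and API names are hypothetical.
@dataclass(frozen=True)
class Edge:
    """One relationship in the graph: an agent reaching an API method via an MCP server."""
    agent: str
    mcp_server: str
    api: str
    method: str

@dataclass
class SecurityGraph:
    edges: set = field(default_factory=set)
    owners: dict = field(default_factory=dict)       # agent -> accountable owner
    decommissioned: set = field(default_factory=set)
    audit: list = field(default_factory=list)        # every decision, allowed or not
    def register(self, agent, owner):
        self.owners[agent] = owner
    def grant(self, agent, mcp_server, api, method):
        self.edges.add(Edge(agent, mcp_server, api, method))
    def decommission(self, agent):
        self.decommissioned.add(agent)
    def reachable(self, agent):
        """What an agent can touch: the map a security team wants to see."""
        return {(e.mcp_server, e.api, e.method) for e in self.edges if e.agent == agent}
    def check(self, agent, mcp_server, api, method):
        """Execution-point check: judge the action, not just the identity."""
        if agent not in self.owners:
            verdict = (False, "unregistered agent with no accountable owner")
        elif agent in self.decommissioned:
            verdict = (False, "agent is decommissioned")
        elif Edge(agent, mcp_server, api, method) in self.edges:
            verdict = (True, "action within documented scope")
        else:
            verdict = (False, "action outside documented scope")
        self.audit.append((agent, mcp_server, api, method, *verdict))  # audit trail
        return verdict

def demo():
    """A coding agent scoped to a repo API tries a destructive database action."""
    g = SecurityGraph()
    g.register("coding-agent", "platform-team@example.com")
    g.grant("coding-agent", "git-mcp", "repo-api", "POST /pull-requests")
    g.grant("coding-agent", "git-mcp", "repo-api", "GET /repos")
    allowed = g.check("coding-agent", "git-mcp", "repo-api", "POST /pull-requests")
    drop = g.check("coding-agent", "db-mcp", "prod-db-api", "DELETE /databases/main")
    return g, allowed, drop
```

The refused `DELETE` is still written to the audit trail, which is the kind of record the regulatory question "can you prove what your AI systems did?" turns on.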
A Shift Reflected In Regulation
Regulation is beginning to reflect this shift, although unevenly across regions.
The EU AI Act has taken the most direct approach, requiring organizations to demonstrate control over how AI systems behave, including monitoring actions, maintaining audit trails and enabling human oversight.
In the U.S., the regulatory pressure now comes primarily from the states, though the picture is unsettled. Texas enacted TRAIGA in 2025, establishing baseline prohibitions on harmful AI uses and governance requirements for state agencies. California signed SB 53 in 2025, focusing on transparency and safety obligations for developers. Colorado’s SB 24-205, the most comprehensive, requires developers and deployers of high-risk AI systems to conduct risk assessments and protect consumers from algorithmic discrimination.
The result is a fragmented and still-shifting compliance landscape that U.S. enterprises operating across multiple states must navigate without a unified federal framework.
While the structures differ, the direction is the same. The converging regulations are fundamentally asking one question: Can you prove what your AI systems did, and that those actions were permitted? That proof happens at the API layer, where the agent action takes place, not at the prompt or model output.
Every agent running in your environment should also have a named accountable owner, including a documented scope of access and a decommissioning process. Regulators are going to require answers about what AI systems do in the real world, which means you need to build your map before you’re forced to defend it.
The New Reality For Cybersecurity
The transition to agentic AI is reshaping the enterprise technology landscape. Systems that can act autonomously are being integrated into core operations, often faster than security models can adapt.
To keep pace, cybersecurity needs to evolve from protecting systems to governing autonomous behavior. Because in the agentic era, risk is not defined by what AI says but by what AI does.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.