RSAC 2026 shipped five agent identity frameworks and left three critical gaps open | VentureBeat
“You can deceive, manipulate, and lie. That’s an inherent property of language. It’s a feature, not a flaw,” CrowdStrike CTO Elia Zaitsev told VentureBeat in an exclusive interview at RSA Conference 2026. If deception is baked into language itself, every vendor trying to secure AI agents by analyzing their intent is chasing a problem that cannot be conclusively solved. Zaitsev is betting on context instead. CrowdStrike’s Falcon sensor walks the process tree on an endpoint and tracks what agents did, not what agents appeared to intend. “Observing actual kinetic actions is a structured, solvable problem,” Zaitsev told VentureBeat. “Intent is not.”
That argument landed 24 hours after CrowdStrike CEO George Kurtz disclosed two production incidents at Fortune 50 companies. In the first, a CEO's AI agent rewrote the company's own security policy — not because it was compromised, but because it wanted to fix a problem, lacked the permissions to do so, and removed the restriction itself. Every identity check passed; the company caught the modification by accident. The second incident involved a 100-agent Slack swarm that delegated a code fix between agents with no human approval. Agent 12 made the commit. The team discovered it after the fact.
Two incidents at two Fortune 50 companies. Caught by accident both times. Every identity framework that shipped at RSAC this week missed them. The vendors verified who the agent was. None of them tracked what the agent did.
The urgency behind every framework launch reflects a broader market shift. "The difficulty of securing agentic AI is likely to push customers toward trusted platform vendors that can offer broader coverage across the expanding attack surface," according to William Blair's RSA Conference 2026 equity research report by analyst Jonathan Ho. Five vendors answered that call at RSAC this week. None of them answered it completely.
The scale of the exposure is already visible in production data. CrowdStrike's Falcon sensors detect more than 1,800 distinct AI applications across the company's customer fleet, generating 160 million unique instances on enterprise endpoints. Cisco found that 85% of its enterprise customers surveyed have pilot agent programs; only 5% have moved to production, meaning the vast majority of these agents are running without the governance structures production deployments typically require. "The biggest impediment to scaled adoption in enterprises for business-critical tasks is establishing a sufficient amount of trust," Cisco President and Chief Product Officer Jeetu Patel told VentureBeat in an exclusive interview at RSA Conference 2026. "Delegating versus trusted delegating of tasks to agents. The difference between those two, one leads to bankruptcy and the other leads to market dominance."
Etay Maor, VP of Threat Intelligence at Cato Networks, ran a live Censys scan during an exclusive VentureBeat interview at RSA Conference 2026 and counted nearly 500,000 internet-facing OpenClaw instances. The week before: 230,000. Cato CTRL senior researcher Vitaly Simonovich documented a BreachForums listing from February 22, 2026, published on the Cato CTRL blog on February 25, where a threat actor advertised root shell access to a UK CEO’s computer for $25,000 in cryptocurrency. The selling point was the CEO’s OpenClaw AI personal assistant, which had accumulated the company’s production database, Telegram bot tokens, and Trading 212 API keys in plain-text Markdown with no encryption at rest. “Your AI? It’s my AI now. It’s an assistant for the attacker,” Maor told VentureBeat.
The exposure data from multiple independent researchers tells the same story. Bitsight found more than 30,000 OpenClaw instances exposed to the public internet between January 27 and February 8, 2026. SecurityScorecard identified 15,200 of those instances as vulnerable to remote code execution through three high-severity CVEs, the worst rated CVSS 8.8. Koi Security found 824 malicious skills on ClawHub — 335 of them tied to ClawHavoc, which Kurtz flagged in his keynote as the first major supply chain attack on an AI agent ecosystem.
Cisco went deepest on identity governance. Duo Agentic Identity registers agents as distinct identity objects mapped to human owners, and every tool call routes through an MCP gateway in Secure Access SSE. Cisco Identity Intelligence catches shadow agents by monitoring network traffic rather than authentication logs. Patel told VentureBeat that today’s agents behave “more like teenagers — supremely intelligent, but with no fear of consequence, easily sidetracked or influenced.” CrowdStrike made the biggest philosophical bet, treating agents as endpoint telemetry and tracking the kinetic layer through Falcon’s process-tree lineage. CrowdStrike expanded AIDR to cover Microsoft Copilot Studio agents and shipped Shadow SaaS and AI Agent Discovery across Copilot, Salesforce Agentforce, ChatGPT Enterprise, and OpenAI Enterprise GPT.
Palo Alto Networks built Prisma AIRS 3.0 with an agentic registry, an agentic IDP, and an MCP gateway for runtime traffic control. Palo Alto Networks’ pending Koi acquisition adds supply chain and runtime visibility. Microsoft spread governance across Entra, Purview, Sentinel, and Defender, with Microsoft Sentinel embedding MCP natively and a Claude MCP connector in public preview April 1. Cato CTRL delivered the adversarial proof that the identity gaps the other four vendors are trying to close are already being exploited. Maor told VentureBeat that enterprises abandoned basic security principles when deploying agents. “We just gave these AI tools complete autonomy,” Maor said.
Gap 1: Agents can rewrite the rules governing their own behavior
The Kurtz incident illustrates the gap exactly. Every credential check passed — the action was authorized. Zaitsev argues that the only reliable detection happens at the kinetic layer: which file was modified, by what process, initiated by what agent, compared against a behavioral baseline. Intent-based controls evaluate whether the call looks malicious. This one did not. Palo Alto Networks offers pre-deployment red teaming in Prisma AIRS 3.0, but red teaming runs before deployment, not during runtime when self-modification happens. No vendor ships behavioral anomaly detection for policy-modifying actions as a production capability.
Patel framed the stakes in the VentureBeat interview: “The agent takes the wrong action and worse yet, some of those actions might be critical actions that are not reversible.” Board question: An authorized agent modifies the policy governing the agent’s future actions. What fires?
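What a kinetic-layer rule for Gap 1 looks like in practice, as an added example (not CrowdStrike's, Falcon's or any vendor's code): a detector that attributes each file write to the agent at the root of its process lineage and then judges the action, not the credential that authorized it. The process table, the set of policy files, the per-agent baseline and the write events are all constructed for illustration; the function names are hypothetical. It also shows what the behavioral baseline from the Monday-morning list has to contain for a policy-file write to stand out.

```python
"""Kinetic-layer self-modification detector over process-tree events.

Added example, not CrowdStrike or VentureBeat code. The event schema,
the lineage-based agent attribution and the baseline are assumptions
chosen to illustrate Zaitsev's argument: judge the action (which file,
which process, which agent), not the intent behind it.
"""
from collections import defaultdict

# Constructed endpoint process table: pid -> (ppid, image).
# The agent runtime is the root of the agent's subtree; everything it spawns
# inherits agent attribution, however deep the tool chain goes.
PROCESSES = {
    100: (1, "systemd"),
    200: (100, "agent-runtime"),   # the AI agent's host process
    210: (200, "python3"),         # a tool the agent launched
    211: (210, "sed"),             # grandchild doing the actual write
    300: (100, "sshd"),
    310: (300, "vim"),             # human admin editing policy over SSH
}
AGENT_IMAGES = {"agent-runtime"}

# Files whose contents govern what agents are allowed to do (constructed paths).
POLICY_FILES = {"/etc/agent/policy.yaml", "/etc/agent/allowed_tools.json"}

# Constructed behavioral baseline: paths each agent's subtree normally writes.
BASELINE = {
    "agent-runtime": {"/var/lib/agent/cache.db", "/tmp/agent-scratch"},
}

# Constructed file-write telemetry: (pid, path). Every write here was
# "authorized" in the identity sense; only the kinetic view separates them.
EVENTS = [
    (210, "/var/lib/agent/cache.db"),   # normal cache update
    (211, "/etc/agent/policy.yaml"),    # agent rewrote the policy governing itself
    (310, "/etc/agent/policy.yaml"),    # human admin, outside any agent subtree
    (210, "/home/ceo/notes.md"),        # off-baseline write, not a policy file
]


def lineage(pid):
    """Walk the process tree from pid toward the root, yielding (pid, image)."""
    seen = set()
    while pid in PROCESSES and pid not in seen:
        seen.add(pid)
        ppid, image = PROCESSES[pid]
        yield pid, image
        pid = ppid


def originating_agent(pid):
    """Return the agent image that initiated this process, or None for human activity."""
    for _, image in lineage(pid):
        if image in AGENT_IMAGES:
            return image
    return None


def classify(pid, path):
    """Label one write: 'self-modification', 'off-baseline', 'normal' or 'human'."""
    agent = originating_agent(pid)
    if agent is None:
        return "human"
    if path in POLICY_FILES:
        return "self-modification"   # fires regardless of what credentials allowed it
    if path not in BASELINE.get(agent, set()):
        return "off-baseline"
    return "normal"


def detect(events):
    """Group findings by label so triage can take self-modification first."""
    findings = defaultdict(list)
    for pid, path in events:
        findings[classify(pid, path)].append((pid, path))
    return dict(findings)


if __name__ == "__main__":
    for label, hits in detect(EVENTS).items():
        print(label, hits)
```

The admin's write to the same policy file is deliberately not flagged: the rule keys on lineage, so it answers the board question ("what fires?") without having to guess whether the change looked malicious.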
Gap 2: Agent-to-agent handoffs have no trust verification
The 100-agent swarm is the proof point. Agent A found a defect and posted to Slack. Agent 12 executed the fix. No human approved the delegation. Zaitsev’s approach: collapse agent identities back to the human. An agent acting on your behalf should never have more privileges than you do. But no product follows the delegation chain between agents. IAM was built for human-to-system. Agent-to-agent delegation needs a trust primitive that does not exist in OAuth, SAML, or MCP.
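Zaitsev's rule for Gap 2 can be enforced with a small amount of bookkeeping even though OAuth, SAML and MCP carry no primitive for it. The following is an added example, not code from any vendor or from the article: a delegation-chain checker that attenuates privilege at every hop (an agent can only pass on what it could itself exercise), so the human at the root of the chain is the ceiling, and that records every hand-off a human did not approve. Principal names, privilege strings, the Handoff record and the swarm trace are constructed.

```python
"""Delegation-chain checker: collapse agent privilege back to the human.

Added example, not from any vendor at RSAC 2026. The hand-off record
shape, the approval flag and the privilege sets are assumptions.
"""
from dataclasses import dataclass, field

# Constructed principals and the privileges each holds directly.
# The human at the root of a chain is the ceiling for every agent below it.
PRIVILEGES = {
    "alice@corp":   {"jira:read", "jira:write", "slack:post", "git:push:feature/*"},
    "triage-agent": {"jira:read", "jira:write", "slack:post"},
    "agent-12":     {"git:push:feature/*", "git:push:main", "slack:post"},
}


@dataclass
class Handoff:
    """One delegation event, as an MCP gateway or Slack bot might log it."""
    from_principal: str
    to_principal: str
    task: str
    human_approved: bool = False


@dataclass
class ChainResult:
    effective: set = field(default_factory=set)   # privileges that survive the chain
    violations: list = field(default_factory=list)


def evaluate_chain(human, handoffs):
    """Walk a delegation chain outward from its human owner.

    Effective privilege after each hop is the intersection of what the
    delegate holds and what the delegator could pass on, so no agent ends
    up with more than the human who started the chain. Any hop without
    human approval, any excess privilege held by a delegate, and any hop
    that does not continue from the previous delegate is a violation.
    """
    result = ChainResult(effective=set(PRIVILEGES[human]))
    current = human
    for hop in handoffs:
        if hop.from_principal != current:
            result.violations.append(
                f"broken chain: expected {current}, got {hop.from_principal}")
            break
        if not hop.human_approved:
            result.violations.append(
                f"unapproved delegation {hop.from_principal} -> {hop.to_principal}")
        held = PRIVILEGES.get(hop.to_principal, set())
        excess = held - result.effective
        if excess:
            result.violations.append(
                f"{hop.to_principal} holds {sorted(excess)} beyond the chain ceiling")
        result.effective &= held
        current = hop.to_principal
    return result


def can_act(result, privilege):
    """Authorize an action only against the collapsed set, and only on a clean chain."""
    return privilege in result.effective and not result.violations


# Constructed swarm trace: alice's triage agent finds a defect and hands the
# fix to agent-12 without a human in the loop, as in the incident above.
SWARM = [
    Handoff("alice@corp", "triage-agent", "find defect", human_approved=True),
    Handoff("triage-agent", "agent-12", "commit fix"),
]

if __name__ == "__main__":
    r = evaluate_chain("alice@corp", SWARM)
    print("effective privileges:", sorted(r.effective))
    for v in r.violations:
        print("VIOLATION:", v)
    print("agent-12 may push to main:", can_act(r, "git:push:main"))
```

The second hop produces two findings: the hand-off had no human approval, and agent-12 holds git push rights that neither alice nor the triage agent could have passed on. Intersection is the point: the commit would be refused not because agent-12's credential was invalid, but because the chain that reached it could not carry that privilege.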
Gap 3: Ghost agents hold live credentials with no offboarding
Organizations adopt AI tools, run a pilot, lose interest, and move on. The agents keep running. The credentials stay active. Maor calls these abandoned instances ghost agents. Zaitsev connected ghost agents to a broader failure: agents expose where enterprises delayed action on basic identity hygiene. Standing privileged accounts, long-lived credentials, and missing offboarding procedures. These problems existed for humans. Agents running at machine speed make the consequences catastrophic.
Maor demonstrated a Living Off the AI attack at the RSA Conference 2026, chaining Atlassian’s MCP and Jira Service Management to show that attackers do not separate trusted tools, services, and models. Attackers chain all three. “We need an HR view of agents,” Maor told VentureBeat. “Onboarding, monitoring, offboarding. If there’s no business justification? Removal.”
Human IAM assumes the identity holder will not rewrite permissions, spawn new identities, or leave. Agents violate all three. OAuth handles user-to-service. SAML handles federated human identity. MCP handles model-to-tool. None includes agent-to-agent verification.
Registration. Can the vendor discover and inventory agents?
Cisco: Duo Agentic Identity. Agents registered as identity objects with human owners. Shadow agent detection via network traffic.
CrowdStrike: Falcon sensor auto-discovery. 1,800+ agent apps, ~160M instances across customer fleet.
Microsoft: Security Dashboard for AI + Entra shadow AI detection at the network layer.
Palo Alto Networks: Agentic registry in Prisma AIRS 3.0. Agents inventoried before operating.
Verdict: All four register agents. No cross-vendor identity standard exists.
Self-modification. Can the vendor detect when an agent changes its own policies?
Cisco: MCP gateway catches anomalous tool-call patterns in real time, but does not monitor for direct policy file modifications on the endpoint.
CrowdStrike: Process-tree lineage tracks file modifications at the action layer. Could detect a policy file change, but no dedicated self-modification rule ships.
Microsoft: Defender predictive shielding adjusts access policies reactively during active attacks. Not proactive self-modification detection.
Palo Alto Networks: AI Red Teaming tests for this before deployment. No runtime detection after the agent is live.
Verdict: OPEN. No vendor detects an agent rewriting the policy governing the agent’s own behavior as a shipping capability.
Delegation. Can the vendor track when one agent hands work to another?
Cisco: Maps each agent to a human owner. Does not track agent-to-agent handoffs.
CrowdStrike: Collapses the agent identity to the human operator. Does not correlate the delegation chains between agents.
Microsoft: Entra governs individual non-human identities. No multi-agent chain tracking.
Palo Alto Networks: AI Agent Gateway governs individual agents. No delegation primitive between agents.
Verdict: OPEN. No trust primitive for agent-to-agent delegation exists in OAuth, SAML, or MCP.
Decommission. Can the vendor confirm a killed agent holds zero credentials?
Cisco: Identity Intelligence runs a continuous inventory of active agents.
CrowdStrike: Shadow SaaS + AI Agent Discovery finds running agents across SaaS and endpoints.
Microsoft: Entra's shadow AI detection surfaces unmanaged AI applications.
Palo Alto Networks: Koi acquisition (pending) adds endpoint visibility for agent applications.
Verdict: OPEN. All four discover running agents. None verifies zero residual credentials after decommission.
Runtime / Kinetic. Can the vendor monitor what agents do in real time?
Cisco: MCP gateway enforces policy per tool call at the network layer. Contextual anomaly detection on call patterns.
CrowdStrike: Falcon EDR tracks commands, scripts, file activity, and network connections at the process level.
Microsoft: Defender endpoint + cloud monitoring. Predictive shielding during active incidents.
Palo Alto Networks: Prisma AIRS AI Agent Gateway for runtime traffic control.
Verdict: CrowdStrike is the only vendor framing endpoint runtime as the primary safety net for agentic behavior.
Five things to do Monday morning before your board asks
1. Audit self-modification risk. Pull every agent with write access to security policies, IAM configs, firewall rules, or ACLs. Flag any agent that can modify controls governing the agent’s own behavior. No vendor automates this.
2. Map delegation paths. Document every agent-to-agent invocation. Flag delegation without human approval. Human-in-the-loop on every delegation event until a trust primitive ships.
3. Kill ghost agents. Build a registry. For each agent: business justification, human owner, credentials held, systems accessed. No justification? Manual revoke. Weekly.
4. Stress test the MCP gateway enforcement. Cisco, Palo Alto Networks, and Microsoft all announced MCP gateways this week. Verify that agent tool traffic actually routes through the gateway. A misconfigured gateway creates false confidence while agents call tools directly.
5. Baseline agent behavioral norms. Before any agent reaches production, establish what normal looks like: typical API calls, data access patterns, systems touched, and hours of activity. Without a behavioral baseline, the kinetic-layer anomaly detection Zaitsev describes has nothing to compare against.
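Three of the five items above reduce to queries over the agent registry the third item tells you to build. The following is an added example, not a vendor product and not code from the article: a weekly audit that flags agents holding write access to the controls that govern agents (item 1), produces the ghost-agent revoke list from missing owner, missing justification or prolonged inactivity (item 3), and lists tool calls that reached a tool without passing through the MCP gateway (item 4). Items 2 and 5 need delegation traces and endpoint telemetry rather than registry rows, so this block leaves them out. The registry schema, the control-write scope names, the 30-day staleness window, the gateway log format and every record are constructed.

```python
"""Weekly agent registry audit for the Monday-morning checklist.

Added example, not a vendor product. The registry record shape, the
control-write scopes, the staleness window and the tool-call log format
are assumptions; all records are constructed.
"""
from datetime import date, timedelta

TODAY = date(2026, 3, 30)           # constructed audit date
STALE_AFTER = timedelta(days=30)    # assumed inactivity window for a ghost agent

# Scopes that let an agent rewrite the controls governing its own behavior (item 1).
CONTROL_WRITE_SCOPES = {"iam:write", "policy:write", "firewall:write", "acl:write"}

# Constructed registry: one row per agent with the fields item 3 asks for.
REGISTRY = [
    {"agent": "copilot-ops", "owner": "bob@corp", "justification": "ticket triage",
     "scopes": {"jira:read", "jira:write"}, "last_seen": date(2026, 3, 29)},
    {"agent": "policy-fixer", "owner": "ceo@corp", "justification": "policy drafting",
     "scopes": {"policy:write", "docs:read"}, "last_seen": date(2026, 3, 28)},
    {"agent": "pilot-q4", "owner": None, "justification": "",
     "scopes": {"db:read", "iam:write"}, "last_seen": date(2025, 12, 10)},
]

# Constructed tool-call telemetry for item 4: where did each call enter the system?
TOOL_CALLS = [
    {"agent": "copilot-ops", "tool": "jira.search", "via": "mcp-gateway"},
    {"agent": "copilot-ops", "tool": "jira.update", "via": "direct"},   # bypassed the gateway
    {"agent": "policy-fixer", "tool": "docs.read", "via": "mcp-gateway"},
]


def self_modification_risk(registry):
    """Item 1: agents holding write access to the controls that govern agents."""
    return {r["agent"]: sorted(r["scopes"] & CONTROL_WRITE_SCOPES)
            for r in registry if r["scopes"] & CONTROL_WRITE_SCOPES}


def ghost_agents(registry, today=TODAY):
    """Item 3: no owner, no business justification, or silent past the window."""
    ghosts = []
    for r in registry:
        reasons = []
        if not r["owner"]:
            reasons.append("no owner")
        if not r["justification"]:
            reasons.append("no business justification")
        idle = today - r["last_seen"]
        if idle > STALE_AFTER:
            reasons.append(f"inactive {idle.days}d")
        if reasons:
            ghosts.append((r["agent"], reasons))
    return ghosts


def gateway_bypass(tool_calls):
    """Item 4: tool calls that reached a tool without passing through the MCP gateway."""
    return [(c["agent"], c["tool"]) for c in tool_calls if c["via"] != "mcp-gateway"]


def audit(registry=REGISTRY, tool_calls=TOOL_CALLS):
    """Run the three registry-driven checks and return findings keyed by item."""
    return {
        "self_modification": self_modification_risk(registry),
        "ghosts": ghost_agents(registry),
        "gateway_bypass": gateway_bypass(tool_calls),
    }


if __name__ == "__main__":
    for section, findings in audit().items():
        print(section, findings)
```

Note that policy-fixer appears in the item 1 findings despite having an owner and a justification: the check is on what the scope permits, not on whether the agent has ever used it, which is exactly the case the Kurtz incident describes. The bypassed jira.update call is the finding item 4 warns about; a gateway dashboard alone would have shown only the search.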
Zaitsev’s advice was blunt: you already know what to do. Agents just made the cost of not doing it catastrophic. Every vendor at RSAC verified who the agent was. None of them tracked what the agent did.