In the ever-evolving landscape of cybersecurity, the emergence of Agentic AI presents both a challenge and an opportunity. As an expert in the field, I find myself reflecting on the implications of this technology and the critical need for organizations to adapt. The question is no longer if Agentic AI will be integrated into our systems, but rather how we can effectively secure it.
One of the most striking aspects of this technology is its ability to execute tasks and make decisions without direct human intervention. This autonomy, while powerful, also creates a blind spot for security professionals. Many organizations are already utilizing Agentic AI in their production environments, often without the security team's knowledge or involvement. This is a critical oversight, as the security of these systems hinges on a deep understanding of the technology itself.
In my opinion, the key to addressing this challenge lies in engagement. Security professionals must actively participate in the development and deployment of Agentic AI. By building and experimenting with these agents, they can gain the practical knowledge needed to secure them effectively. This hands-on approach is essential, as it allows security teams to challenge design decisions, propose workable controls, and ask informed questions.
The Agentic AI landscape can be broadly categorized into three distinct risk profiles. The first category comprises general-purpose coding and productivity agents, such as Claude Code and GitHub Copilot, which are already integrated into developer workflows. These agents require careful consideration of data access and interaction with codebases to ensure security. The second category involves vendor-built agents powered by the Model Context Protocol (MCP), which can access and act on external services like calendars and email. This presents a real attack vector, requiring deliberate configuration and security review.
The third category is particularly intriguing: custom agents built by individual users. In the past, a barrier existed between security practitioners and the code running in their environments. However, with Agentic AI, anyone can build functional tools without traditional coding skills. This democratization of development power is both a strength and a weakness. While it enables innovation, it also introduces a supply chain problem, as many of these agents may not undergo security reviews before deployment.
The consequences of lagging behind on Agentic AI are significant. When security teams are left behind, the rest of the organization moves forward without their input. Developers deploy, business units adopt, and security is consulted as a formality or not at all. This exposure compounds as agents with broad permissions require access to sensitive systems, creating a larger blast radius when compromised.
To address this, security professionals must develop two distinct layers of knowledge. The first layer involves understanding the architecture of AI applications from a practitioner's perspective. This includes comprehending the components of an AI application, how agents consume inputs, and the access control implications of MCP-connected agents. The second layer is staying current with the rapidly evolving tooling and threat landscape. Security teams must evaluate emerging tools, frameworks, and threat taxonomies to effectively navigate vendor solutions and security controls for AI systems.
A critical aspect of securing Agentic AI is configuration as a security control. Many deployments carry risk due to improper configuration, not because of inherent flaws in the tools. For instance, a self-hosted AI assistant connected to Telegram should be paired with a single trusted account to limit exposure. This simple configuration change can significantly enhance security.
The tension between powerful agents and broad access is real. Organizations must find the right balance to ensure the agents are useful without compromising security. This requires security involvement in the early design process, before the architecture is set and permissions are already in place. Those who arrive late to this technology will find themselves applying controls to an architecture that was already decided without their input.
In conclusion, the integration of Agentic AI into our systems is inevitable. However, the path to securing it is fraught with challenges. By engaging with the technology, developing practical knowledge, and staying current with the evolving landscape, security professionals can shape how these systems are deployed and protect against the risks they pose. The organizations that build genuine AI security fluency now will be positioned to lead in this new era of cybersecurity.
