Can we just switch the AI agents off? How to cope with an overenthusiastic intern in the office.

RANT London Roundtable May 2026

Nothing sets the pulse of a CISO racing quite like AI. In a role where control is critical, the unpredictability of agentic deployments can be unsettling at best. When Meta’s own AI safety boss nearly has her email inbox wiped out by a misbehaving OpenClaw instance, what hope do security teams have of reining in enterprise risk?

According to recent Palo Alto Networks research, 62% of IT leaders claim to be most concerned about rogue AI agents, and over half have already seen them perform unauthorised actions. You can be sure that hackers are also working out ways to hijack, manipulate and sabotage this new fleet of non-human identities (NHIs).

To make sense of it all, a select group of nervous CISOs got round the table recently for a convivial evening of knowledge sharing, hosted by Palo Alto Networks.

The vendor’s Senior Director – Field Technology Office, David Higgins, laid out the three main challenges of agentic AI for security professionals. “How do we as practitioners leverage AI to do what we do better? How is AI going to be used against us? And – the main area for me – is how is AI becoming a new attack surface?” he said. “As we start leveraging it for the different functionality that it can bring, how will that potentially be exploited?”

Those agents are keeping us awake at night

It didn’t require much prompting from guest speaker, Rob Black, for the assembled crew to vent their frustrations and concerns about the technology. The speed and scale of potential agentic AI threats were top of mind for many.

“The thing that keeps me awake at night is bad actors using agentic AI to scale an attack at pace, because the control mechanisms are still to be found,” said one. “It’s a problem that can run away from you pretty quickly. Vendors are bringing AI into our world and it scares me.”

Another said one of the key challenges with agentic AI is that it is probabilistic in nature, making it difficult to test reliably. “What we’re trying to manage is no longer deterministic – where we can run a test against a set of systems and end up with the same result, three or four times,” he said. “We’re dealing with something that … changes every time.”

Another security leader around the table was alarmed by the prospect of employees running MCP servers locally on their devices. “If you don’t put the correct governance around it, it can inherit all of your privileges and access rights,” he fretted. “So if you’ve given it production access rights to your production environment, it can start taking action against them.”

The insider threat, now with added agents

Several CISOs around the table also expressed concern about enemy number one: the corporate employee. Unreliable humans plus “over-enthusiastic interns” (aka agents) could be a recipe for disaster, they argued. “How do we stop everyone becoming a citizen developer?” said one, explaining that even some of the sales team are now asking for GitHub access.

“AI multiplies the problems you have with your asset register many times,” said another, citing the persistent challenge of shadow IT.

Many staff don’t realise that even corporate-grade agentic tools can be a security risk, said one CISO. “We’ve proven that Claude can go into an AWS instance and trash it, because we told it to, in a test bed,” he explained. “And you ask: ‘can you reverse that?’ And it says: ‘no, I can’t, sorry’.”

Identity is key to the challenge, and the solution, said Palo Alto Networks’ Higgins.

“If we have agents performing actions on behalf of people, there’s a whole delegated authorisation challenge,” he added. “Whose permissions is that agent using? Is it me the user that requests the agent to perform the action? Or [am I] empowering the agent to have its own permissions and do its own thing?”

Answering these sorts of questions will be absolutely critical to ensure accountability for the decisions that agents make, from both a regulatory and security perspective, Higgins said.

To block or not to block?

One way of dealing with the whole sorry mess is to simply say “no”. One security leader seemed to relish his role as enforcer of rules and teller of hard truths.

“What you’ve got coming at you is brutal and nasty. It’s coming to hurt you. The way to deal with it is simplicity. Can we just switch that off? And how long can it be switched off for?” he said. “Even if it’s just 20 minutes, we can then plan what to do with those 20 minutes. Proper planning and preparation. In the good old days, you could walk into a computer room and push the big red button on the wall and say to people, ‘you’re on paper for the next four hours.’”

Others pointed out that such an approach is not the way to endear oneself to a business increasingly looking to AI and agents for competitive advantage.

“For a lot of businesses, if they don’t have AI in their strategy then they’re dead, or feel they are,” one said.

Another shared that his manufacturing organisation has been forced to appraise AI security risk because his vendors have started introducing these capabilities. But he recognised the importance of building AI into OT and IT processes, explaining that using digital twin technology has saved the company £2m per year through reduced waste.

Others agreed that supporting the business is critical. One explained they never say “no” outright but ask “how?” He likened the Gold Rush-like stampede for new technology to a raging torrent. “You need to direct it the way you want,” he said.

The problem with binary yes/no decisions is that AI agents can seem fine when initially assessed, but then can “unexpectedly increase their scope”, one CISO claimed.

“It can start doing things that are a regulated issue when it was never intended for those purposes,” he said, citing the child welfare scandal that forced the resignation of the Dutch government and paved the way for the EU AI Act.

The struggle is real, but the solution is familiar

Fortunately, it wasn’t all doom and gloom around the table. Several participants shared how they are enabling the business while managing agentic AI risk to acceptable levels. One security leader at a major supermarket said there are certain “red lines” that can’t be crossed by engineers, such as agents interacting with employee or customer data.

Another, who works at a SaaS-first company, said that when product team members want to vibe code prototype software to show the engineers, they must do so in carefully segregated environments. “They have separate GitHub repos and sandboxes to stop them having full access to everything,” he explained.

The manufacturing sector CISO shared that he manages third-party risk through rigorous ARB-led processes in which tough questions are asked, alongside business and technical design reviews. That’s before new SaaS-y AI products are approved.

Another seemed to relish the pace at which everything is moving.

“We have agents out there,” he said. “It’s challenging, but what that’s driving is increased velocity of governance to keep up with what’s going on every day.”

It was down to Palo Alto’s Higgins to bring the curtain down on a night of big emotions with some pointed advice.

“It’s an identity related conversation. We have insider threats, and those AI agents are now another form of an insider threat. So we need to put the right governance and controls around it,” he concluded. “That’s what we’ve been looking at: delivering access to agents as and when they need it based on intent, rather than handing over a set of credentials and permissions, saying ‘use these’, and hoping they do so responsibly.”

The challenges are real, then. But the solutions should be reassuringly familiar.
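Higgins’ closing point, that an agent should receive delegated, intent-scoped access just in time rather than a standing set of credentials, can be sketched as a small authorisation broker. This is an added illustration, not code from the roundtable, Palo Alto Networks or Idira; the user permission sets, the delegation policy, the `helper-bot` agent and the broker functions are all constructed assumptions.

```python
import time
from dataclasses import dataclass

# Constructed sample data: what each human principal holds directly.
USER_PERMISSIONS = {
    "alice": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket"},
}
# Constructed policy: actions an agent may ever be delegated, regardless of
# who asks. Destructive actions are deliberately absent, so an agent can never
# inherit them even from a user who holds them (the "trash the AWS instance" case).
DELEGABLE_ACTIONS = {"s3:GetObject", "s3:PutObject"}

# Audit trail: every grant records which human the agent acted on behalf of,
# which is what makes the agent's decisions attributable later.
AUDIT_LOG = []

@dataclass(frozen=True)
class Grant:
    agent: str
    on_behalf_of: str
    action: str
    resource: str
    expires_at: float

def issue_grant(agent, user, action, resource, ttl_s=300, now=None):
    """Issue a short-lived grant for one action on one resource, or refuse."""
    now = time.time() if now is None else now
    # The agent can only be lent what the delegating user actually holds...
    if action not in USER_PERMISSIONS.get(user, set()):
        raise PermissionError(f"{user} does not hold {action}; cannot delegate it")
    # ...and only if policy allows that action to be delegated to an agent at all.
    if action not in DELEGABLE_ACTIONS:
        raise PermissionError(f"{action} may not be delegated to agents")
    grant = Grant(agent, user, action, resource, now + ttl_s)
    AUDIT_LOG.append(("grant", agent, user, action, resource, now))
    return grant

def authorize(grant, agent, action, resource, now=None):
    """Check a request against a grant: same agent, same intent, not expired."""
    now = time.time() if now is None else now
    return (grant.agent == agent and grant.action == action
            and grant.resource == resource and now < grant.expires_at)
```

Because a grant names one action on one resource and expires, an agent that later tries to "unexpectedly increase its scope" simply fails authorisation instead of quietly using inherited standing privileges.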

To explore how to rein in over-enthusiastic AI interns and secure your wider architecture against privilege creep, learn more about Idira by Palo Alto Networks [https://www.paloaltonetworks.com/idira]. Idira tackles the exact security gaps debated by the room, eliminating risky, “always-on” standing privileges across your entire estate—spanning human, machine, and AI identities. By enforcing Just-in-Time access, it ensures that any identity only gets the exact permissions it needs, exactly when it needs them, to perform a task safely.