
Turn agentic AI from a risk to a decisive advantage


COMMENTARY: The continued rise of autonomous security agents such as XBOW, and the more recently launched Aardvark from OpenAI, show how quickly agentic AI has moved from the lab into real-world workflows at security operations centers (SOCs).

These agents can gather context, test hypotheses, and drive investigations forward in seconds instead of hours, giving security teams a powerful edge in speed and scale.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

This capability couldn’t come at a more critical time for defenders as adversaries continue to become more sophisticated. However, greater agent autonomy also expands the attack surface that SOC teams must secure, with a whole new wave of machine identities coming online.

Our researchers observed a fourfold increase in identity-based threats in the past year, revealing just how prominent these forms of attack have become. The same agentic capabilities that accelerate threat hunting for defenders can just as easily be used by adversaries to augment their own capabilities. This makes a systematic approach to agentic oversight essential.

The insider threat, reinvented

As agentic AI becomes more embedded in business operations, it has also changed the risk profile of organizations. Agents often require access to documents, cloud resources, and internal tooling. When those privileges receive less scrutiny than they would for a human employee, the agent becomes a high-value target for an adversary.

This risk has already materialized: 43% of security leaders say they’ve experienced a security incident involving their AI tools in the past 12 months.

In effect, it’s the classic insider threat, reinvented. A compromised agent might perform routine tasks on the surface while quietly siphoning data or sabotaging workflows behind the scenes. This agent doesn’t even need to break rules: it can operate entirely within its authorized scope while executing an adversary’s objectives.

Such activity can look legitimate to traditional monitoring tools, because the agent uses valid credentials and whitelisted patterns – letting the adversary move undetected.

Governing agents with strict access

Mitigating the risk posed by AI agents starts with governance. Teams should treat agents like interns at a business. Give them minimal permissions to start and only expand privileges once they prove their reliability.

This “zero-agency” approach, akin to zero-trust, ensures that sensitive actions, such as accessing or exporting sensitive data, always require human approval. It can also prevent agents from autonomously executing high-risk tasks.

Limiting privileges through role-based access controls, combined with short-lived credentials or tokenized accounts, also reduces the window for potential misuse. All sensitive agent actions should pass through auditable, tamper-resistant approval workflows to verify what these autonomous systems are doing and why.

In essence, giving AI human-level access means pairing it with equally strong controls. Even when organizations approve higher permissions for their agents, virtual checkpoints such as multi-factor authentication (MFA) and session monitoring should remain in place as a failsafe against AI overreach.
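The controls described in this section (minimal scopes, short-lived tokens, human approval for sensitive actions, and a tamper-resistant audit trail) can be expressed as a single policy gate that every agent action passes through. The following is an added example, not code from the article or from any product it mentions; the agent names, scope strings, action names and the list of "sensitive" actions are constructed for illustration.

```python
"""Policy gate for AI-agent actions: least privilege, short-lived tokens,
human approval for sensitive actions, and a hash-chained audit trail.
Added example; agent ids, scopes and action names below are constructed."""
import hashlib
import json
import secrets
import time
from dataclasses import dataclass, field

# Actions that always require a named human approver (constructed list).
SENSITIVE_ACTIONS = {"export_data", "delete_resource", "grant_role"}


@dataclass
class AgentToken:
    """A narrowly scoped credential that expires on its own."""
    agent_id: str
    scopes: frozenset          # e.g. {"read:tickets", "read:logs"}
    issued_at: float           # epoch seconds
    ttl_seconds: float
    secret: str = field(default_factory=lambda: secrets.token_hex(16))

    def is_valid(self, now=None):
        now = time.time() if now is None else now
        return now < self.issued_at + self.ttl_seconds


def issue_token(agent_id, scopes, ttl_seconds=900, now=None):
    """Issue a short-lived token (15 minutes by default) with only the listed scopes."""
    issued = time.time() if now is None else now
    return AgentToken(agent_id, frozenset(scopes), issued, ttl_seconds)


class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash,
    so editing or dropping any entry breaks verification."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, record):
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        h = self._digest(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": h})
        return h

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def authorize(token, action, required_scope, approver=None, now=None, log=None):
    """Decide whether an agent may perform `action`, recording the decision.
    Returns 'allow', 'deny:expired', 'deny:scope' or 'deny:needs_approval'."""
    if not token.is_valid(now):
        decision = "deny:expired"
    elif required_scope not in token.scopes:
        decision = "deny:scope"
    elif action in SENSITIVE_ACTIONS and approver is None:
        decision = "deny:needs_approval"
    else:
        decision = "allow"
    if log is not None:
        log.append({"agent": token.agent_id, "action": action,
                    "scope": required_scope, "approver": approver,
                    "decision": decision})
    return decision


if __name__ == "__main__":
    log = AuditLog()
    tok = issue_token("triage-bot", {"read:tickets", "export:data"}, now=1000)
    print(authorize(tok, "read_ticket", "read:tickets", now=1100, log=log))
    print(authorize(tok, "export_data", "export:data", now=1100, log=log))
    print(authorize(tok, "export_data", "export:data", approver="analyst-1", now=1100, log=log))
    print(authorize(tok, "read_ticket", "read:tickets", now=2000, log=log))
    print("audit chain intact:", log.verify())
```

The gate denies before it ever consults the approver list when the token has expired or lacks the scope, so widening an agent's permissions later (the "prove reliability first" step) means issuing a new token, which itself lands in the audit chain.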

Visibility through baselining and anomalies

Governance only represents part of the picture. Even with strict controls on higher permissions, organizations need visibility into each agent’s behavior to detect misuse or compromise. SOC teams should establish a baseline of normal activity for every agent – for example, which APIs it interacts with, what data it accesses, and how often it runs privileged tasks.

Machine-learning-based anomaly detection can then flag unexpected activity, such as sudden spikes in data exports or out-of-scope access attempts, which may indicate a breach.

Beyond baselining and anomaly detection, maintaining comprehensive, unalterable logs of agent actions has become equally critical. If an agent gets compromised, security teams must have fast access to these records to understand what occurred and when, enabling rapid containment and more accurate post-incident analysis.
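The baseline-then-flag approach described above (which APIs an agent uses, what data it touches, and how much it exports per period) can be shown end to end on a handful of records. The example below is added here and is not code from the article; the agent activity records are constructed JSON-style dictionaries standing in for real telemetry, and the field names (`agent`, `window`, `api`, `data_source`, `exported_bytes`) are assumptions.

```python
"""Per-agent behavioural baseline and anomaly flags over agent activity records.
Added example; the activity records are constructed, not real telemetry."""
import statistics
from collections import defaultdict

# Constructed records: one per agent action. `window` is an hour index so that
# per-hour export volume can be compared against the agent's normal range.
BASELINE_LOG = [
    {"agent": "triage-bot", "window": 0, "api": "siem.search", "data_source": "alerts", "exported_bytes": 0},
    {"agent": "triage-bot", "window": 0, "api": "ticket.update", "data_source": "tickets", "exported_bytes": 100_000},
    {"agent": "triage-bot", "window": 1, "api": "siem.search", "data_source": "alerts", "exported_bytes": 0},
    {"agent": "triage-bot", "window": 1, "api": "ticket.update", "data_source": "tickets", "exported_bytes": 120_000},
    {"agent": "triage-bot", "window": 2, "api": "siem.search", "data_source": "alerts", "exported_bytes": 110_000},
]

# Constructed records for a later period: one out-of-scope API and data source,
# one export spike, and one perfectly ordinary window.
NEW_LOG = [
    {"agent": "triage-bot", "window": 3, "api": "siem.search", "data_source": "alerts", "exported_bytes": 5_000_000},
    {"agent": "triage-bot", "window": 3, "api": "hr.payroll.read", "data_source": "payroll", "exported_bytes": 0},
    {"agent": "triage-bot", "window": 4, "api": "ticket.update", "data_source": "tickets", "exported_bytes": 105_000},
]


def build_baseline(records):
    """Learn, per agent, the APIs and data sources it normally uses and the
    mean/stdev of bytes exported per window."""
    apis = defaultdict(set)
    sources = defaultdict(set)
    exports = defaultdict(lambda: defaultdict(int))   # agent -> window -> bytes
    for r in records:
        apis[r["agent"]].add(r["api"])
        sources[r["agent"]].add(r["data_source"])
        exports[r["agent"]][r["window"]] += r.get("exported_bytes", 0)
    baseline = {}
    for agent in apis:
        totals = list(exports[agent].values())
        baseline[agent] = {
            "apis": apis[agent],
            "sources": sources[agent],
            "export_mean": statistics.mean(totals),
            "export_stdev": statistics.pstdev(totals),
        }
    return baseline


def detect(baseline, records, z=3.0):
    """Return (agent, window, reason) findings: out-of-scope API or data source,
    per-window export volume beyond mean + z*stdev, or an agent with no baseline."""
    findings = []
    exports = defaultdict(int)
    for r in records:
        key = (r["agent"], r["window"])
        b = baseline.get(r["agent"])
        if b is None:
            findings.append((*key, "unknown_agent"))
            continue
        if r["api"] not in b["apis"]:
            findings.append((*key, f"out_of_scope_api:{r['api']}"))
        if r["data_source"] not in b["sources"]:
            findings.append((*key, f"out_of_scope_source:{r['data_source']}"))
        exports[key] += r.get("exported_bytes", 0)
    for (agent, window), total in exports.items():
        b = baseline[agent]
        threshold = b["export_mean"] + z * b["export_stdev"]
        if total > threshold:
            findings.append((agent, window, f"export_spike:{total}"))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for finding in detect(base, NEW_LOG):
        print(finding)
```

On the constructed data the baseline for `triage-bot` is a mean of 110,000 exported bytes per window with a small spread, so window 3 is flagged three times (unknown API, unknown data source, export spike) while window 4 produces nothing. In production the same structure applies, with the baseline rebuilt on a rolling window and the threshold tuned per agent so that a legitimately noisy agent does not drown the queue.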

With governance and visibility in place, organizations should also use AI agents themselves to proactively strengthen defenses. Dedicated agents can conduct continuous threat hunting and controlled attack simulations, triage alerts, surface high-confidence threats, and stress-test defenses at speed. This “defense-as-a-service” approach lets SOC teams scale detection and response without overloading human analysts.

Defensive AI must also run with narrow scopes and strict oversight. Have the agents monitor each other’s activity, creating a layered self-monitoring ecosystem. In other words, one agent can cross-check another’s behavior so that no single system becomes an unchecked point of failure.

Finally, organizations should “assume compromise” and plan accordingly. Teams need to update incident response playbooks for the AI era to help SOCs maintain control. These playbooks let teams act quickly when an agent goes rogue, preventing adversaries from exploiting its autonomy or high-privilege access.

Agents can move at machine speed while operating within valid permissions, and so response procedures should cover suspension, credential rotation, and auditing recent actions to contain risks effectively.

Agentic AI brings major advantages to defenders, businesses and adversaries alike, but its autonomy and deep system access can become a liability if misused or compromised.

Moving forward, organizations should apply security basics rigorously, monitor and validate every agent, and use AI to counter automated threats. Teams that balance speed with good security hygiene will turn agentic AI from a risk into a decisive advantage.

Jimmy Astle, senior director, validation and data science, Red Canary
