Why predictive resilience based on Agentic AI must anchor the National Cyber Strategy

COMMENTARY: The Trump administration’s National Cyber Strategy calls for a more predictive and resilient approach to cyber risk management for governments and vendors.

Meeting that mandate will require stronger cybersecurity tactics, particularly moving away from reactive patching to leveraging the use of Agentic AI where the system identifies and neutralizes attack paths in real-time, forecasts operational impact efficiently and mitigates risk before it disrupts critical systems.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

In mission-critical environments, a failed patch can introduce new vulnerabilities, increase the risk of a breach, or even bring down systems that support essential services. Therefore, organizations must evolve their practices into a proactive risk operations center (ROC) model that prioritizes mission continuity over alert volume, particularly among governments and vendors that connect cybersecurity with operational resilience.

While a security operations center (SOC) reacts to attacks against a vulnerability, the ROC model uses Agentic AI to preemptively identify exploitable attack paths. It answers the one question every CISO asks before a rollout: “How does this change the operational integrity and security posture of the mission?”

Shift to Agentic AI-driven resilience

The National Cyber Strategy makes one point clear: the traditional perimeter no longer exists. Organizations now operate within a vast ecosystem of cloud platforms, APIs, and automated workflows that blur the boundaries between agency and vendor environments.

In this new reality, attackers don't just exploit software flaws, they’re exploiting trust itself. An unverified identity can now be every bit as dangerous as a line of unpatched code. That’s why managing cyber risk can no longer focus solely on technical vulnerabilities, it must evolve toward agentic resilience.

Agentic AI introduces a new dimension to this mission as the ROC continues to evolve with its self-correcting and orchestration layers. By understanding the normal rhythm of digital interaction, how users, applications and even AI agents operate day-to-day, these systems can flag subtle deviations before they become breaches. When an API starts performing outside its expected pattern or an automated workload requests unusual access, cyber risk AI agents can raise the alarm and act.

Imagine security that spots early signs of compromise and also can execute autonomous, context-aware policy adjustments to minimize credential misuse, tighten privileges, rotate credentials or isolate the affected process – all before an adversary makes a move.

Mission-aware prioritization vs. generic scoring

Traditional frameworks such as the common vulnerability scoring system (CVSS) offer important technical indicators, but they were never designed to capture the operational context of modern government and vendor environments.

Through Agentic AI, organizations can shift from generic vulnerability prioritization to mission-aware decision-making. By mapping technical vulnerabilities to the specific government functions they support, security teams can prioritize remediation based on real-world impact to national infrastructure, ensuring that the most vital services remain resilient under pressure.

An Agentic AI-driven ROC model lets agencies incorporate several critical dimensions of risk:

Mission criticality: Agentic AI should evaluate vulnerabilities through the lens of mission impact, identifying which patches directly affect systems essential to operations rather than relying on technical severity ratings.
Operational impact analysis: Before deployment, predictive analytics can simulate how a patch will interact with complex environments that include legacy IT systems, hybrid cloud infrastructure and operational technology. This tactic reduces the risk of disruptions.
Autonomous remediation: Agentic AI should map the agency’s evolving attack surface and identify hidden logic flaws or misconfigurations. By detecting these weaknesses early, Agentic AI cyber risk agents can trigger automated remediation actions before they are exploited.

Align zero-trust and automated discovery

Over the past decade or more, zero-trust has already laid the philosophical foundation: "Never trust, always verify.” Automating the discovery of exploitable logic flaws and attack paths extends that principle into action by closing the loop between detection and defense, continuously verifying every identity, transaction and system behavior. Combined with the ROC model, the most secure networks are the ones most capable of foreseeing change and adapting before a vulnerability gets exploited.

Today, waiting for human intervention creates dangerous gaps in cyber resilience. The ROC brings the promise of AI-guided foresight, automating discovery and remediation, prioritizing based on operational risk and ensuring continuity across the digital battlespace. It’s a shift from chasing threats to orchestrating readiness, where every system becomes a self-securing element of the mission.

The future of managing cyber risk isn’t about prevention: it’s about self-directed data protection. By embracing the ROC model, we can move from reactive cybersecurity to autonomous resilience, ensuring that government and vendor systems are always one step ahead.

Jonathan Trull, chief information security officer and executive vice president for risk management, Qualys

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.