COMMENTARY: For the last 30 years, enterprise security has been organized around a single premise: there are bad people out there trying to get in, and the CISO’s job is to stop them. Every framework, every tool, every team structure flows from the assumption that human adversaries are operating at human speed. The CISO's job, fundamentally, has been to keep the perimeter intact and detect the ones who get through.
That model made sense when the primary risk was external. It made sense when the entities operating inside your environment were humans who authenticate, work one task at a time, and generate activity you can meaningfully review. It does not make sense when the most consequential actors inside your environment are AI agents.
[
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
In my conversations with CISOs, the one thing I keep hearing is: "I used to worry about who was trying to get in. Now I'm worried about what's already inside." That shift matters more than most people realize. It isn't just a change in what keeps a CISO up at night. It's a change in what the role is.
The threat model has flipped
Here's the part that I think most organizations haven't fully internalized yet — and this isn’t hyperbole. The biggest risk to the enterprise is no longer the attacker on the outside; it's the agent on the inside.
Not because that agent is malicious. Because it's maximally productive.
We are entering a period where AI agents will outnumber human knowledge workers inside organizations by staggering ratios. Consider that Anthropic's CEO recently
described a near future in which AI capabilities reach the equivalent of "a country of geniuses in a datacenter." GitHub Copilot is already
used by 90% of the Fortune 100. Claude Code
exceeded 29 million daily installs in February. Anthropic
added $6 billion in ARR in February.
These are not passive tools. They reason, they execute, they chain actions across systems and files and APIs at machine speed; often with broad permissions and minimal human oversight. It matters because when they fail, they don't fail like adversaries. They fail like industrial accidents.
Related reading:
Anthropic's own alignment
research has shown that as agents tackle harder tasks with longer reasoning chains, their failures become dominated by incoherence — not by a coherent pursuit of a wrong goal, but by unpredictable, self-undermining behavior. The researchers offered a vivid example: an AI that intends to manage a nuclear power plant but gets distracted reading French poetry, causing a meltdown. The danger is incoherent autonomy at scale.
Industrial accidents don't require intent. They require complexity, speed, autonomy, and insufficient observability. An enterprise running thousands of AI agents has all four.
Security vs. safety is not a semantic distinction
This is why I believe the CISO's role is undergoing a fundamental transformation from security officer to safety architect.
Security is the discipline of protecting systems from actors who intend harm. Safety is the discipline of ensuring complex systems operate reliably even when no one intends harm. The chemical plant doesn't have an adversary; it has volatile processes, complex interactions, and the ever-present possibility of an accident. Sabotage isn’t the nuclear reactor’s greatest risk, it's a cascading failure nobody anticipated.
When your organization runs hundreds or thousands of AI agents doing consequential work — writing production code, conducting financial analysis, handling sensitive research — the CISO's primary exposure is no longer the external attacker. Instead, it looks like an agent that overwrites a production database because its reasoning chain went sideways on step 47. Or an agent that accesses data it shouldn't have, not because it was prompted to, but because its task decomposition led it somewhere no one modeled. Or the fleet of agents whose independent actions interact in ways that produce a cascading failure.
Your SOC was trained to detect intentional exploits, but the emergent actions of agents are emergent; they require a fundamentally different posture.
You can't architect safety without observability
Every control from governance policies to permission scoping to behavioral guardrails is guesswork without observability. You can't govern what you can't see, and right now, most organizations cannot see what their agents are doing.
Endpoint detection and response (EDR) can tell you a process was spawned and a file was modified, but it cannot tell you why the agent chose to modify that file, whether the action was consistent with the task a human delegated, or whether the agent's behavior is drifting toward incoherence. Most organizations today have process-level telemetry for a problem that requires intent-level observability.
The traditional alert-driven model collapses here, too. In an agent-dense environment, you can't write rules fast enough. The permutations of legitimate agent behavior are essentially infinite — no signature or ruleset can anticipate them. Instead, safety demands pattern-driven observability: establishing baselines of expected behavior and detecting deviation in real time.
The question shifts from "did this agent do something on our list of bad things?" to "did this agent do something it doesn't normally do?" This is a fundamentally new capability that must be purpose-built. It doesn't exist in traditional tooling.
That’s why the CISOs and security teams who navigate this transition successfully will be the ones who ensure that an increasingly autonomous AI workforce operates reliably, observably, and within bounds — even when it fails. Especially when it fails.
The agents are already inside the house. The question is whether you can see what they're doing.
