Most enterprises are experimenting with AI agents. Almost none have deployed them at scale. Cisco's own data puts the numbers at 85% and 5%, respectively. That gap isn't about model quality. It's about control.
Cisco's RSA Conference 2026 announcements are aimed squarely at that problem.
AI agents don't just return outputs. They call APIs, trigger workflows, and make decisions autonomously. That changes the nature of risk in ways most enterprise security architectures weren't built to handle. Jeff Schultz, SVP of Portfolio Strategy at Cisco, notes, "With chatbots, the concern was what AI might say. With agents, the concern is what they can do."
That's a meaningful distinction. Once AI starts taking actions, accountability becomes the central security question.
Identity controls weren't built for this
Enterprise identity and access management was designed for humans and static services. Agents fit neither model. They operate continuously, often across multiple systems, with no clear ownership in many organizations.
Cisco is extending Zero Trust to cover AI agents directly - assigning identities, mapping agents to human owners, and scoping permissions to specific tasks via new Duo IAM capabilities and MCP policy enforcement in Cisco Secure Access. The goal is to bring agents under the same governance logic that applies to human workers. Cisco Identity Intelligence adds agent and non-human identity discovery, so organizations can see what's actually running before they can govern it.
That matters because without it, every new agent deployment is a potential blind spot.
Access isn't the whole story anymore
Traditional security assumes that controlling access controls risk. That logic breaks down when the actor is autonomous.
As Tom Gillis, SVP and GM of Infrastructure and Security at Cisco, put it: "The challenge isn't just whether they have access, but what they do with it."
Cisco's approach shifts enforcement to the point of execution. Policies evaluate agent behavior in real time, not just at login. That's the right direction because agents can chain together tools, access multiple systems, and run workflows without constant human oversight. A compromised agent isn't a single-system problem.
Testing before deployment, not after
Cisco is expanding AI Defense with a new self-serve tier called Explorer Edition, aimed at developers and AppSec teams who want to test models and applications before they go into agentic workflows. Teams can run multi-turn adversarial testing, simulate prompt injection and jailbreak attempts, and get exportable security reports - without needing enterprise procurement to get started. It connects to CI/CD pipelines via GitHub Actions, GitLab, Jenkins, and custom integrations.
Separately, Cisco is launching an Agent Runtime SDK that embeds policy enforcement directly into agent workflows at build time, with support for AWS Bedrock AgentCore, Google Vertex Agent Builder, Azure AI Foundry, and LangChain.
The gap this addresses is straightforward.
Akshay Bhargava, VP of AI Software and Platform at Cisco, pointed to a core challenge behind this push: many organizations genuinely don't know how their agents will behave once deployed. Testing earlier gives teams a chance to find that out before it becomes a production incident.
New tools for evaluating model risk & secure agent deployment
Cisco is also releasing an LLM Security Leaderboard - a public resource that benchmarks how models handle adversarial inputs like malicious prompts and jailbreak attempts. The idea is to give organizations an objective signal on model risk that sits alongside standard performance metrics, so security posture becomes part of the model selection conversation, not an afterthought.
On the developer side, Cisco is introducing DefenseClaw, an open source secure agent framework that bundles together tools for scanning skills and MCP servers, generating AI bills of materials, and automating security inventory. The goal is to eliminate the manual security steps that currently slow down agent deployment. Cisco plans to integrate DefenseClaw with NVIDIA's OpenShell as a sandbox environment, extending its existing collaboration with NVIDIA on runtime security.
The threat side is moving fast
The urgency here isn't theoretical.
Amy Henderson, Sr. Director at Cisco Talos, pointed to AI compressing the time between vulnerability disclosure and active exploitation, with some vulnerabilities being widely targeted within weeks of disclosure. The latest Cisco Talos Year in Review reinforces that vulnerabilities like React2Shell saw near-instant automated exploitation, likely driven by agentic AI being used to build new exploit kits.
Attackers are also concentrating on identity systems and centralized control layers - the access points that unlock the most once compromised. That combination puts defenders in a difficult position, especially in environments still running legacy infrastructure.
SOC automation isn't optional anymore
On the operations side, Cisco is adding AI-driven capabilities to Splunk across the full SOC workflow. Exposure Analytics brings real-time asset inventory and risk scoring into Splunk Enterprise Security by default. Detection Studio unifies the detection engineering lifecycle and maps coverage against the MITRE ATT&CK framework. Federated Search lets analysts query across environments without moving data.
The bigger addition is the Agentic SOC Expansion: six specialized AI agents - covering detection building, triage, malware reversing, guided response, SOP generation, and automation building - that move beyond surfacing data to actually executing security workflows.
The framing from John Morgan, SVP and GM for Splunk Security, was direct: "Traditional SOC workflows can't keep up with the volume and velocity of threats."
That's true before you factor in agent-driven attacks. The practical outcome is analysts spending more time on decisions and less on repetitive triage. Several of these capabilities are already generally available; others are rolling out through June.
What this adds up to
Cisco's announcements show a structural change in enterprise security: agents that act at machine speed require controls that work at machine speed.
Three things are shifting at once. Identity governance now has to account for non-human actors. Enforcement needs to happen at runtime, not just at the access layer. And automation is becoming central to both the attack surface and the defense.
For enterprises trying to move AI from pilot to production, these aren't abstract concerns. Getting agents into production means answering harder questions about how they're monitored, what they're allowed to do, and who's accountable when something goes wrong.