Agentic Artificial Intelligence (AI) is already operating within the production environments of countless organizations globally, autonomously executing complex tasks, ingesting vast datasets, and initiating actions – often without the informed involvement of dedicated security teams. The prevailing industry discourse, which largely frames this as a policy question of allowing, restricting, or merely monitoring, critically misinterprets the depth of the challenge. The more pressing, and indeed urgent, inquiry is whether cybersecurity professionals possess a genuine understanding of this transformative technology. In the vast majority of enterprises today, this foundational comprehension is conspicuously absent, a gap that is widening at an alarming rate each week, compounding potential vulnerabilities and risks.
The Foundational Imperative: Understanding Precedes Defense
The bedrock principle of information security remains immutable: effective defense is predicated on genuine fluency in the technology it aims to protect. This truth has been reaffirmed with every major technological paradigm shift. Consider the ubiquitous firewall: its effective configuration is impossible without a deep understanding of networking protocols and architecture. When cloud computing emerged, organizations that bypassed the crucial foundational learning phase found themselves with sprawling, opaque environments beyond their capacity to genuinely secure. Despite investing in tools and crafting policies, real control remained elusive. The emergence of cloud security as a distinct and specialized discipline underscores the necessity for practitioners to develop profound familiarity with a technology before robust security measures can be implemented.
This historical pattern is now manifesting with AI, but at an accelerated pace and with significantly higher stakes. The practical ramifications of lagging in agentic AI comprehension extend far beyond mere technical exposure. Cybersecurity teams that cannot articulate the nuances of AI engineering—unable to challenge design decisions, propose pragmatic controls, or ask incisive, informed questions—inevitably find themselves marginalized. Business units, driven by innovation and operational efficiency, proceed with their AI initiatives, not out of malice, but because a security team unable to engage substantively with the technology ceases to be a useful partner in critical decision-making. This phenomenon has been a consistent feature of every significant technological evolution over the past two to three decades, and AI is proving to be no exception. The indispensable starting point, therefore, is active engagement. Security professionals must immerse themselves in the technology, attempting to build agents, experimenting with the very tools their developers are employing. This hands-on familiarity is the crucible where genuine understanding is forged, and it is this profound understanding that unlocks all subsequent possibilities for effective defense.
Deconstructing the Agentic AI Landscape: Three Categories of Risk
The landscape of agentic AI is expansive and variegated, with risk profiles differing significantly across its diverse applications. For clarity and strategic security planning, three distinct categories warrant particular attention and understanding.
The first category encompasses general-purpose coding and productivity agents. Tools such as Claude Code and GitHub Copilot are already deeply embedded within developer and engineering workflows across organizations worldwide. Whether formally sanctioned or not, their usage is pervasive. From a security standpoint, understanding the specific data these agents can access, how they interact with proprietary codebases, and the range of actions they are authorized to perform constitutes baseline security knowledge. A recent report by GitLab, for instance, indicated that over 70% of developers are already using AI tools, with many integrating them directly into their coding environments, often without explicit security reviews. This widespread adoption necessitates immediate scrutiny of their permissions, data handling, and potential for introducing vulnerabilities or intellectual property leakage.
The second category comprises vendor-built agents powered by the Model Context Protocol (MCP). MCP represents a critical integration layer, enabling AI agents to connect seamlessly with external services and execute actions on their behalf. Nearly every major software vendor is either actively developing an MCP server or has one already deployed in production environments. In practical terms, this means an agent managing a user’s calendar, email, or internal ticketing system can receive input from these channels and act upon it autonomously. Consider a scenario where a malicious calendar invitation carries hidden instructions embedded within its event description. The agent, designed to parse and interpret such inputs, could inadvertently execute the embedded prompt, leading to unauthorized actions. This represents a live and rapidly expanding attack surface that mandates deliberate configuration, rigorous security review, and continuous monitoring. The convenience offered by these agents must be meticulously balanced against the inherent risks of granting them broad access to critical enterprise systems.
The third, and arguably most dynamically interesting, category involves custom agents built by individual users. Historically, a significant barrier separated security practitioners, who possessed a keen understanding of risk, from the actual code running within their environments. Most cybersecurity professionals, by training, were not programmers. Building custom tooling or automating complex workflows typically required specialized development skills that were not widely distributed across security teams. This barrier, however, has fundamentally dissolved. With the advent of agentic AI, individuals throughout an organization, regardless of their coding proficiency, can now construct functional tools. These might include sophisticated automations, personalized workflows, or even agents with significant system access, all without writing traditional code. For security teams, this capability is genuinely valuable, potentially accelerating critical functions like incident investigation, forensic triage, and threat hunting workflows by enabling practitioners to rapidly build the precise tools they require. However, this same transformative capability extends to every other team within the enterprise. Marketing, finance, operations, human resources – virtually anyone can now build and deploy agents. Many will. Crucially, a significant proportion of these user-built agents will likely bypass formal security reviews before being put into live operation. This scenario presents a novel and complex supply chain problem, where the "supply" of new, potentially insecure, software is generated internally by non-technical users, creating a vast, unmanaged attack surface.
The Compounding Costs of Delay: Business and Technical Implications
When security teams fall behind on a major technological shift, the predictable pattern of consequences consistently unfolds. First, the broader organization progresses without meaningful security input. Developers forge ahead with deployments, business units rapidly adopt new solutions, and security involvement, if sought at all, becomes a mere formality or is bypassed entirely. Second, and more critically, the exposure to risk compounds exponentially. The more powerful and sophisticated the agents an organization deploys, the greater the scope of access these agents inevitably require to function effectively. Broad permissions are precisely what make agents so useful and transformative: access to calendars, communication platforms, file systems, code repositories, and internal APIs. However, this expansive access also dramatically increases the "blast radius"—the extent of potential damage—when something inevitably goes awesry, either through malfunction or malicious exploitation.
Consider an agent granted access to both a system terminal and an email inbox. Such an agent could be manipulated through one channel (e.g., a carefully crafted email) to execute unauthorized commands or actions in the other (e.g., via the terminal). This represents a potent lateral movement path that sophisticated attackers will actively seek to exploit. Reasoning about such complex attack vectors, and designing effective countermeasures, demands a deep understanding of how the agent was constructed, its internal logic, and its operational environment—a level of comprehension that can only be cultivated through genuine, hands-on engagement with the technology itself.
Building a Robust Defense: Essential Skills for AI Security
Developing competency in agentic AI security necessitates the acquisition of two distinct, yet interconnected, layers of knowledge.
The first crucial layer is understanding how AI applications are architected, specifically from a practitioner’s perspective rather than that of a data scientist. This involves grasping the fundamental components of an AI application: how agents consume diverse inputs, how they chain various tools and functions together to achieve objectives, and how they produce outputs. Furthermore, it requires a detailed understanding of what an operational session with an MCP-connected agent truly entails from an access control and identity management standpoint. This foundational architectural understanding is the bedrock upon which all subsequent actionable security measures can be built. Without it, discussions about controls remain abstract and ineffective.
The second indispensable layer is currency. The tooling, frameworks, and threat landscape surrounding AI are evolving with unprecedented speed. Major vendors are actively developing security controls for AI systems, though many of these are still in nascent stages of maturity. Simultaneously, a plethora of open-source frameworks and tools are rapidly emerging. Organizations like OWASP are continuously publishing and refining threat taxonomies specifically tailored to AI, with updates appearing on a weekly basis. Once the foundational architectural understanding is firmly in place, maintaining currency becomes an ongoing, rigorous discipline. This involves knowing which new tools are worth evaluating, which open-source frameworks are gaining traction and proving robust, and, crucially, what probing questions to ask when vendors present their AI security solutions. This second point holds more significance than it might initially appear. Cybersecurity teams are already being inundated with pitches from vendors selling a wide array of AI security products. Without a robust foundational knowledge of how these applications are built and how agents actually operate, navigating these conversations effectively becomes nearly impossible. It is exceedingly difficult to distinguish a genuinely well-designed security control from a cleverly packaged marketing wrapper if one lacks a profound understanding of what exactly one is attempting to control and protect.
Proactive Security: Configuration as a Foundational Control
Many of the risks associated with current agentic AI deployments stem not from fundamental flaws in the underlying tools, but from a lack of security-conscious configuration during their initial setup.
Consider a self-hosted AI assistant connected to a common communication channel like Telegram, a deployment model that is becoming increasingly prevalent. Without appropriate access controls, such an agent could be configured to respond to any message it receives from any user, creating a wide-open entry point for potential exploitation. A relatively simple configuration change—for instance, pairing the agent exclusively with a single, trusted user account or a restricted group—can effectively close the vast majority of this exposure. This illustrates a critical principle: a single, well-informed decision made early in the deployment process can yield a profoundly meaningful security outcome.
The broader principle here is that of scope. An agent designed solely to manage a user’s calendar should under no circumstances possess access to their system terminal. Similarly, an agent tasked with processing incoming customer requests should not have write access to the organization’s critical code repository. Scoping agents precisely to their intended function not only limits the potential blast radius in the event of compromise but also significantly reduces the overall attack surface available for exploitation. However, a tension inherently exists in this balance: powerful, highly useful agents often require broad access to be truly effective. This is a trade-off that business units will invariably push back on, prioritizing functionality and efficiency. Finding the optimal balance between utility and security demands early and continuous security involvement in the design process—critically, before the architectural decisions are finalized and before permissions are already deeply entrenched.
A Call to Action and Future Preparedness
Organizations that prioritize and successfully cultivate genuine AI security fluency now will be strategically positioned to actively shape how these powerful systems are deployed across their enterprises, guiding innovation responsibly. Conversely, those who arrive late to this critical security domain will, once again, find themselves in the unenviable position of attempting to retroactively apply controls to architectures that have already been designed and implemented without their expert input.
This July, cybersecurity professionals seeking to engage with AI systems from a foundation of real understanding are invited to participate in SEC545: GenAI and LLM Application Security at SANSFIRE 2026. The comprehensive course delves into the practical construction of AI applications, the operational mechanics of agentic systems, the critical attack surfaces security teams must grasp, and the array of tools and controls available to address these evolving threats. It includes hands-on exercises, such as model scanning techniques to detect compromised AI models before they are deployed in production environments. For practitioners committed to mastering the intricacies of AI security, this represents an essential starting point.
Register for SANSFIRE 2026 here.
This article has been expertly written and contributed by Ahmed Abugharbia, SANS Certified Instructor.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
