TL;DR
- For two years, the dominant agent-security narrative was about identity — cryptographic agent IDs, signed requests, decentralized identifiers. RSAC 2026 was the moment the industry conceded that identity was never the hard part.
- Cisco’s CSO told the press that rogue-agent incidents are reaching customers regularly, and they share one shape: the agent is exactly who it claims to be, then it accesses data or takes an action nobody scoped it for. NIST, OWASP, and CSA all flagged the same gap class independently in the same cycle.
- Five vendors shipped “agent identity” frameworks at the show. None closed the gap. The market just told us — out loud, on the main stage — that scoped, attribute-aware, action-time authorization is the unsolved capability. That is the gap.
The Consensus Moment
Industry consensus rarely arrives all at once. It accumulates quietly across customer conversations and standards drafts, then surfaces in one cycle as if everyone had agreed in advance.
RSAC 2026 was that cycle for agent security. Asked whether rogue-agent incidents were reaching Cisco’s customer base, the company’s chief security and trust officer didn’t hedge:
“A hundred percent. We see them regularly.” The pattern, he said, is consistent: authentication passes, identity checks clear, the agent is exactly who it claims to be — and then it accesses data it was never scoped to touch or takes an action nobody authorized at that level of granularity.
That diagnosis lined up with three independent standards efforts in the same window. NIST’s NCCoE published a concept paper calling for demonstration projects on agent identity and authorization. OWASP’s Top 10 for Agentic Applications flagged tool misuse from over-privileged access as a top-tier risk. The Cloud Security Alliance launched a foundation explicitly aimed at “Securing the Agentic Control Plane.”
When the biggest networking-security vendor, a federal standards body, the most-cited open security organization, and a leading cross-cloud alliance all flag the same gap class in the same market cycle, the signal isn’t a vendor narrative. It’s structural.
Identity Was Always the Easier Half
The reason “agent identity” got top billing for two years is that it’s the half of the problem with familiar primitives. Asymmetric keys, signed envelopes, JWKS discovery, JWT claims — the identity community has been shipping those for a decade. Giving an agent a verifiable cryptographic identity is a real engineering effort, but the shape of the solution was never in doubt.
Authorization is harder because the answer changes per call. “Should this identity perform this action against this resource right now?” is not a question a token can answer. It’s a question a decision engine has to evaluate against current attributes — subject, resource classification, request context — on every request.
The market noticed which half it actually shipped. Cisco’s own framing made the gap explicit:
“Even if it’s a finance agent, it shouldn’t access all finance data. It should access the expense reports, and not just expense reports, but the individual expense reports at a particular time.”
Read that as the operational specification. Not “the agent is allowed in the finance domain.” Not even “the agent can read expense reports.” This expense report. This moment. This action. That granularity is the bar, and it is not a property of any token in production today.
Why the Existing Controls Don’t Reach
Three failure shapes recur across every incident report we’ve seen in the last quarter, and they all stem from the same architectural mismatch.
Agents Inherit Human Profiles
IAM teams reach for the closest available pattern and clone the human user’s permissions to the agent. The agent never needs to escalate privileges because it already has them — with the human’s entire authorization surface, applied at machine speed.
The Flat Authorization Plane
An LLM operating inside a single application context cannot enforce per-user, per-record, per-action permissions on its own. Everything inside its retrieval surface is reachable. The plane is flat unless the policy engine outside the model says otherwise.
Logs Can’t Tell Humans from Agents
Default enterprise logging records the human’s identity, not the actor that initiated the call. An over-permissioned agent that looks like a human in the SIEM is, for SOC purposes, invisible. You can’t respond to what you can’t see.
MCP Surfaces Are Shadow IT
Model Context Protocol servers proliferate the way Slack apps did in 2018 — developers wire them up, nobody catalogs them, and the security team finds out during the postmortem. The authorization story doesn’t exist if you can’t enumerate the surface.
Each of these is solvable with current technology. None of them is solved by “giving the agent an identity.” They’re solved by what happens after the identity check passes — which is exactly the part the industry just admitted it doesn’t yet ship.
The 500-Agent Number Is the Forcing Function
One quoted figure from the show is worth dwelling on: businesses are talking about 500 agents per employee. Cisco’s own State of AI Security report found 83% of organizations planning agentic deployments, with only 29% feeling prepared to secure them.
Take those numbers seriously. An enterprise with ten thousand employees is pricing in a world with five million non-person identities — each making calls per second, each with the potential to act on data it shouldn’t. Any authorization model that depends on humans reviewing access grants, rotating tokens by hand, or catching anomalies in dashboards loses to that scale before it starts.
The only architecture that survives is one where every consequential agent action is a structured policy decision, evaluated by an engine that reads identity attributes, resource classification, and context at the moment of the call. Externalized. Auditable. Consistent across tools, models, and orchestration frameworks. That’s not a 2026 aspiration. At five million agents per enterprise, it’s the operating baseline.
What to Do Before the Next RSAC
Stop Cloning Human Profiles for Agents
Every agent gets its own NPE record with its own attributes — purpose, owner, allowed actions, data classes, expiration. No more “use the service account.” No more “impersonate the requesting user.” A distinct identity is the prerequisite for a distinct policy.
Pass Grieco’s Test on One Workflow
Pick a single agent. Configure policy so it can access only the specific record it needs to do its job, only at the moment it needs to do it. If you can’t get one agent through that test, ten thousand are out of the question.
Externalize the Authorization Decision
Move the “allow / deny” decision out of every individual tool handler and into a centralized policy engine. One engine, one audit trail, one place to change the rule when the threat model moves.
Classify Resources, Not Just Identities
The decision is the pair: subject and object. A “finance” attribute on the resource record gets you the conditional rule that “finance agents may read finance data” — without overwriting the per-record scoping that prevents the agent from reading everything.
Inventory Your MCP Surface
Treat every MCP server like shadow IT until proven otherwise. Discover, catalog, attribute. An ungoverned MCP surface is a flat authorization plane wired directly to your production systems.
Distinguish Agents from Humans in the Log Stream
If your SIEM can’t answer “was this a human or an agent?” on every session, your behavioral detection story is non-existent for the population of identities that’s about to grow 500x. Make the actor type a first-class log field today.
Short-Lived, Action-Scoped Credentials
If an agent needs a token, mint it just-in-time for the specific call, scoped to the specific resource, expiring in minutes. Durable broad-scope credentials are the artifact the next incident report will name.
Treat the Decision Stream as the System of Record
Every allow and deny from the policy engine, captured with subject, action, resource, attributes, and rule. That stream is your behavioral baseline, your audit log, and your incident reconstruction surface — all from one place.
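The recommendations above, as an added example that is not part of the original article and is not Stratium's or any vendor's code: an externalized decision function that evaluates an agent's NPE record, the resource classification and the task context at call time, and emits one decision record per request with the actor type as its own field. All identifiers, record IDs and rule names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed NPE record for one agent (every name and value is hypothetical).
AGENT = {"id": "agent:expense-summarizer-01", "actor_type": "agent",
         "owner": "user:alice", "purpose": "expense-review",
         "allowed_actions": {"read"}, "data_classes": {"finance"},
         "expires": datetime(2026, 12, 31, tzinfo=UTC)}
# Constructed resource records; classification lives on the resource itself.
RESOURCES = {"expense-report/1001": {"classification": "finance"},
             "expense-report/1002": {"classification": "finance"},
             "payroll/2026-05": {"classification": "finance"}}

def decide(subject, action, resource_id, context, now):
    """Evaluate one call; all checks must pass, and the first failure names the rule."""
    resource = RESOURCES.get(resource_id, {})   # unknown resource: no class, so deny
    task = context.get("task", {})              # no task binding: deny (fail closed)
    checks = [
        ("subject-not-expired", now < subject["expires"]),
        ("action-allowed", action in subject["allowed_actions"]),
        ("class-match", resource.get("classification") in subject["data_classes"]),
        # Per-record scoping: a class match is not enough; the record must be
        # the one named by the task the agent is working on right now.
        ("record-in-task", resource_id in task.get("records", ())),
        ("task-window", task.get("not_before", now) <= now < task.get("not_after", now)),
    ]
    failed = next((name for name, ok in checks if not ok), None)
    # The decision record doubles as the audit log entry.
    return {"ts": now.isoformat(), "actor_type": subject["actor_type"],
            "subject": subject["id"], "owner": subject["owner"],
            "action": action, "resource": resource_id,
            "decision": "deny" if failed else "allow",
            "rule": failed or "all-checks-passed"}

def demo():
    """Four constructed requests from the same authenticated agent."""
    now = datetime(2026, 5, 20, 14, 0, tzinfo=UTC)
    task = {"records": ["expense-report/1001"],
            "not_before": datetime(2026, 5, 20, 13, 55, tzinfo=UTC),
            "not_after": datetime(2026, 5, 20, 14, 10, tzinfo=UTC)}
    calls = [("read", "expense-report/1001"), ("read", "expense-report/1002"),
             ("read", "payroll/2026-05"), ("write", "expense-report/1001")]
    return [decide(AGENT, a, r, {"task": task}, now) for a, r in calls]

if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record))  # one JSON line per decision for the log stream
```

The second and third requests pass the identity and class checks and are still denied, because the records are not the one the current task names.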
How This Maps to ABAC-Enabled Security
Granularity Is the Specification
“The individual expense report at a particular time” isn’t a slogan; it’s the actual decision surface. ABAC policies are built to evaluate subject attributes, resource attributes, and context against each other for exactly this shape of question.
Externalized Decisions, Distributed Enforcement
One policy engine across MCP servers, tool surfaces, orchestration layers, and downstream APIs. The agent population scales 500x; the decision plane doesn’t multiply with it.
Agents as First-Class NPEs
Distinct identity records, distinct attributes, distinct lifecycles — not human-profile clones. That’s how authorization regains the granularity it lost the moment IAM teams reached for the nearest available template.
The Market Window
The interesting thing about a consensus moment is that it changes what’s buyable. For two years, “agent authorization” was an opinion held by a handful of security-platform companies and a small group of identity researchers. As of last week, it’s the diagnosis given by the largest networking-security vendor on the planet, validated by three standards bodies, and confirmed by working CSOs in interviews you can read on the same day they were conducted.
That changes the buying conversation. The question stops being “do we need this?” and becomes “what does it look like and who has it?” The article’s own conclusion was that the controls exist in pieces across multiple vendors, and no single vendor has assembled the complete stack.
That sentence is the market. It is also a description of why we built Stratium. The plumbing for agent identity is converging in protocol working groups. The missing layer — the one the industry just named — is the externalized, attribute-aware, action-time decision engine that turns “authenticated” into “authorized” for every call an agent ever makes.
Authentication passed. Authorization is what gets built next.
Further Reading
- Stratium, “Bearer Tokens Don’t Carry Intent: Nine Seconds and the Advisory Failure Mode”
- Stratium, “The Load-Bearing Wall of the Agentic Stack: Authorization”
- Stratium, “The Missing Layer in AI Agent Security: ABAC-Driven Action Policies”
- Stratium, “The Zombie Agent Problem: Agentic Risk Is a Lifecycle Problem”
- Louis Columbus, VentureBeat, “Agent authorization is broken — and authentication passing makes it worse” (May 14, 2026) — the Grieco interview and the 83% / 29% State of AI Security figures referenced above are drawn from this reporting.