Unpredictable Autonomous Agents Are Rewriting the Rules of Identity Security
Helen Patton, Cybersecurity Executive Advisor at Cisco, explains why the biggest variable in enterprise security is no longer the human and what that means for identity, governance, and the future of the SOC.

AI is rewriting the rules of enterprise security, but the industry’s knee-jerk reaction is a tired cliché: go back to basics. In an environment defined by hybrid workflows and the fast-paced rollout of dangerous frontier models, using new technology to speed up old checklists doesn't actually solve the problem. As the primary source of unpredictability in a network moves from human employees to autonomous machines, many security leaders are finding they need to rethink their approach entirely.
Helen Patton, a Cybersecurity Executive Advisor at Cisco with more than two decades of enterprise risk experience, advocates a fresh take on how cyber programs are designed and governed in an AI-native environment. Her background gives her a unique vantage point on exactly where theoretical AI capabilities crash into on-the-ground reality. For Patton, navigating the AI era begins with recognizing that the core variable of risk has flipped.
"The place where threats occur is where things are the least controlled, the least standardized, and the least predictable. That place is now the AI, not the human," she says. The industry has spent two decades building intricate Identity and Access Management (IAM) programs designed to contain human unpredictability. Acknowledging that autonomous agents become unpredictable variables changes how security teams must approach governance.
The hamster wheel 2.0
Foundational controls like zero trust, multi-factor authentication, and standardized endpoints remain non-negotiable. Security, as Patton describes it, is the counterculture to the organization by design, constantly managing edge cases. As edge cases expand beyond human behavior, the application of these frameworks must adapt.
Patton says some companies are rushing to reimagine cyber defense, but most are just using AI to run the same old playbooks at a higher speed. "Most organizations still have a tendency to say, 'How can we use AI to do our security jobs faster?' But they're still thinking of it in terms of doing things the same way they always have. AI presents the opportunity for us to reimagine the way we do cyber so that we're more prepared to respond at scope and scale in an AI world."
Training wheels required
The need for a new playbook is highly visible in the SOC, where some teams are beginning to restructure as AI absorbs entry-level work. Many experts suggest the future of the SOC depends on elevating analysts to orchestrate operations and apply local context. "While AI will do the discrete tasking, the human can weave those tasks together and create meaning and apply it to the local context," Patton says.
Still, she notes that job boards routinely reinforce a rigid checklist of tactical skills and certifications. "Yes, you still have to know the skills, but what you really need is the ability to sit above it and orchestrate it. That's where we're going to head." Accomplishing this, she believes, doesn't mean junior staff get to leapfrog over entry-level jobs. Instead, those jobs become a prerequisite. "We are going to have to intentionally put people into level doing level one work so that they have the intellectual capability of applying human judgment over AI agents."
Governance can't keep up
Applying human judgment to machine behavior requires communication channels that actually work. Right now, they largely don't. The external policy environment remains highly volatile. Federal regulations currently focus on national security and export controls, while state and local policies prioritize privacy and workforce safety.
Internally, traditional corporate governance often breaks down between senior leaders who lack ground-level context and junior employees who lack decision-making authority. "Senior leadership is too senior to understand the on-the-ground implications, and people who are too junior aren't given the authority to make the decision," Patton says. "So you've got this break between the people who have to approve a governance item and the people with the knowledge to approve the governance item." Because of these bottlenecks, she says, the industry continues to struggle to define good AI governance models.
The governance process itself poses another challenge. Because human governance relies on slow, context-heavy approvals, it's not easily applied to high-speed AI agents. Persistence is widely considered a major driver of technical debt, as static identities tend to accumulate risk, privileges, and vulnerabilities over time. To solve the bottleneck, Patton points to Sounil Yu's DIE triad, which stands for Distributed, Immutable, and Ephemeral. She says disposable, non-human identities drastically reduce the attack surface the moment a task concludes. "Humans have had persistent identities, at least until they die. But that's not how AI is going to work. An agent shouldn't have an identity and shouldn't be able to do anything until it's necessary. Then, it should only have an identity that allows it to do the thing, and the identity goes away again."
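The ephemeral, task-scoped identity Patton describes can be sketched in code. This is an added example, not code from Patton, Cisco or Sounil Yu; the `EphemeralIdentityBroker` class, its method names, the agent name and the resource path are all hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

class EphemeralIdentityBroker:
    """Hypothetical broker: one identity per task, scoped to one action."""
    def __init__(self, ttl_seconds=60, clock=time.time):
        self._key = secrets.token_bytes(32)  # signing key never leaves the broker
        self._ttl, self._clock = ttl_seconds, clock  # clock is injectable for tests
        self._live = set()                   # identities that currently exist

    def _sign(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()

    def issue(self, agent, action, resource):
        """Create an identity only at the moment a task needs it."""
        claims = {"id": secrets.token_hex(8), "agent": agent, "action": action,
                  "resource": resource, "exp": self._clock() + self._ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        self._live.add(claims["id"])
        return base64.urlsafe_b64encode(payload) + b"." + self._sign(payload)

    def _claims(self, token):
        """Return the claims if the token is authentic, else None."""
        try:
            body, sig = token.rsplit(b".", 1)
            payload = base64.urlsafe_b64decode(body)
        except (ValueError, AttributeError, TypeError):
            return None
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        return json.loads(payload)

    def authorize(self, token, action, resource):
        """Allow only the one action on the one resource, while the identity lives."""
        c = self._claims(token)
        return bool(c and c["id"] in self._live and self._clock() < c["exp"]
                    and c["action"] == action and c["resource"] == resource)

    def retire(self, token):
        """Task finished: the identity goes away even if the TTL has not elapsed."""
        c = self._claims(token)
        if c:
            self._live.discard(c["id"])

if __name__ == "__main__":
    broker = EphemeralIdentityBroker(ttl_seconds=30)
    tok = broker.issue("triage-agent", "read", "tickets/constructed-1")  # constructed names
    print(broker.authorize(tok, "read", "tickets/constructed-1"),
          broker.authorize(tok, "write", "tickets/constructed-1"))
    broker.retire(tok)
    print(broker.authorize(tok, "read", "tickets/constructed-1"))
```

Nothing persists between tasks for privileges to accumulate on: the credential is useless outside its single action and resource, after its expiry, or once the task retires it.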
Democratizing security
Beyond the walls of top-tier enterprises, many organizations looking to move toward agentic security and continuous compliance engineering face a resource gap: a lack of advanced software coupled with a shortage of the human cognitive bandwidth required to supervise AI. The imbalance means under-resourced organizations struggle to evaluate AI safely or determine if it's contextually appropriate. Because we rely on these smaller organizations to manage public utilities, healthcare, and local infrastructure, even massive enterprises will feel the pain. "If they can't turn the lights on and flush the toilets, they're just going to be in the same boat as everybody else. The people who are doing security for their lights and their water are going to need help," Patton points out.
Rather than viewing the gap purely as a reason to panic, she frames it as the exact reason the industry must pivot its operational model. AI offers a practical opportunity to help under-resourced organizations manage their security without needing a massive in-house team. "One silver lining that we can think about is how to democratize things so that under-resourced organizations are better protected without having to do it themselves," Patton says. For her, the real promise of AI isn't simply making the best security teams faster. It's rethinking the strategy entirely and making effective security possible for organizations that could never build those teams in the first place.







