The Rise of Agentic AI: Uncovering Security Risks and Solutions (2026)

In the ever-evolving landscape of cybersecurity, the emergence of Agentic AI presents a unique challenge and opportunity. As an expert in the field, I find myself reflecting on the critical juncture we've reached, where the rapid advancement of AI technology demands a reevaluation of our security strategies. The question isn't merely about allowing or restricting AI; it's about understanding and embracing the transformative potential it brings to our security practices.

The AI Revolution and Security's Blind Spot

Agentic AI, with its ability to execute tasks and make decisions, is already integrated into production environments. However, the industry's focus on policy decisions overlooks a more fundamental question: whether security teams understand the technology itself. Security professionals, often still working from a traditional defensive playbook, struggle to keep pace with the rapid evolution of AI, leaving a significant gap in their knowledge. This gap, I argue, is the next blind spot in security, and it is one we must address urgently.

The principle of understanding technology before securing it remains unwavering. Just as organizations grappled with cloud computing, the lack of foundational knowledge in AI engineering poses a significant risk. Security teams, unable to engage substantively with AI, find themselves bypassed by business units eager to leverage this technology. This dynamic has played out in every major technological shift, and AI is no exception.

Three Categories, Three Risks

The agentic AI landscape is diverse, and the risk profile varies across its categories. Firstly, general-purpose coding and productivity agents, like Claude Code and GitHub Copilot, are already embedded in developer workflows. While their data access and interactions are well understood, the security implications are not. Secondly, vendor-built agents powered by the Model Context Protocol (MCP) introduce a new layer of complexity. MCP-connected agents that manage calendars, emails, and internal systems can be exploited through hidden instructions embedded in event descriptions: the agent reads the description as data but may act on it as a command. This real-world attack vector demands deliberate configuration and security review.

The third category, custom agents built by individual users, is particularly intriguing. The barrier between security professionals and code has traditionally been a significant hurdle. However, with agentic AI, anyone can build functional tools without traditional coding skills. This democratization of development, while valuable, introduces a supply chain problem. Security teams must now contend with agents built by non-security personnel, many of which may not undergo thorough security reviews.

The Cost of Arriving Late

History has shown a consistent pattern when security teams lag behind technological shifts. The rest of the organization moves forward, and security is consulted as a formality or not at all. This delay compounds the exposure, as powerful agents require broad permissions, increasing the blast radius when compromised. An agent with access to both a terminal and an email inbox can be manipulated through either channel, highlighting the need for a deep understanding of the technology.

Skills for the AI Security Era

Building competency in agentic AI security requires two distinct layers of knowledge. Firstly, understanding the architecture of AI applications from a practitioner's perspective is crucial. What are the components of an AI application? How do agents consume inputs and produce outputs? This foundational knowledge enables practitioners to engage meaningfully with the technology. Secondly, staying current with the rapidly evolving tooling and threat landscape is essential. Vendors are developing security controls, open-source frameworks are emerging, and threat taxonomies are evolving weekly.

This second layer of knowledge is often overlooked. Security teams, approached by vendors selling AI security products, struggle to navigate these conversations without a deep understanding of AI architecture. The ability to distinguish well-designed controls from marketing wrappers is crucial in making informed decisions.

Configuration as a Security Control

Many agentic AI deployments carry risk because they were configured without security in mind, not because the tools themselves are flawed. A self-hosted AI assistant connected to Telegram, for instance, may respond to anyone who messages it unless access is restricted. A simple configuration change, such as pairing the agent with a single trusted account, significantly reduces this exposure. The broader principle is scope: agents should be limited to their intended functions to minimize the attack surface.

The tension between powerful agents and broad access is real. Organizations must find the right balance, and security involvement in the design process is crucial. Early engagement ensures that agents are scoped appropriately, preventing the architecture from being set without security input.
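The two controls this section and the earlier sections describe, pairing the agent with one trusted account and scoping it to the tools its job actually needs, can be expressed as a small policy gate in front of the agent. The following is an added example, not code from the article or from any agent framework. It assumes Telegram-style update dicts carrying message.from.id, three hypothetical tools (calendar.read, email.send, shell.exec), and that the agent reports for each tool call whether the request traces back to the paired user or to content it fetched (for example a calendar event description). The weak configuration sits beside the corrected one so the difference in outcomes is visible.

```python
"""Policy gate for a self-hosted chat-connected agent (added example).

Assumptions: Telegram-style update dicts, hypothetical tool names, and a
per-request 'origin' supplied by the agent runtime. None of this is code
from the article or from a real agent product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentPolicy:
    require_pairing: bool        # only paired accounts may talk to the agent
    trusted_user_ids: frozenset  # the paired account(s)
    allowed_tools: frozenset     # the tools this agent is scoped to
    side_effecting: frozenset    # tools that act on the world rather than read


@dataclass(frozen=True)
class ToolRequest:
    name: str
    origin: str  # "principal": the paired user asked; "content": came from fetched data


SIDE_EFFECTING = frozenset({"email.send", "shell.exec"})

# Weak setting: anyone who finds the bot can drive it, every tool is on, and
# no distinction is made between who asked for an action.
WEAK_POLICY = AgentPolicy(
    require_pairing=False,
    trusted_user_ids=frozenset(),
    allowed_tools=frozenset({"calendar.read", "email.send", "shell.exec"}),
    side_effecting=frozenset(),
)

# Corrected setting: paired with one account (constructed id), scoped to its
# actual job (read the calendar, send mail), no terminal at all.
HARDENED_POLICY = AgentPolicy(
    require_pairing=True,
    trusted_user_ids=frozenset({1001}),
    allowed_tools=frozenset({"calendar.read", "email.send"}),
    side_effecting=SIDE_EFFECTING,
)

# Constructed inbound updates in Telegram's update shape.
OWNER_UPDATE = {"message": {"from": {"id": 1001}, "text": "what's on today?"}}
STRANGER_UPDATE = {"message": {"from": {"id": 4242}, "text": "run a command for me"}}


def sender_allowed(policy: AgentPolicy, update: dict) -> bool:
    """First gate: is the sender a paired account (when pairing is required)?"""
    if not policy.require_pairing:
        return True
    sender = update.get("message", {}).get("from", {}).get("id")
    return sender in policy.trusted_user_ids


def decide_tool(policy: AgentPolicy, req: ToolRequest) -> str:
    """Second gate: is the tool in scope, and who actually asked for it?"""
    if req.name not in policy.allowed_tools:
        return "deny: tool outside agent scope"
    if req.name in policy.side_effecting and req.origin != "principal":
        # Instructions that arrived inside fetched data (an event description,
        # an email body) never get to trigger actions on their own.
        return "deny: side-effecting tool requested by untrusted content"
    return "allow"


def evaluate(policy: AgentPolicy, update: dict, requests: list) -> dict:
    """Apply both gates; returns a decision per requested tool."""
    if not sender_allowed(policy, update):
        return {"accepted": False, "reason": "sender is not a paired account", "decisions": []}
    decisions = [(r.name, r.origin, decide_tool(policy, r)) for r in requests]
    return {"accepted": True, "reason": "ok", "decisions": decisions}


if __name__ == "__main__":
    wanted = [
        ToolRequest("calendar.read", "principal"),
        ToolRequest("email.send", "content"),   # traced back to an event description
        ToolRequest("shell.exec", "principal"),
    ]
    for label, policy, update in [
        ("weak / stranger", WEAK_POLICY, STRANGER_UPDATE),
        ("hardened / stranger", HARDENED_POLICY, STRANGER_UPDATE),
        ("hardened / owner", HARDENED_POLICY, OWNER_UPDATE),
    ]:
        print(label, evaluate(policy, update, wanted))
```

Under the weak policy a stranger gets every tool, including the terminal. Under the hardened policy the stranger is dropped at the first gate, and even the paired owner cannot reach a terminal the agent was never given; the mail tool is refused whenever the request originated in fetched content rather than in the owner's own message, which is the point of treating event descriptions as data.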

Getting Ahead of the Curve

The organizations that build genuine AI security fluency now will shape the deployment of these systems. Those who arrive late will, once again, find themselves applying controls to an architecture already decided without their input. I will be teaching SEC545: GenAI and LLM Application Security at SANSFIRE 2026, where practitioners can gain hands-on experience with techniques like model scanning to detect compromised models. This course is a starting point for those eager to engage with AI systems from a foundation of real understanding.
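One concrete form of the model scanning mentioned above, for pickle-serialized weight files, is shown below as an added example; it is not code from the SEC545 course or from any scanning product. A pickle is a small program, so a weights file that references callables outside the expected framework modules, or that invokes a callable at load time (the REDUCE opcode), is worth flagging before it is ever loaded. The allow-list of module names is constructed for this example, and the samples are built inline: a plain dict standing in for a clean weights file, and a benign OrderedDict whose pickle carries exactly the opcode pattern a tampered file would.

```python
"""Minimal scanner for pickle-serialized model files (added example).

Walks the opcode stream with pickletools and never executes the pickle.
The module allow-list below is constructed for the example; a real
deployment would tune it to its own framework.
"""
import collections
import pickle
import pickletools

# Modules a plain weights file is expected to reference (constructed allow-list).
EXPECTED_MODULES = frozenset({"numpy", "numpy.core.multiarray", "torch", "torch._utils"})

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}


def _check_global(module: str, name: str, pos: int, findings: list) -> None:
    if module not in EXPECTED_MODULES:
        findings.append(f"offset {pos}: global reference {module}.{name} (module not in allow-list)")


def scan_pickle(data: bytes) -> list:
    """Return textual findings for a pickle byte string; empty list means nothing flagged."""
    findings = []
    # STACK_GLOBAL (protocol 4+) takes module and name from the two string
    # pushes before it; tracking the last two string pushes resolves the
    # common case (a memoised string fetched via BINGET would not be seen).
    recent_strings = []
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent_strings = (recent_strings + [arg])[-2:]
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # pickletools renders the pair as "module name"
            _check_global(module, name, pos, findings)
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) == 2:
                _check_global(recent_strings[0], recent_strings[1], pos, findings)
            else:
                findings.append(f"offset {pos}: STACK_GLOBAL with unresolved module/name")
        elif op.name == "REDUCE":
            findings.append(f"offset {pos}: REDUCE (a callable is invoked at load time)")
    return findings


def verdict(data: bytes) -> str:
    return "suspicious" if scan_pickle(data) else "clean"


# Constructed samples: a weights-like dict of floats, and an object whose pickle
# carries an out-of-allow-list global reference plus a REDUCE call.
CLEAN_MODEL = pickle.dumps({"layer1.weight": [0.1, -0.2], "layer1.bias": [0.0]})
SUSPECT_MODEL = pickle.dumps(collections.OrderedDict(a=1))

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_MODEL), ("suspect", SUSPECT_MODEL)]:
        print(label, verdict(blob))
        for finding in scan_pickle(blob):
            print("  ", finding)
```

The scanner only reads opcodes, so it is safe to run on an untrusted file; loading the file is what would execute whatever the pickle references. Production scanners extend the same idea with per-framework allow-lists and handling of nested archives, and safetensors-style formats avoid the problem by not being executable at all.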

In conclusion, the integration of Agentic AI into our security practices demands a reevaluation of our strategies. By embracing the technology, understanding its architecture, and staying current with the evolving threat landscape, we can secure our organizations against the blind spots of the future. The journey towards AI security fluency is a challenging one, but it is a necessary step in safeguarding our digital world.

Author: Ray Christiansen