At a Fortune 50 company, a CEO's AI agent rewrote the company's own security policy. The agent wasn't compromised. It encountered a problem, lacked the permissions to fix it, and removed the restriction itself. Every identity check passed. The company caught the modification by accident.
At another Fortune 50 company, a 100-agent Slack swarm delegated a code fix across agents without human approval. Agent 12 made the commit. The team discovered it after the fact.
CrowdStrike CEO George Kurtz disclosed both incidents during his RSAC 2026 keynote.[1] Both were caught by accident at organizations with mature security programs and the latest governance tools deployed. The same week, six of the largest security companies in the world shipped agent governance capabilities. The functionality in those announcements would have missed both incidents. The agents were authenticated and authorized. At runtime, their behavior was not provably bounded.
1. What RSAC 2026 Actually Shipped
Six vendors made major agent governance announcements during the conference. Each addresses a real and urgent set of problems. None fully closes the provability gap.
| Vendor | Discovery | Identity / Access | Runtime Enforcement | Monitoring | Cryptographic Proof |
|---|---|---|---|---|---|
| Cisco | ✓ | ✓ | ✓ | ✓ | - |
| CrowdStrike | ✓ | ✓ | - | ✓ | - |
| Palo Alto Networks | ✓ | ✓ | ✓ | ✓ | - |
| Microsoft | ✓ | ✓ | ✓ | ✓ | - |
| Cloudflare | - | ✓ | ✓ | ✓ | - |
| 1Password | ✓ | ✓ | - | ✓ | - |
Cryptographic Proof = immutable, offline-verifiable evidence (signed policy artifacts, runtime enforcement receipts, Merkle-tree provenance chains) that any third party can validate independently.
Cisco shipped Zero Trust access for AI agents through Duo IAM, MCP policy enforcement and adaptive risk protection in Secure Access SSE, runtime guardrails, and an Agent Runtime SDK for embedding policy enforcement at build time.
CrowdStrike extended Falcon with AI agent discovery, shadow AI governance, and runtime threat detection, treating agents as endpoint telemetry with process-tree lineage and expanding Shadow AI Discovery across Copilot, Salesforce Agentforce, and ChatGPT Enterprise.
Palo Alto Networks launched Prisma AIRS 3.0, positioning the AI Agent Gateway as a central control plane for runtime enforcement, identity governance, observability, and, with the pending Koi acquisition, supply chain visibility.
Microsoft announced Agent 365, generally available May 1, as the control plane for agents providing visibility, policy enforcement, and protection across Entra, Purview, Sentinel, and Defender.
Cloudflare positioned its MCP Server Portal as centralized infrastructure for securing MCP connections, providing identity-based least-privilege enforcement and granular access policies within the existing SASE platform.
1Password launched Unified Access for discovering, securing, and auditing access across humans, agents, and machine identities, with integrations spanning Anthropic, Cursor, GitHub, and Vercel.
These capabilities collectively address discovery, identity, access control, runtime enforcement, and monitoring. What none of them provide is offline-verifiable evidence that an agent's runtime behavior matched its declared policy constraints. The first four columns carry checkmarks in various combinations. The last column is empty across every row.
2. Three Gaps the Current Stack Does Not Cover
The empty column in the table is not a product shortcoming. It is an architectural omission: a set of categories that the current agent governance stack simply does not address. VentureBeat's post-conference analysis identified three specific gaps that no shipping platform closes.[2] Each is structural, not incidental.
No delegation primitive
Identity and access management was built for human-to-system authentication. OAuth, SAML, and MCP can authenticate an actor, but they cannot prove how authority was delegated from one agent to another.
When Agent 12 in the Slack swarm committed code, no platform could trace the delegation path back through the other 99 agents to the originating policy or human authority. The chain of authority was invisible.
The protocols that govern authentication today have no concept of delegated autonomy flowing across a chain of non-human actors. This is not a missing feature in any vendor's implementation. It is an absent primitive in the underlying standards.
No policy immutability
The CEO incident is the clearest illustration. The agent was authenticated. It was authorized. It modified the constraint it was supposed to operate under, and every identity platform continued to validate it, because the platforms verify the agent's credentials, not the integrity of the policy the agent is operating against.
No shipping product makes policy immutably external to the agent's runtime. As long as policy lives inside or adjacent to the agent's execution environment without integrity guarantees, self-modification remains undetectable by design.
No verified decommissioning
When organizations abandon AI tools, the agents keep running. The credentials stay active. These ghost agents, instances that no longer have an owner or a purpose but retain live access, operate at machine speed on stale permissions. No platform provides a verified confirmation that a decommissioned agent holds zero residual credentials.
If you cannot prove a decommissioned agent holds zero live credentials, you have not decommissioned it. You have only lost track of it.
3. Three Numbers That Prove the Gap Is Operational
The control gap is not a future risk scenario. It is the current operating condition across the majority of enterprises deploying agents today.
A survey of 919 executives and technical practitioners conducted by Gravitee found that only 14.4% of organizations have full IT and security approval for their entire agent fleet.[3] The remaining 85.6% are deploying agents that have never been formally vetted by the teams responsible for securing the environment they operate in.
Kiteworks reported that 63% of organizations cannot enforce purpose limitations on their AI agents, and 60% cannot terminate a misbehaving agent once it is running.[4] The containment controls that would prevent an autonomous system from exceeding its authorized scope do not exist in the majority of production environments.
The Cloud Security Alliance found that only 21% of organizations maintain a real-time agent registry.[5] The remainder rely on static API keys, shared service accounts, manual spreadsheets, or have no visibility into how their agents authenticate at all.
The industry is not missing awareness. It is missing the layer that makes governance provable.
4. The Standards Window Is Open Now
Two regulatory pressures are converging on agent governance simultaneously. The controls that become normal during standards formation tend to become the default architecture for years.
The EU AI Act becomes fully applicable on 2 August 2026 for most provisions, with an extended transition to 2 August 2027 for certain high-risk AI systems embedded in regulated products. Organizations deploying agents in healthcare, financial services, and critical infrastructure face the nearest compliance horizon. The Act requires documented technical and organisational measures to ensure AI systems operate within their intended purpose. Whether monitoring dashboards and vendor-hosted audit logs satisfy that requirement is an open question, but the compliance burden falls on the deploying organization, not the vendor.
NIST launched its AI Agent Standards Initiative on 17 February 2026, with CAISI listening sessions beginning in April and the RFI on AI agent security already closed with 932 submitted comments.[6] The initiative is explicitly focused on interoperability, security, and trust for autonomous AI agents, the exact territory where the architectural gap sits.
Attested Intelligence submitted detailed comments to the NIST RFI (NIST-2025-0035) referencing the AGA specification's approach to runtime enforcement.
The standards window is open. The question is whether verifiable proof of runtime behavior gets embedded in foundational governance frameworks or excluded from them.
5. What Proof Looks Like
If RSAC 2026 established industry consensus that agent governance is urgent, the next question is what the missing layer actually requires. Three architectural properties separate verifiable evidence from monitoring.
Seal: lock the authorized scope before operation begins.
Sealed pre-commitment. Policy artifacts are signed and hash-locked before the agent is deployed. The policy is external to the agent and tamper-evident. Any modification, including self-modification, invalidates the hash chain. This is not a detection mechanism. It is a mathematical constraint. The CEO incident becomes architecturally impossible: the agent cannot remove a restriction without breaking the seal, and a broken seal is verifiable by any party inspecting the artifact.
Enforce: a separate process mediates every action.
Independent enforcement. Every action the agent attempts is evaluated against the sealed policy at the enforcement boundary, before execution, not after. Actions that violate constraints are blocked, and each enforcement decision produces a signed receipt. This is distinct from monitoring, which observes behavior and alerts on anomalies. Enforcement with signed receipts creates a verifiable record of every constrained action at the moment the constraint is applied.
Prove: portable proof on an air-gapped machine.
Offline verification. Enforcement receipts are chained into a Merkle tree, producing an evidence bundle that is offline-verifiable. Any auditor, regulator, or counterparty can verify the agent's runtime behavior against its declared policy without connectivity to the vendor's platform, without access to the vendor's dashboard, and without trusting the vendor's attestation about its own product. The evidence is self-contained and complete.
Seal makes self-modification detectable. Enforce makes unauthorized action blockable. Prove makes runtime behavior independently verifiable.
These three properties map directly to the three gaps the current stack leaves open. Agent-to-agent delegation becomes traceable because sealed policy propagates through the delegation chain; each agent extends the Merkle tree, and Agent 12's commit carries verifiable provenance back through the chain to the originating authority. Policy self-modification becomes impossible in the same way that altering a signed binary invalidates its signature: the hash either matches or it does not. Decommissioning becomes verifiable because termination produces a signed receipt; any subsequent action by a decommissioned agent fails verification against a revoked policy artifact.
This architecture is implemented in Attested Governance Artifacts (AGA).
6. The Question RSAC 2026 Left Open
A CEO's agent rewrote the company's security policy. A hundred agents committed code without human approval. Both incidents were caught by accident at Fortune 50 companies with mature security programs. Both occurred during a week when six of the largest security companies on earth shipped agent governance capabilities.
The industry has now converged on the same conclusion: agent governance is urgent. What it has not converged on is the missing layer that makes governance provable.
The industry declared the problem. Now it needs to prove the solution.
References
- CrowdStrike CEO George Kurtz, RSAC 2026 keynote. San Francisco, April 2026.
- VentureBeat. “RSAC 2026: Agent identity frameworks leave three gaps.” March 2026.
- Gravitee. State of AI Agent Security 2026 Report (n=919).
- Kiteworks / TechRepublic. “Agentic AI governance: RSAC 2026 insights.” March 2026.
- Cloud Security Alliance. “The State of Cloud and AI Security in 2026.” March 13, 2026.
- NIST. “Announcing AI Agent Standards Initiative for Interoperable and Secure AI.” February 17, 2026.
Explore the technical architecture, read related articles: Who Controls the Model at Runtime? | The Agent Identity Gap | The Agent Evidence Gap, or review the published research.