Agent Authorization Gaps Threaten AI Security Despite Strong Identity Checks

In today’s AI-driven enterprises, authentication alone isn’t enough to secure autonomous agents. Cisco’s latest security findings expose a troubling reality: employees are deploying AI agents at unprecedented scale, but security teams struggle to enforce precise authorization policies.

During an exclusive interview at RSAC 2026, Anthony Grieco, Cisco’s SVP and chief security and trust officer, confirmed that rogue agent incidents are no longer rare. “We see them regularly,” Grieco stated. “Agents are performing actions they believe are correct, but they’re accessing data or systems beyond their intended scope.” The issue isn’t identity verification—it’s authorization, the granularity of permissions granted to these AI-driven tools.

The Silent Authorization Crisis in AI Agents

Cisco’s State of AI Security 2026 report reveals a stark disconnect: 83% of organizations plan to deploy agentic AI capabilities, yet only 29% feel confident in their ability to secure them. The problem stems from how authorization policies are designed. Grieco explained that even when an agent is authenticated as a legitimate “finance agent,” it may still gain access to all financial data—including sensitive records it shouldn’t touch.

This over-permissioning isn’t theoretical. Experts like Kayne McGladrey, an IEEE senior member, note that organizations often replicate human user profiles for agents, immediately creating permission sprawl. Carter Rees, VP of AI at Reputation, added that large language model (LLM) architectures inherently lack the granularity to enforce user-specific permissions, enabling agents to operate with full privileges without escalation.

Why Logging Fails to Catch Rogue Agents

Visibility is another critical weakness. Elia Zaitsev, CTO of CrowdStrike, highlighted that default enterprise logging configurations treat agent activity identically to human actions. Distinguishing between the two requires tracing process trees—a capability most logging systems lack. Without clear telemetry, security teams remain blind to unauthorized agent behavior.

Five vendors debuted agent identity frameworks at RSAC 2026, including Cisco’s Duo IAM and MCP gateway controls. Yet none addressed all the identified gaps. The four persistent vulnerabilities include:

• Granular role-based access control (RBAC) failures for agents
• Lack of real-time audit trails for agent actions
• Over-permissioned default agent profiles
• Inability to distinguish agent activity from human activity in logs

Standards Bodies Warn of Structural Risks

The authorization gap isn’t just a vendor concern—it’s a systemic issue. In early 2026, three major standards organizations independently flagged similar risks:

• NIST’s NCCoE published a concept paper in February 2026, urging demonstration projects to adapt existing identity standards for autonomous agents.
• OWASP’s Top 10 for Agentic Applications (released December 2025) ranked over-privileged access and unsafe delegation as top-tier threats.
• The Cloud Security Alliance launched the CSAI Foundation at RSAC 2026, introducing an Agentic AI IAM framework built on decentralized identifiers and zero trust principles.

When NIST, OWASP, and CSA converge on the same diagnosis, the issue transcends individual vendors—it’s a foundational challenge for AI security.

The MCP Paradox: Secure It or Lose Control

The Model Context Protocol (MCP) has become a de facto standard for agent interoperability, yet its security risks are widely acknowledged. Grieco emphasized that blocking MCP entirely isn’t feasible for modern enterprises. “There’s no saying no to it as a security leader,” he noted. “The question is how to manage it.”

At Cisco, teams have begun integrating MCP discovery, proxying, and inspection capabilities into their AI Defense platform. The goal isn’t to eliminate MCP but to impose strict governance layers that monitor and constrain agent behavior in real time.

A Call for Granular, Agent-Specific Policies

The path forward requires rethinking authorization for AI agents—not as extensions of human users, but as independent entities with their own permission schemas. Security leaders must demand:

• Fine-grained access controls tailored to agent functions, not user roles
• Real-time audit mechanisms to log and analyze agent actions separately from human activity
• Decentralized identity frameworks to prevent privilege escalation through flat authorization planes
• Agent-specific logging standards that expose process-level telemetry

The AI agent revolution is already here. The question isn’t whether organizations will adopt these tools—it’s whether they can secure them before rogue agents become the norm.