Agent Authorization Is Broken — And Authentication Passing Makes It Worse

The core problem: Agent authorization is the single biggest security blind spot for enterprises deploying AI agents in 2026. Authentication passes, identity checks clear, but agents access data they were never scoped to touch. The failure is not identity; it's authorization.

The data: Cisco's State of AI Security 2026 report found that 83% of organizations planned to deploy agentic capabilities, but only 29% felt prepared to secure them. At RSAC 2026, five vendors shipped agent identity frameworks — none closed every gap.

Why it matters for your bottom line: If your organization is among the 83% planning agent deployment, you are almost certainly operating with a flat authorization plane that gives every agent the same access as a human — and attackers are already chaining tools to exploit it.

The Authorization Gap Nobody Has Closed Yet

Anthony Grieco, Cisco's SVP and chief security and trust officer, confirmed the pattern in an exclusive interview at RSAC 2026: "A hundred percent. We see them regularly." The incidents follow a consistent script: authentication passes, identity checks clear, then the agent accesses data it was never scoped to touch or takes an action nobody authorized at that level of granularity.

Grieco described the operational challenge precisely: "This agent here is a finance agent, but even if it's a finance agent, it shouldn't access all finance data. It should access the expense reports, and not just expense reports, but the individual expense reports at a particular time."

Independent practitioners confirmed the pattern. Kayne McGladrey, an IEEE senior member, told VentureBeat that organizations default to cloning human user profiles for agents — permission sprawl starts on day one. Carter Rees, VP of AI at Reputation, identified the structural root cause: the flat authorization plane of an LLM fails to respect user permissions. An agent on that flat plane does not need to escalate privileges. It already has them.

Standards Bodies Converge on the Same Diagnosis

Three independent standards bodies reached parallel conclusions in early 2026. NIST's NCCoE published a concept paper in February 2026 explicitly calling for demonstration projects on how existing identity standards apply to autonomous agents. The OWASP Top 10 for Agentic Applications, released in December 2025, identified tool misuse from over-privileged access and unsafe delegation as top-tier risks. The Cloud Security Alliance launched the CSAI Foundation at RSAC 2026 with a dedicated Agentic AI IAM framework built around decentralized identifiers and zero trust principles.

When NIST, OWASP, and CSA all independently flag the same gap class in the same market cycle, the signal is structural, not vendor-specific.

MCP Security: Discovery Before Control

Model Context Protocol (MCP) servers are proliferating across environments without security visibility. Grieco did not argue that MCP is safe — he argued that blocking it is no longer realistic. "There is no saying no to that in today's day and age as a security leader," he told VentureBeat. "And so it's how do we manage that."

Inside Cisco's own environment, Grieco's team added MCP discovery, proxying, and inspection capabilities to AI Defense and Cisco Secure Access. The approach treats MCP servers the way enterprises treat shadow IT: find them before you govern them.

Etay Maor, VP of threat intelligence at Cato Networks, validated that approach from the adversarial side. At RSAC 2026, Maor demonstrated a Living Off the AI attack chaining Atlassian's MCP and Jira Service Management. Attackers do not separate trusted tools, services, and models. They chain all three.

Nearly Half of Critical Infrastructure Is Obsolete and Unpatched

Agent authorization failures are harder to detect and contain when the infrastructure underneath has not received a security patch in years. Cisco commissioned UK-based advisory firm WPI Strategy to examine end-of-life technology risk across the US, UK, France, Germany, and Japan. The report found that nearly half of the critical network infrastructure across those geographies is aging or already obsolete. Vendors no longer patch it.

"Almost 50% of the critical infrastructure across these geographies was aging, it was end of life or almost end of life," Grieco told VentureBeat. "It means vendors are not providing security patches for them anymore."

Cisco's Resilient Infrastructure initiative disables unused features by default and phases out legacy protocols on a three-release deprecation schedule. But Grieco pushed back on the assumption that secure by default is a static achievement: "One of the things that most people don't think about is that those are not static points in time. It's not like you do it once and you're done."

Winners & Losers

Winners:

  • Cisco: Offers the most comprehensive agent security suite — Duo IAM registers agents as distinct identity objects with granular, time-bound permissions; AI Defense adds MCP discovery, proxying, and inspection; Splunk integration provides SOC telemetry for agent-specific detection and response. Cisco also leads with the Resilient Infrastructure initiative, positioning itself as the trusted partner for secure agent deployment.
  • NIST and Cloud Security Alliance: Their frameworks become reference points for agent security, driving adoption and influencing regulatory standards.
  • Security vendors with agent-aware solutions: Growing demand for agent identity, authorization, and monitoring creates a significant market opportunity for vendors that can close the gaps.

Losers:

  • Organizations deploying agents without proper security: Lack of preparedness leads to increased risk of breaches, regulatory non-compliance, and reputational damage. The 71% that feel unprepared are exposed.
  • Vendors of legacy infrastructure: Cisco's study highlights aging infrastructure risk, pushing modernization away from legacy systems and toward secure-by-default platforms.
  • Enterprises using flat authorization for LLMs: Flat authorization fails to respect user permissions, leading to privilege escalation and tool misuse. These organizations will face the most severe incidents.

Second-Order Effects

The authorization gap will drive a wave of security consolidation. Enterprises will demand integrated agent identity and authorization solutions rather than point products. Standards bodies will accelerate their work, and regulatory frameworks will emerge by 2027. The cost of non-compliance will rise sharply.

Legacy infrastructure modernization will accelerate as organizations realize that agents operating on unpatched systems inherit vulnerabilities no vendor will fix. The replacement cycle will shift from IT upgrade to security investment.

Attackers will continue to innovate. Living Off the AI attacks will become more sophisticated, chaining multiple tools and protocols. The security industry will need to evolve detection and response capabilities to keep pace.

Market / Industry Impact

Agent identity and authorization will become a foundational layer in enterprise security architecture, moving from human-centric IAM to agent-aware frameworks. The market for agent security solutions will grow rapidly, with Cisco, CrowdStrike, and others competing for leadership. Standards from NIST, OWASP, and CSAI will shape procurement requirements.

Legacy infrastructure vendors will face pressure to modernize or lose market share. The shift to secure-by-default platforms will accelerate, with Cisco's Resilient Infrastructure initiative setting a benchmark.

Executive Action

  • Audit your agent authorization posture immediately. Stop cloning human accounts for agents. Scope every agent permission to a specific data set, specific action, and specific time window. Grieco's test: can this finance agent access only the individual expense report it needs at this moment?
  • Run an MCP server inventory across all environments. If you cannot enumerate your MCP surface, you cannot secure it. Treat MCP servers like shadow IT — discover them before you govern them.
  • Update logging to capture process tree lineage. Ensure your SIEM can answer "was this a human or an agent?" for every session. If it cannot, the gap is open.
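The three actions above reduce to one check: a deny-by-default evaluator that grants an agent exactly one resource, one action and one time window, and records for every decision whether the principal was a human or an agent. The following is an added illustration, not Cisco's or any vendor's code; the agent names, resource paths and timestamp are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

NOW = datetime(2026, 4, 20, 9, 0, tzinfo=timezone.utc)   # constructed timestamp for the demo


@dataclass(frozen=True)
class Grant:
    """One scoped permission: a resource pattern, one action, one time window."""
    resource: str        # exact path, or a prefix ending in "*" (the flat anti-pattern)
    action: str
    not_before: datetime
    not_after: datetime
    def matches(self, resource: str, action: str, now: datetime) -> bool:
        path_ok = (resource.startswith(self.resource[:-1]) if self.resource.endswith("*")
                   else resource == self.resource)
        return path_ok and action == self.action and self.not_before <= now <= self.not_after


@dataclass
class Principal:
    principal_id: str
    kind: str                           # "human" or "agent": the question the SIEM must answer
    grants: Tuple[Grant, ...] = ()      # deny by default: no grant, no access
    on_behalf_of: Optional[str] = None  # delegating human, kept for lineage


def authorize(p: Principal, resource: str, action: str, now: datetime, log: list) -> bool:
    """Allow only if some grant matches resource, action AND time; log every decision."""
    allowed = any(g.matches(resource, action, now) for g in p.grants)
    log.append({"ts": now.isoformat(), "principal": p.principal_id, "kind": p.kind,
                "on_behalf_of": p.on_behalf_of, "resource": resource, "action": action,
                "decision": "allow" if allowed else "deny"})
    return allowed


def demo():
    # Contrast an agent cloned from a human profile with one that passes Grieco's test.
    log = []
    cloned = Principal("finance-agent-cloned", "agent", grants=(
        Grant("finance/*", "read", NOW - timedelta(days=365), NOW + timedelta(days=365)),))
    scoped = Principal("finance-agent-scoped", "agent", on_behalf_of="alice", grants=(
        Grant("finance/expense-reports/ER-1042", "read",
              NOW - timedelta(minutes=5), NOW + timedelta(minutes=30)),))
    r = "finance/expense-reports/ER-1042"
    results = {
        "cloned_reads_payroll": authorize(cloned, "finance/payroll/2026-04", "read", NOW, log),
        "scoped_reads_own_report": authorize(scoped, r, "read", NOW, log),
        "scoped_reads_other_report": authorize(scoped, r.replace("1042", "1043"), "read", NOW, log),
        "scoped_approves_own_report": authorize(scoped, r, "approve", NOW, log),
        "scoped_after_window": authorize(scoped, r, "read", NOW + timedelta(hours=1), log),
    }
    return results, log
```

The cloned agent reads payroll it was never meant to see; the scoped agent is denied the neighbouring report, the approve action, and the same report once its window closes, and each denial is already in the log with `kind="agent"`.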

Why This Matters

The gaps mapped above are not theoretical. Grieco confirmed the incidents are already happening. The controls exist in pieces across multiple vendors. No single vendor has assembled the complete stack. Every day your organization delays closing these gaps, you increase the risk of a breach that could have been prevented. The adversaries are already moving. You must move faster.

Final Take

Agent authorization is the defining security challenge of the agentic era. The industry is still in the early stages of building the necessary controls. Cisco has taken a leadership position, but no vendor has closed every gap. Enterprises must take immediate action to audit their agent permissions, discover their MCP surface, and update their logging. The cost of inaction will be measured in breaches, regulatory fines, and lost trust.

Source: VentureBeat


Intelligence FAQ

Authorization failure. Agents pass authentication but access data they were never scoped to touch because organizations clone human profiles and use flat authorization planes.

Stop cloning human accounts. Scope every agent permission to a specific data set, action, and time window. Use agent-aware IAM solutions like Cisco Duo IAM.

MCP servers proliferate without visibility. Attackers chain MCP with other tools (e.g., Jira) in Living Off the AI attacks. Enterprises must inventory and govern MCP servers like shadow IT.