Agent authorization failures are widespread despite successful authentication checks

Most security frameworks can verify identity, but that’s not where today’s biggest risks lie. Agents, software entities that act autonomously on behalf of people or systems, are passing authentication tests yet stepping far beyond their intended boundaries. What looks safe on paper often isn’t in practice. At Cisco, the team sees these incidents regularly. Anthony Grieco, Cisco’s SVP and Chief Security and Trust Officer, confirmed that unauthorized agent activity is happening across customer environments right now.

This growing problem reflects how organizations move faster than their controls can evolve. In the drive to innovate, many are set to deploy hundreds of AI agents per employee. That kind of scale can break traditional security models. Authentication alone no longer guarantees safety; what matters is how access is managed after identity is confirmed. Authorization, the rules defining what each system, user, or agent can actually do, has become the new fault line.

Executives must understand that authorization design now determines the entire security posture of an AI-driven enterprise. Authentication confirms who is acting; authorization controls the behavior that follows. This requires defining and enforcing context-aware permissions that adapt to what the agent is doing, what data it touches, and when it operates. It’s operational security elevated to a strategic level.

Cisco’s State of AI Security 2026 report outlines the disconnect clearly. Eighty-three percent of organizations plan to deploy agentic systems, but only twenty-nine percent feel prepared to secure them. That imbalance signals a market sprinting ahead without enough guardrails. For executive teams, the message is simple: if your organization wants to move quickly in AI adoption, your authorization frameworks must move faster. Waiting is not an option.

The core authorization gap stems from insufficiently granular access control for AI agents

The authorization problem goes beyond weak controls; it’s about a lack of precision. AI agents today often inherit the same permissions as human users. In most environments, this starts with good intentions. Teams clone existing user profiles to save time and maintain consistency, but the result is an explosion of unnecessary access. Agents end up with broad, permanent privileges that no one revisits or recalibrates. From a security perspective, that’s a silent breach waiting to happen.

Anthony Grieco made it clear that this is the heart of the issue. He described a clear standard: if an agent handles financial data, it should only access what it needs, one expense report, at one moment in time, and nothing beyond that. This is the type of granular, time-bound control enterprises must achieve to deploy agents safely at scale. Carter Rees, VP of AI at Reputation, reinforced this view, describing how a “flat authorization plane” within large language models allows over-permissioned access to persist. There’s no natural hierarchy of privileges. Everything runs on the same level.

For C-suite leaders, this means authorization must evolve into a continuous governance discipline. Static permissions are no longer workable. What’s required now is adaptive authorization that adjusts automatically to context: who or what is making the request, and for what purpose. It’s a business enabler that lets innovation proceed without fear of losing control over sensitive systems.

Executives should push their organizations toward zero-trust principles for agents, just as they have for users. Every access request should be specific, limited, and verifiable in real time. Agents must be registered as independent identities, each restricted to the smallest possible scope of action. Security leaders like Grieco see this level of control as the path forward, not to slow innovation, but to make it sustainable. The companies that implement granular authorization now will be the ones still moving fast, and securely, in the years to come.
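The standard Grieco describes, one agent identity, one resource, one moment in time, can be stated as a policy check. The following is an added illustration, not code from Cisco or any vendor: the grant model, the resource and agent names, and the one-hour audit threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed illustration of scoped, time-bound agent grants (not a real
# vendor's policy engine): each agent is its own principal, and each grant
# names one action on one resource for a short window.
@dataclass(frozen=True)
class Grant:
    principal: str      # registered agent identity, never a cloned user profile
    action: str         # e.g. "read"
    resource: str       # exact resource id, or "*" for the over-broad clone
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Request:
    principal: str
    action: str
    resource: str
    at: datetime

def authorize(grants, req):
    """Deny by default; allow only an exact principal/action/resource match
    inside the grant window. Wildcards are honoured but labelled so reviewers
    can spot them in decision logs."""
    for g in grants:
        if g.principal != req.principal or g.action != req.action:
            continue
        if g.resource not in ("*", req.resource):
            continue
        if not (g.not_before <= req.at <= g.not_after):
            return False, f"grant for {g.resource} outside its validity window"
        kind = "WILDCARD" if g.resource == "*" else "scoped"
        return True, f"{kind} grant matched {g.resource}"
    return False, "no matching grant"

def audit_overbroad(grants, max_window=timedelta(hours=1)):
    # Grants to recalibrate: resource wildcards, or windows longer than max_window.
    return [g for g in grants
            if g.resource == "*" or (g.not_after - g.not_before) > max_window]

T0 = datetime(2026, 5, 27, 9, 0, tzinfo=timezone.utc)  # constructed clock
# The same agent under a cloned-user grant and under a properly scoped one.
CLONED = Grant("agent-expenses", "read", "*", T0, T0 + timedelta(days=365))
SCOPED = Grant("agent-expenses", "read", "expense_report/4711",
               T0, T0 + timedelta(minutes=10))

def check(grants, principal, resource, minutes_after_t0):
    """Read request by principal at T0 + minutes; returns (allowed, reason)."""
    return authorize(grants, Request(principal, "read", resource,
                                     T0 + timedelta(minutes=minutes_after_t0)))
```

Under the scoped grant the agent reads only report 4711 and only for ten minutes; under the cloned grant it reads any report for a year, which is exactly what `audit_overbroad` surfaces.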


Lack of visibility and monitoring obscures the distinction between agent and human activity

Enterprises are flying blind when it comes to knowing whether an action in their systems comes from a human or an AI agent. Most security logs today don’t show the difference. The process lineage that identifies a digital action’s origin, who or what initiated it, and which system carried it out, is often missing. That means over-permissioned agents can act within enterprise systems without detection, leaving security teams unable to trace or contain their behaviors.

Elia Zaitsev, CTO of CrowdStrike, stated that most logging standards don’t capture enough detail to distinguish an agent’s operation from a person’s. Even advanced systems can merge both under one process identity. Anthony Grieco at Cisco added that without identity-to-action mapping, you can’t manage or secure your environment effectively. This is a visibility problem: the infrastructure simply doesn’t record enough context.

For executives, this visibility gap represents a strategic risk. If an enterprise cannot tell what type of entity triggered a system change or data request, the organization has no reliable defense posture. Security teams can’t investigate threats they can’t see. Addressing this requires more than another monitoring dashboard; it means redesigning telemetry and log capture to register not only what happened, but who, or what, made it happen.

The path forward involves updating SIEM (Security Information and Event Management) configurations and integrating process-tree lineage visibility. In practice, this allows teams to trace an action back to its true executor. By investing in these capabilities, executives equip their organizations to maintain operational transparency across both human and autonomous activity. The goal is not to limit agents; it’s to make their actions observable and accountable.
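What process-tree lineage adds to a log is shown below, as an added example that is not CrowdStrike's, Cisco's or any SIEM's code. The telemetry format, the identity tag, and the sample records are constructed assumptions; the point is that an action is attributed to the nearest tagged ancestor, and anything that reaches the root untagged is a blind spot.

```python
import json

# Constructed sample telemetry (not from any real SIEM or EDR): one record per
# process start, carrying ppid lineage and, where the launcher attached one, an
# identity tag that says whether a human or a registered agent is behind it.
SAMPLE_LOG = """
{"pid": 100, "ppid": 1, "comm": "sshd", "identity": {"type": "human", "id": "alice"}}
{"pid": 101, "ppid": 100, "comm": "bash"}
{"pid": 102, "ppid": 101, "comm": "python", "identity": {"type": "agent", "id": "agent-expenses", "on_behalf_of": "alice"}}
{"pid": 103, "ppid": 102, "comm": "curl", "action": "read expense_report/4711"}
{"pid": 200, "ppid": 1, "comm": "cron"}
{"pid": 201, "ppid": 200, "comm": "python", "action": "export customers.csv"}
"""

def parse(log):
    """Index process-start records by pid (insertion order preserved)."""
    recs = [json.loads(line) for line in log.strip().splitlines()]
    return {r["pid"]: r for r in recs}

def lineage(procs, pid):
    """Walk ppid links from pid back to the root; returns the chain of records."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]); pid = procs[pid]["ppid"]
    return chain

def attribute(procs, pid):
    """Nearest identity tag on the lineage, or None when the action cannot be
    tied to either a human or a registered agent."""
    for rec in lineage(procs, pid):
        if "identity" in rec:
            return rec["identity"]
    return None

def findings(log):
    """One (executor, action, process chain) triple per recorded action."""
    procs, out = parse(log), []
    for pid, rec in procs.items():
        if "action" not in rec:
            continue
        ident = attribute(procs, pid)
        chain = " <- ".join(r["comm"] for r in lineage(procs, pid))
        if ident is None:
            executor = "UNATTRIBUTED"   # the blind spot: nobody owns this action
        elif ident["type"] == "agent":
            executor = f"AGENT {ident['id']} for {ident.get('on_behalf_of', '?')}"
        else:
            executor = f"HUMAN {ident['id']}"
        out.append((executor, rec["action"], chain))
    return out
```

In the sample, the expense-report read resolves to the registered agent acting for alice, while the cron-launched export resolves to no identity at all and is the record a SOC would need to chase.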

Industry standards organizations independently confirm structural gaps in agent authorization frameworks

When three of the most authoritative cybersecurity bodies, NIST, OWASP, and the Cloud Security Alliance, identify the same weakness in the same period, that’s not coincidence; it’s validation. Each organization has analyzed the security posture around AI agents and arrived at the same conclusion: authorization frameworks are not yet ready for autonomous systems at scale.

NIST’s National Cybersecurity Center of Excellence (NCCoE) released a concept paper in February 2026 urging industry leaders to demonstrate how existing identity standards can adapt to agents. OWASP’s Top 10 for Agentic Applications (2025) placed over-permissioning and unsafe delegation among the most critical security risks. Meanwhile, the Cloud Security Alliance created the CSAI Foundation, focused entirely on securing the “Agentic Control Plane” with decentralized identifiers and zero-trust architectures.

For executives, the takeaway is clear: these findings show structural, not vendor-specific, flaws. The current models for managing identity and access were built for static systems and human operators. Autonomous agents operate continuously and contextually; they don’t fit old frameworks. By aligning early with emerging standards from NIST, OWASP, and CSA, businesses can influence development in ways that fit enterprise-scale operations instead of retrofitting controls later.

This is the moment to act. Corporate leaders should direct their security teams to participate in standards development and pilot test identity frameworks built for autonomous entities. Doing so is foresight. The organizations that help shape these rules will not only meet them sooner but will also execute AI strategies safely and confidently while competitors scramble to catch up.

MCP adoption introduces new governance and discovery challenges in agent security

The Model Context Protocol (MCP) has quickly become a foundational layer for how AI systems interact, yet most enterprises have little control or visibility over it. Every major vendor at RSAC 2026 acknowledged MCP’s importance while admitting its current security weaknesses. Anthony Grieco, Cisco’s SVP and Chief Security and Trust Officer, put it plainly: it’s no longer realistic for security leaders to block MCP; the focus must shift to managing it effectively.

Inside Cisco, Grieco’s team has integrated MCP discovery, proxying, and inspection into their security products, treating MCP servers as they would unmonitored internal systems. This approach allows them to detect shadow deployments, MCP instances created outside established governance, before they become unmanaged risks. Etay Maor, VP of Threat Intelligence at Cato Networks, demonstrated how attackers are already exploiting these gaps. His “Living Off the AI” attack at RSAC 2026 chained Atlassian’s MCP and Jira Services to bypass defenses, showing just how easily mismanaged agent connections can be compromised.

For executives, the lesson is that unmanaged MCP environments represent direct business exposure. Failure to inventory and control all MCP instances gives adversaries a route that bypasses traditional IT oversight. Governance needs to extend beyond human-driven systems into every machine-generated connection. Executives should mandate that their technology teams implement MCP discovery and inspection tools before any broader AI governance framework takes shape.

Leaders should treat MCP oversight as a continuous discipline, not a one-time audit. Every new MCP server added to the environment alters the security surface. Maintaining real-time awareness ensures that enterprises stay ahead of potential misuse, regardless of how quickly their agent ecosystem scales.

Aging and unpatched infrastructure significantly magnifies agent-related security risks

The base infrastructure supporting modern agent systems is outdated in many organizations, and that problem multiplies every risk. Research commissioned by Cisco from WPI Strategy found that nearly half of the critical infrastructure across the U.S., U.K., France, Germany, and Japan is at or near end-of-life, meaning vendors are no longer providing security patches or technical support. Grieco explained that when agents operate within such environments, their security value collapses, because the foundation itself isn’t secure.

Outdated systems can’t handle modern authorization logic or persistent telemetry demands. They lack compatibility with zero-trust frameworks and advanced IAM configurations, which are essential for managing hundreds or thousands of agents operating at once. Cisco’s Resilient Infrastructure initiative seeks to fix this by disabling insecure defaults, deprecating legacy protocols on a three-release schedule, and reclassifying end-of-life replacements as security priorities rather than mere IT upgrades.

Executives must recognize infrastructure modernization as a business-critical security measure, not an operational expense. Every unpatched system can undermine even the most advanced agent governance policy. Upgrading core systems also protects business continuity, ensuring agents can operate efficiently within environments designed to handle their workload and complexity.

For leadership teams, the takeaway is strategic discipline: commit to an accelerated upgrade cycle and treat aging infrastructure as a direct security liability. Decision-makers who allocate budget now for modern, secure environments will not only reduce exposure but also enable their organizations to adopt AI technologies safely and at scale.

Enterprises must immediately address four operational security gaps to protect agentic systems

Organizations are already experiencing the consequences of weak agent governance. Anthony Grieco, Cisco’s SVP and Chief Security and Trust Officer, stated that rogue agent incidents are not hypothetical; they are active, recurring realities in enterprise environments. VentureBeat’s cross-analysis with experts from IEEE, Reputation, Cato Networks, and CrowdStrike identified four critical failure points that leaders should act on immediately: aging infrastructure, unmanaged MCP deployments, agent over-permissioning, and lack of visibility into agent behavior. Each of these weaknesses exposes enterprises to unnecessary and compounding risks.

The first gap, aging infrastructure, is a direct result of neglected system lifecycle management. When foundational technology is outdated, even strong governance controls cannot prevent exposure. Second, unmanaged MCP environments create blind spots that allow agents to operate beyond any formal security oversight. Third, agent over-permissioning continues to spread because most organizations still duplicate human access privileges instead of defining unique, scoped identities for agents. Fourth, behavioral visibility remains poor because current logs fail to track agent actions distinctly from human ones, leaving Security Operations Centers unable to trace or contain malicious or unintended activity.

For executives, these four areas define the minimum action threshold required to secure AI-driven operations. Addressing them will not only strengthen enterprise resilience but also align AI adoption with regulatory and operational stability. Grieco emphasized that this isn’t a future goal; it must happen now. Security teams need to audit every system for end-of-life risks, map all MCP servers, assign time- and data-bound permissions to each agent, and adjust their SIEM systems to recognize whether a task was executed by a human or an agent.

This is a moment for leadership to act decisively. These corrective actions lay the groundwork for a secure and scalable agentic ecosystem. Intervening early allows organizations to prevent operational misuse, sustain productivity, and advance AI integration without undermining corporate trust or control. Experts including Kayne McGladrey of IEEE, Carter Rees of Reputation, Etay Maor of Cato Networks, and Elia Zaitsev of CrowdStrike all validated these measures. Their collective perspective points to a single conclusion: organizations that fix these foundational weaknesses now will have a lasting strategic advantage in securing their AI future.

In conclusion

The shift to AI-driven operations is accelerating, and agent security is the next governance frontier. Identity checks alone no longer guarantee protection. Authorization, visibility, and infrastructure readiness now define whether enterprises can innovate safely or expose themselves to systemic risk.

Executives should view this moment as pivotal. The goal isn’t just defending against threats; it’s building the trust layer that enables large-scale automation. That means enforcing granular permissions, mapping every AI connection, and prioritizing continuous discovery over static compliance.

The market data is clear: most organizations intend to scale agent use, but few are ready to secure it. Those that act early, modernizing their foundations, tightening controls, and aligning with emerging standards, will establish a durable competitive edge.

Security can’t be an afterthought; it has to evolve alongside the technology it protects. The leaders who move first won’t just close the gaps; they’ll define how secure, agentic enterprises operate in the years ahead.

Alexander Procter

May 27, 2026

