- Every interaction should be authenticated, authorised and monitored in real time, following Zero Trust principles that assume no identity or connection should be trusted by default.
- Those relying on legacy, human-centric security models risk leaving significant gaps in their defences.
Artificial intelligence is entering a new phase. Rather than simply responding to prompts, AI systems are increasingly capable of acting independently with regards to planning, making decisions, accessing applications, and executing tasks with minimal human intervention.
This evolution towards Agentic AI promises significant gains in productivity and automation, but it also fundamentally changes the enterprise security landscape.
Traditional cybersecurity strategies were built around human users interacting with applications. Agentic AI shifts that model towards autonomous machine-to-machine interactions, creating an entirely new category of risk that many organisations are not yet prepared to address.
Unlike conventional generative AI tools, AI agents do much more than generate content. They connect to external tools, data sources and APIs, often through protocols such as the Model Context Protocol (MCP), enabling them to complete complex, multi-step workflows.
Where an AI assistant might summarise a report, an AI agent could analyse the findings, access internal systems, generate their own temporary task-specific code, write deployable code for new applications, execute processes and trigger business actions. All without direct human oversight.
This autonomy introduces a much broader attack surface. AI agents can become highly privileged non-human identities, interacting continuously with enterprise applications, APIs and sensitive data.
Attractive opportunities for attackers
To complete complex tasks, they generate and execute their own code for efficiency, creating additional security considerations around runtime environments, data access and execution controls. In most advanced use cases, agents also have their own memory, allowing the agent to retain, recall, update, and forget information over time.

These capabilities also create attractive opportunities for attackers. Rather than targeting users directly, malicious actors can attempt to manipulate the agent itself through techniques such as indirect prompt injection, memory poisoning, embedding malicious instructions within trusted documents, websites or external content.
If successful, an agent could unknowingly perform unauthorised actions, move laterally across systems, consume excessive API resources or expose sensitive corporate data.
The challenge is that many organisations remain reliant on security models designed for a fundamentally different world. Existing identity and access management frameworks were built for human users and static services, relying on persistent credentials, predictable network behaviour and relatively stable trust relationships. Autonomous AI agents simply don’t operate this way.
As organisations deploy more agents, they need to treat them as dynamic, continuously verified identities rather than trusted applications. Every interaction should be authenticated, authorised and monitored in real time, following Zero Trust principles that assume no identity or connection should be trusted by default.
This also requires a new approach to identity itself. Granting AI agents broad, long-lived credentials or human-level permissions significantly increases the potential impact of compromise.
Instead, organisations should adopt short-lived, cryptographically verified identities that are tightly scoped to specific tasks and permissions. Identity should become contextual, continuously evaluated based on what the agent is attempting to do, rather than simply who it claims to be.
“Shadow AI” challenges
Visibility is equally important. Many organisations already struggle with shadow IT; the rapid adoption of AI introduces the additional challenge of “shadow AI”, autonomous systems operating outside established governance processes.
Without comprehensive visibility into AI traffic, organisations cannot accurately understand which agents are operating, what data they are accessing or which APIs they are using.
Protecting these environments requires security controls that operate inline, inspecting AI interactions without slowing them down.
AI-specific firewalls, centralised AI gateways and real-time monitoring provide organisations with the ability to identify malicious prompts, detect model manipulation, enforce policy and prevent sensitive information from leaving the organisation.
Inline Data Loss Prevention (DLP) becomes especially important as autonomous agents increasingly interact with proprietary intellectual property, customer information and regulated data.
API security also becomes central to protecting Agentic AI. Since agents rely heavily on APIs to execute actions across enterprise systems, organisations need continuous visibility into exposed endpoints alongside intelligent rate limiting to prevent abuse, resource exhaustion and denial-of-service attacks.
Every API request should be evaluated not only for authentication but also for intent; ensuring agents only perform actions appropriate to their assigned responsibilities.
Build confidence
Ultimately, securing Agentic AI requires a defence-in-depth strategy that combines Zero Trust access controls, AI-aware application security, continuous API visibility and dynamic identity verification. Security cannot be bolted on after deployment. It must become an integral part of the AI infrastructure itself.
The business opportunity presented by autonomous AI is enormous. Organisations that successfully deploy AI agents will unlock new levels of efficiency, innovation and operational scale. However, the same autonomy that makes these systems valuable also makes them fundamentally different to secure.
The transition to Agentic AI is not simply another technology upgrade. It represents a shift in how enterprises think about identity, trust and security. Organisations that adapt their security architectures now will be best positioned to embrace autonomous AI with confidence, while those relying on legacy, human-centric security models risk leaving significant gaps in their defences.
As AI agents become trusted participants within enterprise environments, security must evolve just as rapidly. The future belongs not only to organisations that adopt AI first, but to those that secure it first.
- The author, Christian Reilly, is the Field Chief Technology Officer for EMEA at Cloudflare.

You must be logged in to post a comment.