Agentic Security and the Gap Between Approval and Execution

At RSA Conference, Cisco President and Chief Product Officer Jeetu Patel focused on the security consequences of agents taking action across enterprise systems, pointing to a gap between how permissions are granted and how those permissions play out during execution.

Once an agent begins a task, its actions can extend across multiple systems without being re-evaluated. A workflow that starts with a valid request can continue into steps that were never explicitly approved, leading to outcomes such as broader data exposure or unreviewed transactions.

These actions unfold as part of normal system interactions, which makes them harder to catch in the moment.

The keynote also highlights that existing controls are not designed to follow execution across systems. Checks are applied at the point of access, while risk develops as actions move forward. Individual steps can appear acceptable on their own, yet still contribute to outcomes that introduce exposure when viewed together.

Why It Matters: The keynote outlines security challenges tied to execution, permissions, and ongoing system activity. Permissions granted for a specific task can carry into additional actions that were not anticipated, creating blind spots that only become visible when looking across the full sequence of activity.

• Execution Carries Immediate Risk Once Actions Begin: Once an agent initiates a task, execution moves across connected systems without a built-in pause for review. Actions such as booking expenses or modifying records are carried through end to end, so an error is not contained to a single step. The result can include outcomes like unauthorized charges or changes to systems that are difficult to reverse, depending on the level of authority the agent was given.

• Literal Instruction Following Creates Gaps Between Intent and Outcome: Agents execute instructions as written, without interpreting intent or recognizing when something falls outside normal expectations. When instructions are incomplete or too broad, the agent continues anyway, producing outcomes that align with the input but not with the desired result. This is where sensitive data can be shared too widely or access can be extended beyond what was actually intended.

• System Interconnectivity Extends Risk Across Every Interaction: Agents move between systems as part of completing a single task, linking calendars, financial platforms, communication tools, and external services. Each step introduces another point where data can move or permissions can carry forward. What begins in one system does not stay there, and exposure builds as actions continue across these connections.

• Standard Workflows Can Trigger Cascading Access and Data Issues: A routine request can unfold into a chain of dependent actions, each building on the last. Sending invites can pull in personal data, which can then be shared or exposed through another system, while access granted for one step may persist into the next. These outcomes are not the result of unusual behavior but of normal workflows continuing without clear limits.

• Security Must Address Risks Across the Agent Lifecycle: Risk exists across how agents are built and how they operate. This includes weaknesses in models, changes to stored memory, unverified external tools, hidden instructions in connected services, and corrupted inputs. It also includes how and where agents run, especially if they are able to move beyond intended boundaries during execution.

• Effective Control Requires Continuous Governance of Actions and Permissions: Oversight depends on knowing which agents are active and how their permissions are being used over time. Access must be constrained to specific tasks and removed when no longer needed, while actions are evaluated as they happen. Without this level of control, activity can appear valid in isolation while still leading to outcomes that introduce risk.

Go Deeper -> Reimagining Security for the Agentic Workforce – RSA Conference