AI News
When AI stops suggesting and starts acting, the attack surface explodes. Cybersecurity in the agentic AI era is the biggest strategic shift Indian CISOs, CIOs, and boards face in 2026 — because agentic systems that plan, decide, and execute across live enterprise systems behave like a fast, tireless insider, and most CISO playbooks were never designed for that class of threat. Where a generative model that drafts text is a low-risk co-pilot, an agentic system that can call APIs, move money, provision accounts, or update customer records introduces a new attack surface, a new class of privileged identity, and a new category of incident that can unfold in seconds. This playbook lays out what a modern CISO organisation must build — governance, logging, human-in-the-loop gates, zero-trust for agents, post-quantum readiness, incident response, and the org changes that make all of it real.
India already leads global enterprise AI adoption, and agentic pilots are moving from proof-of-concept into production across BFSI, manufacturing, GCC-led shared services, and public sector. That momentum makes the security question urgent. Read this alongside our deeper coverage on the shift from suggestion to action in agentic AI vs generative AI and the sequencing guidance inside our enterprise AI adoption roadmap. Security is not a separate workstream from the AI programme — in the agentic era, it is the enabling layer that decides whether the programme scales or stalls.
Traditional enterprise security assumed three things: humans initiate actions, applications execute them, and logs record the trail. Agentic AI breaks every one of those assumptions. Agents initiate actions on their own, drive multiple applications through APIs, and generate a decision trail that traditional SIEM tooling was never designed to parse. That is why cybersecurity in the agentic AI era is not a patch on the existing programme — it is a new discipline that sits beside identity, endpoint, network, and data security as a first-class pillar.
Think of an agent as a new kind of identity. It has credentials, it holds permissions, and it acts at machine speed. But unlike a service account, it makes probabilistic decisions. Unlike a human employee, it has no intuition about escalation or reputational risk. And unlike a static script, it can be prompted, jail-broken, or manipulated into acting against its owner's intent through prompt injection, tool poisoning, or a compromised upstream data source. An agentic system that can call APIs, move data and complete tasks is a new class of insider with speed and scale — perimeter defence alone will not contain it.
The threat model expands on three axes. First, blast radius: an agent with API access can move faster than a human attacker and touch more systems per second. Second, attribution: when the agent acts, whose action is it — the vendor's, the developer's, or the business owner's? Third, forensics: reconstructing why an agent chose a particular path requires new observability that most security operations centres do not yet have. See The Agentic Era: how autonomous AI is transforming cyber risk and defence for the underlying research, and the accompanying case for engineering trust into every autonomous system in Building Cyber Trust as Autonomous AI Systems Begin to Act and Decide at Enterprise Scale.
Least-privilege is the single most important design principle for agentic systems. Every agent must have a written scope of allowed actions, an explicit list of systems it can call, a bounded set of accounts it can operate on, and a hard ceiling on the value or volume of actions it can execute. Anything outside that scope requires either a policy update or a human approval — never an implicit grant, and never a runtime shortcut.
The pattern that fails most reliably is the one where an agent is given broad permissions because "it might need them later". That is the same anti-pattern that produced the last decade's IAM incidents, only worse — because an agent can exercise every permission it holds within milliseconds, and repeat the mistake across thousands of transactions before a human notices. Governance must be encoded, not documented in a slide deck.
Practical steps for a CISO organisation:
Traditional application logs record inputs and outputs. They do not record decisions. Agentic systems require a purpose-built observability layer that captures the full decision trace: the prompt or trigger that started the run, the plan the agent generated, each tool call and its response, the intermediate state, the final action, and the outcome. Without that trace, root-cause analysis on an agent incident becomes archaeology — and Indian regulators, from the RBI to SEBI to the DPDP Board, will not accept "the model decided" as an answer.
Design your logging with three consumers in mind: the security operations centre that needs to detect abuse in near real-time, the compliance function that must reconstruct a decision months later, and the model-improvement team that needs to learn from failures. The same trace should serve all three. Store it in a tamper-evident store, retain it for the period your regulators require, and make sure the schema is stable enough that queries written today still work when your agent fleet has doubled.
Pair the trace with anomaly detection tuned to AI-speed threats — patterns of tool calls that deviate from the baseline, sudden spikes in refund volume, unusual database read patterns, or agents that begin calling APIs they have never called before. Traditional user-behaviour analytics baselined on humans will not catch these. Agent-behaviour analytics is a new capability that a modern cybersecurity function must build or buy.
Not every agent action is equal. Sending a status email is reversible; wiring funds is not. The CISO's job is to draw a bright line between actions an agent may take autonomously and actions that require a human approval before execution. The gate belongs at the action layer, not at the prompt layer — because a well-designed policy engine can enforce it regardless of what the model was asked to do.
A workable classification:
Human-in-the-loop is not a workflow slowdown — it is the mechanism that lets the rest of the agentic estate run autonomously with confidence. Get the classification right and the productivity story survives contact with the risk committee.
Adversaries have agents too. Phishing at scale, personalised social engineering, automated vulnerability discovery, credential-stuffing at machine speed, and prompt-injection attacks against your own agents are already visible in Indian threat telemetry. The economics of attack have shifted — what previously required a skilled operator can now be templated by an agent, and the marginal cost of the next attack is near zero.
The CISO response must be symmetric. Where attackers deploy agents, defenders must deploy them too — for triage, correlation, and automated containment inside pre-approved playbooks. The same governance principles apply on the defender side: named owners, allowed-action scopes, full logging, and human approval for high-impact containment. Defensive agents should be treated as production systems, not experiments, from day one.
Specific new attack classes to plan for:
Deploy AI-tuned anomaly detection, red-team your agents on the same cadence you red-team your applications, and treat cybersecurity AI solutions as first-class production systems with owners, budgets, and roadmaps — not sidecars to the existing SOC.
Agentic systems will handle more sensitive data flows than any generation of enterprise software before them. That makes the crypto question urgent. Practical quantum machines capable of breaking widely deployed public-key algorithms are not here yet, but the "harvest now, decrypt later" attack pattern is — adversaries capture encrypted traffic today with the expectation of decrypting it in five to ten years. Long-lived secrets protected only by RSA or ECC are already exposed to that timeline.
Practical planning steps for a 2026 programme:
Read the deeper trend piece in our quantum coverage — the intersection with agentic AI is where the risk compounds fastest.
Zero-trust was built for humans and devices. It generalises cleanly to agents, but not by default. Every agent request should be authenticated, authorised against an explicit policy, logged, and evaluated against real-time context — the same as a human user request. Network location must not be a substitute for trust; an agent inside the data centre is not implicitly trusted.
The practical shift for cybersecurity in the agentic AI era is that agents also become subjects of zero-trust checks when they call downstream systems. That means the tool-call layer needs its own policy engine, its own audit trail, and its own key management — separate from the human-facing IAM. Treat the agent-to-tool boundary as a new perimeter, and instrument it accordingly.
Boards should ask for a zero-trust maturity model for agents alongside the one for users. If the answer is "we haven't started", the agentic programme is not ready for scale.
An agent incident does not look like a traditional application incident. It may not throw an exception. It may not trigger a monitoring alarm. It may simply be that the agent decided, confidently and quickly, to do the wrong thing across a thousand transactions before anyone noticed. The response playbook must reflect that reality.
Every agent deployment needs four things in the incident-response bundle: a kill switch that immediately halts the agent's ability to act, a rollback plan for actions the agent has already taken, a communication plan for customers or counterparties who may have been affected, and a post-incident review template that captures the decision trace, the failure mode, and the policy change required to prevent recurrence.
Simulate agent incidents. Table-top exercises for agentic scenarios — a hijacked customer-service agent, a poisoned data source, a permissions escalation — should sit alongside your ransomware and DDoS drills through 2026. In BFSI specifically, coordinate with the operational-resilience programme; agentic incidents are operational-resilience events, not just cyber events, and Indian regulators will expect them to be treated as such. Our sector guide to AI in banking and BFSI in India covers the regulatory expectations in more depth.
The CISO organisation of 2026 needs new roles and new rituals. An Agent Security Architect owns the reference pattern for every agentic deployment — the scope, logging, permissions, and gates. An Agent Trust Officer works jointly with the responsible-AI function to align security controls with the governance obligations under the DPDP Act and forthcoming AI-specific guidance. Our guide to responsible AI and DPDP compliance in India covers the overlap in detail.
Security and responsible AI governance are inseparable in the agentic era. Both must be in your adoption roadmap from day one. The old model — where the CISO reviews AI use cases at the end of the cycle — no longer works. Security has to sit inside the product team from day one, with veto rights over any deployment that lacks named ownership, logging, or a rollback path.
Rituals that a modern CISO org should run every quarter:
Modern cybersecurity AI solutions shift the focus from perimeter defence to governing autonomous behaviour — identity for agents, action monitoring, and anomaly detection tuned for AI-speed threats. That shift is the CISO's brief for 2026.
Cybersecurity in the agentic AI era is a new discipline, not a patch on the old one. Enterprises that treat agents as first-class identities, enforce least-privilege in the platform, log every decision, gate every irreversible action, plan for post-quantum, and rehearse agent-specific incidents will scale their AI programmes safely — and turn India's adoption leadership into durable, defensible P&L. Enterprises that do not will learn the hard way, at machine speed, and often in public. Build the playbook now, before the next agent goes live. Subscribe to The TechLens to stay ahead of the shift, and explore more in our Cybersecurity coverage.
Agentic AI can call APIs, move data, and complete multi-step tasks autonomously — behaving like a fast, tireless insider. That expands the attack surface beyond what perimeter defence covers and demands agent-level governance: least-privilege scopes, tool-call logging, human-in-the-loop gates for high-risk actions, and anomaly detection tuned to AI-speed patterns. Traditional SIEM and IAM tooling was not built for probabilistic actors, so cybersecurity in the agentic AI era becomes a new pillar rather than an extension of the existing programme.
A CISO playbook for the agentic AI era should include least-privilege permissions for every agent, purpose-built decision-trace logging, human-in-the-loop gates for irreversible actions, active defence against AI-powered attacks (prompt injection, tool poisoning, deepfake fraud), post-quantum encryption planning for long-life secrets, zero-trust extended to agent-to-tool boundaries, agent-specific incident response, and new roles such as an Agent Security Architect who owns the reference pattern for every deployment.
Enterprises need cybersecurity AI solutions that govern autonomous behaviour rather than perimeter alone: identity for AI agents, tool-call and decision-trace monitoring, anomaly detection tuned for machine-speed threats, automated containment inside pre-approved playbooks, and red-team tooling for agentic systems. These should be treated as production platforms with named owners and roadmaps, not as sidecars bolted onto an existing SOC.
Treat prompt injection and tool poisoning as first-class threats. Enforce action scopes at the platform layer so a manipulated prompt cannot escalate beyond its allowed operations, sanitise and validate any external data the agent reads, monitor for anomalous tool-call sequences, and run adversarial red-team exercises on live agents on the same cadence as application penetration tests. Never rely on prompt-only guardrails for high-risk actions.
Agentic systems handle unusually large volumes of sensitive data flows and long-lived secrets — customer records, credentials, contract data — that adversaries are already capturing under a "harvest now, decrypt later" model. Inventorying crypto use, prioritising long-life secrets, adopting hybrid classical-plus-post-quantum key exchange, and pushing vendors for post-quantum roadmaps is prudent now, well before quantum machines become practical.
The CISO organisation needs new roles (Agent Security Architect, Agent Trust Officer), new rituals (quarterly agent inventory, permission-drift audits, red-team exercises, agent-focused table-tops, board briefings that translate agent risk into business risk), and a new operating model in which security sits inside the product team from day one with veto rights on any deployment that lacks named ownership, logging, or a rollback path.