Agent readiness for CISOs
Agents give the CISO a new class of insider: software that holds credentials, acts autonomously, and changes behaviour without a code change. The security programme that managed human users and deterministic services needs three extensions — identity, runtime control, and evidence — before agents scale past pilots.
Key concerns
Unattributable action
Agents hiding behind shared service accounts make logs lie: "who did this?" stops having an answer. Until each agent has its own identity and credentials, every downstream control — least privilege, anomaly detection, revocation — is built on sand. Sequencing matters here: attribution is the prerequisite control that the rest of the programme builds on, not one item on a parallel list.
Prompt injection as an access path
Any agent that reads untrusted content (email, web pages, documents, tickets) can be steered by it. The mitigation is not better prompts; it is bounding what a steered agent can do — allowlisted tools, action limits, and approval gates on consequential actions.
Evidence on demand
Regulators, auditors, and incident responders will ask what an agent did, and "we believe" is not an answer. An action-level, append-only audit trail is the control that makes every other agent control demonstrable. Build retrieval time into the requirement itself — evidence that exists but takes a week to produce fails the audit anyway.
Readiness checklist
- Every agent has a distinct identity; shared-credential agents are inventoried with a migration date
- Agent credentials are short-lived and issued at runtime, not stored in config
- Agents that read untrusted input cannot execute irreversible actions without a gate
- An append-only audit trail records consequential agent actions, and retrieval has been rehearsed
- A kill switch exists per agent and has been tested in production conditions
- Shadow-agent discovery (spend analysis, token sweeps) runs on a schedule, not once