CISO

Agent readiness for CISOs

Agents give the CISO a new class of insider: software that holds credentials, acts autonomously, and changes behaviour without a code change. The security programme that managed human users and deterministic services needs three extensions — identity, runtime control, and evidence — before agents scale past pilots.

Key concerns

Unattributable action

Agents hiding behind shared service accounts make logs lie: "who did this?" stops having an answer. Until each agent has its own identity and credentials, every downstream control — least privilege, anomaly detection, revocation — is built on sand. Sequencing matters here: attribution is the prerequisite control that the rest of the programme builds on, not one item on a parallel list.

Prompt injection as an access path

Any agent that reads untrusted content (email, web pages, documents, tickets) can be steered by it. The mitigation is not better prompts; it is bounding what a steered agent can do — allowlisted tools, action limits, and approval gates on consequential actions.

Evidence on demand

Regulators, auditors, and incident responders will ask what an agent did, and "we believe" is not an answer. An action-level, append-only audit trail is the control that makes every other agent control demonstrable. Build retrieval time into the requirement itself — evidence that exists but takes a week to produce fails the audit anyway.

Readiness checklist

  • Every agent has a distinct identity; shared-credential agents are inventoried with a migration date
  • Agent credentials are short-lived and issued at runtime, not stored in config
  • Agents that read untrusted input cannot execute irreversible actions without a gate
  • An append-only audit trail records consequential agent actions, and retrieval has been rehearsed
  • A kill switch exists per agent and has been tested in production conditions
  • Shadow-agent discovery (spend analysis, token sweeps) runs on a schedule, not once

Frequently asked questions

Do existing IAM tools cover agent identity?

Mostly yes for the primitives — service principals, short-lived credentials, conditional policies. What they lack is the agent layer: identity that carries agent version and risk context, and issuance tied to a registry. Teams compose this from IAM plus an agent platform rather than replacing IAM.

Find out where your organisation stands on agent readiness.

Take the assessment →