Here’s a stat that should terrify every CISO: 85% of major enterprise customers are experimenting with AI agents, but only 5% have moved them into production. The gap isn’t capability — it’s security. Companies know AI agents can automate complex workflows. They just can’t figure out how to deploy them without creating massive new attack surfaces.

Cisco announced a comprehensive security framework for AI agents at RSA Conference 2026 on March 23. It includes zero-trust access controls for agents, an open-source security framework called DefenseClaw, and new Splunk integrations that automate threat response at machine speed. It’s the first serious attempt by a major security vendor to solve a problem everyone else has been hand-waving about.

The Problem Is Bigger Than Most People Realize

AI agents aren’t chatbots. They’re autonomous software systems that can read emails, access databases, execute code, make API calls, and take actions across enterprise systems without human approval for each step. That’s what makes them useful. It’s also what makes them dangerous.

Traditional security models are built around human users. You authenticate a person, give them role-based access, monitor their activity, and revoke access if something looks wrong. AI agents break every assumption in that model. An agent doesn’t have a badge. It doesn’t go home at 6pm. It can execute thousands of actions per minute across dozens of systems simultaneously.

Think of it like this: giving a human employee access to your CRM is like handing them a key to one room. Giving an AI agent access is like handing it a master key and telling it to “figure out what needs doing.” The efficiency gain is real. So is the risk of it opening doors it shouldn’t.

What Cisco Actually Built

Zero Trust Access for AI Agents: New capabilities in Cisco’s Duo identity platform let enterprises register AI agents as identifiable entities, map them to human owners who are accountable for their actions, and enforce strict access controls using the Model Context Protocol (MCP). This means an agent can only access systems that its human owner has clearance for, and every action is logged against a responsible person.
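The decision rule described above (registered agent, accountable owner, access bounded by the owner's clearance, every action logged) can be sketched as follows. This is an added example, not Cisco's code or the Duo or MCP API; the registry, clearance table, agent names and the `authorize` function are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical data model; not Cisco Duo's or MCP's actual API.
@dataclass(frozen=True)
class Agent:
    agent_id: str
    owner: str          # accountable human
    granted: frozenset  # systems explicitly granted to the agent

# Constructed sample data.
OWNER_CLEARANCE = {
    "alice": frozenset({"crm", "email"}),
    # "bob" has been offboarded: no clearance entry remains
}
REGISTRY = {
    "agent-sales-01": Agent("agent-sales-01", "alice", frozenset({"crm", "billing-db"})),
    "agent-ops-07": Agent("agent-ops-07", "bob", frozenset({"email"})),
}

def authorize(agent_id, system, action, audit_log):
    """Default-deny decision; every outcome is logged against the owner."""
    agent = REGISTRY.get(agent_id)
    owner = agent.owner if agent else None
    if agent is None:
        allowed, reason = False, "agent not registered"
    elif owner not in OWNER_CLEARANCE:
        allowed, reason = False, "owner has no active clearance"
    elif system not in agent.granted:
        allowed, reason = False, "system not granted to agent"
    elif system not in OWNER_CLEARANCE[owner]:
        allowed, reason = False, "exceeds owner clearance"
    else:
        allowed, reason = True, "within agent grant and owner clearance"
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent": agent_id, "owner": owner, "system": system,
        "action": action, "allowed": allowed, "reason": reason,
    })
    return allowed

def demo():
    log = []
    results = [
        authorize("agent-sales-01", "crm", "read_contacts", log),
        authorize("agent-sales-01", "billing-db", "export", log),  # over-granted agent
        authorize("agent-ops-07", "email", "send", log),           # orphaned agent
        authorize("agent-unknown", "crm", "read_contacts", log),   # unregistered agent
    ]
    return results, log
```

The two denials worth noting are the over-granted agent, whose own grant is wider than its owner's clearance, and the orphaned agent, whose access lapses when its owner's clearance does.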

AI Defense Explorer Edition: A self-serve tool that lets developers test their AI models and applications against attacks before deployment. You can simulate adversarial inputs, check for prompt injection vulnerabilities, and embed guardrails into agents during development rather than bolting them on after.

DefenseClaw: An open-source framework — available on GitHub starting March 27 — that automates security inventory and compliance for agent deployments. It integrates with Nvidia’s OpenShell sandbox to test agent behavior in isolated environments before production deployment. Open-sourcing this is strategically smart: it positions Cisco as the standard-setter while letting the community improve the tools.

Splunk Enhancements: New AI-powered security operations tools that automate response workflows. When an agent behaves anomalously, Splunk can detect the deviation and trigger containment automatically — at machine speed, matching the speed of the agents themselves.

Why This Matters Now

The AI agent market is at an inflection point. OpenAI, Anthropic, Google, and Microsoft are all shipping agent-capable models. Enterprise customers want to deploy them. But without a security framework, every deployment is a calculated gamble.

Cisco’s framework doesn’t solve every problem, but it establishes the foundational concepts: agent identity, accountable ownership, access control, behavioral monitoring, and automated response. These are the building blocks that every future agent security solution will need. By shipping first, Cisco gets to define the vocabulary and the architecture.

The rollout is phased: Detection Studio and Malware Threat Reversing Agent are available now. Exposure Analytics and SOP Agent come in April-May. Automation Builder Agent and Triage Agent target June. Cisco is clearly racing to have a complete stack before the enterprise agent deployment wave hits critical mass.

The Second-Order Effect

If Cisco’s framework becomes the enterprise standard for AI agent security, it creates a moat that extends far beyond security products. Companies that standardize on Cisco’s agent identity system will naturally gravitate toward Cisco’s networking, observability, and collaboration tools for their agent infrastructure. Security becomes the wedge product for a much larger enterprise footprint.

This is the same playbook Microsoft used with Active Directory in the 2000s. Control identity, and you eventually control the ecosystem around it.

The Verdict

Cisco’s AI agent security framework is early, incomplete, and almost certainly not the final answer. But it’s the right question at the right time. The 85-to-5 gap between experimentation and production exists because security hasn’t kept up with capability. Cisco just narrowed that gap.

If you’re an enterprise security team evaluating agent deployments, DefenseClaw is worth putting on your GitHub watch list. If you’re building AI agents, the zero-trust identity model Cisco is proposing will likely become a compliance requirement within two years. Better to design for it now than retrofit later.