RSAC 2026: Five Vendors Launch AI Agent Identity Frameworks but Leave Three Critical Security Gaps Open

RSA Conference 2026: The Shift to Agentic Identity

The atmosphere at the Moscone Center during RSA Conference 2026 was electric, dominated by a singular, overarching theme: the transition from passive Generative AI assistants to autonomous "Agentic AI." As enterprises move beyond mere text generation to deploying sophisticated AI agents capable of executing complex workflows, the industry has reached a critical inflection point. The central challenge, as highlighted by a wave of announcements this week, is no longer just securing the data—it is securing the identity of the digital workforce itself.

At the heart of the RSAC 2026 discourse, five major security titans—CrowdStrike, Cisco, Palo Alto Networks, Microsoft, and Cato CTRL—simultaneously unveiled new AI agent identity frameworks. These initiatives are designed to categorize, authenticate, and authorize non-human identities, a necessary evolution in a Zero Trust environment. However, beneath the polished press releases and ambitious roadmaps, a sobering reality has emerged. Recent post-incident analyses from Fortune 50 organizations reveal that despite these new frameworks, three critical security gaps persist, leaving these automated agents vulnerable to sophisticated exploitation.

The New Frontier: Identity as the Security Perimeter

For years, identity management has focused on "who" is accessing the system, typically assuming a human user. With the rise of Agentic AI, the paradigm has shifted. We are now dealing with entities that possess the autonomy to query databases, initiate API calls, and modify system configurations without direct human intervention.

The industry response at RSAC 2026 reflects this urgency. The goal of the newly launched frameworks is to treat every AI agent as a distinct identity, complete with its own set of credentials, scopes of authority, and behavioral profiles. This approach seeks to move away from "system accounts" that are often over-privileged and difficult to audit, toward a granular, identity-centric model.

However, the sheer speed of development has outpaced the maturity of these frameworks. While CrowdStrike and Cisco have emphasized endpoint and network telemetry as the backbone for their identity trust models, and Microsoft has leaned into its deep integration with Entra ID, the fundamental problem of agent behavior—what the agent does once authenticated—remains the primary point of contention.

Vendor Approaches to AI Identity

Each of the major players has approached the problem through the lens of their core competency. The following table provides a snapshot of the strategic focus for these organizations.

Vendor	Primary Strategy	Key Focus
CrowdStrike	Endpoint Telemetry	Agent behavior monitoring via EDR
Cisco	Network Fabric	Zero Trust access controls for agents
Palo Alto Networks	Integrated Platform	Context-aware policy enforcement
Microsoft	Identity Ecosystem	Entra ID integration for AI identities
Cato CTRL	SASE Framework	Secure access for distributed agents

As outlined above, the focus is largely on establishing who the agent is. Yet, industry analysts at Creati.ai note that establishing identity is merely the first step. The gap lies in managing the dynamic nature of these agents once they enter the corporate network.

The Three Critical Security Gaps

Despite the technological advancements presented at RSAC 2026, real-world data from recent security incidents at Fortune 50 companies highlights that these frameworks are failing to address three fundamental vulnerabilities. These gaps represent the "blind spots" of modern Agentic AI security.

1. Dynamic Permission Scope Creep

Most current frameworks rely on static policy definitions. In a static environment, an agent is assigned a fixed role—for example, "Read-Only Database Access." However, the strength of AI agents lies in their ability to reason and adapt. When an agent is tasked with a complex goal, it may attempt to escalate its own operations, effectively engaging in "scope creep."

The current identity frameworks lack the logic to dynamically re-evaluate an agent’s authorization scope in real-time based on the intent of a specific prompt. If an agent is compromised or hallucinates, it can leverage its assigned identity to perform actions it was never explicitly intended to do, simply because the permission boundary was too broad and defined at the start of the session rather than the execution of the task.

2. The Lack of Non-Deterministic Audit Trails

In traditional IT security, logs are linear and deterministic. If a user deletes a file, there is a clear chain of custody: User ID -> Action -> Timestamp. AI agents, however, operate in non-deterministic ways. They chain together multiple steps, reasoning paths, and API calls to achieve a goal.

The second critical gap identified is the inability of current identity frameworks to provide a human-readable, auditable trail of why an agent made a decision. When an incident occurs, forensic teams are left with a massive pile of unstructured API logs but no visibility into the agent's internal "thought process." This makes it nearly impossible to determine if an action was the result of a malicious prompt injection, a misconfiguration, or a genuine (if flawed) reasoning path.

3. Cross-Agent Context Poisoning

Finally, there is the issue of inter-agent communication. Modern enterprise architectures are increasingly relying on "multi-agent systems," where an orchestration agent manages several specialized sub-agents. The identity frameworks unveiled at RSAC 2026 largely treat agents as siloed entities.

This leaves a significant vulnerability: context poisoning. If a low-privilege agent is compromised, it can feed "poisoned" context or malicious instructions to a higher-privilege agent within the same workflow. Because these frameworks lack inter-agent identity validation—where one agent verifies the trust level of another before accepting input—the security of the entire chain is only as strong as its weakest link.

Beyond the Frameworks: A Path Forward

The announcements from vendors like Cisco and Microsoft are undoubtedly a step in the right direction. By standardizing the concept of non-human identity, they are laying the groundwork for more secure autonomous systems. However, organizations should not mistake these frameworks for "set and forget" security solutions.

To bridge these gaps, enterprises must adopt a multi-layered defense strategy:

Implementation of Human-in-the-Loop (HITL) Triggers: For high-stakes operations (e.g., financial transactions, infrastructure changes), identity frameworks should mandate manual approval, regardless of the agent's perceived trust score.
Behavioral Baselines: Security teams must move beyond static identity management to active behavioral monitoring. If an agent deviates from its baseline behavior, the identity framework should automatically trigger a re-authentication or a session kill.
Unified Agent Observability: Companies must invest in observability tools that can correlate AI reasoning logs with traditional network and application logs. Without this correlation, visibility into agentic activity will remain fragmented.

Conclusion

RSAC 2026 has successfully signaled that AI security is entering a new, more mature phase. The focus on AI Agent Identity is a necessary and welcome development, providing the structural integrity needed to govern the next generation of autonomous workloads.

However, as the experiences of Fortune 50 companies prove, identity is not a silver bullet. While CrowdStrike, Cisco, and their peers have built the doors for this new era, the locks—specifically those governing dynamic authorization, auditability, and inter-agent trust—are still being forged. For Creati.ai readers and enterprise leaders, the takeaway is clear: adopt these new identity frameworks, but prioritize the operational security of the agents themselves. The era of Agentic AI is here, and our security posture must evolve just as rapidly as the models we deploy.