Governance slowly. Enforcement rapidly. Machine speed.
Across hospital exam rooms and factory floors, autonomous AI agents are already performing tasks once reserved for human hands—yet the infrastructure meant to govern their identities, permissions, and accountability remains built for a slower, human-paced world. Cisco's Jeetu Patel reported at RSAC 2026 that 85% of enterprises are running agent pilots while only 5% have reached production, a gap that reveals not a failure of capability but a failure of trust architecture. The bottleneck is not what these systems can do, but whether organizations can answer the most fundamental question of governance: who is responsible when something goes wrong at machine speed.
- A 44% rise in attacks exploiting missing authentication controls—documented in IBM's 2026 X-Force report—signals that the window for building trust infrastructure before adversaries exploit it is already closing.
- Most enterprises cannot inventory which agents have access to sensitive systems, cannot scope their permissions, and cannot revoke their identities fast enough when something goes wrong—leaving patient records and production systems exposed.
- The failure pattern is structural: siloed teams build siloed agents on siloed data, and the cross-domain insight that makes agents genuinely powerful never materializes while permission sprawl begins immediately.
- Cisco's Michael Dickman argues the network itself—observing actual system-to-system communications rather than inferred activity—is the only foundation capable of enforcing agent policy at the speed machines operate.
- Organizations moving first on agentic IAM, microsegmentation, and cross-functional governance will deploy at a pace others cannot match, because every new agent inherits the trust architecture the first ones required.
A doctor watches an AI agent update a patient's health record, suggest prescriptions, and surface medical history in real time. On a factory floor, another agent inspects products faster than any human could. Both systems generate identities that most enterprises cannot track, scope, or shut down when something goes wrong—and that gap between what agents can do and what organizations can safely govern is the real reason artificial intelligence remains trapped in pilot mode.
Cisco President Jeetu Patel reported at RSAC 2026 that 85% of enterprises are running agent pilots while only 5% have reached production. That 80-point gap is not a computing problem. It is a trust infrastructure problem. IANS Research found that businesses still lack role-based access control mature enough for human identities alone—agents will make the problem exponentially harder. The 2026 IBM X-Force Threat Intelligence Index documented a 44% increase in attacks exploiting missing authentication controls, driven in part by AI-enabled vulnerability discovery.
Michael Dickman, Cisco's senior vice president and general manager of Campus Networking, frames the challenge as architectural rather than a matter of better tooling. The network, he argues, sees what other monitoring systems cannot: actual system-to-system communications, not inferred activity. That behavioral data becomes the foundation for cross-domain policy enforcement—and without it, organizations are left guessing while machines act. He identifies four prerequisites for production deployment: secure delegation with clear human accountability chains, cultural readiness to redesign workflows around agents that can evaluate every alert, hybrid architectures where agents reason while deterministic tools execute, and irreplaceable human judgment to refine what AI produces.
The most common failure pattern is organizational. Teams build agents on top of their own data in isolation, producing incremental automation while cross-domain insight never materializes. IEEE senior member Kayne McGladrey observed that organizations default to cloning human user profiles for agents, and permission sprawl begins immediately. Carter Rees of Reputation identified the structural cause: the flat authorization plane of an LLM fails to respect user permissions. Cato Networks' Etay Maor put it plainly at RSAC 2026—agents need an HR model: onboarding, monitoring, offboarding.
Dickman's framework crystallizes around a personal moment: watching a medical transcription agent manage his family member's records in a hospital exam room, with a doctor approving each step. The security implications landed differently with a loved one's data on the screen. His prescription is deliberate governance built rapidly: register each agent with defined permitted actions and a named human accountable for its behavior, then enforce least-privileged access through microsegmentation so that when something goes wrong, the damage is contained.
His five priorities before production are unambiguous—force cross-functional alignment across business, IT, and security leadership; mature IAM and PAM systems for agentic workloads; adopt platform networking that enables cross-domain data sharing; design hybrid architectures from the start; and make the first deployments bulletproof on trust. The enterprises that do this first will deploy at a pace others cannot match. The ones still debating will watch the gap widen. Theoretical trust does not ship.
A doctor stands in a hospital exam room watching an agent update a patient's electronic health records, suggest prescriptions, and pull up medical history—all in real time. On a factory floor, another agent inspects products at speeds no human can match. Both systems generate identities that most companies cannot track, control, or shut down when something goes wrong. This gap between what autonomous agents can do and what enterprises can safely govern them to do is the real bottleneck holding artificial intelligence back from the factory floor and the clinic.
Cisco President Jeetu Patel reported at RSAC 2026 that 85% of enterprises are running agent pilots. Only 5% have moved to production. That 80-point gap is not a problem of computing power or model capability. It is a problem of trust infrastructure. When a CISO asks which agents have access to sensitive systems and who is accountable if one acts outside its boundaries, most organizations cannot answer. IANS Research found that businesses still lack role-based access control mature enough for human identities alone. Agents will make the problem exponentially harder. The 2026 IBM X-Force Threat Intelligence Index documented a 44% increase in attacks exploiting public-facing applications, driven by missing authentication controls and AI-enabled vulnerability discovery.
Michael Dickman, senior vice president and general manager of Cisco's Campus Networking business, frames the problem as architectural rather than merely a matter of better tools. Before Cisco, he led product strategy at Gigamon and Aruba Networks. He argues that the network observes what other monitoring systems cannot: actual system-to-system communications rather than inferred activity. "It's that difference of knowing versus guessing," he said. "What the network can see are actual data communications—not, I think this system needs to talk to that system, but which systems are actually talking together." That raw behavioral data becomes the foundation for correlation across domains, and without it, organizations have no way to enforce agent policy at the speed machines operate.
Dickman identifies four conditions that must precede production deployment. First is secure delegation: defining what an agent is permitted to do and maintaining a clear chain of human accountability. Second is cultural readiness. Alert fatigue has traditionally been solved by aggregating alerts so analysts see fewer items. But when agents can evaluate every alert, the entire workflow changes. "It is now possible for an agent to go through all alerts," Dickman said. "You can actually start to think about different workflows in a different way." Third is token economics—every agent action carries computational cost, which Dickman sees solved through hybrid architectures where agents handle reasoning while deterministic tools execute actions. Fourth is human judgment. When his team used an AI tool to draft a product requirements document, the agent produced 60 pages of repetitive filler that revealed technical responsiveness but required extensive refinement to become useful. "There's no substitute for the human judgment and the talent that's needed to be dextrous with AI," he said.
The most common failure pattern emerges when teams work in silos. Team A builds Agent A on top of Data A. Team B builds Agent B on top of Data B. Each produces incremental automation. The cross-domain insight never materializes. Kayne McGladrey, an IEEE senior member, observed that organizations default to cloning human user profiles for agents, and permission sprawl begins immediately. Carter Rees, vice president of AI at Reputation, identified the structural reason: "A significant vulnerability in enterprise AI is broken access control, where the flat authorization plane of an LLM fails to respect user permissions." Etay Maor, vice president of Threat Intelligence at Cato Networks, reached the same conclusion from an adversarial perspective. "We need an HR view of agents," Maor said at RSAC 2026. "Onboarding, monitoring, offboarding."
Dickman grounds his framework in a personal moment. A family member broke an ankle, and he found himself in a hospital exam room watching a medical transcription agent update the electronic health record, prompt prescription options, and surface patient history. The doctor approved each decision, but the agent handled tasks that previously required manual entry across multiple systems. The security implications hit differently when it is a loved one's records on the screen. "I would call it do governance slowly. But do the enforcement and implementation rapidly," he said. "It must be done in machine speed." That starts with agentic identity and access management, where each agent is registered with defined permitted actions and a human accountable for its behavior. That identity layer feeds microsegmentation—a network-enforced boundary that enforces least-privileged access and limits the damage if something goes wrong.
Dickman outlines five priorities before agents reach production. First, force cross-functional alignment now across line-of-business, IT, and security leadership. The human coordination layer is moving more slowly than the technology, and that gap is the bottleneck. Second, get identity and access management and privileged access management production-ready for agents. These systems are not mature enough for agentic workloads today. Third, adopt a platform approach to networking infrastructure that enables data sharing across domains in ways fragmented point solutions cannot. Fourth, design hybrid architectures from the start where agents handle reasoning and planning while deterministic tools execute actions. Fifth, make the first use cases bulletproof on trust by picking two or three high-value deployments and building them with role-based access control, privileged access management, and microsegmentation from day one. "You can guarantee that trust to the organization, and that will unleash the speed," Dickman said.
The 85% of enterprises stuck in pilot mode are not waiting for better models. They are waiting for the identity governance, the cross-domain visibility, and the policy enforcement infrastructure that makes production deployment defensible. Organizations that satisfy these prerequisites first will deploy agents at a pace the rest cannot match, because every new agent inherits the trust architecture the first ones required. The ones still debating whether to start will watch that gap widen. Theoretical trust does not ship.
Citações Notáveis
It's that difference of knowing versus guessing. What the network can see are actual data communications—not, I think this system needs to talk to that system, but which systems are actually talking together.— Michael Dickman, Cisco SVP and GM of Campus Networking
A significant vulnerability in enterprise AI is broken access control, where the flat authorization plane of an LLM fails to respect user permissions.— Carter Rees, VP of AI at Reputation
A Conversa do Hearth Outra perspectiva sobre a história
Why is identity governance the actual blocker and not, say, the quality of the AI models themselves?
Because a model can be brilliant at reasoning, but if you can't control what it's allowed to do, you can't let it near production. A transcription agent that updates patient records needs to know exactly which records it can touch and which it cannot. Most enterprises built their access control systems for humans—people who log in, do work, log out. Agents don't work that way. They operate continuously, at machine speed, and if their identity is misconfigured, the blast radius is enormous.
The source mentions that 85% are in pilots but only 5% in production. That's a huge gap. Is that gap actually about identity governance, or could it be something else?
It's identity governance. When a CISO asks "which agents have access to what, and who is accountable if one goes rogue," most organizations cannot answer. They don't have the infrastructure to inventory agent identities, scope their permissions, or revoke access at machine speed. Everything else—the models, the compute, the use cases—those are solved problems. Identity governance is the structural blocker.
You mentioned hybrid architectures as a solution. Why not just build pure agent systems?
Token economics. Every action an agent takes costs compute. If you have an agent reasoning about a problem and then executing the solution, you're paying for both. But if you have an agent reason and then hand off to a deterministic tool to execute, you get the intelligence of the foundation model with the efficiency and predictability of conventional software. It's cheaper, it fails more predictably, and it's easier to audit.
The hospital example—a doctor watching an agent update records—that feels like it could go wrong very quickly.
It does. That's why Dickman grounds his entire framework in that scenario. The agent is handling tasks that previously required manual entry across multiple systems. If that agent's identity is compromised or misconfigured, patient records could be altered. The security implications hit differently when it's a loved one's data on the screen. That's why he says governance must be done slowly but enforcement must happen at machine speed.
What does "cross-domain visibility" actually mean in practice?
Most enterprise data is fragmented. Team A has their observability tools, Team B has their application platforms, Team C has their security stack. Each team sees their own slice. Cross-domain visibility means the network sees actual system-to-system communications across all those silos. It's the difference between knowing which systems are actually talking to each other versus guessing based on what you think should happen. That real data becomes the foundation for enforcing policy.
If an organization gets this right—identity governance, microsegmentation, the whole framework—what changes?
Everything accelerates. Once you've built the trust architecture for your first two or three agents, every new agent inherits that infrastructure. Organizations that move first will deploy at a pace the rest cannot match. The ones still debating whether to start will watch the gap widen. It's not theoretical anymore—it's competitive advantage.