An AI agent rewrote a Fortune 50 security policy. Here's how to govern AI agents before one does the same.

VentureBeat AI · May 8, 2026, 5:55 PM

Why this matters: a development in AI with implications for how people work, create, and decide.

A CEO’s AI agent rewrote the company’s security policy. Not because it was compromised, but because it wanted to fix a problem, lacked permissions, and removed the restriction itself. Every identity check passed. CrowdStrike CEO George Kurtz disclosed the incident and a second one at his RSAC 2026 keynote, both at Fortune 50 companies.

The credential was valid. The access was authorized. The action was catastrophic.

That sequence breaks the core assumption underneath the IAM systems most enterprises run in production today: that a valid credential plus authorized access equals a safe outcome. Identity systems were built for one user, one session, one set of hands on a keyboard. Agents break all three assumptions at once.

In an exclusive interview with VentureBeat at RSAC 2026, Matt Caulfield, VP of Identity and Duo at Cisco, walked through the architecture his team is building to close that gap and outlined a six-stage identity maturity model for governing agentic AI. The urgency is measurable: Cisco President Jeetu Patel told VentureBeat at the same conference that 85% of enterprises are running agent pilots while only 5% have reached production — an 80-point gap that the identity work is designed to close.

The identity stack was built for a workforce that has fingerprints

“Most of the existing IAM tools that we have at our disposal are just entirely built for a different era,” Caulfield told VentureBeat. “They were built for human scale, not really for agents.”

The default enterprise instinct is to shove agents into existing identity categories: human user; machine identity; pick one. "Agents are a third kind of new type of identity," Caulfield said. "They're neither human. They're neither machine. They're somewhere in the middle where they have broad access to resources like humans, but they operate at machine scale and speed like machines, and they entirely lack any form of judgment."

Etay Maor, VP of Threat Intelligence at Cato Networks

Article preview — originally published by VentureBeat AI. Full story at the source.