Kiteworks | Your Private Data Network

Enabling Zero Trust Data Exchange in One Platform

Free Trial EXPLORE KITEWORKS
Home > Security and Compliance Blog > Cybersecurity Risk Management > The Agentic AI Security Paradox: Why Deploying AI to Defend Your Organization Might Be Your Biggest Vulnerability

The Agentic AI Security Paradox: Why Deploying AI to Defend Your Organization Might Be Your Biggest Vulnerability

by Tim Freestone updated February 25, 2026 Cybersecurity Risk Management
Reading Time: 12 minutes

Here’s the trap that almost nobody is talking about.

Security teams need AI agents to defend against AI-powered attacks. But deploying those agents creates the exact data exposure risks they’re trying to prevent.

That’s not a hypothetical. It’s a finding. Ivanti’s 2026 State of Cybersecurity Report: Bridging the Divide, drawing on insights from more than 1,200 cybersecurity professionals worldwide, reveals that 87% of security teams consider integrating agentic AI a priority. Seventy-seven percent express comfort with letting autonomous systems act without human review. The appetite for AI-powered defense is enormous.

But the same report exposes the other side of that coin. Organizations lack the processes and skills to operationalize AI safely. The rush to deploy AI for defense — driven by escalating threats, alert fatigue, talent shortages, and fragmented tooling — is outrunning the governance needed to keep it from becoming the problem it was supposed to solve.

Ivanti’s CSO Daniel Spicer frames it as the “Cybersecurity Readiness Deficit” — a persistent, year-over-year widening gap between the threats organizations face and their ability to defend against them. The promise of AI is supposed to close that gap. Without governance, it widens it.

5 Key Takeaways

  1. 87% of Security Teams Prioritize Agentic AI — But Can’t Operationalize It Safely. Ivanti’s 2026 State of Cybersecurity Report, surveying more than 1,200 cybersecurity professionals worldwide, found that 87% of security teams consider integrating agentic AI a priority. Yet the same report reveals a critical gap: most organizations lack the processes and skills to deploy AI agents safely. The eagerness outpaces the readiness by a wide margin.
  2. Security AI Agents Need Access to the Most Dangerous Data in Your Organization. To be effective, security AI agents require access to security logs, vulnerability scan results, threat intelligence, identity and access data, network topology, and incident response records. This is the exact information attackers would use to map your entire defensive posture. Granting an AI agent access to this data without governance is like handing a stranger the blueprint to your vault.
  3. The Cybersecurity Readiness Deficit Is Widening, Not Closing. Ivanti identifies a “Cybersecurity Readiness Deficit” — a persistent, year-over-year widening gap between the threats organizations face and their ability to defend against them. Seventy-seven percent of organizations have already been targeted by deepfake attacks, yet only 27% consider themselves very prepared. The gap between risk awareness and actual preparedness runs 21 points.
  4. IT and Security Teams Are Working Against Each Other. Nearly half (48%) of security professionals say IT teams do not respond urgently to cybersecurity concerns, while 40% believe IT lacks understanding of their organization’s risk tolerance. This rift is particularly damaging when AI agents require cross-functional governance that depends on IT and security working together.
  5. Burnout Is a Systemic Vulnerability — Not Just a People Problem. Forty-three percent of security professionals report high stress, and 79% say it harms their physical and mental health. Lack of skilled talent is the number one barrier to cybersecurity excellence. This is the workforce that’s supposed to govern AI agents safely — while already running on empty.

What Security AI Agents Actually Need Access To — and Why That Should Scare You

Think about what a security AI agent requires to do its job. Not a productivity chatbot summarizing meeting notes. Not a marketing tool drafting email copy. A security agent — one built for threat detection, incident response, or vulnerability management.

It needs access to your security logs and SIEM data: firewall logs, intrusion detection alerts, authentication logs, endpoint telemetry. If exposed, attackers learn what you can and can’t detect. It needs vulnerability scan results: unpatched systems, misconfigurations, exploitable weaknesses. If exposed, that’s a complete roadmap for attackers. It needs threat intelligence: indicators of compromise, tactics and techniques, incident response playbooks. If exposed, attackers know your defensive capabilities and blind spots. It needs identity and access data: user accounts, privileged credentials, access patterns, authentication methods. If exposed, attackers get credential theft and privilege escalation paths laid out for them. And it needs network topology: network diagrams, critical systems, data flow maps, segmentation boundaries. If exposed, adversaries have a complete attack surface map.

This is the paradox at the heart of Ivanti’s findings. Eighty-seven percent of security teams want to give AI agents access to this data — the most sensitive information in the organization — to improve threat detection and response. But most lack the governance to do it without creating exactly the kind of exposure they’re trying to prevent.

If a security AI agent is compromised or misconfigured, it doesn’t just leak customer records or financial data. It exposes your entire defensive posture. An attacker who compromises a security agent gets the keys to the kingdom: what you can detect, what you can’t, where your systems are vulnerable, and how you respond to incidents. They can learn from your past breaches to improve their future attacks.

You Trust Your Organization is Secure. But Can You Verify It?

Read Now

Dual AI Agent Challenge: Business Risk Meets Security Risk

Ivanti’s report lands at a moment when organizations are already struggling to govern AI agents on the business side. Microsoft’s Cyber Pulse report confirms that more than 80% of Fortune 500 companies deploy active AI agents, and warns these agents are “scaling faster than some companies can see them.” Proofpoint’s 2025 Data Security Landscape report describes an “agentic workspace” that most organizations lack the visibility and controls to govern. And Proofpoint found that 32% of organizations consider unsupervised AI agent data access a critical threat.

Now add a second front. Organizations are simultaneously deploying AI agents for security operations — threat detection, incident response, vulnerability management — with an entirely different set of data access requirements and an entirely different risk profile.

Business AI agents access customer records, financial data, intellectual property, and contracts. The risk is data exfiltration to public AI models, shadow AI, and prompt injection. Security AI agents access logs, threat intelligence, vulnerabilities, identities, and network architecture. The risk is exposure of your entire security posture, attack surface mapping for adversaries, and credential leakage.

The compounding problem: most organizations are deploying AI agents across both domains without unified governance across either one. The business side has its governance gaps. The security side has its own. And the two rarely talk to each other — a dynamic Ivanti’s own data confirms, with 48% of security professionals saying IT doesn’t respond urgently to cybersecurity concerns and 40% believing IT lacks understanding of organizational risk tolerance.

Alert Fatigue, Talent Shortages, and the Pressure to Automate

Ivanti’s report explains exactly why security teams are moving so fast toward agentic AI — and why that speed itself creates risk.

Alert fatigue is crushing security operations. Teams are overwhelmed by the volume of alerts they need to triage, investigate, and act on. Ninety-two percent of respondents say automation reduces their team’s mean time to respond. AI agents that can triage alerts, correlate threat intelligence, and prioritize responses are not a luxury — they’re a lifeline. But when you’re drowning, you don’t always check the safety rating of the rope someone throws you.

Talent shortages are making it worse. Lack of skilled talent is the number one barrier to cybersecurity excellence, according to Ivanti’s survey. Forty-three percent of security professionals report high stress and 79% say it harms their physical and mental health. When you don’t have enough people, and the people you have are burning out, the temptation to hand work over to AI agents without proper governance is enormous. The talent shortage doesn’t just create a staffing problem — it creates a governance problem, because the people who would normally ensure AI is deployed safely are the same people who are stretched too thin to do it.

Fragmented tooling compounds the challenge. Security AI agents need to access data across multiple tools — SIEM, EDR, vulnerability scanners, threat intelligence platforms — each with different access controls and audit capabilities. Ivanti’s report identifies this fragmentation as a barrier to effective AI-driven automation. And fragmented tools mean fragmented governance: each tool has its own policy engine, its own log format, its own access model. When an AI agent operates across all of them, the governance gaps multiply.

The result is a pattern Ivanti’s data makes disturbingly clear: security teams deploying AI agents at speed, under pressure, without the processes to do it safely. The adoption is running well ahead of the readiness — just as it did on the business side.

Attacks Against AI Agents Are Already Proven

If the governance gap were only a compliance concern, it would be serious enough. But the threat is active and demonstrated.

Trend Micro’s research on AI agent vulnerabilities demonstrated that multi-modal AI agents can be manipulated through hidden instructions embedded in images or documents, triggering sensitive data exfiltration with zero user interaction. The attack categories at risk include personal data, financial information, protected health information, business secrets, authentication credentials, and confidential uploaded documents (Trend Micro executive brief).

Researchers on arXiv built a complete end-to-end exploit against a RAG-based AI agent. A malicious web page with hidden instructions caused the agent to retrieve secrets from its internal knowledge base and send them to an attacker-controlled server — using the agent’s own legitimate web search tool as the exfiltration channel. Their conclusion: current LLM agents with tool use and RAG exhibit a “fundamental vulnerability” to indirect prompt injection, and built-in model safety features are insufficient without additional defensive layers.

Now apply those attack vectors to a security AI agent. An agent with access to your vulnerability scan results, manipulated through prompt injection, could transmit your complete list of unpatched systems to an attacker. An agent with access to your incident response playbooks, compromised through a malicious plugin, could reveal exactly how you respond to breaches — giving attackers a step-by-step guide to evade your defenses. An agent with access to identity data could expose privileged credentials and escalation paths.

This isn’t speculation. The attack vectors are proven. The data security AI agents need to access is exactly the data attackers prize most. The only missing ingredient is governance — and Ivanti’s report tells us most organizations don’t have it.

77% Already Hit by Deepfakes. Only 27% Prepared. Now Add AI Agents to the Mix.

Ivanti’s report surfaces another dimension that intersects directly with the AI agent governance problem. Seventy-seven percent of organizations have already been targeted by deepfake attacks, with over half facing sophisticated, personalized phishing powered by deepfake technology. Forty-eight percent call synthetic digital content a high or critical threat — yet only 27% are very prepared. That’s a 21-point gap between awareness and readiness.

Just 30% of security professionals are confident their CEO could reliably identify a deepfake. And this is the environment into which organizations are deploying autonomous AI agents with broad access to sensitive systems.

The convergence is what matters. AI-powered attacks are getting more sophisticated. Security teams are deploying AI agents to fight back. Those agents need access to the most sensitive security data in the organization. And the governance to keep it all secure doesn’t exist yet for most organizations.

What Governing Security AI Agents Actually Requires

Microsoft’s Cyber Pulse report frames the right approach as Zero Trust for agents — applying the same principles used for human users: least-privilege access, explicit verification of “who or what” is requesting access, and an assumption of compromise as a design principle. For security AI agents, this means something specific and non-negotiable.

Security AI agents must access threat data through a governed gateway, not through direct database connections. A threat detection agent doesn’t need access to vulnerability scan results. An alert triage agent doesn’t need access to network topology. Every agent should access only the specific data required for its function — nothing more. Every request should be authenticated and authorized before data access, and every interaction should be logged in an immutable audit trail that can reconstruct exactly what data was accessed, when, and what the agent did with it.

Sandboxed execution is essential. AI agents must operate in isolated environments that prevent lateral movement if compromised. DLP controls must prevent security data — logs, vulnerability scans, threat intelligence — from flowing to external AI services. Anomaly detection must flag unusual access patterns, like an agent suddenly requesting bulk downloads of vulnerability data it doesn’t normally touch.

And critically, organizations need unified governance across both business AI and security AI. Running separate governance frameworks for productivity agents and security agents creates the same fragmentation that Ivanti identifies as a barrier to effective security automation. One platform, one policy engine, one audit trail — spanning every AI agent in the organization, regardless of function.

The Kiteworks Private Data Network provides this governance layer. Its AI Data Gateway creates a zero-trust bridge between AI systems — including security AI agents — and enterprise data, ensuring sensitive information never leaves the protected environment. Its Secure MCP Server sandboxes AI agent execution with OAuth 2.0 authentication, anomaly detection, and enforcement of existing governance frameworks. And its unified multi-channel governance covers file sharing, managed file transfer, email, web forms, APIs, and AI interactions under a single policy engine with a single immutable audit trail.

For security AI agents specifically, this means a threat detection agent gets governed access to alert data without being able to reach vulnerability scans or network topology. An incident response agent gets access to the data it needs for its specific function, logged and auditable. And if any agent is compromised, the organization can reconstruct exactly what data was exposed — with forensic-grade evidence that satisfies regulators and auditors.

The Stakes Are Higher Than a Data Breach

The financial exposure from AI governance failures is already well documented. The average data breach costs $4.88 million; in healthcare, $10.93 million (IBM Cost of a Data Breach Report, 2024). EU AI Act fines reach €35 million or 7% of global annual revenue. GDPR penalties hit €20 million or 4% of revenue.

But a compromised security AI agent creates a category of damage that goes beyond breach costs. When attackers gain access to your vulnerability scan results, they don’t need to probe your systems for weaknesses — they already have the list. When they get your incident response playbooks, they can design attacks specifically to evade your defenses. When they obtain your network topology, they can plan lateral movement before they even breach the perimeter.

This is the difference between a data breach and a complete strategic compromise. And it’s the risk that 87% of security teams are taking on when they deploy AI agents without the governance to control what those agents can access.

Three Priorities for Organizations Deploying Security AI Agents

First, apply least-privilege access to security AI agents with the same rigor you apply to human users — more rigor, actually. An alert triage agent should access alert data. A vulnerability management agent should access vulnerability data. Neither should have access to the other’s domain. Map every security AI agent’s data requirements to the minimum access needed for its specific function, and enforce those boundaries through a governed data gateway — not through trust in the model’s built-in safety features, which multiple researchers have shown are insufficient.

Second, unify governance across business AI and security AI under a single platform. Ivanti’s report identifies fragmented tooling as a barrier to effective security automation. Fragmented AI governance is worse. Running separate policies, separate audit trails, and separate access controls for productivity agents and security agents creates blind spots at the seams — exactly where attackers look. A single policy engine, a single audit trail, and a single visibility layer across every AI agent in the organization is the only architecture that scales.

Third, build incident response capabilities for AI agent compromise before you need them. If a security AI agent is compromised, can you reconstruct what data it accessed? Can you determine whether vulnerability scans, threat intelligence, or identity data was exfiltrated? Can you demonstrate to regulators that the agent operated within approved boundaries up until the point of compromise? Immutable audit logs, SIEM integration, and chain-of-custody documentation are not optional — they’re the foundation of AI incident response.

Ivanti’s report captures a moment of genuine tension in cybersecurity. Security teams are under extraordinary pressure — from escalating threats, from talent shortages, from burnout, from the widening readiness deficit. Agentic AI offers a real path forward. But only if the governance exists to keep it from becoming the biggest insider threat in the organization.

The 87% who prioritize agentic AI are right to do so. The question is whether they’ll secure it before it secures their data — for the wrong people.

To learn how Kiteworks can help, schedule a custom demo today.

Frequently Asked Questions

Business AI agents typically access customer records, contracts, and financial data — high-value targets, but limited in scope. Security AI agents must access SIEM data, vulnerability scan results, incident response playbooks, identity and access data, and network topology to function. If a security agent is compromised or manipulated through prompt injection, an attacker doesn’t just get sensitive records — they get a complete map of your defensive posture: what you can detect, where your systems are unpatched, and exactly how you respond to breaches. The blast radius of a compromised security agent is categorically larger.

The paradox is this: the same AI agents security teams need to defend against sophisticated, AI-powered attacks require broad access to the organization’s most sensitive security data — the exact data that makes them catastrophic targets if compromised. Ivanti’s 2026 report found 87% of security teams prioritize agentic AI, but most lack the governance processes to deploy it safely. The urgency driving adoption — alert fatigue, talent shortages, escalating threats — is also what makes safe deployment harder. Speed and pressure are the enemies of the governance that makes AI agents safe to deploy.

Prompt injection embeds hidden instructions in content an AI agent processes — a document, web page, or data feed — that override its original programming. Trend Micro demonstrated this works with zero user interaction; arXiv researchers built a working exploit that used a RAG-based agent’s own web search tool as the exfiltration channel. For a security agent with access to vulnerability data or threat intelligence, a successful injection is catastrophic. Built-in model safety features are insufficient — stopping it requires a governed data gateway enforcing zero-trust access, sandboxed agent execution, and DLP controls on outbound data flows.

Applying Zero Trust to AI agents means treating every agent as a distinct non-human identity requiring explicit authentication before each data request. Access is scoped to the minimum data required for the agent’s specific task — a threat detection agent accesses alert data only, not vulnerability scans or network diagrams. Every interaction is logged in an immutable audit trail. Sandboxed execution prevents lateral movement if an agent is compromised. Anomaly detection flags unusual patterns — bulk data requests, transmissions to unexpected destinations — at machine speed. Critically, access controls must be enforced at the data layer through a governed gateway, not through trust in the AI model’s own judgment.

An AI incident response plan needs to answer three questions quickly: what data did the compromised agent access, did any of it leave the environment, and can you prove to regulators that the agent operated within authorized boundaries before the breach? That requires immutable audit logs capturing every agent data interaction — user identity, timestamp, data accessed, action taken — combined with SIEM integration for real-time alerting and chain-of-custody documentation that satisfies forensic and compliance requirements. Organizations that build this infrastructure before a compromise can contain and document the incident. Those that build it after are doing forensics in the dark.

Additional Resources

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who are confident in how they exchange private data between people, machines, and systems. Get started today.

Schedule a Demo

Table of Contents

Table of Content
Share
Tweet
Share
Explore Kiteworks