DefenseClaw Series | Analyst Briefing
Cisco's April 2026 briefing connected the acquisitions, the open-source releases, and the product launches into a single coherent argument. The argument is correct. The execution risk is real.
Shashi Bellamkonda · May 11, 2026 · 7-minute read
Multi-session breach rate: 90%+
Enterprises experimenting with agents: 85%
In production: ~5%
Unknown agents found at one customer: 4 + 33 models
A large multinational semiconductor manufacturer turned on Cisco AI Defense and discovered four unknown agents running in its Amazon Web Services environment, plus 33 AI models it had not logged. The security team did not know its own cloud had agents in it. That detail is not a product pitch. It is a description of where most enterprises are right now, and it is the most important thing Cisco's April 2026 analyst briefing communicated.
The briefing was led by Akshay Bhargava, VP of Product Management for AI Software and Platform, and Lars Urbaniak, Director of Product Management for Duo Security. It was the first time the full Cisco AI security story came together as a coherent architecture rather than a series of independent announcements. My prior coverage tracked each piece separately: the DefenseClaw open-source release at RSA Conference 2026, the Galileo acquisition in April, and the Astrix intent-to-acquire announced in May. The briefing is where those pieces resolve into a platform argument.
The Constraint the Industry Keeps Avoiding
Cisco's State of AI Security 2026 report found that 85% of enterprises are experimenting with agents. Roughly 5% have moved them into production. That gap is not because the technology is immature. It is because security teams will not approve what they cannot audit, and the governance tools have not kept pace with the deployment tools.
Traditional applications are deterministic. Run the same input, get the same output. Agents are not. They make decisions, chain tools, call external services, and operate across long sessions. That variability is the feature. It is also the attack surface. A developer deploys an agent connected to email, a file system, a database, and a few external APIs. The agent performs well. Nobody revisits its access. Six months later it is still running, still connected, and the access it accumulated was never revoked because agents do not resign.
"Know every agent, authorize every action, and adapt to risk in real time. Agents do not retire. Without lifecycle management, they accumulate."
The semiconductor manufacturer story is what that problem looks like in operation. Four unknown agents and 33 unlogged models in a cloud environment that a sophisticated enterprise believed it had visibility into. Discovering them required turning on a security product specifically designed for agent discovery. Before that product existed, the inventory gap was invisible.
The Number That Changes the Conversation
Cisco tested eight widely used open-weight AI models against a consistent attack protocol. Single-session attacks were blocked reasonably well. Multi-session attacks were not. When adversaries probed the same guardrail from different angles across an extended conversation, they broke through more than 90% of the time.
This is the number that should be on every Chief Information Security Officer's slide deck. Agents operate across long sessions by design. A retrieval-augmented generation workflow, a multi-step research task, a contract review process: these are all extended sessions, and extended sessions are the relevant attack pattern. A guardrail that holds for one exchange is not the same thing as a guardrail that holds across ten. Predeployment testing catches single-session vulnerabilities. It does not simulate a persistent adversary who comes back across sessions until the guardrail fails.
Key implication
Predeployment review is where a governance program starts, not where it finishes. The 90%+ multi-session breach rate means runtime monitoring is not optional. It is the primary control.
What Cisco Actually Shipped
Several announcements from RSA Conference 2026 were detailed in the briefing. They deserve to be read as a portfolio, not as independent products.
DefenseClaw is a secure framework for OpenClaw-compatible deployments, sitting on top of NVIDIA's OpenShell runtime. It reached nearly 500 GitHub stars in its first three weeks. Cisco is using open-source traction as a developer acquisition strategy. The early signal is real. The question I raised in the Galileo analysis remains relevant: what happens to open-source artifacts once they sit inside a commercial security platform Cisco wants to monetize. DefenseClaw's open-source license protects the artifact. It says nothing about where the roadmap goes.
AI Defense Explorer Edition is a self-serve, free-tier product built on AI Defense's multi-agent red-teaming engine. It targets AI engineers, application security teams, and developers who need to red-team agents without going through an enterprise procurement cycle. The path from self-serve to enterprise is the point: Cisco is seeding pipeline through a product developers can access immediately rather than waiting for a procurement decision that may take months.
The LLM Security Leaderboard ranks AI models by safety rather than capability. The question it answers is not which model is fastest, but which one is safe enough to deploy in a specific enterprise context. It is built on Cisco's own security taxonomy and cross-referenced against OWASP, MITRE, and NIST frameworks. That cross-referencing matters for regulated industries where compliance documentation requires traceable standards alignment, not proprietary scoring alone.
The open-source toolkit has expanded to include a skills scanner, an agent-to-agent protocol scanner, an MCP scanner, and an AI bill of materials tool for inventorying framework components. Algorithmic red-teaming runs extended attack sequences against agents before and after deployment, continuously, across multiple languages, simulating a persistent adversary rather than a one-time probe. That last phrase is the key one. Continuous simulation of persistent adversaries is how you catch the multi-session vulnerability the 90% number describes.
Agentic IAM Is the Governance Bet
Cisco's Agentic IAM product, built on its Zero Trust Access Platform through Duo, applies the zero-trust model to AI agents. The framing maps to what CIOs already understand from human workforce governance: every agent gets registered, assigned a human owner, and scoped to a specific task. Access is granted just in time and revoked when the task ends.
The model is correct. The execution challenge is scale. Lifecycle management for human employees works because the population is bounded and the events that trigger access changes are legible: a person joins, transfers departments, or leaves. Agents have none of those natural lifecycle signals. They can be spun up by a developer, run indefinitely in the background, and accumulate access with no event that prompts a review. Getting organizations to operationalize agent lifecycle management at any significant deployment scale is a process and cultural problem, not a technology problem. Cisco can solve the technology side. The process side is on the customer.
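The lifecycle rules described in the two paragraphs above (every agent registered, owned by a human, scoped to a task, access revoked when the task ends), shown as an added example that is not Cisco's code or any Duo or AI Defense API: an audit over a constructed agent inventory. The record fields, the 90-day review interval and the agent names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Grant:
    resource: str                    # what the agent can reach, e.g. "email"
    task_id: str                     # task the access was scoped to
    task_ended: Optional[datetime]   # None while the task is still running
    revoked: bool = False

@dataclass
class Agent:
    agent_id: str
    registered: bool                 # present in the agent registry
    owner: Optional[str]             # accountable human, if any
    last_review: Optional[datetime]
    grants: list = field(default_factory=list)

REVIEW_INTERVAL = timedelta(days=90)  # assumed policy value, not from the briefing

def audit(agents, now):
    """Return {agent_id: [finding, ...]} for agents that break a lifecycle rule."""
    findings = {}
    for a in agents:
        issues = []
        if not a.registered:
            issues.append("unregistered")
        if not a.owner:
            issues.append("no-human-owner")
        for g in a.grants:
            # Just-in-time access should end with the task it was granted for.
            if g.task_ended and g.task_ended <= now and not g.revoked:
                issues.append(f"standing-access:{g.resource}")
        # Agents have no join/transfer/leave event, so review is time-driven.
        if a.last_review is None or now - a.last_review > REVIEW_INTERVAL:
            issues.append("review-overdue")
        if issues:
            findings[a.agent_id] = issues
    return findings

# Constructed inventory (hypothetical agents, not customer data).
NOW = datetime(2026, 5, 11, tzinfo=timezone.utc)
INVENTORY = [
    Agent("contract-review", True, "j.doe", NOW - timedelta(days=10),
          [Grant("file-system", "T-1", None)]),
    Agent("mail-triage", True, "a.lee", NOW - timedelta(days=180),
          [Grant("email", "T-2", NOW - timedelta(days=170)),
           Grant("database", "T-2", NOW - timedelta(days=170), revoked=True)]),
    Agent("aws-discovered-1", False, None, None,
          [Grant("external-api", "unknown", None)]),
]
```

The `mail-triage` record mirrors the agent that is still connected months after its task ended; `aws-discovered-1` mirrors an agent that surfaced through discovery rather than registration.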
Customer Evidence Is Harder to Dismiss Than a Pilot Reference
Two customer cases from the briefing are worth noting specifically because they describe operational constraints, not proof-of-concept deployments.
The semiconductor manufacturer case has already been described. The second case is a healthcare company whose internal governance review process could not keep pace with production demand for agent deployment. Cisco's automated testing was set up and running in under 24 hours. That speed matters in healthcare, where governance backlogs directly slow clinical and operational innovation. A manual review process that takes weeks is not a governance process for agentic infrastructure. It is a bottleneck that developers route around.
"A governance review that takes weeks is not a governance process for agentic infrastructure. It is a bottleneck that developers route around."
Where the Competitive Frame Gets Interesting
Cisco now covers the full agent security lifecycle as a platform argument: find the agents, test them before deployment, monitor them at runtime, control their identity and access, and give developers tools to build securely from the start. No other vendor has assembled that full stack from owned product, but that does not mean no competitor is credible.
Palo Alto Networks announced Prisma AIRS 3.0 at RSA Conference 2026 with a credible agentic security story built around platformization. CrowdStrike is extending its platform into the AI workload layer. Point-solution vendors are moving fast in specific layers. The right evaluation question is not who has the most impressive individual product. It is where each vendor's coverage stops, because the gaps are where the risk lives.
Cisco's open-source commitment is consistent and documented: DefenseClaw under an open-source license, Galileo's Agent Control under Apache 2.0 before the acquisition, and Astrix's open-source MCP Secret Wrapper contributing to Center for Internet Security guidance on agent governance. The open-source thread is a developer trust strategy. The question it eventually raises is what happens to community-oriented artifacts once they are fully inside a monetized commercial platform. That question deserves a direct answer at Cisco Live.
CIO / CISO Viability Question
Start with an inventory of agents in your environment. You cannot secure what you have not found. Once you have that inventory, answer two questions: Which agents have