As SVP of Engineering at Elpha Secure, Ratnesh Pandey drives cyber strategies & security portfolios that protect SMEs against cyber threats.getty​Every enterprise I talk to has crossed the same threshold in the last year. They've moved past experimenting with AI assistants and started deploying agents that reason, plan and act with limited human oversight. They can read the support inbox, reconcile the records, file the ticket and sometimes execute the transaction. The work that used to require a person now happens autonomously, at machine speed, around the clock.That shift is real, but it has quietly created the largest visibility gap most security teams have ever faced, and very few of them know it yet.The numbers are stark. VentureBeat cited Gravitee's State of AI Agent Security 2026 survey, which polled more than 900 executives and practitioners and found that 88% of respondents reported AI agent security incidents in the previous 12 months—yet only 21% had runtime visibility into what their agents were actually doing. Sit with that pairing for a moment. Nearly nine in 10 organizations have already been bitten, and barely one in five can see the behavior that bit them.Why The Old Playbooks Aren't Relevant AnymoreThe old security playbook was built around the human session. A person logs in, performs a few predictable actions and logs out. Agents don't behave that way. They run continuously for hours, chain together tool calls across many systems inside a single workflow and make decisions based on memory and context that no one ever inspected.This is no longer a theoretical concern. In December 2025, OWASP's GenAI Security Project published the Top 10 for Agentic Applications, and report co-lead Keren Katz put the state of play bluntly: "Companies are already exposed to agentic AI attacks – often without realizing that agents are running in their environments."The framework itself is built on incidents observed in real systems, and OWASP's own tracker includes confirmed cases of agent-mediated data exfiltration, remote code execution, memory poisoning and supply chain compromise. Agentic risk, in other words, has stopped being a research topic and become an operational security domain.You can't least-privilege what you haven't discovered. You can't monitor what you haven't instrumented. It takes three things to monitor an agent's whereabouts, and they're not optional.​Visibility Into The Operational PlaneYou must be able to see the full path—from the prompt an agent received, through its reasoning, to every tool call it made and every real-world effect that followed. If you can't reconstruct that chain after the fact, you can't investigate an incident, and you certainly can't prevent the next one.Correlation Across Agents Rather Than Isolated Per-Agent LogsA single agent's activity often looks perfectly clean on its own. The malicious pattern only becomes visible when you connect the traces across agents. The interesting attacks don't stay inside one agent. They move, as one compromised component affects the behavior of several others. A single agent log in isolation will tell you everything except the thing that matters.​Detection That Operates At Runtime And At Machine SpeedPre-deployment testing and configuration scanning matter, but they secure the agent you tested in the lab, not the one running under live attack in production.​ An agent behaving today could be very different than an agent that was configured with a given intent in the past.Identity Alone Isn't The Answer​​Together, these three are a single layer; consider it a control plane for agent behavior. Identity systems already gave us a control plane for who an agent is and what it's allowed to reach. What's missing is the equivalent plane for what the agent actually does once it starts acting: a place where every prompt, decision, tool call and side effect is observed, correlated across agents and judged in real time with a given context. One plane governs identity. The other has to govern behavior. Most enterprises have built the first and assumed it covers the second. It doesn't.This is why identity, on its own, can't be the answer. Knowing who an agent is and what it may access tells you nothing about whether what it just did was supposed to happen. Most of the breaches will be caused by a legitimate, authenticated, correctly scoped agent that read the wrong email and did precisely what it was told or got its intent hijacked. The only thing that would've caught it is a layer watching the action, not the identity.Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?