
Why Cisco, Why Now: How Cisco’s RSAC 2026 Strategy Reframes Agentic AI Risk for CISOs

Research By: Shashi Bellamkonda, Info-Tech Research Group

At RSAC 2026, Cisco focused on the importance of controlling AI agents. Instead of highlighting advanced features or automation, Cisco stressed the need for strong governance in areas like identity, access, testing, inventory, and response. This approach is important for CISOs who must approve agent pilots and need clear accountability structures.

Image Source: Cisco 2026 Analyst Briefing March 2026.

What Cisco Announced at RSAC 2026 (March 2026)

Note: Some capabilities are available now. Others are on the roadmap through mid‑2026.

1. Treating AI Agents as Identities, Not Applications

Cisco announced that AI agents will be governed using the same zero trust access principles historically applied to human users. Through Duo IAM, Cisco Identity Intelligence, and Secure Access, organizations can register AI agents as identities, map them to accountable human owners, discover nonhuman and agentic identities already operating in the environment, and enforce fine‑grained, time‑bound access controls.

Cisco’s framing is that agentic risk is fundamentally different from chatbot risk. The concern is no longer what AI systems say, but what they do. As agents gain autonomy, security must govern actions, permissions, and tool usage, not just prompts and outputs. Cisco positions Model Context Protocol (MCP)-aware policy enforcement as the mechanism for controlling how agents interact with enterprise data and tools.

This reframes agent security as an access and accountability problem rather than a model quality issue. Instead of creating a parallel governance stack for agents, Cisco is extending existing IAM and zero trust constructs to cover nonhuman actors.

Why this matters to you:

If your organization is piloting or planning AI agents, Cisco is providing a familiar control model that security, audit, and risk teams already understand. By treating agents as identities with owners and least‑privilege access, you gain a defensible way to approve agent use without expanding the blast radius or introducing undefined accountability.

2. Moving Agent Security Left With Pre‑Deployment Testing and Guardrails

Cisco expanded its AI Defense portfolio with the launch of AI Defense: Explorer Edition, a self‑service offering designed to test AI models and agent workflows before they reach production. The focus is on multiturn adversarial testing, including resistance to prompt injection, jailbreaks, and unsafe behaviors that only emerge over extended interactions.

Cisco also introduced its Agent Runtime Software Development Kit (SDK) to embed policy enforcement directly into agent workflows across major agent frameworks. The intent is to make security validation and guardrails part of the development lifecycle rather than a late‑stage approval step or a purely runtime monitoring exercise.

This reflects Cisco’s view that many agent failures will not appear as immediate security incidents but as gradual governance breakdowns that surface only after agents begin acting autonomously.

Why this matters to you:

If your security team is being asked to approve agent pilots, Cisco’s approach gives you a way to demand evidence before deployment. Pre‑deployment testing and embedded guardrails make it easier to justify risk decisions to regulators, auditors, and executive leadership, and reduce the likelihood that agents will fail in subtle but damaging ways once they are live.

3. Open‑Sourcing Agent Governance With DefenseClaw

Cisco introduced DefenseClaw, an open‑source secure agent framework that automates agent inventory, skills scanning, MCP validation, and AI bill‑of‑materials generation. Cisco stated that DefenseClaw will integrate with NVIDIA NIM as a sandboxed inference environment, reducing reliance on manual security reviews and ad hoc processes.

OpenClaw, the open‑source personal AI agent framework, has grown rapidly in enterprise adoption. DefenseClaw, an open‑source security project from Cisco, provides the governance layer that organizations need to deploy OpenClaw safely in production environments.

Rather than positioning DefenseClaw as a standalone product, Cisco framed it as a reference architecture for secure agent deployment. By open‑sourcing the framework, Cisco is attempting to standardize what “secure by default” looks like for agent development across the industry.

This move suggests Cisco is less concerned with immediate monetization and more focused on shaping expectations around agent hygiene, visibility, and governance.

Why this matters to you:

Even if you do not adopt DefenseClaw directly, it provides a concrete checklist for evaluating agent readiness. CISOs and CTOs can use its concepts to set internal standards or vendor requirements for agent inventory, dependency tracking, and sandboxed execution, reducing reliance on trust and tacit knowledge.

4. Using the SOC as the Proving Ground for Agentic AI

Cisco also outlined an agentic SOC roadmap powered by Splunk Enterprise Security. This includes asset and identity visibility through Exposure Analytics, detection engineering through Detection Studio, cross‑environment investigation with Federated Search, and a set of specialized AI agents designed to automate triage, investigation, and response workflows.

Rather than positioning agents as autonomous decision-makers across the business, Cisco emphasized their use in security operations, where automation is already accepted and outcomes are tightly measured. The SOC becomes the controlled environment where organizations can gain experience managing agent behavior at scale.

This reflects a pragmatic adoption path: build trust in agents internally before extending autonomy to customer‑ or revenue‑impacting workflows.

Why this matters to you:

If you are cautious about deploying AI agents broadly, the SOC offers a lower‑risk entry point. Applying agentic automation to security operations allows teams to test governance models, monitoring, and accountability in an environment where failures are visible and contained, rather than business‑critical.

Our Take

Cisco’s RSAC story this year is essentially a bet that enterprise security teams will be the bottleneck for agentic AI adoption, and that whoever solves the governance problem first wins the deployment conversation. That is not a flashy position. It is a calculated one, and it makes more sense the longer you sit with it.

Most CISOs being asked to greenlight an agent pilot right now have no established framework for doing it. They know how to govern a SaaS application. They know how to handle a privileged user. Agents are neither, and the gap between “interesting technology” and “something I can defend to my board” is exactly where Cisco is planting its flag. The identity-first approach is not technically groundbreaking, but it is politically useful, which may matter more right now.

Microsoft, CrowdStrike, and Palo Alto are all working this problem too, and none of them are standing still. But their approaches largely treat governance as a layer on top of a platform that was built for something else. Cisco is starting from governance as the premise, with the NVIDIA NIM partnership signaling that this extends to the inference layer, not just policy enforcement sitting above it. That is a meaningful architectural difference, even if it takes another 12 months to play out in the product.

The open-source release of DefenseClaw is worth paying attention to even if you never run a Cisco product. The concepts it operationalizes, including agent inventory, skills scanning, MCP validation, and AI bill of materials, are things every security team should be demanding from vendors regardless of stack. If you are running agents on AWS or Azure today and cannot answer basic questions about what those agents are authorized to do, who owns them, and what happens when they behave unexpectedly, you have a governance gap. DefenseClaw is a reasonable starting point for defining what “good” looks like, even if you build your own controls around the deployment of OpenClaw in the enterprise.

Cisco is suggesting that the question is not how you secure the model but how you identify the agent and control its permissions. Models are someone else’s problem. The question is what your agents are permitted to do, with whose data, and what your organization is liable for when something goes wrong. Security vendors are starting to offer answers. CISOs need to start asking the right questions first.
