An Agent Primer for CISOs, CROs, and CCOs
Agents are already here. It’s time to understand their impact on enterprise security and risk.
The speed at which agents have already infiltrated the enterprise is staggering.
When I first started chatting with CISOs and GRC leaders about agents in early 2024, most had not heard of them. And if they were familiar with agents, they were a theoretical problem.
Agents are not theoretical anymore.
Fast-forward a year later, and agents are proliferating across the enterprise. Organizations have turned on Microsoft 365 Copilot, are experimenting with Google Agentspace, leveraging Salesforce AgentForce, giving Cursor to their engineers, and building custom agents with n8n, LangChain, CrewAI, and custom frameworks.
Even CISOs and GRC leaders who think they have no agents in production get surprised when they realize that ServiceNow has enabled AI agents that might be accessing data in SharePoint, or that Microsoft 365 Copilot supports MCP and can write files to a local filesystem.
To borrow a turn of phrase coined by Dmitri Alperovitch, there are effectively two types of companies—those that know they have agents, and those that don’t.
What’s an Agent?
An agent is autonomous logic that can control the environment (i.e., it has agency over something). The driverless Waymo is a great example–it’s an agent that can autonomously take you from point A to point B by controlling the environment around it.
In the enterprise, agents can take the form of copilots. But what makes copilots special from ordinary LLM chatbots is that they can control the environment. They can retrieve files for you, send an email, save a file to disk, open a browser and watch YouTube, and print to the printer on the third floor.
Beyond copilots–which react to human prompting–many agents don’t have any prompts. Again, look at a Waymo–you just get in the car and go.
Without human prompting, agents can shift from reactive to proactive–a big shift as CISOs and GRC leaders think about controlling undesired agent behavior.
Proactive agents like an SRE agent that deploys code to production on a regular schedule or a marketing research agent that tracks competitors daily might simply be operating without any human interaction.
In short, these bits of logic have tools and capabilities giving them agency over their environment. And those capabilities are growing by the day.
Economic Pressures and Technological Progress Are Driving Agent Adoption
We are hurtling at breakneck speed toward a future of a multitude of agents across the enterprise. Economic and technological factors are driving this rapid adoption.
First, despite the uncertain economic environment and many enterprises reducing budgets, they are nonetheless continuing to spend enormous sums of money on GenAI. GenAI remains an existential technology that enterprises must adopt, or watch the competitors who do adopt it fly past them.
However, while spending is unabated, the ROI on GenAI remains elusive. Organizations are struggling to see returns on their investments for a variety of reasons, from cultural issues to a lack of high-value use cases.
Part of the challenge is that LLM chatbots–in and of themselves–have limited use cases in the enterprise. They save us time with emails and summarizing content, but game-changing use cases seem distant.
The reason that LLM chatbots seem cool but not quite as useful as you would hope is that they can’t change or manipulate the environment. The chatbots are an engine without the automobile wrapped around it.
Agents change all that–they wrap around LLMs and enable them to control the environment. Agents unlock the incredible potential of LLMs by making them truly useful.
The future of work is not typing into 97 chatbots all day. Agents are inevitable because they are the only way that enterprises will be able to recoup the investments they’ve made in GenAI.
Imagine how much value could be generated with proactive agents operating across the enterprise facilitating workflows, even just in security:
Threat hunting
Employee onboarding and offboarding
Automated financial reporting and analysis
Personalized customer engagement and support
Contract review and drafting
Logistics and inventory optimization
Data classification
Supply chain monitoring
Recognizing that agents are the way forward, Microsoft, Google, OpenAI, Anthropic, and legions of others are rising to meet the enterprise demand of delivering on the promised value of GenAI. As LLMs get better at planning and thinking, a slew of new standards and protocols are emerging to make agents incredibly powerful.
Agent studios are emerging, such as Microsoft’s Copilot Studio and Google’s Agentspace, with the goal of making agents as easy to build and use as possible.
Enterprises have been asking when they will see the huge ROI on their GenAI investments. The frontier labs and hyperscalers are answering with technology to give them agents.
In November 2024, Anthropic released Model Context Protocol (MCP), a new standard that enables agents to discover and call new tools and capabilities. Anthropic says, “Think of MCP like a USB-C port for AI applications.” Basically, you can “plug in” any capability offered by an MCP server.
In practice, any agent that supports MCP, such as Microsoft 365 Copilot, Claude, Cursor, or VS Code, can gain an instant ability to control the environment by connecting to an MCP server.
What kind of capabilities? There are scores of MCP server lists that give agents all kinds of tooling. A few examples are:
Read the contents of a user's local file system
Execute shell commands
Open and use the user’s browser
Send an email from the user's account
Interact with third-party APIs (e.g., GitHub, Slack, Jira)
Retrieve and write database records
Other standards are emerging, such as Google’s Agent2Agent (A2A) protocol, released in April 2025. While MCP provides tooling to agents, A2A enables different agents to communicate with each other.
For example, suppose Microsoft 365 Copilot, Salesforce AgentForce, and ServiceNow AI Agent all coordinate to draft a highly personalized and accurate customer update email about a product fix, significantly reducing a Customer Success representative's manual effort. It might work like this:
ServiceNow AI Agent identifies that a product fix is complete and knows which customers' cases are affected, providing the technical details of the solution.
Salesforce AgentForce then takes these customer IDs and retrieves their full relationship history, product details, and any specific interaction notes.
Microsoft 365 Copilot uses all this structured information from ServiceNow and Salesforce to generate a highly precise and tailored email draft, ready for the CS representative's quick review and send.
The security implications of MCP and A2A are manifold and are worth exploring separately.
All of this is to say: the agents are coming, and faster than you think.
How Security, Risk, and Compliance Leaders Can Stay Ahead
Agents are already in the enterprise, sometimes just getting turned on in SaaS apps you already own. Leaders can take some simple, proactive steps to get ahead of this agentic era:
Invest in dedicated training for cyber teams on agent capabilities, recognizing that protecting agents requires a fundamentally different approach than human-centric security models
Create an agent review process with relevant stakeholders from the platform, GRC, and security teams
Identify current agent activity in your environment
Model and catalog agent workflows and behavior to surface potential business and compliance risks
Define policies around agents to reduce business risk and ensure compliance with risk management frameworks
Ensure policies, standards, and controls related to agents conform with various emerging regulations in the US and the EU
Observe, model, and monitor agent activity as new agent capabilities are introduced into the environment
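As an added example (not code from the original post), the following Python script shows one concrete way to act on "identify current agent activity" and "observe, model, and monitor agent activity" for the kinds of MCP capabilities listed earlier (shell execution, file writes, sending email). It takes a constructed gateway log of MCP JSON-RPC messages, builds an inventory of which tools each agent has been offered by which server, and flags tool calls that fall under a high-risk capability class or that were never advertised to that agent. The method names tools/list and tools/call and the shape of the tools/list result (name, description, inputSchema) come from the MCP specification; the agent names, server names, tool names, log records, and the capability risk policy are assumptions made for this example.

```python
"""Inventory and risk-flag MCP tool activity from an agent gateway log.

Added example, not from the original post. Method names follow the MCP
spec; the log records, names and the risk policy below are constructed.
"""
import json

# Constructed gateway log: one JSON-RPC message per record, tagged with the
# agent and MCP server it flowed between. The last record is a call to a
# server whose tools/list result the gateway never saw.
SAMPLE_LOG = [
    {"ts": "2025-06-01T09:00:01Z", "agent": "copilot-finance", "server": "filesystem-mcp",
     "msg": {"jsonrpc": "2.0", "id": 1, "result": {"tools": [
         {"name": "read_file", "description": "Read the contents of a file",
          "inputSchema": {"type": "object"}},
         {"name": "write_file", "description": "Create or overwrite a file",
          "inputSchema": {"type": "object"}}]}}},
    {"ts": "2025-06-01T09:00:05Z", "agent": "copilot-finance", "server": "filesystem-mcp",
     "msg": {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
             "params": {"name": "read_file", "arguments": {"path": "/reports/q2.xlsx"}}}},
    {"ts": "2025-06-01T09:00:09Z", "agent": "copilot-finance", "server": "filesystem-mcp",
     "msg": {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
             "params": {"name": "write_file", "arguments": {"path": "/reports/q2-summary.md"}}}},
    {"ts": "2025-06-01T09:10:00Z", "agent": "sre-deployer", "server": "shell-mcp",
     "msg": {"jsonrpc": "2.0", "id": 4, "result": {"tools": [
         {"name": "run_command", "description": "Execute a shell command",
          "inputSchema": {"type": "object"}}]}}},
    {"ts": "2025-06-01T09:10:02Z", "agent": "sre-deployer", "server": "shell-mcp",
     "msg": {"jsonrpc": "2.0", "id": 5, "method": "tools/call",
             "params": {"name": "run_command",
                        "arguments": {"cmd": "kubectl rollout status deploy/api"}}}},
    {"ts": "2025-06-01T09:12:00Z", "agent": "marketing-research", "server": "mail-mcp",
     "msg": {"jsonrpc": "2.0", "id": 6, "method": "tools/call",
             "params": {"name": "send_email", "arguments": {"to": "press@example.com"}}}},
]

# Assumed review policy: (capability class, risk tier, keywords matched against
# the tool's name and description). First matching rule wins.
CAPABILITY_RULES = [
    ("shell_execution", "high", ("shell", "execute", "command")),
    ("filesystem_write", "high", ("write", "overwrite", "delete")),
    ("outbound_email", "high", ("send_email", "send an email")),
    ("database_write", "high", ("insert", "update record")),
    ("filesystem_read", "medium", ("read_file", "read the contents")),
    ("browser_control", "medium", ("browser", "navigate")),
]


def classify_tool(name, description=""):
    """Map a tool to a (capability, tier) pair using the keyword rules."""
    text = f"{name} {description}".lower()
    for capability, tier, keywords in CAPABILITY_RULES:
        if any(kw in text for kw in keywords):
            return capability, tier
    return "other", "low"


def build_inventory(records):
    """Collect the tools each (agent, server) pair was offered via tools/list results."""
    inventory = {}
    for rec in records:
        tools = rec["msg"].get("result", {}).get("tools")
        if tools is None:
            continue
        key = (rec["agent"], rec["server"])
        for tool in tools:
            inventory.setdefault(key, {})[tool["name"]] = classify_tool(
                tool["name"], tool.get("description", ""))
    return inventory


def audit_calls(records):
    """Annotate every tools/call with its capability, tier and whether it was advertised."""
    inventory = build_inventory(records)
    findings = []
    for rec in records:
        msg = rec["msg"]
        if msg.get("method") != "tools/call":
            continue
        key = (rec["agent"], rec["server"])
        name = msg["params"]["name"]
        known = inventory.get(key, {})
        if name in known:
            capability, tier = known[name]
            advertised = True
        else:  # no tools/list seen: classify from the name alone and flag it
            capability, tier = classify_tool(name)
            advertised = False
        findings.append({"ts": rec["ts"], "agent": rec["agent"], "server": rec["server"],
                         "tool": name, "capability": capability, "tier": tier,
                         "advertised": advertised})
    return findings


def needs_review(findings):
    """High-risk capability use, or any call to a tool the inventory never recorded."""
    return [f for f in findings if f["tier"] == "high" or not f["advertised"]]


if __name__ == "__main__":
    for finding in needs_review(audit_calls(SAMPLE_LOG)):
        print(json.dumps(finding))
```

The inventory produced by build_inventory is the raw material for the "model and catalog agent workflows" step: it answers which agent has been granted which capability class, independently of whether the capability has been used yet. The unadvertised-tool flag is the interesting failure mode for monitoring, since a call to a tool the gateway never saw offered usually means the inventory is incomplete rather than that the agent misbehaved.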
In future posts, I’ll be delving more into how security and GRC leaders should be thinking about assessing risk and securing agents while still enabling and accelerating their adoption.
It’s agents all the way down!