Categories don’t announce themselves. They consolidate. One vendor’s announcement is a product. Two vendors’ competing approaches to the same problem is a market. RSAC 2026 produced the second kind.
The prior-cycle brief, “Agentic AI News: Four Vendors Reveal Competing Security Approaches for AI Agents at RSAC 2026,” established the landscape: multiple major security vendors treating AI agent governance as a defined, named security problem. This piece asks the follow-on question: now that the category exists, what does it actually require enterprise security architects to decide?
The Architecture Divide
CrowdStrike’s RSAC 2026 AI agent security work centers on identity-centric risk graphing and normalized agent views, a framework that treats AI agents as identity objects subject to the same risk assessment, privilege management, and behavioral monitoring applied to human and non-human identities. According to CrowdStrike’s announced approach, the platform surfaces unified views of agent activity across integrated platforms. The confirmed integration list includes Microsoft Copilot, Salesforce Agentforce, and ChatGPT Enterprise, per CrowdStrike’s announced integrations. Independent verification of specific feature capabilities is not yet available; these characterizations are attributed to CrowdStrike’s announcements at RSAC 2026. A working source URL for the full product detail is pending; see CrowdStrike’s blog announcement.
Cisco took a different structural approach. Rather than folding AI agent governance into the identity layer, Cisco treated it as an authentication and access management problem from the ground up. Duo Agentic Identity, one of the named products Cisco announced according to Network World’s RSAC coverage, applies adaptive MFA and authentication principles to AI agent interactions. DefenseClaw and AI Defense: Explorer Edition address detection and self-service security testing for organizations deploying AI agents. These characterizations are attributed to Cisco’s RSAC announcements and await working-URL confirmation.
The distinction is real. CrowdStrike starts from identity and risk graphing. Cisco starts from authentication and access control. Both end up in roughly the same place, monitoring what AI agents do and constraining what they can access, but the architectural path matters for how these frameworks integrate with existing security infrastructure.
What They Agree On
The consensus threat model is more revealing than the architectural differences. Both vendors have oriented their frameworks around the same three problems:
*Shadow AI*: agents deployed without security team awareness or authorization. The threat is not primarily that authorized agents are compromised, but that an unknown number of agents are operating outside the governed perimeter entirely.
*Excessive privilege*: agents operating with broader access than their task requires. The principle of least privilege is the foundation of zero-trust architecture. Agentic systems with broad tool access violate it by design unless constrained at deployment.
*Unmonitored agent behavior*: agents that don’t generate auditable logs, or that generate logs that aren’t integrated into the SIEM/SOC workflow. Monitoring agents the way you monitor users requires that agents have persistent, traceable identities.
This consensus is significant. When competing vendors converge on the same threat model, it usually means they’ve done independent customer research and found the same problems. Enterprise security teams facing these three issues can start their AI agent governance program with reasonable confidence that they’re working on the right problems.
What Enterprises Must Decide
Three architectural questions now require answers from security teams deploying AI agents at scale.
*Integration path.* CrowdStrike’s approach works within an existing identity governance infrastructure. Cisco’s approach extends IAM principles to a new class of entity. The right choice depends heavily on which vendor’s security stack is already in place, and whether your organization’s primary security identity tooling is built on CrowdStrike Falcon or Cisco’s security platform. Enterprises with neither will face a build-or-buy decision without a clear platform anchor.
*Scope definition.* Neither framework visibly addresses the full agent lifecycle. Authorization at deployment is not the same as continuous behavioral monitoring across a long-running agent’s operational lifespan. Security teams need to define what “governed” means: initial authorization only, or continuous runtime monitoring with anomaly detection. That scope definition should precede vendor selection.
*Kill-switch and human-in-the-loop design.* This is the governance gap both frameworks leave partially unaddressed. Neither CrowdStrike’s identity-centric approach nor Cisco’s IAM extension describes a systematic kill-switch mechanism: a defined, tested procedure for interrupting an agent’s operation when it exhibits unexpected behavior. The NIST AI RMF’s guidance on human-in-the-loop design is the relevant framework here. Organizations that deploy AI agents without a tested kill-switch procedure are making a governance decision, whether or not they’ve framed it that way.
The Governance Gap
The vendor frameworks cover detection, authorization, and visibility. They don’t cover the governance architecture that lives upstream of the security tooling. Who authorizes which agents to run with which privileges? What’s the process for escalating anomalous agent behavior to human decision-makers? What’s the accountability chain when an agent acts outside its intended scope?
These aren’t product questions. They’re policy and process questions. The security vendors’ frameworks presuppose that the policy layer exists. For most enterprise organizations, it doesn’t yet. Building the product layer before the policy layer is a common enterprise technology pattern, and it usually creates the same outcome: tools deployed without the governance structures to use them well.
TJS synthesis: RSAC 2026 gave the AI agent security category its commercial form. CrowdStrike and Cisco have done the product work. The gap is now squarely on the enterprise side. Security architects who walk away from this week’s announcements asking “which vendor do we buy?” are asking the second question. The first question is: what is our AI agent authorization policy, and who owns it? The security products are ready. The governance programs that need to deploy alongside them, in most organizations, are not.