Enterprise Security in the Agentic AI Era
This research wiki tracks how agentic AI reshapes enterprise cybersecurity on two fronts: how organizations secure the AI systems they deploy, and how they defend the rest of the estate when attackers operate AI at machine speed. It synthesizes primary sources (frameworks, standards, peer-reviewed papers, vendor research, practitioner conference talks, and incident disclosures) into a cross-linked, independently maintained knowledge base.
The wiki serves security executives, architects, detection engineers, and AI builders who need a view of the field broader than a vendor blog or a single framework. Two design choices distinguish it. First, the wiki separates aggregated pages (summaries of external work) from produced deliverables it authored. The reference architectures, capability maturity models, playbooks, gap pages, and thesis syntheses are the artifacts a reader can carry into a board meeting or an architecture review. Second, every numeric and absence claim cites a primary source, lint-enforced, so the conclusions are auditable.
On this page
- Where the field stands, mid-2026: the current state on one screen.
- Securing AI: deploying and red-teaming AI systems safely.
- AI for defense: defenders using AI for detection, response, and vulnerability discovery.
- AI for offense: attackers using AI to exploit at machine speed.
- Defending against AI-driven attacks: SDLC, supply chain, and operational programs under AI-augmented adversaries.
- Anchor deliverables: the reference architectures, maturity models, and theses the rest cross-references.
- Continue reading: full catalog and per-folder indexes.
Where the field stands, mid-2026
Three shifts define the operational ground.
Time-to-exploit has collapsed. Sergej Epp’s Zero Day Clock reports the median time-to-exploit falling from 771 days in 2018 to a same-day median by 2025. For the median exploited vulnerability, the exploit now arrives on or before disclosure.1 MOAK supplies the attacker-side mechanism: an autonomous pipeline that exploited 174 of 178 tested CISA KEV vulnerabilities, often within hours of disclosure.
Frontier-AI vulnerability discovery has reached production. Microsoft, Google, Anthropic, OpenAI, and several open-source projects ship harness-plus-model systems that find real bugs in production software at industrial scale. See the thesis for the argument that the harness, not the model, carries the durable engineering. Capability remains uneven: the frontier is jagged, so no single model wins across tasks.
Enterprise deployment converges on shared patterns. Application security and security operations both adopt a supervisor-worker agent topology, an explicit human-authority boundary, and continuous evaluation built into the loop. The wiki captures that convergence as two produced pairs: for securing AI applications, a six-plane reference architecture and a five-by-nine capability maturity model; for the agentic SOC, a parallel pair.
The four sections below treat each axis the wiki tracks.
Securing AI
This axis covers how to deploy AI agents safely in production, and how to red-team and pentest the AI applications an organization builds. The surface spans the framework layer (NIST AI RMF, IEC 42001, OWASP LLM Top 10, OWASP Agentic Top 10), enterprise control-plane products (Microsoft ZT4AI and Agent 365, Google SAIF, Okta for AI Agents), the per-agent identity primitives that govern an agent’s authority, and the red-team tooling that probes the result. The wiki has now completed clause-level reviews of all 11 priority standards it tracks (see the standards-review backlog), so each gap claim against a named standard rests on bounded, primary-source-cited absence claims rather than a wiki summary. The reviews show a consistent split: governance standards specify duties without agentic controls, and agentic-control taxonomies specify threats without graded, auditable maturity criteria.
The recurring failure mode is prompt injection that reaches a privileged action. The lethal trifecta (untrusted input, private data, and external tools combined in one agent) names the structural test for it. Threat modeling for AI is the method that ties together six competing taxonomies, among them OWASP ASI, the T-code reference model, MITRE ATLAS, CSA MAESTRO, and STRIDE-AI. A single reconciliation matrix maps each one to a reference-architecture plane and a maturity-model domain. The reference architecture then organizes the responses: deterministic policy enforcement, plan-validate-execute patterns, and runtime guardrails.
Start here:
- Agentic AI Security Reference Architecture: the six-plane structural model (Identity, Control, Runtime, Egress, Data, Observability).
- Agentic AI Security CMM 2026: the five-level by nine-domain capability maturity model with cross-domain dependency caps and ID-tagged evidence.
- Threat Modeling for AI: the spine that reconciles the six threat taxonomies and walks one worked example from threat to control.
- OWASP Agentic AI Top 10: the agent-orchestration risk taxonomy.
- Non-Human Identity: the machine credential an AI agent carries, now a GA platform-native capability on the three hyperscalers.
- Red Teaming for AI: Synthesis: the testing thesis covering probe libraries, orchestration, and continuous adversarial evaluation.
- Microsoft SDL for AI: the first major-vendor secure-SDLC framework with an explicit AI extension.
AI for defense
Defenders run AI in two disciplines.
Vulnerability discovery and remediation. Five vendors now run production pipelines that find real bugs in shipped software: Anthropic (Project Glasswing, Claude Code Security), Microsoft (MDASH), Google (Big Sleep, CodeMender), OpenAI (Codex Security), and Knostic (OpenAnt). AISLE found all twelve OpenSSL CVEs in the January 2026 coordinated release, one of them dating to 1998. The vendors converge on a shared discipline: rule-based static analysis is the prior generation, the model reads code the way a researcher does, and the harness owns false-positive control. Open-source pipelines such as OpenAnt and AISLE supply the auditable counterpart to the proprietary vendor stacks.
Security operations. The agentic SOC converges on a supervisor-worker topology with an explicit human-authority boundary and evaluation built into the loop. Practitioner accounts from Salesforce, GreyNoise, Datadog, Wiz, and Airbnb show the pattern across detection engineering, threat hunting, incident response, and continuous evaluation. The wiki captures this as a produced pair: the Agentic SOC Reference Architecture and the Agentic SOC CMM. Their organizing rule is maturity gates autonomy: a SOC function runs only at the autonomy its weakest governing domain supports.
Start here:
- Frontier AI for Vulnerability Discovery: the thesis synthesizing the production vulnerability-discovery paths.
- Agentic SOC: State of the Field: the defender-operations thesis.
- Agentic SOC Reference Architecture and Agentic SOC CMM: the produced defender-operations pair.
- Project Glasswing: the twelve-partner coalition organizing AI vulnerability discovery on critical infrastructure.
- Jagged Frontier: the empirical observation that capability does not scale smoothly with model size, which bounds vendor productivity claims.
AI for offense
Attackers now operate AI as a kill-chain primitive, not a force multiplier bolted onto an existing TTP. The wiki separates this axis from defensive use because the operating constraints differ: attackers optimize for cost per successful exploit, evasion, and target selection, not explainability or audit, so their architectures and benchmarks diverge from the defenders’.
MOAK is the clearest demonstration: a five-agent pipeline on a frontier model that autonomously reproduced exploits for 174 of 178 CISA KEV CVEs, often within hours of disclosure (how it works). On the AppSec side, XBOW’s independent Mythos evaluation reports a 42 to 55% reduction in false negatives versus the prior model on a web-exploit benchmark, with the larger reduction when the test gets source-code access.2 AI-driven offensive testing also appears as a productized service category. Wiz Red Agent, Palo Alto’s Unit 42 AI pentesting, and CrowdStrike Frontier AI Readiness apply the same substrate at enterprise scale.
The threat surface this opens (vulnerability-storm-class exposure, compressed disclosure windows, and AI-against-AI campaigns) is the subject of the defending-against axis below.
Start here:
- Offensive AI: State of the Field: the thesis tracking the attacker-side architecture as sources land.
- MOAK: autonomous exploitation of 174 of 178 CISA KEVs, the attacker-side reality check.
- XBOW Mythos Evaluation: an independent third-party offensive evaluation of frontier vulnerability-discovery capability.
- Claude Mythos Preview: the frontier model behind most of the named offensive and defensive harnesses.
Defending against AI-driven attacks
This axis covers how the SDLC, the software supply chain, identity, and operational security must evolve once adversaries hold frontier-AI capability. The wiki’s argument: the traditional SSDF-plus-SAMM foundation is structurally correct but materially incomplete in 2026. Three forces require accommodation. AI-augmented attacker pace (the time-to-exploit collapse named above). AI-component governance (existing frameworks have no AI extension or only partial coverage). A productivity-pace mismatch (a controlled trial found experienced maintainers somewhat slower with early-2025 AI tools on their own repositories; see the METR RCT). The recommended six-layer framework stack composes an AI overlay, a supply-chain layer (SLSA, CycloneDX), and operational alignment (NIST CSF 2.0) on top of that foundation.
The threat side is no longer hypothetical. GTG-1002 (disclosed November 2025) is the first publicly reported AI-orchestrated espionage campaign, and the Mexican government breach (February 2026) is a non-state-attributed peer. Supply-chain campaigns recur at ecosystem scale: prt-scan and the Month of AI Bugs series show the pattern that the wiki’s supply-chain hardening and agent-supply-chain pages cover.
Start here:
- SDLC in the AI-Attacker Era: the threat-model thesis.
- Secure-SDLC Framework Stack for 2026: the six-layer composition recommendation.
- Mythos-ready Security Program: the CISO playbook (ten-question triage, thirteen-row risk register, eleven-row priority actions, ninety-day plan).
- Zero Day Clock: the empirical time-to-exploit-collapse anchor.
- VulnOps: Gadi Evron’s permanent-function framing for AI-era vulnerability response.
- Cyber Poverty Line: Wendy Nather’s anchor for the capability gap between attackers and small-team defenders.
Anchor deliverables
The wiki holds two grades of page. Most are aggregated: summaries of external frameworks, papers, vendors, and incidents. A smaller set is produced: deliverables the wiki authored that a reader can carry into an architecture review, a CMM scoring session, or a board briefing. Point-in-time assessments of those deliverables (standards reviews, validation passes, stress tests) collect under Reviews as dated, frozen snapshots.
Structural anchors, application security. Six planes for the agentic-AI estate, scored by a nine-domain maturity model.
- Agentic AI Security Reference Architecture: six planes (Identity, Control, Runtime, Egress, Data, Observability) with deployment-shape mappings and a threat-control matrix spanning the OWASP Agentic Top 10 and the five threat classes, cross-walked in the reconciliation matrix.
- Agentic AI Security CMM 2026: five levels by nine domains with cross-domain dependency caps and ID-tagged evidence. Companions: the standards crosswalk, the measurement protocol, and the dependency rules.
Structural anchors, security operations. A parallel pair for the agentic SOC, distinct from the application-security pair and overlapping only where the SOC’s own agents need to be secured.
- Agentic SOC Reference Architecture: six planes and per-function agent surfaces, cloud-native and SIEM-less by default.
- Agentic SOC CMM: a per-function autonomy ladder gated by eight maturity domains, under one rule: maturity gates autonomy.
Thesis anchors. Each axis carries an evolving synthesis the wiki updates as evidence lands.
- Frontier AI for Vulnerability Discovery: defense.
- Agentic SOC: State of the Field: defense and operations.
- Offensive AI: State of the Field: offense.
- SDLC in the AI-Attacker Era: defending against AI-driven attacks.
- Red Teaming for AI: Synthesis: securing AI.
The two structural pairs and the five theses are the produced deliverables most readers will want as a starting point.
Continue reading
- Full catalog: the comprehensive page list (denser format; also serves the LLM-facing workflow).
- Per-folder indexes:
- Frameworks · Architectures · Practices · Maturity Models
- Papers · Concepts · Thesis · Comparisons
- Gaps · Reviews · Incidents · Playbooks
- Entities: organizations, products, and people.
For wiki conventions and the writing register, see conventions.
Notes
Footnotes
-
The Collapse — Zero Day Clock, 2026. Median TTE by year: 771 days (2018), 84 days (2021), 6.36 days (2023), 4 hours (2024), zero-day (2025–2026). ↩
-
XBOW — Mythos for Offensive Security: XBOW’s Evaluation, 2026-05-12. 42% false-negative reduction versus Opus 4.6 without source access, 55% with source access. ↩