Palo Alto Networks EVP:
Securing AI Agents in the Enterprise
Enterprises are deploying AI agents faster than security teams can see or govern them, and those agents inherit user credentials and sessions. Anand Oswal of Palo Alto Networks explains how CISOs can discover, control, and secure agents in the enterprise.
As AI agents spread through the enterprise in 2026, CISOs must secure systems that move at machine speed without slowing the business that depends on them. Anand Oswal, EVP, Network Security at Palo Alto Networks, examines the four surfaces where agents run, why discovery comes first, and runtime threats, including prompt injection and memory poisoning. The conversation also covers agent identity, the centralized AI gateway, and a platform approach over stitched-together point products.
Key Points
- Discovery comes first because you cannot secure agents you cannot see, and agents now span enterprise, SaaS, endpoint, and browser surfaces.
- Agents introduce runtime threats such as prompt injection, memory poisoning, tool misuse, and model denial-of-service attacks, and they inherit user credentials, enabling identity impersonation.
- Route all agentic traffic through a centralized AI gateway and one unified security platform rather than stitching together separate point products.
Enterprises are adopting AI agents faster than security teams can find them, making agentic AI security an urgent CISO priority in 2026. Agents hold credentials, call tools, and act autonomously, so one exploited agent operates with its user's full access at machine speed. In episode 926 of CXOTalk, Anand Oswal, EVP of AI and Network Security at Palo Alto Networks, describes a practical sequence: discover every agent first, then apply identity, runtime, and governance controls through a centralized AI gateway.
What the conversation covers
- The four surfaces where agents run: enterprise, SaaS platforms, endpoints, and the browser
- Why vibe coding agents and third-party MCP servers expand the supply chain attack surface
- How browser agents holding live sessions and cookies enable identity impersonation
- New runtime threats: prompt injection, memory poisoning, tool misuse, and model denial of service
- Agent identity: deciding what an agent can connect to, with what permissions, for how long
- Why a centralized AI gateway and a unified platform beat stitched-together point products
Episode Participants
Anand Oswal is the Executive Vice President and General Manager of AI and Network Security at cyber security leader Palo Alto Networks.
Michael Krigsman is a globally recognized analyst, strategic advisor, and industry commentator known for his deep expertise in business transformation, innovation, and AI leadership.
In This Episode
Agent memory poisoning and tool misuse
Michael Krigsman: AI application agents drive amazing level of productivity. They do not want to be slowed down by the IT teams and the security teams. At the same time, the IT and security teams want to make sure that they have governance, they have control, and that their environment is secure. What happens when agents fail or get exploited at machine speed, and what should security leaders do about it?
Anand Oswal: Securing an AI application is different from securing a regular application. Now, if you think of an agent, it extends that architecture. So agents will have short-term memory because they need to recall what they did in the past for you, and agents need to have long-term memory because they need to get personalized to what you wanted, your behavior. Now, there are new types of attacks of memory poisoning. If I poison the memory, then I can alter the behavior of the agent. They will do tool calls. They will call different things.
What if I now have tool misuse or tool abuse? So this is the kind of things that differentiate agents from just regular applications.
Discovering shadow agents across four surfaces
Michael Krigsman: Agents aren't hypothetical anymore. Nearly every group in a large enterprise is building or buying agents. Security teams don't keep an inventory. Users are vibe coding with Codex, Claude Code, Cursor, and others. Already, there are more agents running in the enterprise than security knows exist.
Anand Oswal: Agents are really in 4 different digital surfaces, Michael: enterprise agents, agents on SaaS platforms, agents on your endpoints, and agents in the browser. And while many of the controls and mechanisms that they have to secure it will be similar, each of them come with their nuances. You first need to have complete discovery. If you don't know what's running in your enterprise, you can't secure it. A complete inventory of everything around your AI ecosystem, your applications, your agents, your models, your tools, your plugins, your infrastructure.
You need to know how AI flows in your enterprise. And then you can apply the right level of controls, your controls for posture, your controls for supply chain, your controls for runtime, your controls for identity, having governance, et cetera. AI application agents drive an amazing level of productivity for the businesses. You're seeing it across every single enterprise across the board. They do not want to be slowed down by the IT teams and the security teams.
At the same time, the IT and security teams want to make sure that they have governance, they have control, and that their environment is secure. From a security perspective, we have to be right every time. We can't miss anything. The attackers, they have to be right once.
Vibe coding agents and MCP risk
Michael Krigsman: Let's discuss each of these agent types one by one. First, the most common type of agent in the enterprise, vibe coding agents. Developers are using open source MCP connectors and integrations to ship software faster than ever. These agents need deep access to users' computers, files, terminals, source code, enterprise apps, and cloud storage. Palo Alto Networks research suggests that one third of publicly available MCP servers carry takeover level vulnerabilities, and that doesn't even count open source MCP servers that have intentionally malicious code.
Coding agents are already on developer laptops with deep access to source code, terminals, and cloud credentials. What should CISOs do?
Anand Oswal: The most popular agents in the enterprise today are agents for coding. These are vibe coding agents. For these agents to really vibe, as they call it, they need privileges. They need to access your local file system, read and write permissions. These vibe coding agents, they also will access the Internet. They'll access third-party MCP servers, third-party GitHub servers. So now you have these things which are not just on your laptop, but accessing things outside your managed ecosystem of your endpoint.
At the same time, they're also downloading things like skills, tools, and plugins or local MCP servers. Now, these can have a variety of different risks. It increases your attack surface. You need to first understand what's running on your employees' laptops. Discovery is the first step. Then you need to scan artifacts or skills for any threats that you see for your supply chain risks. Then you need to make sure that only things that you sanction are running on the employee's workstation.
Then you need to provide the right level of controls from both an access perspective as these agents talk to the outside world and as the agents do things. And then when you get responses back to the vibe coding agent, you need to scan them for runtime threats. So you require a comprehensive view over from discovery to scanning for supply chain risk, from privilege control and runtime threats to secure your vibe coding agent on your employee's managed desktop.
Browser agents and session misuse
Michael Krigsman: So that's vibe coding agents. Let's now talk about agents in the browser. A sales rep uses an agentic browser to research prospects while she's on a Zoom call. Her agent visits a web page containing a hidden prompt injection. The agent uses her active session to forward customer data before she finishes the call. What's the specific risk when an agent operating through a browser holds the same login credentials and session cookies as a human?
Anand Oswal: The browser is now your de facto workspace. When you have agents in the browser, these browsers are going to work for you 24x7, doing things on your behalf. It's great for productivity. But imagine now the risks associated with as well. These agents will have access to your session history, your cookies, your passwords, the files that are local on the browser itself. This is increasing your attack surface. If they are calling some tools and plugins on your behalf, they're doing identity impersonation on your behalf.
You have to protect all of these things holistically. And just like the example I talked about, the vibe coding agent, browser agents need to also be secured consistently from understanding what's running to discovery to protecting on runtime threats and the right level of privilege controls. Majority of the time you spend is in the browser, or as some people joke sometimes, we live in the browser. That's where all the threats come in as well. How do I protect from runtime threats like screen scraping and other threats, URL phishing attacks, et cetera?
So all of these things had to be thought holistically to secure these agentic browsers.
Runtime threats and prompt injection
Michael Krigsman: Speaking of runtime threats, the most dangerous attacks on agents occur while they're working on live production systems with real code, real corporate data, and real customer accounts. Anand, what are the runtime threats against agents that CISOs should understand?
Anand Oswal: There are new types of runtime threats. You have these things called prompt injection. In a very simple way, prompt injection is making the application or the agent deviate from the guardrails that you had set when you built it. So now I'm able to get information from the application agent that is not intended for me. So if I'm an agent for a banking application, I'm able to get, say, Michael, your bank balance instead of mine. I'm able to fool it to deviate from its guardrails.
And then there are model DoS attacks, there are tool misuse attacks. All of these are different runtime threats that exist as we are going with AI applications and agents.
Agent-to-agent protocols and attack surface
Michael Krigsman: Besides runtime threats, are there any other inherent challenges to securing agents? For starters, they need access to your apps, your code, and your computer data, and they don't work alone.
Anand Oswal: AI agents are calling a variety of different agents, and also they are doing that via new protocols, MCP, A2A, and there'll be other protocols in the future. So now when you think about all of these attacks, it increases your attack surface. You have different protocols, different tool calls, and different identities that you are connecting to. So all of this needs to be secured by design. It all starts with discovery, understanding what's in your enterprise, and ensuring that you have all the right level of controls.
You cannot have unsecured and ungoverned agents in your enterprise because these will call unauthenticated MCP servers, different tools, and do different actions on your behalf.
Agent identity and the control plane
Michael Krigsman: Agents also have the capability to behave autonomously on behalf of you. When an agent uses your credentials, whether a password, an API key, or a session token, that agent now operates with your full access. If an attacker manipulates the agent, your security and privacy are at risk. Anand, how can enterprise security leaders manage identity when automated agents can secretly impersonate users?
Anand Oswal: You need to ensure that you have agents that are governed. So agents which are unsecured, are ungoverned, are not existing in your enterprise. You need to have a centralized security control plane and an operational control plane for all your agentic traffic to go through. Now, that is the right place for you to apply all the levels of identity controls. What can the agent connect to? What kind of permission does it have? How long is that permission for? Can it do privileged tasks?
Is it acting on behalf of the user or having its own identity? All of these are very critical and can be solved at the centralized gateway. When you have this plethora of different agents in the enterprise, your risks don't just multiply, your risks will mutate.
Centralizing control at the AI gateway
Michael Krigsman: Most companies developing AI applications and agents lack the infrastructure needed for observability, governance, and policy enforcement. Anand, how does Palo Alto Networks recommend solving the problem of agent safety and governance? We've been hearing about AI gateways. What's that?
Anand Oswal: Now, if you think about agents getting deployed in the enterprise en masse, it can be quite chaotic because your lack of operational governance and control. So it's very important to have all this agentic traffic go through a centralized AI gateway. That AI gateway is now the one stop where you're applying all your operational controls, but also you're applying your security controls. Now, when I say operational controls, it means financial operations controls, tokenomics, what model I'm using, how can I have high availability, routing, et cetera.
When I think of security controls, I think of runtime controls, I think of identity controls. I want end-to-end observability of the agent. Without a centralized AI gateway, it'll be very chaotic. It'll be hard to manage as we have so many agents in the enterprise.
Zero trust and an AI-driven SOC
Michael Krigsman: Agents are reshaping enterprise workflows and have the potential to completely change how companies operate. For an enterprise experimenting with agents today, where should the CISO focus?
Anand Oswal: This is happening in the enterprise. The benefits are huge. You get productivity benefits, agility, speed, optimizing your costs, and so on and so forth. So there's a big demand from the businesses that they go on this journey quickly. Now, if you think of a CISO, their biggest concern is that, how do I ensure that I don't slow the business down? At the same time, I do this in a secure manner. I also need to understand that it's not just about AI security and agent security.
I need to up-level all the constructs I have from a 0 trust perspective, from an AI-driven SOC perspective, because all of these need to be in line in real time. But it's also important to up-level the security posture of an entire organization. Projects have been on the back burner for how do you have 0 trust across the enterprise. You need to have an AI-driven SOC. These threats cannot be stopped manually anymore. You have to bring in products and tools which leverage AI to fight AI.
One platform, not point products
Michael Krigsman: Anand, if a CISO walks away from this conversation with one thing they must do now, what should it be?
Anand Oswal: Have a platform-centric approach to secure your AI applications and agents. You can't fight tomorrow's battle with tools and theories you had yesterday. Plethora of different point product that you're stitching it together. It is not going to work. Have a unified AI security platform that can provide you all the capabilities, model scanning, agent artifact scanning, red teaming, posture management, all the runtime controls, all the identity controls, a centralized AI gateway to give you that operational control, that governance, the observability, all these stitched together, delivered as a unique platform. And that's Prisma AI from Palo Alto Networks.
Michael Krigsman: Anand Oswal, Executive Vice President of Palo Alto Networks, thank you for taking time today.
Anand Oswal: Thank you, Michael.

