What is Agent Security Intelligence?
Here’s a question worth sitting with: your AI agents are being monitored. But are they actually secure?
Most organisations deploying agentic AI today would say yes — they have observability tools in place, they can see what their agents are doing, they have traces and dashboards. What they have, though, is performance data. Latency, token usage, error rates. That’s not the same thing as security.
Agent security intelligence is the dedicated layer that fills this gap — monitoring, tracing, and governing AI agent behaviour from a security perspective, not just an operational one. Think of it the way you think about SIEM in traditional software: not a replacement for your performance monitoring, but a completely separate function that’s asking different questions. Not “is this agent running?” but “is this agent safe?”
Right now, for most agentic AI deployments, that layer doesn’t exist.
This article is based on our recent webinar on agent security intelligence. Watch the full recording on YouTube.
Why Monitoring Your Agents Isn’t The Same As Securing Them
If you’re running an enterprise agentic AI platform, you’re almost certainly using OpenTelemetry — or something built on top of it, like LangSmith, Helicone, or Datadog’s AI monitoring. These tools are genuinely useful. They tell you:
- Latency and response times
- Token usage and costs
- Tool call traces
- Error rates and retries
- Agent execution spans
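Everything in that list is performance telemetry. As a rough illustration of what span-style tracing actually records, here is a stdlib-only sketch (deliberately not the real OpenTelemetry API) of a traced agent tool call — note that it captures timing, token counts, and errors, and never inspects whether the content flowing through is safe:

```python
import time
from contextlib import contextmanager

# Minimal stand-in for span-based observability (illustrative only,
# not the OpenTelemetry API): records performance facts about a call.
spans = []

@contextmanager
def span(name, **attributes):
    record = {"name": name, "attributes": attributes, "error": None}
    start = time.perf_counter()
    try:
        yield record
    except Exception as exc:
        record["error"] = repr(exc)
        raise
    finally:
        record["latency_ms"] = (time.perf_counter() - start) * 1000
        spans.append(record)

# A tool call is traced: we learn that it ran, how long it took, how
# many tokens it used -- but nothing about whether its input was poisoned.
with span("tool_call", tool="web_search", tokens=412):
    result = "search results..."  # the span never inspects this content

print(spans[0]["name"], spans[0]["attributes"]["tokens"])
```

The span answers "did it run, and how fast?" — the security questions in the rest of this article are simply out of scope for this data model.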
What they can’t tell you is whether your agents have been compromised.
Agentic platforms aren’t simple pipelines. They operate across complex topologies — hierarchical architectures, peer-to-peer swarm configurations, and multi-agent chains where one agent spins up others. And across those topologies, OpenTelemetry has real blind spots:
- Taint propagation: if a poisoned instruction enters Agent A and gets passed to Agent B and then Agent C, OpenTelemetry won’t trace that. It sees spans, not contamination.
- Multi-step attack chains: a sophisticated attacker doesn’t hit one agent — they traverse multiple, using different entry and exit points. Standard monitoring can’t reconstruct that chain.
- Policy violations at runtime: there’s no mechanism for checking whether agents are actually operating within their defined boundaries, only that they’re operating.
- Data exfiltration paths: OpenTelemetry can’t tell you which routes your sensitive data could travel externally.
- Kill switch enforcement: in most setups, there’s simply no way to halt a rogue agent mid-execution.
In traditional software, everyone understands that performance monitoring (APM) and security monitoring (SIEM/XDR) are different things that work together. We need the same separation for agentic AI, but that security intelligence layer is largely missing from the market right now.
The Numbers
The MIT AI Agent Index 2025 audited 29 production AI agents — not demos, not POCs, actual production systems — and found:
- 69% have zero security monitoring
- 49% don’t identify themselves as AI when interacting with other systems or users
- 25% have no kill switch whatsoever
What does this mean? Roughly seven in ten production AI agents are running with no security monitoring at all. One in four can’t be stopped if something goes wrong.
These aren’t projections. These are systems your peers are running today.
Three Attacks That Have Already Happened
It’s easy to treat agentic AI security as a future problem. These three cases from the past few months suggest otherwise.
1. The developer who stole 195 million government records (alone, in 30 days)
A single developer used an AI coding agent to exfiltrate 195 million records from Mexican government agencies. The attack ran for 30 consecutive days. Not a single security alert was triggered.
What made it possible wasn’t sophistication in the traditional sense — it was that the agent could do things standard monitoring was never built to catch:
- Prompt manipulation: the coding platform was disguised as a bug bounty tool, which was enough to bypass the safety guardrails on government chatbots
- Agentic persistence: the agent ran autonomously for a month with no human check-ins and no alerts
- Multi-model pivoting: Claude Code and GPT-4.1 were used across different attack phases — if one hit a rate limit, the other picked up
- AI as the exfiltration vector: 150GB across 10 agencies. The AI wasn’t a tool used in the breach. It was the breach.
Source: VentureBeat — Claude Mexico breach analysis, March 2026
2. De-anonymising 90,000 people for $2,000
This one came out of academic research — MATS, ETH Zurich, and Anthropic — but the implications are very much real-world.
The team demonstrated that LLM agents can de-anonymise 90,000 users at 90% precision. The pipeline was three steps:
- Extract: the LLM analyses text for identity signals — writing style, location references, professional context
- Search: semantic embeddings match anonymous accounts against a candidate pool like LinkedIn
- Verify: the LLM reasons over the top candidates to confirm identity
Total cost: around $2,000. Now think about pointing that capability inward at your enterprise network, at your employees, your customers, your internal communications.
Source: Lermen et al., arXiv 2602.16800 — MATS, ETH Zurich, Anthropic
3. OpenClaw: the agent China’s banks couldn’t stop
You’ve probably heard of OpenClaw — it went viral earlier this year. What got less coverage was China’s response: the national CERT issued two emergency warnings and banned it from banks and state agencies, citing a CVSS score of 8.8.
The vulnerabilities were a preview of what agentic AI security problems actually look like:
- Prompt injection via web: malicious instructions embedded in web pages would override agent behaviour, with no input sanitisation in place
- Poisoned plugins: plugins from open-source marketplaces could grant agents excessive read, write, and delete permissions over user files and connected apps
- Credential theft: the CVSS 8.8 flaw allowed full gateway compromise with no detection
- No halt mechanism: one user reported OpenClaw gained iMessage access and sent hundreds of messages — and there was nothing to stop it
The deeper issue: OpenClaw doesn’t emit standard OpenTelemetry signals. It’s effectively invisible to the monitoring tools most organisations rely on.
Source: China National CERT (WeChat, March 2026)
Where Agent Security Intelligence Fits In The Stack
If you map the current state of agentic AI security, it breaks down into five layers:
| Layer | Function | Example tools |
|---|---|---|
| Layer 5 — Agent knowledge | Memory and tool access | MCP (Anthropic), Mem0, LlamaIndex |
| Layer 4 — Agent orchestration | Building and running agents | OpenAI Frontier, Azure AI Foundry, AWS AgentCore, LangGraph, OpenClaw |
| Layer 3 — Agent security intelligence | Security governance | TraceCtrl (this layer is largely absent today) |
| Layer 2 — Agent observability | Performance monitoring | OpenTelemetry, LangSmith, Datadog, Helicone |
| Layer 1 — Code security | Shift-left scanning | Snyk, SonarQube, SAST tools |
Most organisations have Layers 1 and 2 covered. Almost none have Layer 3. That’s the gap.
What An Agent Security Intelligence Platform Actually Needs To Do
Four things, specifically:
1. Taint tracing
This is the ability to track how a compromised instruction or piece of data moves through a multi-agent system — from Agent A to Agent B to Agent C. NIST AI RMF requires it. The EU AI Act is moving toward requiring it for high-risk deployments. CSA Singapore’s Securing Agentic AI addendum already recommends it specifically for Level 2–3 systems. Currently, most organisations doing this are doing it manually.
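To make the idea concrete, here is a minimal sketch of taint propagation across agent hops. The class and method names are hypothetical, not any real product's API — the point is that taint carries a provenance chain with the derived message, which is exactly what span-level tracing discards:

```python
# Illustrative taint-propagation tracker (hypothetical API): tags
# untrusted input and follows it as agents derive new messages from it.
class TaintTracker:
    def __init__(self):
        self.tainted = {}  # message id -> provenance chain

    def mark(self, msg_id, source):
        """Tag a message from an untrusted source (e.g. external web content)."""
        self.tainted[msg_id] = [source]

    def propagate(self, parent_id, child_id, agent):
        """When an agent derives a new message from a tainted one,
        the taint -- and its provenance chain -- follows it."""
        if parent_id in self.tainted:
            self.tainted[child_id] = self.tainted[parent_id] + [agent]

    def provenance(self, msg_id):
        return self.tainted.get(msg_id)

tracker = TaintTracker()
tracker.mark("m1", "external_web_page")    # poisoned instruction enters Agent A
tracker.propagate("m1", "m2", "agent_a")   # A passes a derived task to B
tracker.propagate("m2", "m3", "agent_b")   # B passes it on to C

# The chain reconstructs the contamination path a span trace would miss
print(tracker.provenance("m3"))
```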
2. Attack path visualisation
Knowing that a vulnerability exists in one agent isn’t enough — you need to see the full exploitation chain. How would an attacker move through your agent topology? Which entry points lead where? What’s the blast radius if Agent 4 in a 12-agent system is compromised?
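The blast-radius question is, at its core, graph reachability. A rough sketch, assuming a hypothetical topology where edges mean "can send instructions or data to":

```python
from collections import deque

# Hypothetical agent topology (illustrative names): each edge is a
# "can send instructions/data to" relationship; agents can also reach
# downstream systems like databases and gateways.
topology = {
    "agent_1": ["agent_2", "agent_3"],
    "agent_2": ["agent_4"],
    "agent_3": ["agent_4", "agent_5"],
    "agent_4": ["crm_db"],
    "agent_5": ["email_gateway"],
}

def blast_radius(compromised):
    """Everything reachable from a compromised agent, via BFS."""
    reachable, queue = set(), deque([compromised])
    while queue:
        node = queue.popleft()
        for nxt in topology.get(node, []):
            if nxt not in reachable:
                reachable.add(nxt)
                queue.append(nxt)
    return reachable

print(sorted(blast_radius("agent_3")))
# ['agent_4', 'agent_5', 'crm_db', 'email_gateway']
```

A real platform would layer exploit conditions and entry points on top of this, but even plain reachability answers the "which systems and data are reachable?" question that most teams currently cannot.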
3. Runtime policy enforcement
Think of this as IAM policies for autonomous agents — not guidelines, but enforced constraints on what each agent can and cannot do at runtime. Right now, most agent security is advisory. It needs to be enforceable.
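A minimal sketch of what "enforced, not advisory" means in practice — the policy format and names here are invented for illustration, but the key property is that a disallowed call is blocked at the call site rather than merely logged:

```python
import functools

# Hypothetical per-agent policies: an allow-list of tools, checked
# before every call (the IAM-for-agents idea in miniature).
POLICIES = {
    "billing_agent": {"allowed_tools": {"read_invoice", "create_report"}},
    "support_agent": {"allowed_tools": {"read_ticket", "send_reply"}},
}

class PolicyViolation(Exception):
    pass

def enforce_policy(func):
    @functools.wraps(func)
    def wrapper(agent, tool, *args, **kwargs):
        allowed = POLICIES.get(agent, {}).get("allowed_tools", set())
        if tool not in allowed:
            # Enforced, not advisory: the call never executes.
            raise PolicyViolation(f"{agent} is not permitted to call {tool}")
        return func(agent, tool, *args, **kwargs)
    return wrapper

@enforce_policy
def call_tool(agent, tool, payload):
    return f"{agent} ran {tool}"

print(call_tool("billing_agent", "read_invoice", {}))  # permitted
try:
    call_tool("billing_agent", "send_reply", {})       # blocked at runtime
except PolicyViolation as e:
    print("blocked:", e)
```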
4. Kill switch and audit controls
The ability to stop an agent mid-execution when something goes wrong, paired with comprehensive audit trails that can satisfy regulators. These are the controls that NIST, the EU AI Act, and CSA Singapore are all pointing toward.
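These two controls fit naturally together: the same checkpoints that write the audit trail are where a kill switch can take effect. A simple sketch under assumed names (a shared event checked between agent steps, with every action timestamped):

```python
import json
import threading
from datetime import datetime, timezone

# Illustrative kill switch plus audit trail (hypothetical design):
# every action is logged, and a shared event halts the agent at the
# next checkpoint between steps.
kill_switch = threading.Event()
audit_log = []

def audit(agent, action, detail):
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent": agent,
        "action": action,
        "detail": detail,
    })

def run_agent(agent, steps):
    for step in steps:
        if kill_switch.is_set():
            audit(agent, "halted", "kill switch engaged")
            return "halted"
        audit(agent, "step", step)
    return "completed"

print(run_agent("mail_agent", ["read_inbox", "draft_reply"]))  # completed
kill_switch.set()
print(run_agent("mail_agent", ["send_reply"]))                 # halted
print(json.dumps(audit_log[-1], indent=2))
```

The granularity of the checkpoints is the design decision that matters: a switch checked only between tasks would not have stopped the OpenClaw iMessage incident described above, where hundreds of messages went out inside a single run.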
Six Questions Worth Asking Before Your Board Does
Regulators under NIST AI RMF, the EU AI Act, and CSA Singapore’s agentic AI framework are starting to formalise requirements around these. Better to work through them now than when an auditor is asking.
Start here:
- How many AI agents are deployed across our environment, and what data can each one access?
- If an agent is compromised, what’s the blast radius — which systems and data are reachable?
Then:
- Do we have enforceable security policies governing what each agent can and cannot do at runtime?
- Can we shut down a rogue agent within 60 seconds?
And ultimately:
- Can we produce audit evidence of every agent action for regulators?
- Are we aligned with NIST AI RMF, EU AI Act, and CSA Singapore’s guidance?
If the honest answer to most of these is “not yet” — that’s not unusual. But the window for getting ahead of this is narrowing.
The Regulatory Context
Three frameworks now explicitly address agentic AI security, and they’re moving in the same direction:
- NIST AI Risk Management Framework: requires audit trails and risk tracing for autonomous AI systems
- EU AI Act: mandates risk tracing and human oversight mechanisms for high-risk agentic deployments
- CSA Singapore — Securing Agentic AI Addendum: recommends taint tracing for Level 2–3 systems; notes that current manual approaches are insufficient
The organisations building the agent security intelligence layer now will be better positioned than those waiting for enforcement to force the issue.
Watch The Webinar
This article covers the key ideas from CloudsineAI’s March 2026 webinar on agent security intelligence. The full session goes deeper on all three attack cases, includes a live walkthrough of the email responder attack path, and ends with a Q&A.