Agentic AI in Security Operations: The Opportunity Nobody Prepared For

TL;DR

Agentic AI is showing up in security tools fast. Gartner projects 40% of enterprise applications will include AI agents by the end of 2026, up from under 5% the year before (Gartner, 2026). Meanwhile, BigID's 2025 survey found that only about 6% of organisations have an advanced AI security strategy in place. That gap is the story. The Australian Cyber Security Centre (ACSC) published guidance in May 2026 that maps agentic AI risks and opportunities across six Information Security Manual (ISM) functions. This post breaks down what agentic AI actually is, where it fits in security operations, where it can hurt you, and what your team should do right now.

What Agentic AI Actually Is

Agentic AI is not a chatbot with a nicer interface. It is a system that independently plans, decides, and takes actions to achieve a goal. The ACSC's May 2026 advisory defines it as AI that uses large language models combined with external tools, data sources, memory, and predefined workflows to complete tasks with limited human involvement. It can adapt its behaviour based on context, create subtasks, and even spin up subagents to handle pieces of a larger job.

Think of it this way: a traditional AI model answers a question. An agentic AI system identifies that a question needs answering, figures out what information it needs, pulls that information from multiple sources, cross-references the results, decides on a course of action, executes that action, and then evaluates whether it worked. All without a human clicking "next" between each step.

That autonomy is the whole point, and it is also the whole problem. When you reduce human involvement in the loop, you gain speed and scale. You also lose the natural checkpoint that catches errors, misinterpretations, and malicious manipulation. The ACSC is blunt about this: agentic AI introduces additional risk precisely because of that reduced human oversight.

The Security Use Cases

Despite the risks, agentic AI has genuine, practical value in security operations. The ACSC maps specific use cases across its ISM framework. Three stand out for security teams.

Threat Detection and Triage

In the Detect function, agentic AI can run inside a SOC platform to correlate DNS queries, API calls, and network flow data in parallel. Instead of an analyst writing a query, waiting for results, adjusting the query, and repeating, an agentic system can orchestrate that entire investigative loop. It pulls from multiple data sources, identifies patterns that cross traditional tool boundaries, and surfaces the findings with context already attached.

For resource-constrained teams, this is the difference between catching an attack in progress and reading about it in a post-mortem. The system does not replace the analyst. It compresses the time between "something looks odd" and "here is what is happening, here is the evidence, and here are the likely next steps."

Incident Response Surge Capacity

In the Respond function, agentic AI can sequence response actions, draft incident updates for stakeholders, and augment surge capacity when an incident overwhelms the on-call team. When a breach kicks off at 2 AM and your three-person SOC is drowning in alerts, an agentic system can triage incoming signals, group related alerts into a single incident, suggest containment actions, and prepare a status report for leadership before the first coffee is brewed.

This is not theoretical. Large enterprises are already deploying these capabilities. The key constraint from the ACSC: any AI-assisted action must be traceable and reviewable. You need to know what the AI did, why it did it, and be able to reconstruct that chain of reasoning after the fact.

Recovery Automation

In the Recover function, agentic AI can trigger automated recovery actions like restoring from backup, reconfiguring firewall rules, or rotating compromised credentials. The ACSC draws a hard line here: human approval is required for any destructive or irreversible changes. An agent can prepare the recovery plan and queue the actions, but a human must confirm before the system tears down a compromised instance or wipes a tainted database.

That boundary matters. Recovery is where speed and caution are both critical. Agentic AI gives you the speed to prepare and execute routine recovery steps. Human approval gives you the caution to avoid making a bad situation worse.

The Risks

The same capabilities that make agentic AI useful in security operations make it dangerous when deployed without controls.

Reduced Human Oversight

The ACSC's primary concern is straightforward: less human involvement means fewer mistakes get caught by a human. An agentic system operating at speed can execute dozens of actions across multiple systems before a human notices something is wrong. If the system's goal is misaligned with the organisation's intent, even slightly, the scale of impact multiplies fast.

Unverified Actions

Agentic AI can chain tools together in ways that were not anticipated by the developers of any individual tool. An agent might query a threat intelligence feed, use the results to trigger a firewall change, and then send a notification to an external partner, all as part of a single workflow. If any step in that chain is based on a flawed inference, every subsequent step compounds the error.

Cascading Failures

Because agentic systems can create subtasks and subagents, a failure at one level can cascade through an entire operation. A misconfigured subagent might block legitimate traffic, which triggers alerts, which the parent agent interprets as an attack, which leads to further containment actions. The ACSC specifically flags this risk: interdependent agentic workflows can amplify small errors into major incidents.

Model Poisoning and Adversarial Manipulation

NIST AI 100-2 E2025 provides a taxonomy of adversarial machine learning attacks that is directly relevant here. An attacker who can influence the training data or prompt inputs for an agentic system can steer its behaviour in subtle ways. Google's Threat Intelligence Group identified PROMPTSPY, autonomous malware that uses agentic capabilities to evade detection and adapt to defences in real time. Research from the University of Illinois Urbana-Champaign (2024) showed that GPT-4 can autonomously exploit known CVEs at an 87% success rate. The offensive side of agentic AI is advancing as fast as the defensive side, possibly faster.

Governance Principles

The ACSC does not say "don't use agentic AI." It says use it with tight governance, clear limitations, and strong human oversight. Based on the ACSC guidance and the broader regulatory landscape, including ETSI's EN 304-223 global cybersecurity standard for AI, here are the principles that matter.

Human-in-the-Loop for State-Changing Actions

Any action that changes the state of a system, whether that is closing a port, quarantining a host, or deleting a record, requires explicit human approval. Agentic AI can recommend, prepare, and queue these actions. It cannot execute them without a human saying yes. This is the single most important governance rule, and it is non-negotiable.

Sandboxing

Agentic AI systems should operate in sandboxed environments where their actions are constrained to approved tools and data sources. The ACSC guidance is clear: define what the agent can and cannot access, and enforce those boundaries at the infrastructure level, not just at the application level. If an agent should not be able to reach production databases, that restriction needs to exist in the network layer, not just in a configuration file the agent might modify.

Traceability

Every action an agentic AI system takes must be logged with enough detail to reconstruct the decision-making process. That means capturing the inputs the agent received, the reasoning chain it followed, the tools it invoked, and the outputs it produced. IBM and Ponemon's 2025 research found that 97% of breached organisations lack AI access controls. You cannot secure what you cannot see, and you cannot audit what you did not log.

Least Privilege

Agentic AI systems should have the minimum permissions necessary to perform their designated tasks. If an agent's job is to correlate logs and surface anomalies, it does not need write access to the firewall. If its job is to draft incident reports, it does not need the ability to send those reports externally. Gartner's 2026 data shows enterprises spend 17 times more on AI tools than on securing AI itself. Least privilege is free to implement and expensive to ignore.
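The three principles above (human approval for state-changing actions, traceability, least privilege) can be enforced in one small layer between the agent and its tools. The following is an added illustration, not code from the ACSC guidance or any vendor product: a policy gate with per-role tool allow-lists, an approval queue for state-changing calls, and a hash-chained audit trail. The tool names, roles and executor stubs are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Tool catalogue: each tool declares whether it changes system state.
# Names are assumptions for illustration, not a real product's API.
TOOLS = {
    "query_dns_logs": {"state_changing": False},
    "query_netflow": {"state_changing": False},
    "lookup_threat_intel": {"state_changing": False},
    "quarantine_host": {"state_changing": True},
    "close_firewall_port": {"state_changing": True},
}

# Least privilege: a triage agent can only read; a responder may propose
# containment, which still has to pass the approval queue below.
ROLE_ALLOWLIST = {
    "triage": {"query_dns_logs", "query_netflow", "lookup_threat_intel"},
    "responder": set(TOOLS),
}
GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class PolicyGate:
    def __init__(self, executors):
        self.executors = executors  # tool name -> callable(**args)
        self.audit = []             # hash-chained audit trail
        self.pending = {}           # approval id -> queued call
        self._seq = 0

    def _record(self, **fields):
        # Every record links to the previous hash, so an edited or deleted
        # entry breaks the chain and verify_audit() reports it.
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        body = dict(fields, ts=datetime.now(timezone.utc).isoformat(), prev=prev)
        body["hash"] = _digest(body)
        self.audit.append(body)
        return body

    def request(self, role, tool, args, reasoning):
        # The agent asks; the gate decides: deny, queue for a human, or run.
        common = dict(role=role, tool=tool, args=args, reasoning=reasoning)
        if tool not in TOOLS or tool not in ROLE_ALLOWLIST.get(role, set()):
            self._record(event="denied", **common)
            return {"status": "denied"}
        if TOOLS[tool]["state_changing"]:
            self._seq += 1
            approval_id = f"apr-{self._seq}"
            self.pending[approval_id] = common
            self._record(event="queued", approval_id=approval_id, **common)
            return {"status": "pending_approval", "approval_id": approval_id}
        result = self.executors[tool](**args)
        self._record(event="executed", approver=None, result=result, **common)
        return {"status": "executed", "result": result}

    def approve(self, approval_id, approver):
        # A named human releases one queued state-changing action.
        call = self.pending.pop(approval_id)
        result = self.executors[call["tool"]](**call["args"])
        self._record(event="executed", approver=approver, result=result, **call)
        return {"status": "executed", "result": result}

    def verify_audit(self):
        prev = GENESIS
        for rec in self.audit:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def demo_executors():
    # Constructed stand-ins for real integrations; they only echo the call.
    def make(name):
        return lambda **args: {"tool": name, "done": True, **args}
    return {name: make(name) for name in TOOLS}
```

In production the audit records would be shipped to write-once storage and the approval step wired to a ticketing or chat workflow; the gate logic itself does not change.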

AI-Specific Incident Response

Your incident response plan needs a section for AI-specific incidents. What happens when an agentic system goes rogue? Who has the authority to shut it down? How do you revoke its credentials? How do you recover from actions it already took? These questions need answers before deployment, not during an incident.

The Vendor Questions

The ACSC includes appendices (A and B) with specific questions organisations should ask vendors who are embedding agentic AI in their products. The questions below follow them in spirit if not to the letter.

Ask your vendors:

  • What actions can the AI agent take autonomously, and what requires human approval?
  • Can you show me the audit trail for every action the agent has taken in the last 30 days?
  • How is the agent's behaviour constrained, and who controls those constraints?
  • What happens to the agent if it loses connectivity to the control plane?
  • How do you protect the agent's prompts and memory from adversarial manipulation?
  • Has the agent been tested against the NIST AI 100-2 adversarial taxonomy?
  • What is your process for updating the agent's behaviour when a new threat or vulnerability is identified?

If a vendor cannot answer these questions clearly and with evidence, that is a signal. Agentic AI in security products is a feature that carries real risk, and vendors who take that risk seriously will have ready, detailed answers.

What SMBs Should Do Now

Small and mid-sized businesses do not have the luxury of building agentic AI systems from scratch. That is fine. The practical path forward looks different for an SMB than it does for a Fortune 500 company.

Start With Embedded AI in Existing Tools

Do not chase frontier models. Start with the AI features already built into your existing security tools. Most major SIEM, EDR, and SOAR platforms now include AI-assisted detection and response capabilities. These embedded features come with vendor-managed guardrails, which means you get the benefit of agentic AI without taking on the full governance burden yourself. Turn these features on, configure them conservatively, and learn how they behave in your environment before expanding.

Document Your AI Use Cases

Create a simple inventory of every place AI is touching your security operations. That includes AI features in commercial tools, internal scripts that call LLM APIs, and any third-party services that use AI to process your data. You cannot govern what you have not catalogued. This inventory does not need to be complex. A spreadsheet with columns for tool name, AI capability, data it accesses, and human oversight level is enough to start.

Enforce Least Privilege From Day One

Every AI-enabled tool in your stack should run under dedicated service accounts with the minimum permissions necessary. Do not reuse admin credentials for AI agents. Do not give an agent read access to systems it does not need. Review these permissions quarterly. Gartner's 17x spending gap between AI tools and AI security suggests that most organisations are skipping this step. Being in the minority that does it is a genuine competitive advantage.

Test Your Fallbacks

Agentic AI systems will fail. They will produce false positives, execute on flawed reasoning, and occasionally do something unexpected. Your fallback procedures, the manual processes that take over when the AI is wrong or unavailable, need to work. Test them regularly. Run tabletop exercises where the AI agent makes a bad call and your team has to catch it and recover. The ACSC emphasises that AI-assisted actions must be reviewable. Reviewability only matters if someone is actually reviewing.

Where This Heads

The numbers tell the story. A year earlier, under 5% of enterprise applications included AI agents. By the end of 2026, that number hits 40% (Gartner, 2026). Only 6% of organisations are ready for it (BigID, 2025). That gap is not going to close on its own.

Agentic AI in security operations is not a future problem. It is a current problem that most organisations are not tracking yet. The ACSC's guidance is a useful starting framework. ETSI's EN 304-223 provides international standards to align against. NIST AI 100-2 gives you the threat model.

The organisations that get this right will not be the ones with the biggest AI budgets. They will be the ones that asked the boring questions first: who approves what, what gets logged, what happens when it breaks, and who can pull the plug. lilMONSTER security tools are built with those questions as default, not afterthought.

The opportunity in agentic AI is real. So is the exposure. The gap between the two is where the work happens.

TL;DR

  • 1 in 5 computers has security software that isn't working properly
  • This leaves businesses unprotected for 76 days per year
  • 24% of patch management systems aren't keeping software up to date
  • 10% of business computers can never be updated — they're permanently vulnerable
  • Important Windows updates are delayed by 127 days on average

The Broken Lock: What 20% Failure Means

Imagine if the lock on your front door worked only 4 out of 5 times. That would be pretty scary, right? Someone could walk right in and you wouldn't know until it was too late.

That's exactly what's happening with computer security software. A new report found that 20% of business computers have security software that isn't working properly [1]. That's 1 in 5 computers.

What this means in real life:

  • Businesses are unprotected for 76 days per year — that's over 2 months!
  • Hackers can break in through these unprotected computers
  • The security tools you paid for aren't actually protecting you

It's like paying for a security guard who falls asleep one day out of every work week.

Why Security Software Stops Working

You might think: "But we bought good security software! Why isn't it working?"

Here's the thing: It's not usually about buying bad software. It's about the software not running properly or not being kept up to date [1]. Think of it like this:

Your security software might fail because:

  • It crashed and no one restarted it (like your phone freezing)
  • It needs an update but hasn't been updated in months
  • It's fighting with other security software and both stopped working
  • It's installed on old computers that can't run it properly
  • Someone turned it off to install something else and forgot to turn it back on

The problem: These failures happen silently. Your computer still works fine, so you don't know your protection is gone until a hacker breaks in.

The Update Problem: 127 Days Too Late

Here's another scary number: Important Windows updates are delayed by 127 days on average [1]. That's over 4 months!

Think of it like this: A safety recall is issued for your car. It's dangerous to drive it. But instead of fixing it right away, you wait 4 months. During those 4 months, you're driving a dangerous car every day.

With computers, here's what happens:

  1. Microsoft discovers a security problem in Windows
  2. They create a fix (called a "patch") and release it
  3. Businesses should install the fix immediately
  4. But on average, businesses wait 127 days — over 4 months!

During those 4 months:

  • Hackers know about the security problem
  • Hackers create tools to break in through that problem
  • Your business computers are still vulnerable

It's like leaving your house key under the mat for 4 months after the police warned everyone that thieves know about that trick.

The Permanently Broken: 10% You Can Never Fix

The most worrying part: 10% of business computers can never be updated [1]. They're permanently vulnerable.

Why can't they be updated?

  • They're running old software that companies don't support anymore (like Windows 10)
  • They're too old to run new software
  • They have special programs that break if you update them

Think of it this way: It's like having a car that's so old the company doesn't make parts for it anymore. If something breaks, you can't fix it. You just have to hope nothing goes wrong.

The problem: Hackers know which computers are old and unsupported. They specifically target these computers because they know they can't be protected.

Why Compliance Is Getting Worse, Not Better

Here's something strange: Businesses are buying more security tools than ever, but security is getting worse, not better.

The report found that 24% of patch management systems aren't working properly — that's up from 20% last year [1].

Why more tools = worse security:

  • Too many tools — Each tool does something different, but they don't work together
  • Alert fatigue — Security teams get so many warnings that they ignore them all
  • No one is in charge — Everyone thinks someone else is handling it
  • Tools without plans — Buying tools is easy; using them properly is hard

Think of it like this: If you buy 10 different fitness trackers but never exercise, you're not going to get fit. Security tools are the same — you have to actually use them properly.

What This Means for Your Business

Let's make this real. If your security software fails 20% of the time:

Increased risk:

  • Hackers have more chances to break in
  • When they do break in, they stay hidden longer
  • By the time you catch them, they've done more damage

Higher costs:

  • Cleaning up after a breach costs more if hackers had months of access
  • You might lose customer data or business secrets
  • Your reputation could be damaged

Legal problems:

  • Some laws require you to have good security
  • If you're breached because you didn't update your software, you could be in trouble
  • Fines and lawsuits can cost more than fixing the problem would have

What You Can Do: Simple Steps to Fix the Gap

The good news: You don't need to spend millions to fix this problem. Here are practical steps that actually work:

1. Check If Your Security Is Actually Running

Most businesses have security software, but they never check if it's actually working.

What to do:

  • Check regularly that security software is running on all computers
  • Set up alerts if protection stops working
  • Make a list of all your computers and check them monthly
  • Test your security by trying to access things you shouldn't be able to

Simple example: It's like checking that you actually locked the door before you leave the house. Not assuming you locked it — actually checking.

2. Update Software Automatically (Within 48 Hours)

Remember the 127-day delay problem? You can fix this by automating updates.

What to do:

  • Turn on automatic updates for Windows and other software
  • Set a schedule: Check for updates every week
  • Install important updates within 48 hours (2 days)
  • Test updates first on one computer before putting them on all computers

Why this matters: Most hackers break in through old problems that already have fixes. If you install fixes quickly, you close the doors they're trying to open.

3. Plan for Old Software Before It Becomes a Problem

Windows 10 stopped being supported in October 2025. This was announced years in advance [1].

What to do:

  • Make a list of all software you use
  • Find out when each one will stop being supported
  • Plan to replace software 1-2 years before it stops being supported
  • Budget for replacements — old computers and software cost more to keep than to replace

The car analogy: Don't wait until your car breaks down on the highway to think about replacing it. Replace it before it becomes a problem.
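Steps 1 to 3 above come down to three checks you can run against your own computer inventory. Here is an added example (not from the Absolute Security report or any vendor tool) that runs them over a constructed five-machine inventory: is the security agent running, was the latest critical patch installed within 48 hours, and is the operating system past its end-of-support date. The field names and inventory rows are assumptions; in practice they would come from an export of your endpoint management tool.

```python
from datetime import date

PATCH_SLA_DAYS = 2                         # step 2: install within 48 hours
EOL = {"Windows 10": date(2025, 10, 14)}   # step 3: Windows 10 left support in October 2025

# Constructed inventory (an assumption): one row per computer, with the
# release date of the latest critical patch and when it was installed.
INVENTORY = [
    {"host": "fin-01", "os": "Windows 11", "agent_running": True,
     "patch_released": date(2026, 3, 10), "patch_installed": date(2026, 3, 11)},
    {"host": "fin-02", "os": "Windows 11", "agent_running": False,
     "patch_released": date(2026, 3, 10), "patch_installed": date(2026, 3, 11)},
    {"host": "ops-07", "os": "Windows 10", "agent_running": True,
     "patch_released": date(2026, 3, 10), "patch_installed": None},
    {"host": "ops-08", "os": "Windows 11", "agent_running": True,
     "patch_released": date(2026, 3, 10), "patch_installed": date(2026, 3, 20)},
    {"host": "rcp-01", "os": "Windows 11", "agent_running": True,
     "patch_released": date(2026, 3, 10), "patch_installed": date(2026, 3, 12)},
]


def exposure_days(row, today):
    # Days the latest critical patch was missing (or is still missing) on this host.
    end = row["patch_installed"] or today
    return (end - row["patch_released"]).days


def patch_overdue(row, today):
    return exposure_days(row, today) > PATCH_SLA_DAYS


def is_end_of_life(row, today):
    eol = EOL.get(row["os"])
    return eol is not None and today > eol


def protection_gap_report(inventory, today):
    # Step 1: protection software that is not actually running.
    agent_down = [r["host"] for r in inventory if not r["agent_running"]]
    # Step 2: patches that missed the 48-hour window.
    overdue = [r["host"] for r in inventory if patch_overdue(r, today)]
    # Step 3: systems that can no longer receive updates at all.
    eol = [r["host"] for r in inventory if is_end_of_life(r, today)]
    gapped = set(agent_down) | set(overdue) | set(eol)
    return {
        "agent_down": agent_down,
        "patch_overdue": overdue,
        "end_of_life": eol,
        "days_exposed": {r["host"]: exposure_days(r, today)
                         for r in inventory if patch_overdue(r, today)},
        # Share of machines whose security software is not working (the 1-in-5 figure)
        "agent_failure_share": round(len(agent_down) / len(inventory), 2),
        # Share of machines with any of the three gaps
        "any_gap_share": round(len(gapped) / len(inventory), 2),
    }


if __name__ == "__main__":
    for key, value in protection_gap_report(INVENTORY, date(2026, 3, 25)).items():
        print(f"{key:>20}: {value}")
```

Running the report monthly, as step 1 suggests, turns "we bought security software" into "we know it is working on every machine".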

4. Use Fewer Tools That Work Together

Instead of buying 10 different security tools that don't talk to each other, buy 2-3 that work together.

What to do:

  • Audit what security tools you have
  • Get rid of tools that overlap or don't work
  • Choose tools that integrate with each other
  • Make sure one person is in charge of each tool

Think of it like a toolbox: You don't need 10 different hammers. You need a few good tools that work well together.

5. Make Someone Responsible

The 24% non-compliance problem exists because no one is actually accountable [1].

What to do:

  • Assign one person to be in charge of security updates
  • Give them the authority to schedule updates and restarts
  • Create a simple checklist: Update, verify, report
  • Review security monthly as part of regular business operations

Why this works: When everyone is responsible, no one is responsible. When one person is responsible, things actually get done.

6. Test Your Security Regularly

You can't assume your security works. You have to prove it.

What to do:

  • Run a quarterly scan to find unpatched computers
  • Try to break into your own systems (or hire someone to do it)
  • Practice what you'll do if you get hacked
  • Check security logs to see if your tools are actually detecting things

The fire drill analogy: You don't wait until there's a fire to figure out how the fire extinguisher works. You practice beforehand. Security is the same.

The New Mindset: Resilience Over Perfection

Here's the most important thing to understand: You cannot stop every attack. Even the biggest companies with the best security get hacked.

But here's what you CAN do:

  • Detect attacks fast — catch them within hours, not months
  • Have good backups — so you can recover without paying hackers
  • Have a plan — know what to do when something happens
  • Learn from mistakes — each incident makes you stronger

This is called cyber resilience, and it's what separates businesses that survive attacks from businesses that go under.

Think of it like car accidents:

  • You can't prevent every accident
  • But you wear a seatbelt
  • You buy insurance
  • You drive carefully
  • If you do have an accident, you know what to do

Cybersecurity is the same. You can't prevent every problem, but you can protect your business so you survive when problems happen.

The Cost of Doing Nothing

Let's talk about money. The average data breach costs about $4.88 million [2]. That's a lot of money for most businesses.

If fixing your security gaps:

  • Costs: $10,000 - $50,000 per year for most small businesses
  • Prevents even one $4.88 million breach
  • You save $4.83 million

The question isn't: Can we afford to fix our security? The real question is: Can we afford NOT to?

Think of it this way: Would you spend $10,000 to protect your business from losing $4.88 million? Most business owners would say yes.

Where to Start: A Simple Checklist

If all of this feels overwhelming, here's where to start:

This week:

  • Check if your security software is actually running on all computers
  • Turn on automatic updates for Windows
  • Make a list of all software you use

This month:

  • Update everything that's out of date
  • Assign one person to be in charge of security
  • Test your backups (make sure they actually work)

This quarter:

  • Replace any software that's no longer supported
  • Create a simple security plan
  • Run a vulnerability scan to find problems

This year:

  • Hire a security consultant to review your setup
  • Train your employees on security basics
  • Practice your incident response plan

Start small. Start somewhere. Just start.


FAQ

It means that 1 in 5 business computers has security software that isn't working properly [1]. The software might be turned off, outdated, crashed, or misconfigured. This leaves businesses unprotected for 76 days per year on average.

Important security updates should be installed within 48 hours (2 days) [1]. But the average business delays critical Windows updates by 127 days — over 4 months. During those 4 months, hackers can exploit the known vulnerabilities.

Permanently unpatched systems are computers that can never receive security updates [1]. This happens when software reaches "end of life" and vendors stop supporting it (like Windows 10 in October 2025), or when computers are too old to run new software.

Security is getting worse because businesses are buying tools but not managing them properly. 24% of patch management systems are non-compliant (up from 20% last year) [1]. More tools create complexity, alert fatigue, and integration gaps without improving actual protection.

Small businesses can fix the protection gap by: monitoring tool health (not just threats), automating patch updates, planning for end-of-life software transitions, consolidating security tools, establishing clear accountability, and testing defenses regularly. The key is process and discipline, not buying more tools.

References

[1] Absolute Security, "2026 Resilience Risk Index," Absolute Security, March 2026. [Online]. Available: https://www.absolute.com

[2] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[3] Infosecurity Magazine, "Enterprise Cybersecurity Software Fails 20% of the Time, Warns Absolute Security," Infosecurity Magazine, March 2026. [Online]. Available: https://www.infosecurity-magazine.com/news/cybersecurity-software-failure-20/

[4] Mandiant Google Cloud, "M-Trends 2026: A Report on Threat Landscape and Tactics," Mandiant, March 2026. [Online]. Available: https://cloud.google.com/security/resources/m-trends

[5] Kaspersky Security Services, "Anatomy of a Cyber World Global Report 2026," Kaspersky Securelist, March 2026. [Online]. Available: https://securelist.com/global-report-security-services-2026/119233/

[6] PwC, "Annual Threat Dynamics 2026," PwC, March 2026. [Online]. Available: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/annual-threat-dynamics.html

[7] N-able, "State of the SOC Report 2026," N-able, March 2026. [Online]. Available: https://www.n-able.com/resources/state-of-the-soc-report-2026

[8] Industrial Cyber, "M-Trends 2026 reveals threat landscape shaped by faster, coordinated, and industrialized cyberattacks," Industrial Cyber, March 2026. [Online]. Available: https://industrialcyber.co/reports/m-trends-2026-reveals-threat-landscape-shaped-by-faster-coordinated-and-industrialized-cyberattacks/


Your security tools only protect you if they're actually working. At lil.business, we help small businesses implement cybersecurity that works in practice, not just on paper. Get a free consultation and close your protection gap.
