Automation, Intent, and Ownership: What to Learn from the AI Agent Security Summit

When the AI Agent Security Summit launched in San Francisco last October, agent-based threats had already escalated from a novel consideration to a predominant blocker for enterprise adoption. The security community was laser-focused on recognizing and minimizing the blast radius posed by agentic vulnerabilities, whether that meant indirect prompt injection, MCP poisoning, or hallucinations.

"Anything an agent is capable of doing, it can be tricked into doing."

— Naveed Makhani, Product Lead for AI Security, Google (2025 Summit Platform Panelist)

Though attendees left with the ability and intent to take steps toward secure agentic deployment, one question seemed to hang in the air of the Commonwealth Club:

"What else will agents be capable of doing that we don't yet know?"

Fast forward to May 27, 2026. The AI Agent Security Summit returned to San Francisco with a completely transformed security landscape. Since October, agentic workflows have expanded into browsers and open-source tools. New frameworks and standards have provided professional guidance and disrupted existing AI security protocols. And beyond securing agents themselves, autonomous security tools have made waves, raising questions about the role security practitioners will need to play in the future.

19 sessions. Over 20 speakers. Here are the four themes that kept coming up.

1. Mythos is Here, and It's Not Alone

Autonomous security isn't a new concept, but when Anthropic's Project Glasswing launched in April 2026, security teams took careful notice. Claude Mythos revealed thousands of zero-day vulnerabilities across operating systems, web browsers, and many other critical software programs for the world's largest enterprises, making the value of AI security tools impossible to ignore. With the recent introduction of OpenAI's GPT-5.5-Cyber and other VulnOps frontier models on the way, the writing is on the wall: AI for security is here to stay.

For security teams to enhance the value they bring to organizations, their task is the same as when any other frontier technology has been introduced in the last few decades: embrace it, learn how it adds value, and take responsibility for its successful and secure implementation.

"Cybersecurity experts need to be the most knowledgeable people about AI in their organization."

— Jim Reavis, CEO, Cloud Security Alliance

2. In 2026, Security Means Shared Ownership

With automation increasing and traditional vulnerability management becoming more operational, security teams are charged with both securing and using AI in a way that evolves the traditional security approach into something that will stand the test of the future.

"The good path is not 'AI helps security write more tickets.' It is security owning systems that reduce risk directly."

— Travis McPeak, Security Lead, Cursor

At the same time, AI agents can dangerously democratize risk. Slalom Director of Responsible AI Alexandra Robinson and Senior Principal Mark Milone led a live simulation of email prompt injection in a sample HR agent. Walking through the perspectives of those involved, including CISO, Legal Counsel, Product Owner, and HR Manager, it became increasingly clear that the onus of end-to-end security doesn't fall on one party alone. Lifecycle security means all participants taking responsibility for agentic behavior: from those who build the product, to those who enforce boundaries, to those with the identities and permissions the agent accesses.

3. Skills, Permissions, and Persistence Cause Real Risk

Builders like using skills in their programs because they don't require hard code. Attackers like them for the same reason. Agents have persistent and broad access, meaning they pose a risk surface that can be reached at any time, touching a greater expanse of sensitive information. Add to this that an agent's goals can be overridden in natural language, and the vulnerabilities become impossible to ignore.

Earlier this year, open-source AI skill registries like ClawHub made this undeniable:

"AI skill registries didn't exist until January 2026. By February, there were over 700 malicious skills in the wild."

— Jenn Gile, Co-founder, OpenSourceMalware

4. Understanding Intent is the Key to Prescribing Security for Agents

As the enterprise security perimeter shifts to accommodate new technologies, agents have proven to disrupt existing understandings of legacy security practices. Agentic workflows span across processes, identities, and confidential knowledge sources by nature. This makes model, application, identity, and endpoint security programs unable to work in silos.

"Intent is understanding business context. It's understanding why things happen, if they matter, and why they matter."

— Michael Bargury, Co-founder & CTO, Zenity

Agent intent puts the pieces together. It helps security teams trace any malicious action back to its source by showing the full picture, and more importantly, it provides a layer of broader understanding that allows for holistic and informed risk prioritization. When security teams take ownership of business success, their value is exponentially amplified.

When the AI Agent Security Summit arrives later this year in New York, EMEA, and APAC, the security conversation will have undoubtedly shifted. What matters is that whatever changes unfold until then are recognized and addressed as a community. AI is forcing enterprises to move at a pace many thought impossible just a few years back. To stay focused, relevant, and valuable, the community must stay continuously aligned.

The agents are already in the room. Coming together as a community to understand the security implications and how to enable the business to use them responsibly will determine how the next chapter of the journey unfolds.

Stay in the know for future summits.