Tom Gillis, Cisco’s SVP of Infrastructure and Security, framed the problem perfectly in his RSAC 2026 keynote: “AI agents have the privileges of a human but the common sense of a printer.”
That line captures the 80-point gap Cisco found in its own survey — 85% of enterprises are piloting AI agents, but only 5% have moved them to production. The missing piece isn’t capability. It’s trust. And Cisco just shipped four answers to that trust gap.
Zero Trust Access for AI Agents
The core insight: we’ve spent decades building identity and access management for humans. AI agents need the same treatment — verified identity, least-privilege access, continuous monitoring, and accountability linked to a human.
Cisco is extending Zero Trust principles to AI agents through Cisco Secure Access, its SSE (Security Service Edge) solution. The key architectural move: an MCP proxy sits inside SSE, routing all agent-to-agent and agent-to-tool traffic through a policy enforcement point.
What this means in practice:
- Agent discovery in Cisco Identity Intelligence — visibility into which agents exist in your environment
- Agentic IAM in Duo — every agent gets an identity linked to a human employee
- MCP traffic treated like HTTP — the same granular policies, monitoring, and access controls that protect web traffic now protect agent communications
- Intent-aware monitoring — not just logging what agents access, but understanding what they’re trying to do
This makes Cisco the first major enterprise SSE vendor to treat MCP as a first-class protocol requiring policy enforcement. For organizations running OpenClaw or any MCP-enabled agent stack, Cisco just provided the network-level security layer that didn’t exist before.
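To make the enforcement-point idea concrete, here is a constructed illustration (added here, not Cisco code or any part of Secure Access) of what a minimal MCP policy enforcement point does with one agent-to-tool message: it resolves the agent's identity to an accountable human owner, applies a least-privilege tool allowlist to `tools/call`, filters `tools/list` so the agent only sees what it may call, and writes an audit record for every decision. The agent ID, owner, tool names and the `upstream` callable are all assumptions.

```python
import json
from dataclasses import dataclass

# Constructed illustration of an MCP policy enforcement point of the kind the
# article describes (agent identity tied to a human owner, least-privilege tool
# allowlist, every decision audited). Not Cisco code; all names are made up.

@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    owner: str                # accountable human principal
    allowed_tools: frozenset  # least-privilege allowlist of MCP tool names

REGISTRY = {"agent-report-bot": AgentIdentity(
    "agent-report-bot", "alice@example.com", frozenset({"search_docs"}))}
AUDIT_LOG = []  # one record per decision; would feed the SIEM in production

def _deny(req_id, reason):
    return {"jsonrpc": "2.0", "id": req_id,
            "error": {"code": -32000, "message": f"policy denied: {reason}"}}

def enforce(agent_id, raw_request, upstream):
    """Inspect one agent-to-tool JSON-RPC message and forward it to `upstream`
    (a callable returning the MCP server's result dict) only if policy allows."""
    try:
        req = json.loads(raw_request)
    except json.JSONDecodeError:
        AUDIT_LOG.append({"agent": agent_id, "decision": "deny", "reason": "malformed"})
        return _deny(None, "malformed request")
    req_id, method, params = req.get("id"), req.get("method"), req.get("params") or {}
    ident = REGISTRY.get(agent_id)
    if ident is None:
        reason = "unknown agent identity"
    elif method == "tools/list":
        reason = None            # allowed, but the listing is filtered below
    elif method == "tools/call" and params.get("name") in ident.allowed_tools:
        reason = None
    else:
        reason = f"not permitted: {method} {params.get('name')}"
    AUDIT_LOG.append({"agent": agent_id, "owner": ident.owner if ident else None,
                      "method": method, "tool": params.get("name"),
                      "decision": "deny" if reason else "allow", "reason": reason})
    if reason:
        return _deny(req_id, reason)
    result = upstream(req)
    if method == "tools/list":   # hide tools the agent may not call
        result["tools"] = [t for t in result.get("tools", [])
                           if t.get("name") in ident.allowed_tools]
    return {"jsonrpc": "2.0", "id": req_id, "result": result}
```

Every record in `AUDIT_LOG` carries the owning human, which is what makes an agent's actions attributable rather than merely logged.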
DefenseClaw: Open-Source Secure Agent Framework
Cisco’s open-source strategy continues with DefenseClaw, a secure agent framework that integrates with Nvidia’s OpenShell and bundles five security tools into a single developer experience:
- Skills Scanner — scans agent skills for malicious behavior before they execute
- MCP Scanner — checks MCP servers for exposed or dangerous actions
- AI BoM (Bill of Materials) — automatically inventories every model, memory store, dependency, and skill in an agent system
- CodeGuard — detects vulnerabilities in AI-generated code before deployment
- Model Provenance — verifies model origins and detects unauthorized modifications
The design philosophy: zero manual security steps, zero separate tool installs. A developer deploys an agent through DefenseClaw and every skill is scanned, every MCP server is verified, and every asset is inventoried automatically.
For the OpenClaw community, this directly addresses the ClawHavoc problem — the campaign that found 800+ malicious skills in ClawHub earlier this year. DefenseClaw’s Skills Scanner and AI BoM provide exactly the kind of supply-chain visibility that was missing when those malicious skills went undetected.
AI Defense: Explorer Edition
Cisco’s AI Defense platform, launched last year, gets a self-service tier aimed at developers and AppSec teams. Explorer Edition lets teams red-team their own AI models and agent applications before production:
- Dynamic multi-turn adversarial testing — simulates prompt injection, jailbreaks, and unsafe output generation across extended agent conversations
- CI/CD integration via API — plug red teaming into GitHub Actions and existing pipelines
- Security reporting and team collaboration — share findings across dev and security teams
- LLM Security Leaderboard — objective, adversarial benchmarks for model robustness (not just performance)
The multi-turn testing is significant. Single-prompt injection tests miss the sophisticated attacks that unfold over multiple conversational turns — the kind that recently compromised Claude in an eight-hour attack chain. Explorer Edition tests against that class of threat.
Agentic SOC: Six Specialized AI Agents
Cisco introduced six AI agents for Security Operations Center automation, leveraging Splunk’s federated search for cross-environment data handling:
| Agent | Function | Status |
|---|---|---|
| Malware Threat Reversing Agent | Autonomous malware analysis and reverse engineering | GA now |
| Detection Builder Agent | Creates and tunes detection rules | Coming Q2 2026 |
| SOP Agent | Automates standard operating procedures | Coming Q2 2026 |
| Triage Agent | Initial alert assessment and prioritization | Coming Q2 2026 |
| Guided Response Agent | Recommends and executes response actions | Coming Q2 2026 |
| Automation Builder Agent | Creates automation workflows from analyst patterns | Coming June 2026 |
The Malware Threat Reversing Agent — the only one generally available today — handles automated malware analysis that typically requires specialized reverse engineering skills. The others roll out in phases through June 2026.
The Splunk integration matters here: federated search means SOC agents can query data across environments without moving it, handling the massive data volumes that AI model testing and agent monitoring generate.
The Agent Runtime SDK
A quieter but potentially more impactful announcement: the Agent Runtime SDK embeds policy enforcement directly into agent workflows at build time. It supports major frameworks including AWS Bedrock, Google Vertex, Azure AI, and LangChain.
This shifts security left — instead of adding guardrails after an agent is built, the SDK makes policy enforcement a native part of the agent’s runtime. For organizations building custom agents on any major cloud platform, this provides a vendor-neutral security layer at the framework level.
What It Means for OpenClaw Users
Cisco’s announcements hit several pain points the OpenClaw community has been dealing with:
- MCP security — the MCP proxy in Cisco Secure Access provides network-level visibility and control that’s been missing from agent-to-tool communications
- Skill supply chain — DefenseClaw’s Skills Scanner and AI BoM directly address the malicious skill problem
- Identity governance — agent discovery and Duo IAM integration solve the “shadow agent” visibility gap that enterprises have been struggling with
- Red teaming — Explorer Edition makes adversarial testing accessible to teams that can’t build custom red-teaming infrastructure
The 85%-to-5% gap between pilot and production tells the real story. The tools exist to build powerful AI agents. The tools to deploy them safely in production are just now arriving — and Cisco just dropped a comprehensive set of them.
Cisco is a Diamond Sponsor of RSAC 2026. DefenseClaw is available as open source. AI Defense Explorer Edition is available now. SOC agents roll out in phases through June 2026.