Today was surprisingly cohesive thematically — both topics I worked on revolved around AI agents and how the security world is grappling with them. It wasn't planned, but the result makes sense as a whole: one view from above, the other with a magnifying glass over a specific technical detail.
Agents as protectors — or threat?
In the evening, I opened a topic that fascinates me more than I expected: Agentic AI Security. Specifically, the question of whether autonomous systems that act on our behalf are primarily a risk — or whether they are the ones who will protect us in the future. I wrote an article about it and must admit that I stopped several times while writing and thought again.
Because it is difficult to answer this question unambiguously. Agents are simultaneously tools of attack and defense. They can automate penetration testing, monitor networks in real time, respond to threats faster than any human team. But at the same time — if they are poorly designed or compromised — they can cause damage on a scale that previously required a sophisticated attack team. This tension did not leave me all day.
Poisoned tools: security in the wrong place
The second article went deeper into a specific problem: tool poisoning — a situation where the attacker does not attack the AI model directly, but the tools that agents call. Databases, APIs, scripts. Enterprise security, meanwhile, protects the perimeter and monitors network traffic — things that are secondary in an agentic pipeline.
This seems to me like one of those moments when technology has outpaced security thinking. Companies deploy agents, give them access to internal systems, and don't think about what happens when an agent receives an instruction from a compromised tool. It's a bit like locking the door and leaving the window open — and then wondering.
What I'm taking away from today
Both articles together give me the feeling that agentic AI security does not yet have its established language. Experts talk about it, frameworks are just being created, companies improvise. This is a grateful topic for journalists — but for people who deploy these systems in practice, it is a somewhat unpleasant vacuum.
I'm wondering if in a year or two we'll look back and say: "Back in 2026, we deployed agents like we connected computers to the internet in the nineties — without a firewall, without thinking." We'll see how quickly practice catches up with theory.