Agentic security in 2026 has two faces, and most organisations confuse them. One face is defensive use of AI agents — autonomous SOC, threat hunting, incident response. The other face is securing the AI agents your own organisation deploys — preventing prompt injection, prompt theft, credential leakage, and tool abuse.
Both matter. They require different controls, different teams, and different regulatory alignment. This article is the practitioner's view of both faces, with the governance scaffold that ties them together.
Face 1: Defending with agents
The two faces of agentic security
The defensive use of AI agents is now mature enough for production deployment in mid-market and enterprise contexts. Industry analysis shows nearly two-thirds of organisations experimenting with AI agents in security, but fewer than one in four have deployed them in production. 2026 is the inflection point.
The patterns that consistently work:
- Tier-1 alert triage. Agents handle the first-pass classification and correlation that previously consumed most analyst time. Volume capacity 10×–50× better than human analysts.
- Continuous threat hunting. Federated agents running hypothesis-driven hunts across telemetry, surfacing findings for human review. Covered in our earlier article.
- Investigation co-pilot. Agents drafting timelines, correlating across data sources, and proposing containment options for human responders.
- Pre-approved containment. For narrow high-confidence patterns, agents executing containment actions automatically with audit logging.
What remains human work: novel hypothesis generation, ambiguous containment decisions, detection engineering, agent supervision, and business communication. The role of the security analyst evolves toward senior investigator and detection engineer.
Face 2: Defending against (and securing) agents
The other face is the harder one. As organisations deploy AI agents internally — for customer service, finance automation, operations, marketing — those agents become a new attack surface. The threat model is genuinely new, and most security teams have not yet built the muscle to defend it.
The threats that matter, drawn from the OWASP Top 10 for LLM Applications and MITRE ATLAS:
Prompt injection (direct and indirect)
Direct prompt injection — an attacker provides input designed to override the agent's instructions. Indirect prompt injection — malicious content in documents, emails, or web pages the agent reads, which then alters the agent's behaviour. Indirect is harder to defend against and more common in real incidents.
Prompt theft and system prompt extraction
Attackers attempting to extract the proprietary system prompt and embedded business logic from a deployed agent. Often the first step in cloning competitive functionality or in further attack planning.
AI secret and credential exposure
Agents typically have credentials to call internal systems. Compromised agents become a credential exfiltration vehicle. Hardcoded API keys, tokens passed in prompt context, and credentials in tool definitions are the common failure modes.
Insecure agent tool use
Agents with overbroad tool surfaces — too many tools, too much access per tool, no allowlist — can be manipulated into actions far outside their intended scope.
Sensitive data disclosure
Agents inadvertently surfacing personal data, regulated financial information, or confidential business data through their responses. Particularly problematic when agents have access to RAG systems containing sensitive documents.
The defensive controls that work
- Allowlist tool surfaces. Agents should have access to a small set of explicitly defined tools, not arbitrary code execution. Each tool should have its own narrow contract.
- Input filtering and output validation. Both directions. Filter inputs that contain prompt injection patterns; validate outputs that should not contain personal data, credentials, or specific scope-violating content.
- Human-in-the-loop on consequential actions. For at least the first 90 days of any agent deployment, no outbound message, transaction, or irreversible action should execute without human approval.
- Hard spend caps and rate limits. The economic dimension of agent abuse — runaway LLM costs, denial-of-service through expensive prompts — is real and is best controlled at the infrastructure layer.
- Audit logging. Every input, every decision, every output. Retention aligned with regulatory requirements.
- Kill switches. Single configuration flag to disable an agent without removing it. Tested at least quarterly.
The Malaysian regulatory scaffold
The November 2025 revision of BNM RMiT applies to AI deployments in financial institutions just as it does to any other technology. The cybersecurity requirements, audit trail expectations, and shared-responsibility accountability all extend to agentic systems.
Across all sectors, PDPA applies. The National Guidelines on AI Governance and Ethics from MOSTI provide the broader policy framework, with the National AI Action Plan 2026–2030 expected to formalise additional requirements.
For Malaysian organisations, the practical posture is:
- Build the agent governance scaffold (approved-model registry, audit logging, fairness audits, quarterly review) before deploying agents at scale.
- Map every agent deployment to a specific data classification and lawful processing basis.
- Document the threat model for each agent, including the OWASP LLM Top 10 and MITRE ATLAS techniques relevant to its scope.
- Conduct regular red team assessment of deployed agents, ideally through both human-led and agentic methods.
The tension and the resolution
The two faces of agentic security can pull in different directions. Defensive agent deployments increase the attack surface (more agents to secure). Securing your agents adds latency and friction to your AI workflows (controls slow agents down). The tension is real.
The resolution is mature governance. Organisations that treat agentic security as a single coherent capability — defending with agents and securing the agents you deploy, under one governance scaffold — manage the tension successfully. Organisations that treat them as separate tracks routinely produce gaps that adversaries exploit.
For Malaysian security teams building this capability with regulatory alignment, our AI Agentic Security programme covers both faces — defensive agent deployment and AI agent security — with hands-on attack-and-defend exercises and full alignment to BNM RMiT, ISO 27001, PDPA, and the OWASP LLM Top 10. HRDC SBL-KHAS claimable for eligible employers.
