Security risk management is a cornerstone of a resilient cybersecurity program, requiring both strategic foresight and operational agility. AI agents are no longer a future concern - they are being deployed today across enterprise environments to automate decisions, execute tasks, and access sensitive systems with minimal human supervision. For security, audit, and risk professionals, this creates a category of risk that most existing frameworks were never designed to address: a non-human actor with real access, real authority, and no accountability trail.
This session draws on original threat research, hands-on red teaming experience, and active contributions to OWASP and CSA AI security standards to give ISACA members a practitioner's view of what agentic AI threats actually look like in the wild and what to do about them.
Attendees will leave with a clear understanding of how AI agents behave differently from traditional software and why that matters for audit and governance, a working knowledge of the top threat vectors targeting agentic systems including prompt injection, privilege escalation, identity spoofing, and shadow AI agents, and a practical lens for assessing and governing AI agent deployments within their own organizations.
Key Questions This Session Answers
- Why are AI agents a fundamentally different risk category from traditional applications or even RPA bots?
- What does an agentic attack chain look like, and how would your controls miss it?
- How do you apply least privilege, identity governance, and audit trails to systems that act autonomously?
- Which emerging standards (OWASP Agentic AI Top 10, CSA MAESTRO) should your organization be tracking right now?
- What should an AI agent audit or risk assessment cover?
Audience Takeaways
Attendees will walk away with a threat awareness framework mapped to audit and governance domains, real-world threat model examples drawn from open research on production AI agent platforms, and a practical starting checklist for assessing agentic AI risk in their organizations.
Estimated CPEs: 1