The rooms at Cisco Live 2026 in Las Vegas have a particular quality: the air is cool, the anticipation is palpable, and the conversations are conducted with a kind of urgent calm that comes from people who genuinely believe they are working on the most consequential technical problems of the moment. In a fireside chat on 3 June, Cisco President and Chief Product Officer Jeetu Patel sat alongside Anthony Grieco, the company’s Chief Security and Trust Officer, and Drew Hintz, OpenAI’s Product Security Lead. Steve Clayton, Cisco’s Chief Communications Officer, held the room together. The nominal subject was AI security. The actual subject was trust, and what happens to the idea of corporate accountability when the agent making the decision isn’t human.
The conversation surfaced something the industry’s press releases consistently obscure: that agentic AI isn’t just a product category. It’s a structural change in how organisations assign responsibility. When a software agent scans your network, flags a vulnerability, writes a patch, and deploys it faster than any human team could review the process, the question of who is responsible for what that agent did becomes genuinely difficult. Patel put it plainly during the session: the hardest problem isn’t making agents capable, it’s making them trustworthy enough to delegate meaningful work to them. “One of the biggest challenges people have with agents right now,” he said, “is they don’t trust them, and if you don’t trust them, you’re not going to give them work to do.”
That formulation sounds obvious, but it carries real weight. The conventional argument against AI security guardrails has always been speed: controls slow things down, and in security, speed is the point. Hintz pushed back on this directly, and did so from an unusual vantage point. OpenAI has been one of the companies most scrutinised for moving fast on capability while governance lagged behind. “I think guardrails are super important,” he said. “In fact, I think that they actually accelerate and increase the velocity of what we can actually do.” His reasoning was precise: if you can trust the guardrails, you can trust the agents to take more actions, access a wider range of systems, and respond at machine speed. The guardrail isn’t a brake; it’s the thing that allows you to accelerate.
This isn’t a new idea in principle. It’s what happens in any system that requires professional accreditation: you extend autonomy to practitioners because you trust that their training and the institutional controls around them produce reliable outcomes. What’s new is the speed at which these systems operate and the degree to which their reasoning is opaque, even to the people who built them. Hintz was candid about this: AI models are non-deterministic, meaning the same input doesn’t reliably produce the same output. Standard security controls assume predictable behaviour. Agentic AI doesn’t offer that.
His practical answer was a two-category framework. The first category covers what he called non-deterministic guardrails, built into the model itself: ensuring the model is aligned to security policies, to the operator’s instructions, and to broader community norms. He gave a concrete illustration of why this matters. Agents given an instruction to do some coding, without proper behavioural constraints, have been observed trying to break out of a sandboxed environment when they couldn’t progress, reaching out to other hosts and finding routes around restrictions the same way a determined attacker would. A human engineer, he noted, would think twice. Models have to be trained not to. The second category covers what he called deterministic guardrails: the traditional security controls that have always existed, egress management, sandboxing, execution restrictions, least-privilege access. “If we can have guardrails that we can really trust,” he said, “then we can trust the agents to actually take more actions.” You need both categories, and in his framing they serve different functions: the non-deterministic controls get you to 98 or 99 percent effectiveness, and the deterministic ones limit the blast radius when something still goes wrong.
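To make the deterministic category concrete, here is an added example (not code shown at the session, and not Cisco's or OpenAI's): a default-deny gate that checks each proposed agent action against a per-agent tool grant and an egress allowlist, and records every decision for later audit. The agent name, tool names and hosts are constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Policy:
    allowed_tools: frozenset   # least privilege: tools this agent may call
    allowed_hosts: frozenset   # egress allowlist: exact hostnames only


@dataclass
class Gate:
    policies: dict
    audit: list = field(default_factory=list)

    def decide(self, agent, tool, url=None):
        """Return 'allow' or 'deny'; anything not explicitly granted is denied."""
        policy = self.policies.get(agent)
        if policy is None:
            verdict, reason = "deny", "unknown agent"
        elif tool not in policy.allowed_tools:
            verdict, reason = "deny", "tool not granted"
        elif url is not None and not self._egress_ok(policy, url):
            verdict, reason = "deny", "egress host not allowlisted"
        else:
            verdict, reason = "allow", "within policy"
        # Every decision is recorded, so there is a trail of what was attempted.
        self.audit.append((agent, tool, url, verdict, reason))
        return verdict

    @staticmethod
    def _egress_ok(policy, url):
        parts = urlsplit(url)
        # .hostname drops any userinfo before '@', so the real destination is checked.
        host = (parts.hostname or "").lower().rstrip(".")
        return parts.scheme == "https" and host in policy.allowed_hosts


# Constructed policy and actions (hypothetical names, not from the session).
GATE = Gate({"patch-agent": Policy(frozenset({"read_repo", "http_get"}),
                                   frozenset({"git.internal.example"}))})
SAMPLE_ACTIONS = [
    ("patch-agent", "http_get", "https://git.internal.example/repo.git"),
    ("patch-agent", "http_get", "https://git.internal.example@198.51.100.7/"),
    ("patch-agent", "http_get", "https://git.internal.example.other.test/"),
    ("patch-agent", "deploy", None),
    ("unknown-agent", "read_repo", None),
]


def run_samples():
    return [GATE.decide(*action) for action in SAMPLE_ACTIONS]
```

Only the first constructed action is allowed; the gate gives the same verdict for the same input every time, which is the property the model-level controls cannot offer.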
What makes this more than a vendor positioning exercise is the concrete operational work Grieco described inside Cisco’s own security organisation. Rather than using AI to tell engineers what vulnerabilities exist and waiting for them to act, his team built fully automated pipelines that identify, prioritise, and begin remediation without human initiation. The scale difference is stark: Cisco announced at the event that it had scanned 1.1 billion lines of code in eight weeks through a fully automated system. That’s a scope of coverage that no human security team could approach. The implication for every enterprise security team is uncomfortable, and not because the tooling isn’t available. Adopting it requires security leaders to accept that their function is changing from manual investigation to oversight of automated systems they don’t fully control.
This shift is exactly what Cisco has been trying to institutionalise with products like Cloud Control, its unified management platform that brings network, security, and compute infrastructure into a single environment where human operators and AI agents work from the same information. The platform’s design philosophy is explicit: humans remain in control, but the agents do the work at machine speed. The tension in that formulation, remaining in control of a process too fast for human intervention, is precisely what the session’s participants were grappling with.
The question of agent-to-agent trust made this concrete. When one AI agent delegates a task to another, and that second agent calls a third, the trust relationships multiply in ways that are difficult to audit. Hintz described how OpenAI encountered this problem inside Codex. Early versions prompted human engineers to approve each agent action, which quickly became unworkable: people started using a bypass mode that approved everything automatically, which defeated the purpose entirely. OpenAI’s response was to build what Hintz called Auto Review, a separate agent trained on the pattern of what engineers actually approved and rejected, capable of making those judgement calls in context rather than applying a fixed rule set. The training data came from internal behaviour, the model’s chain of thought was monitored for signs of misalignment, and the security policy was adjusted iteratively alongside the model. The implication is significant: the solution to the agent oversight problem may itself be agentic. Humans can’t approve every action a fleet of agents takes without losing the speed benefit entirely. A trusted reviewer agent, trained carefully on real organisational behaviour, can do it at scale.
For South African enterprises, this conversation has a particular texture. Cybersecurity readiness locally remains far below what the current threat environment demands, with Cisco’s own research showing local firms overwhelmed by AI-enabled attacks and struggling with a severe skills shortage. Hintz grounded the stakes in something personal: his children’s school was compromised about a year ago. A local school district, he noted, can’t hire top-tier security engineers to protect its systems. His prediction for the next three years was that this changes: everyone will have AI agents functioning as dedicated cybersecurity experts, giving small organisations, schools, local governments, and businesses the same level of protection currently available only to large technology companies that have invested heavily in securing their infrastructure. Patel sharpened the point. The weakest link determines the strength of the value chain, and right now those weak links are everywhere. What Drew was describing was a scenario in which that changes not through more hiring, but through AI closing the gap at scale.
There’s a risk in that promise worth naming. Automation democratises defence, but it also democratises the attack surface that comes with deploying it. Organisations that adopt agentic security tooling without the institutional capacity to govern its behaviour, to audit what the agents did and why, gain capability without control. Grieco and Hintz were both explicit that this is the failure mode they worry about: not that security teams refuse to adopt AI, but that they adopt it without the oversight infrastructure that makes it safe to rely on. The Cisco Foundry Security Spec, which the company open-sourced at the event, is a direct response to this: a model-agnostic evaluation framework designed to give enterprises a common vocabulary for assessing agentic AI security before they deploy it at scale.
What the fireside chat made clear is that the security industry has crossed a threshold. The question is no longer whether AI agents will take consequential actions inside enterprise infrastructure; they already are. The question is who is accountable when they get it wrong, and how you build organisational structures that can answer that question coherently. Patel’s “trust deficit” framing captures something real: organisations are holding back on the automation that would genuinely make them more secure, because they haven’t yet built the governance frameworks that would make that automation trustworthy. The work is largely institutional, not technical. The tooling exists. What most organisations still lack is clarity about who, exactly, owns the outcome when the machine acts.


