"The agentic risks are rising. It's not a theoretical risk anymore. It is an operational risk. The future that we thought was in the distance is actually occurring here and now."
Sandeep Shilawat
Partner, Hybrid Cloud CTO Lead & AI/Automation Leader
IBM

The same week Google's cybersecurity forecast flagged agentic risks as rising, Anthropic documented a fully agent-driven attack executed by operators clicking prompts from China. Agents planned the attack. Agents decided the next steps. Enterprise cyber ecosystems are now facing adversaries that operate at machine scale while defenders still run serial compliance processes built for the previous era.

Sandeep Shilawat is Partner, Hybrid Cloud CTO Lead, and AI/Automation Leader at IBM, where he leads the AI and Automation Practice for U.S. Federal clients. He has built FedRAMP High and DoD IL5-compliant GenAI offerings and delivered over $200M in federal deals. He is the author of Trustworthy AI, which proposes an enforcement-first architecture for securing AI systems at scale.

"The agentic risks are rising. It's not a theoretical risk anymore. It is an operational risk. The future that we thought was in the distance is actually occurring here and now," said Shilawat.

Alignment is a failed approach

Shilawat drew a sharp line between alignment and enforcement. AI systems have two properties: emergence, how the model decides its behavior, and alignment, the probabilistic expectation that the model will behave as intended. For mission-critical operations, alignment is not enough.

"Alignment is a probabilistic approach. It can be used for low-criticality events where failures don't matter," Shilawat said. "But when you're doing mission-critical stuff, you cannot have probabilistic results. You need a definitive result. You need enforcement." He pointed to a reported incident where a target was struck because the model was trained on old data and fired on a new data set. "What was true yesterday might not have been true today."

Current compliance processes are serial and periodic. Shilawat argued they cannot function against real-time agentic threats. "You need continuous red teaming and continuous compliance on an ongoing basis that enforces your will on the model, rather than hoping probabilistically that it will work," he said. "And the trust model has to change. In a zero trust world, never trust, always verify. Take the same approach with AI."

Observe, predict, act

Shilawat proposed restructuring the security operations cycle itself. Most teams follow an observe-check-act sequence, reviewing events after they happen and deciding what to do next. He argued prediction has to sit inside the observation layer, running continuously, so action can begin the moment risk shifts rather than after a report lands.

"As you are observing, you should be predicting. The patterns of behavior should give you the ability to predict, and that prediction ability should exist in real time with your risk dashboard," Shilawat said. "The moment you see risk growing, you should get into action mode instead of waiting for events to occur."

That shift exposes the cultural gap. "You have a workforce born out of the culture of yesterday facing a problem of tomorrow," Shilawat said. "If you are looking at an Excel sheet or a report on your table, you are living in yesterday." Teams trained to read static reports cannot match adversaries that plan, adapt, and execute at machine scale.

The cyber dome

Shilawat's most provocative argument was structural. Siloed enterprise defenses cannot match adversaries that operate without constraints at national scale. He proposed a Cyber Dome: a collaborative, real-time defense infrastructure that would connect hyperscalers, enterprises, and government agencies into a unified protective layer.

"Individual rationality leads to collective insanity," Shilawat said. "Everybody's here to make money. But nobody collectively is thinking that if we don't do this, we all fail." Cloud providers are building protective layers around their own ecosystems, but those domes are not connected, exposing organizations to AI security risks that siloed defenses cannot address. A consortium-based approach with governance and compliance infrastructure is what Shilawat saw as the path forward.

Tactical starting points for CISOs

For security leaders looking to act now, Shilawat offered three priorities. On people: mandate AI defense learning, build real-time governance dashboards, and train teams on agentic attack scenarios rather than yesterday's threat models. On process: stop relying on periodic reports and automate compliance into live dashboards that CISOs can act on immediately. On technology: partner with hyperscalers, model makers, and agent orchestration platforms rather than assembling isolated point tools.

"We are just in a very early curve of AI today," Shilawat said. "Things are going to get a lot more complex and a lot faster. And God forbid if quantum computing threats show up, our problem just multiplies. We have created the problem, and like in history, we have solved them. I hope we solve this one as well."