At RSA 2026, the SANS panel on the five most dangerous new attack techniques listed irresponsible AI adoption as one of them. Not a threat actor. Not a malware family. An adoption pattern. The sentence that framed it: Your LLM is a target. If someone gets hold of your AI and compromises it, what can an attacker learn? Rush to market with no validation. Your name is on the final report. Not your AI’s.
That framing deserves more than a nod. It names the thing the industry has been working very hard not to say out loud.
The numbers that make the avoidance untenable
The adoption numbers make the avoidance look increasingly untenable. A report published in February found that while 80 percent of technical teams have AI agents in active testing or production, only 14 percent are launching them with full security and IT approval. A separate survey found that 82 percent of executives feel confident their existing policies protect them from unauthorized agent actions, even as nearly half of organizations use shared API keys for agent-to-agent authentication and only one in five treat agents as independent, identity-bearing entities. These are not the numbers of an industry that has accountability under control. They are the numbers of an industry that has convinced itself the accountability question can be deferred until the technology matures.
When the agent acts, accountability migrates
The technology does not wait for governance to catch up. Agentic systems are in production now, making decisions now, at speeds that make human review a formality rather than a genuine checkpoint. When an agent triages an alert, escalates an incident, or takes a remediation action autonomously, the accountability for that action does not dissolve into the architecture. It migrates. It migrates to whoever configured the agent, whoever approved its deployment, whoever signed off on the risk. That is a person. In most organizations, that person does not yet know they own that accountability, because no one has told them directly, and the frameworks they would need to act on that ownership do not fully exist yet.
The attack surface most teams underweight
This is where the attack surface the SANS panel was describing becomes worth examining carefully. The framing of irresponsible AI adoption as an attack technique was not primarily about defenders being careless. It was about attackers understanding the gap better than defenders do. An AI system that is trusted to act autonomously but governed loosely is an attack surface in a specific and underappreciated sense: compromise the model, compromise the agent, compromise the data it reasons over, and you inherit the permissions that were granted to that system in good faith. The attacker does not need to break your security controls if they can subvert the entity your controls have delegated authority to. And when the breach is eventually investigated, the question of how an autonomous system came to take those actions will trace back, every time, to a human decision about how much trust to extend and under what conditions.
The controls are chasing the capability
The governance research confirms that most organizations have not yet built the infrastructure to answer that question cleanly. NIST SP 800-53, the foundational control framework for most mature security programs, was designed for environments where you can attribute actions to identifiable actors. In a multi-agent ecosystem where agents can spawn and task other agents, that attribution assumption fails at the architecture level. The standards bodies know this. NIST is developing control overlays specifically for agentic systems, but as of early 2026, those overlays are still in development while production deployments are already underway. The controls are chasing the capability, not leading it.
Diffused responsibility is the attacker’s leverage point
None of this is an argument against deploying agentic security tools. The operational case is real: analysts are drowning in alert volume, attackers are already operating at machine speed, and a human-paced defense against an AI-accelerated offense is not a sustainable long-term position. The argument is about sequencing and honesty. Deploying agents before accountability structures exist is not just a governance risk; it is a cognitive one. It creates the conditions for what researchers studying high-stakes decision environments describe as diffused responsibility, where the presence of an autonomous system gives the humans around it a false sense that someone or something else has ownership of the outcome. No one in the chain feels fully responsible. Everyone assumes the system handled it, or that someone else reviewed it, or that the policy covers it. That diffusion is exactly what a patient attacker can exploit once they have mapped how your organization actually makes decisions.
The conversation that has to happen next
The five techniques the SANS panel named at RSA were chosen carefully by people who have watched the threat landscape evolve across multiple technology transitions. What made the fourth technique notable was not the technical mechanics. It was the framing. Not understanding AI is irresponsible. Your name is on the final report.
The industry has spent three years getting very good at explaining what agentic AI can do. The next necessary conversation is simpler and considerably less comfortable: when the agent acts on your behalf, you acted. Building accountability structures worthy of that fact is not a future problem. It is the present one.