惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

量子位
云风的 BLOG
云风的 BLOG
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Hacker News
The Hacker News
Martin Fowler
Martin Fowler
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
U
Unit 42
F
Full Disclosure
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recorded Future
Recorded Future
Security Archives - TechRepublic
Security Archives - TechRepublic
阮一峰的网络日志
阮一峰的网络日志
T
Threatpost
P
Privacy International News Feed
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
MongoDB | Blog
MongoDB | Blog
I
Intezer
Recent Announcements
Recent Announcements
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Privacy & Cybersecurity Law Blog
A
Arctic Wolf
博客园 - 聂微东
博客园 - 叶小钗
Cisco Talos Blog
Cisco Talos Blog
H
Help Net Security
S
Schneier on Security
Y
Y Combinator Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
The Exploit Database - CXSecurity.com
T
Tor Project blog
月光博客
月光博客
NISL@THU
NISL@THU
A
About on SuperTechFans
Spread Privacy
Spread Privacy
Blog — PlanetScale
Blog — PlanetScale
D
DataBreaches.Net
雷峰网
雷峰网
C
CXSECURITY Database RSS Feed - CXSecurity.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
G
Google Developers Blog
W
WeLiveSecurity
P
Palo Alto Networks Blog
The Last Watchdog
The Last Watchdog
K
Kaspersky official blog
博客园 - 司徒正美
L
LINUX DO - 热门话题
小众软件
小众软件

Check Point Blog

AI Security Is Never Finished: Building the Continuous Red Teaming Loop  - Check Point Blog AI Security Threats in 2026: Annual Insights from Check Point Research - Check Point Blog AI Agents are Only As Effective as Their Harness - Check Point Blog Email Agent Hijacking: The Hidden Threat That Breaks Post-Delivery Security - Check Point Blog How Check Point Email Security Stopped a Student Job Scam Before It Reached the Inbox - Check Point Blog Redefining the CISO Contract: From Securing the Business to Securely Doing Business - Check Point Blog A New Ransomware Leader Emerges as June 2026 Attack Volumes Climb Worldwide How Unified Policies Close Security Gaps - Check Point Blog Under Pressure: Insights from the 2026 Exposure Gap Report - Check Point Blog When AI Invents the Attack: Browser-Native Ransomware - Check Point Blog Check Point and the AWS European Sovereign Cloud: Securing Europe’s Digital Future - Check Point Blog Shadow AI Is Not a Tool Problem. It's a Timing Problem. - Check Point Blog AI Is Changing Cyber Careers. NICE 2026 Showed What Students Need Next - Check Point Blog 90% of the World's Businesses are SMEs and MSMEs and AI Is Reshaping Both Their Future and Their Risk - Check Point Blog Prevention Before the Inbox: Reading the Microsoft Defender Benchmark Report in Context - Check Point Blog ClickFix: The Attack That Turns Users Into Their Own Attackers - Check Point Blog From Prompt Testing to AI Red Teaming at Enterprise Scale - Check Point Blog AI Has Moved From Assistance to Action. Is Your Security Model Ready? AI Security Governance: How to Secure AI Agents, Copilots, and Autonomous AI in 2026 - Check Point Blog OpenAI Frontier AI Models Powering Check Point's Leading Cyber Security Solutions The Operational Reality of Zero Trust- And How You Can Change It - Check Point Blog Amazon Prime Day 2026: Bargains Begin June 23 — and So Do the Scams - Check Point Blog Securing AI Agent Behavior with Amazon Bedrock AgentCore and CheckPoint AI Security - Check Point Blog What Successful Exposure Management Deployments Had in Common in 2026 - Check Point Blog From Stars to Upvotes: The Fake Reputation Economy Behind a Crypto Clipboard Hijackers - Check Point Blog AI Red Teaming Makes the Unknowns Known - Check Point Blog Check Point and Illumio Expand Partnership to Secure Hybrid Environments - Check Point Blog The NCSC Patch Wave Is Coming. Do You Know Where Your Risk Lives? - Check Point Blog NCSC Warns of AI-Driven Patch Wave: Is Your Attack Surface Ready? Energy, Healthcare, and Finance: Why Midwest Industries Are Facing Surging Cyber Attacks - Check Point Blog Midwest Cyber Attacks Surge in 2026: Energy, Healthcare, and Finance Under Growing Threat Travel Phishing and Cyber Attacks are Surging in 2026, Growing 122% over the last 3 years. Here's What Cyber Criminals Are Actually Doing - Check Point Blog Travel Phishing Scams Surge 122%: How Cybercriminals Are Targeting Travelers in 2026 The AI Your Security Team Can’t See Is the One You Should Worry About Check Point Engage Public Sector 2026: AI Is the New Battlefield Check Point Joins OpenAI’s Trusted Access for Cyber Program and Daybreak Initiative When Your AI Agent’s Memory Becomes a Security Liability Global Cyber Attacks Ease in May 2026, But Ransomware Surges 48% As Threats Reorganize Security Advisory – Action Required – Active Exploitation of Check Point VPN Authentication Bypass (CVE-2026-50751) Fraud, Ransomware, and Fake Apps Are Already Targeting FIFA 2026 The AI Defense Plane: Securing the New Enterprise Execution Layer The Meta AI Account Recovery Incident Wasn’t Just a Chatbot Problem Check Point Lays the Groundwork for the Future of AI Factory Security with NVIDIA - Check Point Blog Check ... The 2026 U.S. Midterms Have a Cyber Problem, But it’s Not at the Ballot Box The Server Seizure That Affects Also Iran’s Cyber Operations The Autonomous Security Platform Built for Attacker Speed Check Point Frontier AI Models Readiness Program – Security Update 2026 Cloud Security Report: Why Traditional Network, Cloud, and Security Architecture Are Lagging Behind t ... AI Attacks Are No Longer Experimental: Key Findings from the March-April 2026 AI Threat Landscape - Check ... Protect GenAI Chatbots with Check Point WAF The Network Security Problem No One Could Solve – Until Now. Hacktivists, Ransomware, and a 124% Surge Across DACH The Case for a Vulnerability Operations Center Before the First Whistle: How Cyber Criminals Are Targeting World Cup 2026 - Check Point Blog World Cup 20 ... When the Ransomware Gang Gets Hacked: What the Gentlemen Leak Reveals About Modern Ransomware Risk - Check ... Cyber Threats Spike in April 2026 as Ransomware Expands and Attack Volumes Climb After Short-Lived Moderation Q1 2026 Ransomware Report: Fewer Groups, Higher Impact - Check Point Blog World Password Day 2026: Why "Strong Passwords" Can’t Save You from AI, Infostealers, and the Telegram Underground - Check Point Blog Resilient by Design: When the Network Itself Becomes the Target AI Threat Readiness: Defending Against Attacks Powered by Frontier AI Models Check Point Cyber Security Now Available Across All Levels of U.S. Government - Check Point Blog Check Poi ... VECT Ransomware: Why Paying Won’t Get Your Files Back Check Point WAF Leads Application Security-Validated by Frost & Sullivan Check Point WAF Leads Application ... From Access Control to Outcome Control: Securing AI Agents with Check Point and Google Cloud Experience AI-Powered Check Point Firewall at Google Cloud Next AI Finds Every Gap: How Many Can Your Network Survive? The Gentlemen RaaS Is Surging in 2026 The Phishing Paradox: The World’s Most Trusted Brands Are Cyber Criminals’ Entry Point of Choice World Quantum Day 2026: The Harvest Has Already Begun, Are You Prepared? Why Manufacturing Cyber Security is Becoming More Complex as Cyber Attacks Accelerate March 2026 Cyber Threat Report: Ransomware & GenAI Risk PS Private Training: Turning Cyber Complexity into Operational Control Tax Season 2026: How Cyber Criminals Are Preparing Their Attacks Months in Advance Claude Mythos Wake-Up Call: What AI Vulnerability Discovery Means for Cyber Defense Iran-nexus Password Spray Campaign Targeting Cloud Environments, with a Focus on the Middle East ROI of Hybrid Mesh Network Security (IDC Study 2026) Operation TrueChaos: TrueConf Zero‑Day Supply‑Chain Attack ChatGPT Data Leak (Fixed Feb 2026): Key Takeaways Spring Cleaning Has Arrived: Meet the New Check Point Portal Experience North America’s Cyber Security Threat Reality in 2026
AI Agents Are Becoming Enterprise Workers. Who Secures Them?
maciejd@checkpoint.com · 2026-06-10 · via Check Point Blog

A sales operations team builds an AI agent to help manage renewal requests. 

On the surface, the workflow looks ordinary. The agent reads inbound customer emails, checks the account record in the CRM, looks up contract terms, drafts a response, updates the opportunity stage, and creates a follow-up task. No one has set out to build a sentient machine in a basement. They are just trying to remove friction from a familiar business process. 

Underneath that ordinary workflow, something important has changed. 

The agent is not just generating text. It is reading business data, interpreting instructions, using credentials, calling tools, and changing enterprise systems. It has access to private information. It is exposed to untrusted content. It can communicate back out through email, workflow tools, or connected applications. 

That combination is what makes agents powerful. It is also what changes the security model. Simon Willison describes this pattern as the lethal trifecta for AI agents: private data, untrusted input, and external communication. A renewal agent that reads customer email, queries CRM data, and sends responses is useful precisely because it brings those elements together. 

That is the point where AI agent security becomes a different problem from AI usage monitoring. The question is not only whether employees are using AI. It is where agents are running, who can access them, what they can touch, which tools they can invoke, and whether each action is safe before it happens. 

This is why enterprises need an AI Defense Plane built for a new execution layer. Agents are where that layer starts to perform work. 

An AI assistant suggests next steps. An AI agent can take them. 

Agents Are a New Kind of Enterprise Actor 

An agent is not just a chatbot with a nicer interface. In practical terms, it is an LLM-powered system with access to tools, context, and some degree of autonomy. It takes an input, decides what to do next, calls tools or APIs, receives results, and continues until it produces an output or triggers a downstream action. 

That loop is what makes agents useful. It is also what makes them different from the AI systems most organizations first learned to govern. 

Agents can act on behalf of users, teams, applications, and workflows. They may use delegated authority or service identities. They may retrieve documents, query databases, update tickets, write code, summarize customer records, post messages, create files, or call external services. Their behavior depends on prompts, data, instructions, permissions, tools, model behavior, and workflow state. 

In other words, enterprises are introducing a semi-autonomous, non-human workforce into the operating environment. These systems are not accountable in the human sense, but they can still move data, alter records, trigger processes, and affect customers. 

Security teams therefore need to ask a more contextual set of questions: 

  • What is this agent supposed to do? 
  • What can it read, change, or delete? 
  • Which tools can it invoke? 
  • What systems does it connect to? 
  • How much autonomy does it have? 
  • Does this specific action match user intent and business policy? 

Those questions are simple to ask and hard to answer with traditional controls alone. 

Traditional Controls Still Matter. They Are Not Enough. 

This is not an argument for throwing away existing security architecture. Defense in depth still matters. IAM, least privilege, application security, WAF/WAAP, API security, DLP, logging, and monitoring remain essential because they keep one failure from becoming a breach. That was true for vulnerabilities such as Log4Shell, and it remains true for AI agents. 

If an agent does not need internet access, do not give it internet access. If it only needs to read a limited data set, do not grant broad read/write permissions. If it should never delete production data, make that impossible where you can. 

But least privilege can only answer part of the problem. It can tell you what an agent is technically allowed to access. It cannot always tell you whether this tool call, in this context, for this task, after reading this content, should happen. 

That distinction matters because agents operate in language-driven, context-dependent workflows. A support agent may read account data but not expose it in a response. A finance agent may prepare a payment workflow but not submit an out-of-policy transfer. A development agent may inspect code but not send secrets to an external service. 

The same issue appears in more subtle forms. A renewal agent may be allowed to read customer email and update a CRM record. But what if an email contains hidden instructions telling the agent to ignore its task, retrieve unrelated account data, and send it elsewhere? To the human reader, the malicious text is just message content. To the agent, it may look like an instruction. 

Traditional permission controls and pattern matching struggle with that kind of question. Should this agent send this response based on the email it just read? Should it call this tool? Should it include this data? 

Those are not static access questions. They are runtime judgment questions. 

Where Agent Risk Actually Appears 

The risk is already live. The 2026 Cloud Security Report found that 64% of organizations have AI agents in pilot or production, and 12% have granted agents privileged access to core systems. Agent security is no longer a future-planning exercise. It is a production governance problem. 

The risk appears in several patterns. 

First, manipulated instructions. Prompt injection and indirect prompt injection exploit the fact that agents process untrusted content as part of their work: email, documents, web pages, tickets, files, or API responses. If the agent cannot distinguish data from instruction, one malicious input can redirect the mission. 

Second, sensitive data movement. Agents can bring proprietary data, credentials, source code, PII, or regulated information into prompts, tool calls, responses, and external systems. Often the leak is buried in a workflow that looked reasonable one step at a time. 

Third, unsafe tool use. The tool may be legitimate. The agent may have permission to use it. The risk is that it uses the right tool for the wrong reason, at the wrong time, or beyond the scope of the task. 

Fourth, component risk. Agents are assembled from models, prompts, tools, connectors, APIs, skills, and increasingly MCP-connected systems. A new tool or external content source can quietly expand what the agent can do. A compromised component can change the agent’s risk profile even if the agent itself appears benign. 

Finally, speed and blast radius. Agents can act in seconds or minutes. If the first time a security team sees the issue is in a log after the action completed, that alert may help forensics. It was not a control. 

Runtime Is Where Agent Security Becomes Real 

Agent security has to operate where the risky decision happens: between the prompt, the retrieved context, the model decision, and the tool call. 

Controls need to evaluate the interaction inline. Is the prompt trying to manipulate the model? Is retrieved content carrying hidden instructions? Is sensitive data entering or leaving the interaction? Is the tool call aligned with the user’s intent and the agent’s purpose? Is the agent still operating within policy? 

The gap is significant. According to the 2026 Cloud Security Report, only 17% of organizations have broadly deployed runtime LLM controls such as input validation, output filtering, and tool-use authorization. 

That is why visibility alone is not enough. It is important to know which agents exist and what they connect to. It is important to assess their posture before deployment. But if an agent can invoke a tool in real time, the security layer must also be present in real time. 

The practical model is simple: discover, govern, protect. 

Discover what agents exist across cloud services, agent platforms, custom applications, and business-built workflows. Understand what they connect to, what tools they use, what data they access, how much autonomy they have, and which permissions they rely on. 

Govern what agents are allowed to exist and how they are allowed to operate. Define policies for tools, MCP servers, skills, integrations, data access, and deployment patterns before high-risk agents are released into production. 

Protect agents at runtime by inspecting inputs, outputs, tool calls, and agent decisions before unsafe actions execute. 

That last step is where agent security moves from dashboard to control point. 

What AI Agent Security Needs to Enforce 

Check Point AI Agent Security is designed for this runtime reality. It protects AI applications and agents inline, from prompts to outputs to agent actions, without requiring model retraining or prompt rewriting. 

The enforcement layer needs to see more than the final answer. It needs to inspect the prompt before it reaches the model, the response before it reaches a user or downstream system, and the tool call before it executes. It needs to detect prompt injection, adversarial instructions, sensitive data exposure, unsafe outputs, and actions that fall outside intended scope. 

For agents, tool-call control is especially important. An agent that can send an email, update a record, query a database, open a ticket, call an API, or delete a file is crossing from language into operations. That is the point where context-aware policy has to decide whether to allow, block, modify, redact, or escalate the action. 

The same applies to external content and MCP-connected systems. Before external content influences model behavior, and before a connected tool expands what an agent can do, security needs to evaluate the risk. Otherwise the agent’s attack surface grows faster than the organization can map it. 

Runtime controls also have to preserve adoption. If the answer is either “allow everything” or “block AI,” the business will route around security. Effective agent security should stop high-risk behavior while allowing legitimate work to continue. This is where model-agnostic deployment, cloud/on-prem/hybrid support, multilingual coverage, and low-latency enforcement matter. 

Start With the Agents Already Taking Shape 

The goal is not to stop agentic AI. The goal is to make it safe enough to scale. 

Security teams can start with a focused path. Inventory the agents and AI applications already in use or under development. Map what each agent can access, which tools it can invoke, what data it can touch, and what actions it can perform. Define its intended scope, forbidden actions, and conditions for blocking, redaction, or escalation. 

Then place runtime control points where they matter: before prompts reach models, before outputs reach users or systems, and before tool calls execute. Use AI Red Teaming to test realistic misuse, prompt injection, data leakage, unsafe tool use, and policy bypasses. Feed those findings back into runtime policies as prompts, models, tools, permissions, and workflows change. 

For a deeper look at autonomous-workflow risk, the on-demand READY OR NOT AI Agent Security webinar is a useful companion. The Agentic AI Security: The Enterprise Playbook also offers a practical framework for assessing and securing agents in production. 

Enterprises are not only adopting AI systems that answer questions. They are adopting systems that perform work. That work may be helpful, fast, and valuable. It may also involve credentials, sensitive data, tools, APIs, and processes that were never designed for autonomous or semi-autonomous actors. 

AI agent security is about governing the path from instruction to action. It gives agents room to help the business move faster, while giving security teams the context and control to prevent unsafe outcomes before they execute. 

That is the difference between experimenting with agents and trusting them inside the enterprise.