Eighty-five percent of enterprises are experimenting with AI agents. Five percent have them in production. That gap — documented by Cisco in a survey of its major enterprise customers and announced at RSA Conference 2026 — is the real story of this week's security product launches.
The vendors showing at RSAC aren't selling to the 85%. They're building for the 5%. And the gap between those two numbers is where the interesting infrastructure problems live.
Cisco set the table on Monday with a survey finding that captures something the entire vendor cohort at this conference is quietly acknowledging: organizations know what AI agents are, they're running experiments, but something is preventing those experiments from becoming infrastructure. Cisco's answer is Duo Agentic Identity, an extension of its Zero Trust portfolio introduced at RSAC 2026 that registers AI agents in Duo, maps them to a human owner for accountability, and includes MCP policy enforcement in Secure Access SSE. The company calls this "agentic IAM" — identity and access management for non-human actors that cannot self-report what they did or why. It's an explicit admission that the existing identity stack wasn't built for a world where software makes consequential calls without a human in the loop.
Microsoft's Agent 365 goes live May 1 at $15 per user per month — a figure confirmed by The Register and VentureBeat — as a governance and control plane that surfaces every agent registered via Entra Agent ID, applies IT-defined guardrails, enforces least-privilege access, and produces audit logs of agent actions. Where Cisco's framing is network-oriented — trust but verify at the access layer — Microsoft's is platform-oriented: if your agents run inside the Microsoft universe, Agent 365 is the observability layer baked into the subscription. Neither approach solves the harder problem, which is the population of agents running outside those ecosystems, which is presumably large.
Google took the operator's angle. Its Security Operations platform now includes a Triage and Investigation agent, in preview, that autonomously investigates alerts, gathers evidence, and delivers verdicts with explanations — designed to close the gap between alert surface area and analyst time. The Triage Agent is Gemini-powered and embeddable directly into SOC playbooks. Google's announcement cited Omdia research showing that 89% of CISOs are pushing to accelerate agentic security adoption, with over half of cybersecurity practitioners believing agentic AI offers a bigger advantage to defenders than to adversaries. That second number is doing a lot of work in Google's framing — the implication being that security tooling is the use case where agents mature fastest, because the feedback loops are fast and the stakes are high. Whether that's predictive or post-hoc rationalization is a question worth leaving open.
Tenable's Hexa AI, announced at the Tenable One booth, is the most architecturally distinct of the four. Rather than managing a single vendor's agent ecosystem, Hexa AI operates as an orchestration engine inside Tenable One's exposure management platform — coordinating multi-step security workflows across IT, cloud, identity, and OT environments using Tenable's Exposure Data Fabric as the authoritative context layer. The product is in a private customer and partner program now, with general availability expected later in 2026. The architecture is interesting because Tenable is solving a different problem: not "how do we govern our own agents" but "how do we orchestrate responses across an environment where humans, automation, and AI agents are all present and the attack surface is expanding faster than any team can manually track." That's closer to the real enterprise problem, but it's also the least concrete of the four announcements — "orchestration engine" is a phrase that has preceded a lot of vaporware.
The thread connecting all four is that agent security is being handled as an extension of existing platforms rather than a net-new category. Cisco extends Zero Trust. Microsoft extends Entra. Google extends Security Operations. Tenable extends exposure management. None of them are building from scratch, which makes sense commercially and operationally, but also means the underlying assumptions of the legacy systems — that the principal is a human, that actions map cleanly to intent, that accountability is traceable — are being carried forward into a context where they may not hold.
That last point is the one worth sitting with. The 85% experimenting rate will not translate smoothly into production deployments unless the organizational questions get answered first: who owns agent identity, who approves access policies, and what happens when an agent does something its owner didn't anticipate. Security vendors are building tools for that world. The enterprises are still figuring out what the world is.
