Published: 2026-04-15
Categories: AI Security, Security Operations, Agentic AI
The Agentic SOC Behavioral Baseline Gap
Executive Summary
Security operations centers are undergoing a fundamental transformation. AI agents now handle alert triage, conduct threat investigations, coordinate cross-domain responses, and in some deployments act as autonomous defenders that neutralize attacks before a human analyst can respond. Gartner projects that 40 percent of enterprise applications will embed task-specific AI agents by 2026, up from fewer than five percent in 2025 [1], and Microsoft reports that 80 percent of Fortune 500 companies already operate active AI agents built with low-code and no-code platforms [2]. Within security operations specifically, agentic automation is estimated to handle 75 percent of phishing and malware investigations under human supervision at leading organizations [3].
This rapid adoption carries a systemic risk that has received insufficient attention: the behavioral monitoring infrastructure that SOCs depend upon to detect insider threats, account compromise, and lateral movement was designed exclusively for humans and static technology entities. User and entity behavior analytics platforms require stable identities, predictable behavioral patterns, consistent network topologies, and extended observation windows to establish meaningful baselines [4]. AI agents violate every one of these prerequisites. They are spawned and destroyed in cycles measured in hours, they produce non-deterministic outputs from identical inputs, they accumulate legitimate access to sensitive systems by design, and they communicate at machine speed across trust boundaries that perimeter-based controls were never built to monitor.
The consequence is a structural blind spot. A compromised or drifting AI agent operating inside an enterprise SOC can access sensitive data, modify security configurations, and exfiltrate information while generating no alerts in the tools designed to detect exactly this class of threat. Industry surveys confirm the gap is not theoretical: only 38 percent of organizations monitor AI traffic end-to-end, only 17 percent monitor agent-to-agent interactions, and nearly 20 percent have deployed no controls whatsoever over their agentic systems [5]. IBM’s 2025 Cost of a Data Breach Report found that shadow AI incidents—where unsanctioned agents operate outside visibility—cost organizations an average of $4.63 million per breach, $670,000 more than standard incidents [6].
This paper characterizes the behavioral baseline gap, explains why it is structurally different from prior generations of security blind spots, quantifies its scope across the enterprise, and offers a practical framework for building agent-aware behavioral governance. The analysis draws on CSA’s MAESTRO threat modeling framework, the CSA-aligned NIST AI RMF Agentic Profile, and the AI Controls Matrix (AICM) to ground recommendations in existing security governance infrastructure. Addressing this gap is not optional: Gartner predicts that by 2028, 25 percent of enterprise breaches will be traceable to AI agent abuse [7], and the organizations that recognize the structural mismatch between legacy monitoring and agentic reality now will be far better positioned to contain that risk.
Introduction: Security Operations in an Agentic World
The security operations center is one of the most demanding environments in enterprise technology. SOC analysts face a relentless and expanding workload: alert volumes grow faster than headcount, dwell times for sophisticated attackers remain measured in weeks, and the techniques adversaries use shift faster than rule-based detection can adapt. For more than a decade, the security industry’s response has been to augment human analysts with increasingly capable automation—SIEM platforms to aggregate and correlate, SOAR platforms to orchestrate response, and machine learning-driven analytics to surface signals from noise. AI agents represent the logical culmination of this trajectory, extending automation from deterministic playbook execution into genuinely autonomous decision-making.
The capabilities this creates are real and significant. Agentic SOC deployments reported by Microsoft can disrupt ransomware attacks in an average of three minutes and contain tens of thousands of attacks monthly through autonomous isolation of compromised users and devices [3]. AI agents assemble context across identity, endpoint, email, and cloud domains in ways that would take human analysts hours or days, compressing investigation timelines and enabling far more consistent application of threat intelligence. The EY Agentic SOC model describes multi-agent orchestration where specialized agents handle triage, investigation, and response coordination in parallel, fundamentally changing the pace at which a SOC can operate [8].
What has not kept pace with this deployment velocity is the security infrastructure designed to monitor these agents themselves. This is not a failure of vendor engineering or organizational negligence in isolation; it reflects a deeper structural incompatibility. The tools that enterprises rely upon to detect compromise and anomalous behavior—UEBA platforms, SIEM correlation rules, identity analytics—were built on assumptions about entity behavior that do not hold for autonomous AI systems. When these tools encounter agentic activity, they either flag it as anomalous (generating alert fatigue) or learn to treat it as normal (creating blind spots). Neither outcome is acceptable for security operations.
Understanding why this gap exists, how deep it runs, and what would be required to close it is the central purpose of this paper. The analysis is intended to be useful both to security architects designing monitoring infrastructure and to CISO organizations making governance decisions about how and how quickly to deploy agentic capabilities. The underlying message is not that agentic AI in the SOC is dangerous per se, but that deploying agents into environments whose security monitoring was not designed for them creates systemic visibility failures that adversaries will exploit.
The Architecture of Traditional Behavioral Baselines
To understand why agentic AI breaks behavioral monitoring, it is necessary first to understand what behavioral monitoring is designed to do and how it accomplishes that goal. User and entity behavior analytics platforms operate on a deceptively simple principle: establish what normal looks like for each observed entity—a person, a service account, an endpoint, a workload—and then detect statistically significant deviations from that baseline. The sophistication lies in the statistical modeling, the feature engineering, and the calibration required to distinguish genuine anomalies from natural variation.
Effective UEBA deployment requires a learning period of several weeks to months during which the platform accumulates sufficient behavioral data to establish a meaningful baseline [9]. Over that period, the platform builds models of typical access patterns—which systems a user connects to at what hours, the volume of data they access, the sequence of applications they use, the geographic and network contexts from which they authenticate. When a user suddenly begins accessing systems outside their normal pattern, downloads unusually large data volumes, or authenticates from a new location after hours, the platform raises an alert. The signal is not that any individual action is forbidden, but that the combination of actions deviates from an established pattern of behavior.
This approach has proven highly effective against a class of threats that rule-based systems miss: insider threats, account compromise using legitimate credentials, and slow-burn lateral movement that never triggers signature-based detection. CrowdStrike’s 2025 Global Threat Report found that 79 percent of detections in 2024 were malware-free, with adversaries relying instead on compromised credentials and the abuse of legitimate tools [10]. UEBA’s strength is precisely that it detects the behavioral signature of misuse without requiring knowledge of the specific technique being used. Because it models the entity rather than the attack, it can surface novel threats that have no prior signature.
The behavioral signals that UEBA relies upon, however, are fundamentally human signals. Geographic location, authentication timing, data access volume relative to job function, typing cadence in some implementations—these are signals that derive meaning from the reality that humans have consistent, bounded, and observable patterns shaped by their roles, working hours, and information needs. Service accounts and endpoint agents can also be baselined, but they succeed as monitoring targets precisely because well-managed service accounts have narrow, stable, and predictable behaviors: they authenticate from fixed network segments, access defined system sets, and maintain consistent transaction profiles. UEBA for non-human entities works well when those entities behave like well-behaved services. It does not work when entities are autonomous agents capable of reasoning, planning, and adaptively using tools.
Why AI Agents Break Behavioral Baselining
The structural incompatibility between AI agents and traditional behavioral monitoring systems stems from four properties of agentic systems that directly undermine the prerequisites for baseline establishment. Each property would be challenging in isolation; their combination creates a monitoring environment that existing tools were not designed to handle.
Ephemeral Identity and the Baseline Learning Problem
Traditional behavioral monitoring requires that an entity maintain a stable identity over an observation window long enough to establish a meaningful baseline—typically several weeks to months for reliable statistical models [9]. In cloud-native and Kubernetes-based environments, AI agent workloads routinely violate this assumption by design. ARMO Security’s analysis of agentic systems finds that AI agent pod lifetimes during active operations can range from minutes to a few hours, with frequent restarts during deployment and scaling events [4]. A monitoring system that requires extended observation to begin building a baseline will remain perpetually in learning mode for agent workloads that recycle every few hours.
The problem compounds in multi-agent systems. A single orchestrating agent may spawn dozens of sub-agents in the course of executing a complex task, each with its own identity, its own set of tool permissions, and its own behavioral footprint. These identities appear, take action, and disappear before any behavioral monitoring system has accumulated enough data to characterize what normal looks like for that agent instantiation. The result is that each agent spin-up looks like a new entity with no baseline—which is precisely what it is—but this means the monitoring system has no capability to distinguish an agent behaving normally from an agent that has been manipulated or has drifted from its intended purpose.
Non-Deterministic Behavior and the Signal-to-Noise Problem
Behavioral analytics depend on entities producing consistent, predictable outputs from consistent contexts. A human user who accesses the same systems at the same times exhibits high predictability that makes genuine anomalies stand out. AI agents are fundamentally non-deterministic: the same prompt and the same context can produce meaningfully different sequences of tool calls and data accesses across executions, because the underlying language model samples from a probability distribution rather than executing a deterministic program. Two legitimate executions of the same agentic task may follow different tool-call sequences, access different intermediate data, and produce outputs through different paths—all while accomplishing the same authorized goal.
This non-determinism creates what security engineers call a high noise floor. Behavioral anomaly detection tuned to flag deviations from expected patterns will generate a high false-positive rate when the underlying behavior is legitimately variable. ARMO’s research documents this concretely: behavioral anomaly detection tools evaluating agentic infrastructure generated alerts for normal autoscaling events and pod restarts at rates that overwhelmed security operations teams [4]. The practical consequence is that SOC operators either raise anomaly thresholds to the point where they miss real threats, or they receive so many false positives from agent activity that they develop alert fatigue—both outcomes that degrade the security posture of the environment.
Legitimate Privilege Accumulation and the Insider Threat Analogy
AI agents operating in SOC environments typically receive elevated permissions that reflect the operational tasks they are designed to perform. An incident response agent needs to query endpoint telemetry, pull logs from SIEM, access threat intelligence feeds, query identity systems, and in some deployments initiate containment actions like isolating devices or revoking credentials. A threat hunting agent may need broad read access across the data lake. These are legitimate operational requirements, and they mean that a compromised or drifting agent operates with the kind of access that, in a human context, would characterize a privileged insider—the highest-risk threat category in behavioral security.
The insider threat analogy is instructive because it highlights why the baseline gap is particularly dangerous in SOC environments. UEBA’s effectiveness against insider threats depends on its ability to detect when privileged users act outside their normal behavioral patterns. But if the agent performing those actions has no established baseline—because it was recently deployed, was recently respawned, or because its natural behavior is too variable for a reliable baseline to form—the detection mechanism fails at precisely the moment it is most needed. A compromised agent with SOC-level access that has no behavioral baseline is, from a monitoring perspective, indistinguishable from a new agent operating legitimately.
Intent Drift: The Sequence-Level Threat That Point-in-Time Tools Miss
The most conceptually important challenge for behavioral monitoring of AI agents is the phenomenon that security researchers refer to as intent drift—a gradual shift in the goals an agent pursues, visible only in the sequence of actions taken over time rather than in any individual action. ARMO Security’s research on intent drift provides a particularly clear formulation of the problem: “Intent drift is a change in what the agent is trying to accomplish, visible only in the sequence of actions (tool call → data access → egress)” [4]. Each step in a drift sequence may fall entirely within the bounds that a monitoring tool would consider normal. It is only when the sequence is considered as a whole—and compared against what a legitimately operating agent would be expected to do—that the drift becomes detectable.
This challenge is structurally different from traditional anomaly detection problems. UEBA platforms are event-level systems: they build models of individual action types (file access events, authentication events, network connections) and flag when individual events deviate from baseline expectations. Intent drift, by contrast, is a chain-level phenomenon that requires reasoning about the purposiveness of a sequence of actions. A traditional UEBA platform that evaluates each tool call in isolation has no capability to observe that an agent has begun querying data it was not designed to access, moving that data to a staging location it was not designed to use, and then exfiltrating it through a channel it was not designed to use—even if each individual action was within the agent’s permission set. Intent drift exploits the gap between permission-based access control (which governs what an agent is allowed to do) and behavioral governance (which governs what a well-functioning agent is expected to do).
Noma Security describes this gap precisely: goal misalignment results from open-ended prompting with natural language ambiguities, dynamic tool use that expands access without precise boundaries, and ambiguous guardrails that leave room for misinterpretation [11]. The agent is not, in the traditional sense, “compromised”—it may be operating exactly as its model parameters direct—but its behavior has diverged from the intent of the humans who deployed it.
Quantifying the Gap: Evidence from Industry Research
The structural incompatibility described in the previous section is not theoretical. Multiple independent research efforts conducted in 2025 and 2026 have produced consistent evidence that the gap between agentic deployment velocity and monitoring readiness is wide, widening, and already being exploited.
The most comprehensive survey data available comes from Akto’s State of Agentic AI Security 2025, which found that while 69 percent of enterprises have deployed AI agents in production, only 21 percent maintain complete inventory visibility of those agents, their MCP server connections, and their tool integrations [5]. This means that roughly 79 percent of organizations operate with security blindspots where agents invoke tools, touch data, or trigger actions that the security team cannot fully observe. The monitoring gap is even more pronounced at the agent-to-agent interaction level: only 17 percent of organizations monitor agent-to-agent communications, the layer at which multi-agent coordination occurs and where agent collusion or manipulation is most likely to manifest [5].
IBM’s 2025 Cost of a Data Breach Report added financial dimensions to these statistics. Breaches involving shadow AI—unauthorized AI tools and agents operating outside IT visibility—cost organizations an average of $4.63 million per incident, $670,000 more than standard breaches [6]. One in five organizations reported a breach attributable to shadow AI, and 97 percent of organizations that experienced AI-specific breaches lacked AI access controls at the time of the incident [6, 12]. The IBM data suggests that the behavioral monitoring gap is not merely a theoretical vulnerability but one that adversaries and shadow deployers are actively exploiting.
The CloudSine Agent Security Intelligence report, citing the MIT AI Agent Index 2025, documented that among 29 production agentic systems analyzed, 69 percent had zero security monitoring capability, 49 percent did not identify themselves as AI systems to other systems they interacted with, and 25 percent lacked any kill switch or emergency halt mechanism [13]. The kill switch finding is particularly significant from a security operations perspective: an agent that cannot be stopped cleanly cannot be contained when it is identified as compromised or misbehaving.
The following table summarizes the gap across key monitoring dimensions:
| Monitoring Dimension | Organizations With Capability | Gap |
|---|---|---|
| Complete agent inventory visibility | 21% | 79% |
| End-to-end AI traffic monitoring | 38% | 62% |
| Runtime guardrails deployed | 41% | 59% |
| AI risk assessments in past 12 months | 40% | 60% |
| Agent-to-agent interaction monitoring | 17% | 83% |
| Formal AI governance policies | 21% | 79% |
| Any security controls on agentic systems | ~80% | ~20% |
Sources: Akto State of Agentic AI Security 2025 [5]; IBM Cost of a Data Breach 2025 [6]
The scale of non-human identity proliferation amplifies this gap. Non-human identities—service accounts, API keys, OAuth credentials, and AI agent identities—now outnumber human identities by 25 to 50 times in modern enterprises, with the ratio accelerating as agentic deployment scales [14]. Microsoft’s research found that 29 percent of employees use unsanctioned AI agents for work tasks, creating a shadow agent population that by definition operates outside any monitoring framework [2]. Gartner predicts that 40 percent of CIOs will respond to this proliferation by demanding “Guardian Agents”—dedicated AI systems tasked with monitoring and containing the behavior of operational agents—by 2028 [7].
The Attack Surface Created by Unmonitored Agents
The behavioral monitoring gap creates concrete attack surfaces that sophisticated adversaries are already beginning to exploit. Three threat categories are most directly enabled by the absence of agent-aware behavioral governance.
Prompt Injection and Undetected Exfiltration
Prompt injection—the technique of embedding malicious instructions in content that an agent will process—does not exploit code vulnerabilities in the conventional sense. It exploits the agent’s reasoning process, causing it to execute attacker-supplied instructions while operating with its legitimate, authorized permission set. An agent that has been injected with exfiltration instructions will access sensitive data through its legitimate data access pathways, move that data through its legitimate egress channels, and transmit it to an attacker-controlled destination—all actions that fall within the agent’s authorized scope and thus trigger no permission violations. The CloudSine report documents a concrete case of this class of attack: a single developer used an AI coding agent injected with exfiltration instructions to steal 195 million records over 30 days, during which no alerts were triggered by the security tooling in place [13].
Cisco Security research adds another dimension to the supply chain exposure: a top-ranked skill in a community skill registry for AI agents was discovered to be “performing data exfiltration and prompt injection” without user awareness [15]. The supply chain vector means that organizations deploying AI agents with third-party skill integrations inherit the attack surface of every integration they consume, and without behavioral monitoring capable of detecting what those skills actually do at runtime, there is no mechanism to observe when a legitimate-looking skill begins performing illegitimate actions.
Multi-Agent Collusion and Delegation Chain Abuse
Multi-agent architectures introduce a class of attack that has no meaningful analog in traditional enterprise security: collusion between agents, or the abuse of agent delegation chains to amplify privilege or obscure accountability. When an orchestrating agent delegates a task to a sub-agent, the sub-agent may receive permissions that exceed what it strictly needs for its portion of the task, because the delegation chain inherits from the orchestrator’s permission set. An attacker who can influence the orchestrator’s instruction can cause it to delegate tasks with amplified permissions to sub-agents that then execute with elevated access the attacker could not have directly obtained.
The NIST AI RMF Agentic Profile, developed in collaboration with CSA, identifies delegation chain opacity as one of the four structural deficiencies in current governance frameworks [16]. As the profile notes, “when an orchestrating agent delegates a sub-task to a sub-agent, accountability becomes distributed” in ways that existing governance tools cannot capture. From a monitoring perspective, this means that the behavioral footprint of a multi-step attack may be distributed across multiple agent identities, each of which individually appears to be operating normally, but whose combined sequence of actions constitutes a coordinated exploit.
Shadow Agent Populations and the Governance Vacuum
The third threat category emerges not from adversarial attack but from the organizational reality of shadow AI deployment. When 29 percent of employees deploy unsanctioned agents for work tasks [2] and 79 percent of organizations lack formal governance policies for their agentic systems [5], a substantial proportion of the enterprise’s agentic attack surface exists entirely outside the scope of any monitoring framework. These shadow agents operate with whatever permissions their deployers can grant, connect to whatever external services their deployers authorize, and process whatever data their deployers direct them toward—none of which is visible to the security team.
Shadow AI breaches do not require sophisticated adversarial techniques. An employee who deploys a productivity agent that incidentally exfiltrates sensitive data to a vendor’s cloud service, or who configures an agent with excessive permissions that a later-compromised service account inherits, creates material breach risk through a combination of organizational failure and monitoring blindness. IBM’s finding that 97 percent of organizations that experienced AI-related breaches lacked AI access controls underlines that the governance vacuum is the primary risk factor [12]. Shadow agents that operate outside identity governance, behavioral monitoring, and access control frameworks represent the largest volume of the behavioral baseline gap—not because they are sophisticated, but because they are pervasive and invisible.
Technical Requirements for Agent-Aware Security Monitoring
Closing the behavioral monitoring gap requires purpose-built capabilities that are architecturally incompatible with UEBA platforms designed for humans. This section describes the technical requirements for agent-aware behavioral monitoring, drawing on emerging research and early deployment experience.
Runtime Telemetry and Continuous Observation
The most fundamental requirement is a shift from periodic assessment to continuous runtime telemetry collection. The NIST AI RMF Agentic Profile explicitly identifies this as a structural deficiency in current guidance: “current MEASURE guidance assumes point-in-time assessment rather than continuous observation of dynamic agent behavior over extended operational periods” [16]. An agent that is evaluated quarterly through a security review process may be behaving within policy at assessment time while actively drifting or compromised between assessments.
Continuous runtime telemetry requires instrumentation at multiple layers of the agent’s operating stack. ARMO Security’s research identifies kernel-level instrumentation using eBPF as a promising approach precisely because it provides immediate visibility without requiring a baseline learning period [4]. By anchoring behavioral profiles at the Deployment object level rather than the individual Pod level, eBPF-based monitoring can survive pod recycling and maintain coherent behavioral history across agent instances—addressing the ephemeral identity problem that defeats UEBA-style baselining. The telemetry stream must capture not only individual tool calls and data accesses but the sequential relationships between them, because intent drift is a chain-level phenomenon that requires chain-level observability.
Deployment-Level Identity Anchoring
Agent behavioral profiles must be anchored to the agent’s functional role and deployment specification rather than its instantiated identity. Where traditional UEBA builds a profile for a specific user account that persists over months, agent behavioral governance must build a profile for a named agent type—”vulnerability scanner agent,” “incident response coordinator agent”—whose individual instances may be ephemeral but whose behavioral envelope is defined at deployment time and should remain stable across instantiations.
This identity anchoring approach serves two purposes. First, it solves the baseline learning problem by allowing behavioral expectations to be defined proactively at deployment time rather than inferred from historical observation. An organization deploying an incident response agent can specify, as part of the deployment specification, which systems the agent is authorized to query, which data volumes constitute normal operation, which external services it may contact, and which action types it may take. Second, it enables detection of deviation from intended behavior from the first invocation, rather than requiring weeks of observation before baseline models become useful.
Sequence-Aware Detection for Intent Drift
Detecting intent drift requires analytical capabilities that reason about action sequences as units of meaning rather than treating each event in isolation. ARMO Security describes this as the distinction between anomaly detection (asking “is this different?”) and runtime detection (asking “is this an attack?”) from the first system call [4]. The latter requires correlating action chains across the kernel, container, and application layers to surface investigation-ready attack narratives—not disconnected individual alerts that leave an analyst to reconstruct the chain manually.
The NIST AI RMF Agentic Profile proposes five core runtime metrics as early warning indicators for drifting, compromised, or runaway agents: action velocity (tool invocation rates flagged against deployment baselines), permission escalation rate (frequency of unauthorized resource access requests), cross-boundary invocations (external system calls outside the agent’s original toolkit), delegation depth (maximum sub-agent chain lengths), and exception rates (planning failures requiring replanning) [16]. These metrics are specifically designed to capture the sequence-level signals that intent drift produces, rather than the event-level signals that traditional UEBA monitors.
Kill Switch and Intervention Infrastructure
Security monitoring without intervention capability has limited operational value. The finding that 25 percent of production AI agent systems lack any kill switch or emergency halt mechanism [13] represents a governance failure that predates the behavioral monitoring problem: if an agent cannot be stopped cleanly, containing a confirmed compromise requires a choice between taking down broader infrastructure or accepting ongoing exposure while a more surgical remediation is developed. Agent-aware security infrastructure must include circuit-breaker capabilities that can pause or terminate specific agent workloads without cascading to dependent systems.
The following table compares traditional security monitoring approaches with the requirements for agent-aware monitoring:
| Capability Dimension | Traditional UEBA/SIEM | Agent-Aware Monitoring Required |
|---|---|---|
| Entity identity model | Persistent (user accounts, device IDs) | Deployment-anchored (role/type, not instance) |
| Baseline establishment | Weeks-to-months learning period | Proactive specification at deploy time |
| Observation granularity | Event-level | Action chain / sequence-level |
| Detection latency | Post-baseline (weeks) | From first invocation |
| Behavior model | Descriptive (learned from history) | Prescriptive (defined at deployment) + descriptive |
| Intervention mechanism | Alert to analyst | Automated circuit breaker + alert |
| Identity persistence | Assumed stable | Ephemeral-tolerant |
| Non-determinism handling | Low tolerance (high false positives) | Designed for behavioral variance |
A Framework for Addressing the Gap
Closing the behavioral baseline gap requires coordinated action across discovery, identity governance, monitoring architecture, and organizational accountability. The following framework offers a practical progression from foundational capabilities through operational maturity.
Stage One: Discovery and Inventory
No behavioral governance program can succeed without an accurate picture of the agents operating in an environment. The first stage of gap remediation is therefore agent discovery: deploying the technical and organizational mechanisms needed to identify all agents, their permissions, their integration points, and their authorization status. This means treating agent inventory with the same rigor as software asset management—maintaining a registry that captures each agent’s identity, owner, deployment date, permission scope, data access patterns, and integration dependencies.
The scale of this challenge should not be underestimated. Microsoft’s analysis found that 29 percent of Fortune 500 employees use unsanctioned agents [2], and Akto’s research found that 79 percent of organizations operate with significant agent blindspots [5]. Discovery efforts will reveal a shadow agent population that exceeds the sanctioned deployment in many organizations. The appropriate response to this discovery is not punitive but architectural: establishing onboarding processes that bring shadow agents into the governance framework, rather than simply prohibiting them and driving them further underground.
Stage Two: Identity Governance for Non-Human Agents
Agent identities must be subject to the same governance rigor as human identities—indeed, because agents can operate at machine speed and without the natural behavioral bounds that limit human misuse, the case for strict identity governance is arguably stronger. Each agent should be issued a managed identity with explicitly scoped permissions rather than inheriting ambient access from the account that deployed it. Permissions should be least-privilege by default, with expansion subject to documented justification and periodic review.
The Microsoft identity security framework for 2026 identifies non-human identity governance as a first-order priority, noting that AI agents create dynamic, non-human identities that traditional IAM systems were not designed to manage [17]. The practical implication is that IAM platforms need to be extended with agent-specific identity management capabilities: credential rotation for agent service accounts, permission scoping aligned to agent task definitions, and lifecycle management that expires agent credentials when deployments are retired.
Stage Three: Behavioral Monitoring Architecture
With inventory and identity governance in place, the third stage establishes the behavioral monitoring infrastructure capable of building and enforcing behavioral baselines for agents. This infrastructure should be built around the deployment-level identity anchoring and runtime telemetry collection described in the previous section, supplemented by sequence-aware detection logic capable of surfacing intent drift.
Organizations should prioritize behavioral monitoring coverage in proportion to agent privilege levels. High-privilege agents with SOC-level access warrant continuous runtime telemetry with sequence-level detection; lower-privilege productivity agents may be adequately covered by audit logging and periodic behavioral review. The key is that no agent should operate entirely without behavioral observability—particularly agents that access sensitive data, take automated action, or interact with other agents.
Stage Four: Escalation and Intervention
The monitoring infrastructure must be coupled to clear escalation paths and automated intervention capabilities. An agent identified as exhibiting intent drift or anomalous behavior should trigger a defined response: initial automated intervention (such as a circuit-breaker that pauses the agent pending review), alert routing to a designated owner or security team, and a defined review process to determine whether the behavior represents a genuine threat or a false positive requiring tuning.
Gartner’s prediction that 40 percent of CIOs will demand Guardian Agents by 2028 [7] reflects the recognition that human review of every agent behavioral alert is not scalable in environments with hundreds or thousands of deployed agents. Guardian Agents—dedicated monitoring agents whose specific purpose is to observe and govern operational agent behavior—represent a compelling architectural pattern for this reason, though they introduce their own governance requirements: a Guardian Agent that is itself unmonitored reproduces the original problem at one remove.
Stage Five: Governance Maturity and Continuous Improvement
Agent behavioral governance is not a one-time deployment but an ongoing operational capability. Behavioral baselines must be updated when agent deployments are modified, permission scopes should be reviewed as tasks evolve, and detection logic must be tuned as the organization’s agentic environment matures. This requires assigning clear ownership for each agent—a responsible individual or team accountable for the agent’s behavior, its security posture, and its governance compliance.
The governance maturity model for agentic systems maps closely to the NIST AI RMF’s four-tier autonomy classification: Tier 1 agents operating under full human supervision require lighter governance overhead than Tier 4 agents operating with minimal human interaction, which require proportionately more robust monitoring, intervention infrastructure, and accountability frameworks [16]. Organizations should calibrate their governance investment to the autonomy level and privilege scope of their agent deployments, and should resist the temptation to default to maximum autonomy before the governance infrastructure to support it is in place.
CSA Resource Alignment
The Cloud Security Alliance has developed a body of work that directly supports organizations working to address the behavioral baseline gap. Practitioners should approach the gap remediation framework described in this paper in conjunction with these CSA resources rather than treating them as independent efforts.
MAESTRO: Agentic AI Threat Modeling
CSA’s MAESTRO framework (Multi-Agent Environment, Security, Threat Risk, and Outcome) provides a seven-layer reference architecture specifically designed to capture the threat surface of agentic AI systems [18]. The framework’s explicit identification of goal misalignment and autonomous agent unpredictability as failure categories that traditional threat modeling approaches do not address makes it the appropriate starting point for organizations seeking to threat model their agentic SOC deployments. MAESTRO’s Layer 5, Evaluation and Observability, maps directly to the behavioral monitoring requirements described in this paper, and its emphasis on continuous monitoring and adaptation as a core security property aligns with the runtime telemetry requirements for agent-aware baselines.
AI Controls Matrix (AICM)
CSA’s AI Controls Matrix provides a 243-control, 18-domain framework that extends the Cloud Controls Matrix (CCM) to AI-specific security requirements. AICM’s controls in the AI Monitoring and Observability domain are directly relevant to the behavioral baseline gap, providing specific control requirements that organizations can audit against their current state and use to drive remediation investment. Because AICM is a superset of CCM and grounded in the Shared Security Responsibility Model, it provides a bridge between organizations’ existing governance infrastructure and the new requirements that agentic deployment creates.
CSA NIST AI RMF Agentic Profile
CSA Labs has developed an Agentic Profile for the NIST AI Risk Management Framework that identifies the structural deficiencies in current guidance when applied to autonomous agent systems and proposes specific supplementary measures [16]. The profile’s five core runtime metrics—action velocity, permission escalation rate, cross-boundary invocations, delegation depth, and exception rates—provide a concrete measurement framework that organizations can implement as early warning indicators for the behavioral failures described in this paper. The profile’s four-tier autonomy classification provides a principled basis for calibrating governance requirements to agent autonomy levels.
Zero Trust Architecture Principles
CSA’s Zero Trust guidance is directly applicable to agentic security environments, particularly the principle that no entity—human or machine—should be implicitly trusted based on network position or prior authentication state. Applied to agent behavioral governance, Zero Trust implies that each agent action should be evaluated against explicit authorization at runtime rather than relying on the initial permission grant at deployment time. This is particularly important for multi-agent delegation chains, where a sub-agent’s actions should be evaluated against its own authorization rather than inherited from the orchestrator’s permission set.
AI Organizational Responsibilities Framework
CSA’s AI Organizational Responsibilities guidance addresses the governance structures that organizations need to ensure accountable AI deployment. The key principle applicable to the behavioral baseline gap is that every deployed agent should have a designated human owner who is accountable for its behavior, its compliance with organizational policies, and its security posture. This ownership principle is a precondition for effective behavioral governance: without clear ownership, there is no organizational actor responsible for responding when an agent’s behavior deviates from its baseline.
Conclusions and Recommendations
The behavioral baseline gap in agentic SOC environments is a systemic security problem with clear structural causes and practical remediation paths. AI agents operate in ways that are fundamentally incompatible with the assumptions underlying traditional UEBA, SIEM correlation, and behavioral anomaly detection—not because those tools are poorly designed, but because they were designed for a world of stable human identities and predictable entity behaviors that agentic systems do not inhabit. The result is a monitoring environment in which the most capable and privileged actors in the enterprise—the agents with SOC-level access that autonomously investigate and respond to threats—may be the least monitored.
The industry evidence reviewed in this paper converges on a consistent picture: agent deployment is proceeding faster than governance, monitoring is sparse where it exists at all, and the financial consequences of unmonitored agent deployments are already measurable. Gartner’s prediction that 25 percent of enterprise breaches will be traceable to agent abuse by 2028 [7] should be read not as a forecast about adversarial sophistication but as a forecast about organizational behavior: at current rates of governance deployment, a meaningful fraction of enterprises will still have significant agent blindspots in two years, and adversaries will exploit them.
Security and risk leaders should take the following actions to close the gap.
In the immediate term, organizations should conduct an agent discovery exercise to establish an accurate inventory of all deployed agents, sanctioned and unsanctioned, and document the permission scope and data access patterns of each. This inventory is the foundational prerequisite for every subsequent governance action and should be treated with the urgency of a security assessment rather than a compliance exercise.
In the near term, identity governance processes should be extended to non-human agent identities, with managed identities and least-privilege permissions issued to each agent rather than relying on inherited access. Organizations should deploy runtime telemetry collection for high-privilege agents—particularly those with SOC-level access—using monitoring architectures designed for ephemeral identity and non-deterministic behavior. MAESTRO-based threat modeling should be applied to all production agentic deployments to identify monitoring gaps and intervention requirements.
Strategically, organizations should plan for the evolution of their security monitoring infrastructure to incorporate agent-aware behavioral governance as a first-class capability alongside human-identity UEBA. This likely requires evaluating monitoring vendors against agent-specific requirements, establishing deployment-level behavioral specifications as a standard part of agent onboarding, and building governance maturity roadmaps aligned to the CSA AICM AI Monitoring and Observability controls. The emergence of Guardian Agent architectures as a scalable approach to agentic oversight warrants evaluation by organizations operating large agent deployments, with the important caveat that Guardian Agents themselves require governance.
The behavioral baseline gap does not counsel against deploying AI agents in security operations. The capability advantages are real, the workload pressures on human analysts are severe, and the competitive disadvantage of abstaining from agentic SOC capabilities will only grow. What the gap counsels is that organizations should deploy agents and their governance infrastructure in parallel rather than treating governance as a problem to be addressed after deployment is complete. The security industry has experienced this sequencing failure before, with cloud adoption, with mobile device management, and with API security—and the pattern of deploying first and securing retroactively reliably produces a period of unnecessary exposure. The behavioral baseline gap is an opportunity to break that pattern before the exploitation wave materializes.
References
[1] Gartner. “Gartner Predicts 40% of Enterprise Apps Will Feature Task-Specific AI Agents by 2026.” Gartner Newsroom, August 2025.
[2] Microsoft. “80% of Fortune 500 Use Active AI Agents: Observability, Governance, and Security Shape the New Frontier.” Microsoft Security Blog, February 2026.
[3] Microsoft. “The Agentic SOC—Rethinking SecOps for the Next Decade.” Microsoft Security Blog, April 2026.
[4] ARMO Security. “Detecting Intent Drift in AI Agents With Runtime Behavioral Data.” ARMO Blog, 2025.
[5] Akto. “State of Agentic AI Security 2025: Adoption, Risks & CISO Insights.” Akto Blog, 2025.
[6] IBM. “Cost of a Data Breach Report 2025.” IBM Security, July 2025.
[7] Gartner. “Gartner Unveils Top Predictions for IT Organizations and Users in 2025 and Beyond.” Gartner Newsroom, October 2024.
[8] EY. “Agentic SOC: Multi-Agent Orchestration for Next-Gen Security Operations.” EY Insights, 2025.
[9] Exabeam. “UEBA: User and Entity Behavior Analytics Complete Guide 2025.” Exabeam, 2025.
[10] CrowdStrike. “CrowdStrike Releases 2025 Global Threat Report: Cyber Threats Reach New Highs.” CrowdStrike Press Release, February 2025.
[11] Noma Security. “Can AI Agents Go Rogue? The Risk of Goal Misalignment.” Noma Security Resources, 2025.
[12] IBM Newsroom. “IBM Report: 13% of Organizations Reported Breaches of AI Models or Applications, 97% of Which Reported Lacking Proper AI Access Controls.” IBM Newsroom, July 2025.
[13] CloudSine AI. “Agent Security Intelligence: The Blind Spot in Your Agentic AI Security Posture.” CloudSine Blog, 2025.
[14] Obsidian Security. “What Are Non-Human Identities? The Complete Guide to NHI Security.” Obsidian Security Blog, 2025.
[15] ISACA. “Agentic AI Evolution and the Security Claw.” ISACA Now Blog, 2026.
[16] Cloud Security Alliance Labs. “NIST AI Risk Management Framework: Agentic Profile.” CSA Labs, 2025.
[17] Microsoft. “Four Priorities for AI-Powered Identity and Network Access Security in 2026.” Microsoft Security Blog, January 2026.
[18] Cloud Security Alliance. “Agentic AI Threat Modeling Framework: MAESTRO.” CSA Blog, February 2025.