Key Takeaways
We’re not at the point where we’re letting the robots take the wheel yet, according to a recent survey. It turns out that most cybersecurity experts want AI tools in their setups — but not without some serious guardrails.
After surveying more than 100 cybersecurity professionals at RSAC 2026, 77% said they want AI-driven security tools that still involve human oversight. But only 32% said they already have clear rules for how those tools should actually be used.
So, if everybody wants AI security, what’s the problem? The reality is that “rules” is just a word. What really encompasses a proper playbook are a million little decisions, all of which have to be tailored to industry-specific laws.
Security Teams Want AI Oversight — But Rules Are Lagging
Cyware’s RSAC 2026 survey found a wide gap between demand for human oversight and formal AI usage policies.
Anyone can say “Don’t let AI make major security decisions without a human.” Great, but what counts as a “major” decision? Can AI block a perceived malicious IP address on its own? What if it accidentally blocks the wrong one? Accidentally suspends a customer’s account?
The good news is that most organizations seem to know AI oversight cannot be a secondary thought: Cyware found that 88% of respondents said they are already building or planning AI guardrails. (Which is good news when we’re now looking at 11.5 Tbps attacks.)
The operational side is improving too, but it’s starting from a low point. Automation between threat intelligence and security operations doubled, rising from 13% to 26%. They’re good jumps, but they also show just how early in the game most people are.
Agentic AI Is a Different Beast
Whoever thought generative AI was a pain in the neck had no idea what was over the horizon. Agentic AI is not just another dashboard or chatbot, but one on steroids that reads inputs and can take action based on what it’s learned — from triaging alerts, blocking activity, even recommending remediation steps.
This is exactly what security AI is for until an attacker learns how to take advantage of this vulnerability.
Where Prompt Injection Can Hide in Hosting Environments
Agentic AI tools can act on everyday inputs, turning routine customer and system workflows into possible risk points.
| Hosting Input | How Bad Instructions Could Hide | Possible AI Agent Risk |
|---|---|---|
| Support tickets | Hidden instructions inside customer-submitted ticket text | Agent mis-triages an issue, escalates incorrectly, or follows attacker-controlled instructions |
| Contact forms | Prompt injection planted in form fields or inquiry text | Agent treats malicious content as a command during automated review or routing |
| Plugin updates | Manipulated release notes, changelogs, or update metadata | Agent recommends or approves unsafe remediation steps |
| Emails | Instructions hidden in normal-looking email content | Agent leaks context, changes workflow decisions, or routes messages incorrectly |
| File uploads | Instructions embedded in uploaded documents, logs, or attachments | Agent summarizes, stores, or acts on poisoned content |
| Support chats | Malicious prompts embedded in live chat or chatbot transcripts | Agent opens tickets, recommends actions, or escalates based on poisoned input |
| Third-party web content | Hidden instructions planted on websites or external pages read by an AI agent | Agent follows untrusted webpage instructions as if they are legitimate commands |
Which they definitely already have: Within the past two months, Google‘s threat intelligence teams had been monitoring indirect prompt injection patterns across the public web. Palo Alto Networks‘ Unit 42 also reported web-based indirect prompt injection attacks “in the wild.” From tickets, forms, plugin updates, emails, support chats, and third-party content, hosting environments are like playgrounds.
Meanwhile, lawmakers are trying to get ahead of how they also can use AI for security from the policy side, with a handful of federal bills floating through Congress, including HR 7294 and HR 3919. So public officials and private companies are looking at the issue from different angles with the same concern: Everyone’s aware of the damage agentic AI could do.
But the takeaway isn’t all doom and gloom. Cyware’s findings say the opposite — security teams are not rejecting agentic AI. It’s a point that security experts keep emphasizing: AI can help teams respond to threats faster, but it still needs supervision before it can be trusted with higher-stake decisions.
