Follow the Data: Agentic AI Broke the Security Stack

Your security stack has a structural gap. There’s an entire layer of your agentic ecosystem where AI agents can read and write data with your cloud data stores, SaaS applications, and homegrown systems. Most conventional security stacks aren’t watching it. Almost none can enforce policy in real time.

That’s the execution layer. It's the runtime environment where approved integrations and AI agents do their actual work. It’s where your Salesforce data gets summarized by an AI, routed to a downstream system, and written somewhere new. The place where a vendor-embedded AI reads your HR platform records as part of a product update that required no new OAuth grant and triggered no new SSPM alert.

The tools most organizations rely on today predate this attack surface. The execution layer connects it all, from SaaS apps, integrations, and secrets to shadow AI, embedded agents, and access paths.

The Agentic Ecosystem Security Gap: 2026 CISO Report benchmarks where 500 U.S. CISOs currently stand on this, including where confidence in visibility breaks down and what incidents look like when the execution layer isn't covered.

What is the execution layer, and why does it matter now?

Security teams have spent years thinking in two directions: north-south (user to application, browser to cloud) and east-west (server to server, inside the data center). Both of those models were built around infrastructure.

The execution layer is different. It's not infrastructure. It's the dynamic, machine-speed runtime where AI agents and SaaS integrations act on your data. An AI agent connected to Salesforce via OAuth isn't sitting at a login screen. It's reading customer records, calling an API, routing data to an external endpoint, writing back a result. All of that happens inside an existing, approved connection. From a posture tool's perspective, nothing changed. From a data perspective, a significant amount just moved.

This is what makes the execution layer difficult to instrument with conventional tools. The data isn't leaving through a network perimeter. The identity isn't new. The app is already on your approved list. The activity is the threat, not the access.

Why doesn't your current security stack see this?

The conventional enterprise security stack is genuinely capable. EDR, SASE, IAM, SSPM, SIEM: these tools do what they were designed to do. The problem is coverage. None of them were designed to watch the execution layer.

Endpoint security watches devices and OS processes. Network security watches traffic crossing perimeter boundaries. IAM and non-human identity (NHI) governance tracks what credentials exist and what has access to what. SSPM audits static SaaS configurations and permission states. AI-SPM inventories AI models, pipelines, and training data. SIEM aggregates signals from all of the above.

None of those categories answers the question of what is actually happening in your agentic ecosystem as data moves between applications and AI agents at runtime.

NHI governance comes closest, and it's a useful category. It manages the lifecycle of OAuth tokens, API keys, and service accounts. But NHI tools govern the credential, not the behavior at runtime. A token can be current, scoped correctly, and actively used by an agent that is doing something it was never supposed to do. The credential is clean; the behavior is the threat. Most stacks only govern the first one.

SIEM and SOAR already sit in most enterprise environments, and they're capable of acting on the right signal. Without execution-layer telemetry feeding them, that signal doesn't exist. A world-class detection and response program still misses a compromise at this layer if the event was never generated upstream.

Is shadow AI the real problem, or is something else going on?

The shadow AI conversation has been stuck on the same threat model for two years: an employee opens a browser tab, pastes something sensitive into a public AI tool, and walks away. Governance programs were built for exactly that scenario. That problem is largely addressed.

The harder version looks nothing like it.

Vendors are adding AI capabilities to tools your organization already approved, not as new applications, but as product updates. The Salesforce, ServiceNow, or HR platform integration you reviewed and trusted two years ago may have an AI layer now. It's reading, summarizing, and acting on company data through an existing trusted connection, with no new OAuth grant, no new SSPM alert, and no new app in your inventory. The map looks complete. The risk isn't on it.

According to the Agentic Ecosystem Security Gap: 2026 CISO Report, 71% of security leaders suspect employees are using embedded AI features without proper security review. Suspect, not know. That gap between suspicion and visibility is the actual governance problem. Tools built to detect new connections have nothing to flag here, because the connection is old. The behavior is new.

For more on this specific pattern, Shadow AI Isn't What You Think It Is covers the embedded AI problem in detail.

How to enforce policy on AI agent runtime activity

Securing the agentic ecosystem requires a different instrumentation model. One built not just to observe what agents do, but to stop them when they shouldn't. Detection after the fact is not sufficient when an agent can move sensitive data, overwrite records, or chain actions across a dozen systems in the time it takes a SIEM alert to fire. The stack needs to see in real time and act in real time. Four capabilities make that possible.

1. Visibility into machine-to-machine API traffic between SaaS applications. This means the actual data calls happening between integrated systems, including calls to model endpoints that weren't in the original scope of an approved integration. Gartner's guidance on securing SaaS-to-SaaS and machine-to-machine connections notes that traditional tools are largely “blind to runtime API behavior and token misuse,” and predicts that “by 2027, over 50% of major SaaS-related breaches will exploit overprivileged OAuth tokens used in M2M integrations.”¹
2. Behavioral baselining tied to data classification. Raw API call volume is not a signal. What matters is whether a call accessed PII fields, followed a pattern outside established baselines, and routed data somewhere new. Connecting behavioral telemetry to data sensitivity to identity context is what separates noise from an alert worth acting on. The OWASP LLM Top 10 (2025) identifies supply chain vulnerabilities and privilege escalation as top-tier risks specifically because reconstructing how those attacks propagate through an agentic chain after the fact is so difficult without a prior behavioral baseline.
3. A forensic record of agent activity. When something goes wrong, security teams need to answer specific questions: what was the agent trying to accomplish, what data did it access, where did that data go, and what's the blast radius? Most current stacks can confirm that a credential was used and an API was called. That's not enough.
4. Enforcement at the protocol level. Visibility and forensics cover the before and after. But neither one stops an agent mid-action. In April 2026, an AI coding agent deleted an entire production database, along with all backups, in nine seconds, despite explicit safety rules configured at the model layer. The model violated its own constraints. Monitoring would have told you what happened. Only enforcement at the protocol level stops the action before it completes.

This is where Vorlon fits into the stack. Vorlon is the Agentic Ecosystem Security Platform built to cover the execution layer with both observability and real-time enforcement.

Vorlon's patented DataMatrix technology builds a live behavioral model of of every agent, identity, app, and data flow across 1,000+ connected services. The AI Agent Flight Recorder creates a timestamped, reconstructable audit trail of agent actions and the data they touched. And Vorlon Guardian, the platform's real-time enforcement layer, sits between agents and the enterprise systems they interact with, inspecting every action and applying the right control before it executes.

Guardian operates at the protocol level. It can block a policy-violating action outright, mask sensitive data in transit before it reaches an unauthorized destination, or impose read-only constraints so an agent simply cannot write regardless of what the model decides to do.

Together, they give the execution layer what every other layer in the stack has already had for years: dedicated instrumentation.

What does the complete stack look like now?

Vorlon isn't a replacement for what organizations already have. It's the layer that makes the rest of the stack coherent for an environment where agents and integrations are moving data continuously and where the cost of missing something is measured in seconds.

A complete stack in 2026 needs to cover five things.

1. Identity foundation. NHI governance to manage machine credentials, tokens, and API keys throughout their lifecycle. If you don't know what credentials exist and what permissions they carry, you can't know what's acting on them.
2. Posture layer. SSPM and AI-SPM to audit app configurations, permission states, and AI asset inventory. Valuable for governance and compliance baselines, but not built for runtime detection.
3. Execution layer observability. Real-time monitoring of data flows, agent behaviors, and machine-to-machine API traffic, with behavioral anomaly detection tied to data classification. This is the gap in most current stacks, and the one the other layers cannot compensate for.
4. Detection and response. SIEM and SOAR, fed with execution-layer telemetry. The tools exist in most enterprises already. What changes is the completeness of the signal going in.
5. Forensics. The ability to reconstruct agent activity post-incident: what acted, on what data, in what sequence, with what downstream effect. The CSA's Agentic AI profile within the NIST AI Risk Management Framework identifies traceable, auditable agent action as a core governance requirement, not a nice-to-have.

Without execution-layer observability and enforcement, your SIEM runs on an incomplete data set and your incident response team is always working backward. Each layer depends on the others. Right now, most stacks have a structural hole in the middle.

What can security teams do about this now?

Addressing the structural gap in your security stack is the best approach to securing AI and agents in your enterprise environment.

The execution layer is a new problem. The entire category of AI agents and embedded integrations acting on company data at runtime simply didn't exist when most security tools were designed.

Three things you can do that don't require a new tool to start.

1. Ask your top ten SaaS vendors directly what AI capabilities they have enabled in the last 12 months, and what data each accesses. Most will answer if you ask. They don't proactively disclose it.
2. Review your vendor change notification process. Does it require explicit disclosure of new AI capabilities, not just new integrations? Most standard vendor agreements don't cover this yet.
3. Pull API endpoint traffic logs from your most data-rich SaaS applications. Look for external destinations that weren't present six months ago. Embedded AI frequently calls out to model endpoints that were never in the original integration scope, and that traffic is usually visible in logs if you know to look for it.

The 500 CISOs we surveyed believed they had a complete data flow map. Most discovered they were wrong. The fact is, your map looks accurate right up until an incident. Close the gap with visibility into where the data goes, and enforcement over whether it should.

[1] Gartner Mitigate Risks in SaaS-to-SaaS and Machine-to-Machine Connections, 4 December 2025. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.