Quick ask: What should I create next?
I’m creating practical AI resources tailored to your specific challenges. This month, I’m offering to build one of seven options listed on this Google Form (from AI security audits to board presentation templates).
Two minutes are all you need to vote: https://bit.ly/MonthlyContentRequest
TL;DR: The Bottom Line Up Front
Three stories broke this week that reveal a dangerous pattern… We’re deploying agents faster than we can secure them.
OWASP just published emergency security guidance admitting “traditional AppSec can’t handle” agentic AI risks. Researchers demonstrated how agents can automate sophisticated cyberattacks in minutes. And Delaware is creating regulatory sandboxes because officials admit “we have way more questions than any kind of answer.”
The uncomfortable reality: We’re witnessing the classic Silicon Valley pattern of “move fast and break things,” except this time, the things breaking are cybersecurity and corporate governance.
This Week’s Security Wake-Up Calls
1. OWASP’s Emergency Security Guidance: The Open World Wide Application Security Project
Just published comprehensive guidance for securing agentic AI, admitting that “as AI systems evolve toward more autonomous, tool-using, and multi-agent architectures, new security challenges emerge that traditional AppSec can’t handle alone.”
This wasn’t planned guidance. It was emergency guidance published in response to “surging use of AI agents in organizations” without proper security frameworks.
Key insight: When the world’s leading application security project publishes emergency guidance, you know the industry moved too fast.
2. The Automation of Cyberattacks CultureAI
Researchers demonstrated how agents can automate attacks that previously required significant human effort. Using OpenAI’s Operator, they showed agents can complete reconnaissance on LinkedIn in minutes and automate credential stuffing attacks with simple text prompts.
“The automation of attacks significantly lowers the barrier to entry for threat actors, enabling even low-skilled individuals to launch high-impact campaigns.”
Key insight: We’ve just democratized cybercrime. Any novice can now launch enterprise-grade attacks with a simple prompt…
3. Regulators Scrambling to Catch Up Delaware’s AI Commission
Approved creating an “agentic AI sandbox” because officials admit they’re unprepared for the implications. The state’s Secretary of State posed questions that should terrify any enterprise: Should agents be allowed to incorporate LLCs or “raise money, or buy companies” autonomously?
As one official put it, “We’ve realized that we have way more questions than any kind of answer.”
Key insight: If regulators don’t understand the implications, how can enterprises possibly manage the risks?
The Pattern Nobody Wants to Acknowledge
These stories reveal the same dangerous dynamic:
- The Security Gap: Traditional cybersecurity can’t handle autonomous agents that browse the internet, execute code, and interact with multiple systems simultaneously.
- The Regulatory Void: Government officials admit they have “way more questions than answers” about agents making autonomous financial decisions.
- The Attack Surface Explosion: Every agent deployment creates new vulnerabilities that attackers are already exploiting.
We’re running a massive, uncontrolled experiment with enterprise security and regulatory compliance.
The Five Agent Security Blindspots
Based on OWASP’s guidance and attack research:
1. Architecture Security: Traditional security assumes human oversight at decision points. Agents make autonomous decisions faster than humans can monitor.
2. Authentication Bypass: Agents can be instructed to bypass security measures, and current systems don’t distinguish between legitimate automation and malicious instructions.
3. Supply Chain Contamination: Third-party AI tools can be compromised, turning your agents into attack vectors.
4. Operational Connectivity Risks: Agents interact with systems in ways that create novel attack paths that traditional security doesn’t monitor.
5. Runtime Behavioral Drift: Agents can change behavior over time, making traditional security baselines obsolete.
The Delaware Questions Every Enterprise Must Answer
Before deploying any autonomous agent:
- Can our agent make financial decisions without human approval? (If yes, you have regulatory risk)
- Can our agent access sensitive data? (If yes, you have breach risk)
- Can our agent be instructed to bypass security? (If yes, you have an insider threat risk)
- Do we have visibility into every agent decision? (If no, you have audit risk)
- Can we stop our agent immediately? (If no, you have operational risk)
Most companies can’t confidently answer “yes” to the safety questions or “no” to the risk questions.
Three Survival Strategies
For CISOs: Stop treating agents like traditional applications. Start with OWASP’s guidance and assume your current security stack is inadequate.
For CTOs: Every agent deployment needs a security-first design review. Retrofitting security costs 10x more than building it in.
For CEOs: The regulatory landscape changes faster than your deployment timeline. Build compliance checkpoints into every agent project.
Worth Your Time
- “Securing Agentic Applications Guide v1.0” (OWASP, July 2025)
- “Agentic AI: the rising threat” (TechRadar Pro, July 2025)
- “Delaware AI Commission Approves Creating Agentic AI Sandbox” (GovTech, July 2025)
- “Experts Debate AI Strategy and Global Leadership” (Broadband Breakfast, July 2025)
Final Thought
The AI industry is optimizing for deployment speed. Security teams are optimizing for threat prevention. Regulators are optimizing for societal safety.
These three priorities are fundamentally misaligned, and the collision is happening now.
The question isn’t “How fast can we deploy agents?” It’s “How safely can we deploy agents while still moving fast enough to compete?”
The companies that answer that question correctly will own the regulated, secure future of agentic AI.
At Valere, we help enterprises build AI strategies that balance innovation speed with security and compliance requirements. We’ve guided companies through similar technology transitions and can help you avoid the costly mistakes others are making.
