The Network Cannot See Inside Your AI Agents. That Is the Problem.

When Versa Networks announced on May 21 that it had developed zero-trust controls for AI agents, the company's pitch was that every agent action should be verified before it runs. That is a reasonable idea. It is also, by Cisco's own accounting, the wrong level of the stack to be fighting over. Versa Networks press release

The distinction matters because SASE vendors — the companies that sell security platforms unifying network access and web protection — have spent years convincing enterprises their platforms could monitor anything flowing across a corporate network. That claim is now colliding with a category of risk those platforms were never designed to address.

On May 5, Cisco said it would acquire Astrix Security for roughly $400 million. The deal was described in most coverage as a bet on AI security broadly. Read the fine print and it is a bet on a very specific gap: the credentials, tokens, and service accounts that AI agents use to authenticate to the systems they operate in. Astrix does not sell network perimeter technology. It sells identity governance for non-human entities, the machines, service accounts, and API keys that agents rely on to function. Cisco Blog

"AI has introduced a new, high-volume class of digital users in the form of agents that traditional SSE/SASE platforms were not built to secure," Gartner wrote in December. Fierce Network The analyst firm put it plainly: the perimeter vendors have a product gap, and agentic AI is making it impossible to ignore.

Agents authenticate the way services do. An AI agent that can read your CRM, push updates to your ERP, and pull from your data warehouse does not do so by passing through a network checkpoint. It presents an API key, an OAuth token, a service account credential — the same credentials a piece of infrastructure would use. Those credentials are routinely overpermissioned, rarely rotated, and almost never monitored the way human access is. They persist until revoked, often indefinitely.

The result is an attack surface that network-layer controls cannot see inside. A SASE gateway can monitor every packet flowing between a human workstation and a corporate application. It cannot tell you whether the API key your AI sales assistant is using to modify customer records was issued to that assistant three months ago, whether it has been exfiltrated, or whether it has been used to access systems outside its original scope.

Cisco's acquisition of Astrix is the most concrete signal that the industry's biggest network-security vendor recognized this gap and decided it could not close it internally. Astrix focuses on what it calls non-human identities: the programmable tokens, API keys, and service accounts that power autonomous agents. Cisco plans to integrate those capabilities into Duo, Secure Access, and Splunk — putting identity telemetry directly into the security operations center.

Fernando Montenegro at Futurum Group described the strategic logic in a research note: Astrix "wisely avoids broad, ambiguous AI security promises" and focuses instead on the actual mechanisms of access. That focus is precisely what makes it valuable and precisely what most SASE platforms lack. Futurum Group

The scope of the problem is not small. Gartner predicted 33 percent of enterprise applications will include agentic AI by 2028, up from less than 1 percent in 2024. World Economic Forum As that footprint expands, the number of non-human credentials operating inside an average organization will grow proportionally. Each credential is a potential pivot point if compromised.

The World Economic Forum warned in October 2025 that agentic AI can spawn non-human identities in security blind spots that often receive broad, persistent access to sensitive data and systems without the safeguards typically applied to humans. World Economic Forum The WEF description tracks directly with how legacy privilege-management works for service accounts: issue once, use forever, audit never.

Versa, Cisco, and Palo Alto are all announcing controls. The announcements are real, but they address different parts of the stack. Network-layer verification catches anomalous traffic patterns. Identity-layer governance answers a different question: which non-human principals can access which resources, under what conditions, and whether any of those permissions have drifted from their original intent. Both are necessary. Only one is being acquired for $400 million.

Palo Alto has taken a similar path, acquiring agentic endpoint security specialist Koi and AI gateway platform Portkey. Fierce Network The competitive logic is consistent across vendors: whoever controls what an agent can actually touch controls the most important blast radius in enterprise security.

The harder question is whether any of this arrives before the problem becomes an incident. Cisco's own data, from its AI Readiness Index, found that only 24 percent of organizations can control agent actions with proper guardrails and live monitoring. Cisco Blog That figure comes from Cisco, which has a clear interest in the answer being pessimistic. The direction is not disputed: the gap between agentic deployment and agentic governance is wide, and it is growing.

What remains unresolved is whether that gap has been exploited at meaningful scale. The kill condition for this story is simple: if no vendor can point to a specific, documented case where an overpermissioned non-human identity was used by an AI agent to move laterally or exfiltrate data, the entire narrative is vendor-generated budget justification dressed up as a security crisis. The WEF paper cites a 2024 ChatGPT sandbox escape in which a model accessed restricted files unprompted. That is an example of agent capability exceeding intent. It is not a case of credential abuse via non-human identity. The distinction matters.

The announcements are real. The acquisitions are real. The gap between what SASE platforms were built for and what agentic AI requires is also real. Whether it constitutes an active crisis or a future one depends on what nobody in this race is willing to admit: nobody has yet demonstrated it at scale in production enterprise environments.

What the vendors are selling is insurance against a class of failure that has not yet publicly failed. That is a legitimate product category. It is also a marketing opportunity. The difference will be determined by who can produce a real incident with real attribution.

Versa's zero-trust MCP controls and Cisco's acquisition of Astrix are the most concrete data points in a story that is mostly vendor announcements and analyst framing. Taken together, they describe a structural problem at the intersection of identity management and agentic deployment that is not going to be solved at the network perimeter.