Industry Analysis

Every AI agent is an identity. Your audit scope just expanded.

Within 24 hours in April, OpenAI, Google, and Anthropic each launched an enterprise agent platform. The procurement inbound at your CISO's desk is no longer theoretical. Three questions now sit on the table — and a three-layer answer is the only honest response.

Mauro Medda, Co-Founder & CTO · HikmaAI

In April 2026, within twenty-four hours, OpenAI, Google, and Anthropic each launched an enterprise AI agent platform. The procurement inbound at your CISO's desk is no longer theoretical. The audit question your board was going to ask next quarter just arrived this morning.

Bessemer wrote that week that securing AI agents is the defining cybersecurity challenge of 2026. The frame they offered is the one I think most CISOs are about to adopt — even the ones who would not yet phrase it this way: every AI agent is an identity. It authenticates. It is granted permissions. It accumulates entitlements over time. It calls tools, signs requests, moves data. The only thing it does not do — yet — is sit inside the identity provider, the audit trail, or the access review your auditor opens in August.

If that sentence felt obvious to read, hold onto the feeling. It is not yet operational at most organizations. The thread on r/AI_Agents that captured the moment put it bluntly: 'This is no longer about models — it's about platforms.' I would go one step further. It is no longer about platforms either. It is about subjects. The agent is now a subject in your access model, and the rest of the security stack has to catch up.

The three questions that fall out of the frame

When you treat an agent as an identity, you inherit three questions that every CISO already answers for human and service identities — and the order matters.

  1. What is running in my environment, and what is it doing? Discovery before everything else. You cannot govern an entitlement set you have not enumerated.

  2. Am I blocking threats in real time? Enforcement at the boundary, not after the fact. Audit logs that say 'an attack happened' are not the same as a control plane that says 'the attack did not finish.'

  3. Can I prove my systems behave as intended? Evidence that survives an auditor's question. A signed log. A risk classification. A mapping to the article of the regulation that applies.

These are not new questions. They are the same three questions we already answer for human users, for service accounts, for non-person identities in workforce IAM. The novelty is that the subject is now an agent — and the subject has its own dependencies, its own tools, its own attack surface, and a much faster rate of permission accumulation than a human ever managed.

Three answers. One platform. Why we structured Hikma this way.

When my co-founders and I designed Hikma, we wrote those three questions on a whiteboard before we wrote any code. The platform is structured to answer each of them as a distinct layer — Observe, Control, Govern — that composes into one boundary at the network edge.

Observe — what is running

An agent population inventory across the four agent types we see in production: API agents, web-automation agents, MCP agents, and skill agents. Shadow AI discovery, LLM observability, and a structured audit log designed to land in a SIEM. The first thing a CISO needs is the list, and the list cannot come from a spreadsheet maintained by the AI engineering team.

Control — blocking in real time

Prompt injection detection, data leakage prevention, and MCP blast-radius containment. PII filtering across eleven languages. Sub-thirty-millisecond gateway latency, because a security boundary that adds a second to every tool call is one your engineering team will route around within a quarter. We did not want to ship a system that wins on the slide deck and loses in production.

Govern — proving behaviour

A per-agent policy engine in CEL, agent identity with trust decay, cryptographic attestations, and HikmaScore™ as a quantitative trust benchmark continuously tested against more than fifty attack vectors. This is the layer that exists so that when your auditor asks the question, you have an answer that does not require a human to remember.

Why this matters before August 2

August 2, 2026 is the enforceable deadline for Annex III high-risk AI systems under the EU AI Act. Articles 8 through 15 begin to apply, and the penalty surface tops out at thirty-five million euros or seven percent of worldwide annual turnover — whichever is greater. If your organization deploys an AI agent that touches a credit decision, a hiring funnel, a benefits eligibility check, or a clinical workflow in the EU, that is your calendar.

Article 12 is the one I keep coming back to in customer conversations. It requires automatic recording of events over the lifecycle of the system, in a way that allows traceability of operation and post-market monitoring. Read that sentence again with an agent in your head. An agent that calls a tool, retrieves a document, signs a request, and returns a result is a sequence of events. Article 12 is asking whether you can replay that sequence on demand. A handful of model providers' default logs will not get you there.

A third-party voice on X put the operational version of this even more sharply: 'Auditors need answers within four hours.' That is not Hikma's promise; it is the buyer's expectation. Our job is to make sure the evidence exists, signed, exportable, and mapped to the article the auditor is asking about, so that the four-hour answer is a search, not a forensic exercise.
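As an added illustration (not Hikma's code, and no claim about how its audit log is built): a minimal hash-chained, HMAC-signed event log for the tool-call sequence described above, with export to JSON lines, per-agent replay, and a verifier that rejects an edited, dropped, reordered or forged record. The agent id, event kinds and signing key are constructed placeholders.

```python
import hashlib
import hmac
import json

SIGNING_KEY = b"placeholder-log-signing-key"  # placeholder; a real key lives in a KMS/HSM
GENESIS = "0" * 64  # chain anchor for the first record

def canonical(obj):
    """Deterministic JSON so hashes and MACs are reproducible across exports."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def append_event(log, key, agent_id, kind, detail):
    """Append one lifecycle event, chained to the previous record and HMAC-signed."""
    body = {"seq": len(log), "agent": agent_id, "kind": kind, "detail": detail,
            "prev": log[-1]["hash"] if log else GENESIS}
    digest = hashlib.sha256(canonical(body)).hexdigest()
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    log.append({**body, "hash": digest, "sig": sig})
    return log

def verify(log, key):
    """True only if every record is in sequence, correctly chained and authentically signed."""
    prev = GENESIS
    for seq, rec in enumerate(log):
        if rec["seq"] != seq or rec["prev"] != prev:
            return False  # dropped, reordered or inserted record
        body = {k: rec[k] for k in ("seq", "agent", "kind", "detail", "prev")}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if digest != rec["hash"] or not hmac.compare_digest(expected, rec["sig"]):
            return False  # edited or forged record
        prev = digest
    return True

def export_jsonl(log):
    """Serialise the log as JSON lines for hand-off to a SIEM or an auditor."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in log)

def replay(log, agent_id):
    """Reconstruct one agent's event sequence in order: the Article 12 traceability question."""
    return [(r["kind"], r["detail"]) for r in log if r["agent"] == agent_id]

def sample_log():
    """Constructed sequence from the text: call a tool, retrieve a document, sign a request, return."""
    log = []
    append_event(log, SIGNING_KEY, "agent-42", "tool_call", {"tool": "crm.lookup", "id": "c-17"})
    append_event(log, SIGNING_KEY, "agent-42", "retrieve", {"doc": "policy-2026.pdf"})
    append_event(log, SIGNING_KEY, "agent-42", "sign_request", {"target": "payments.api", "amount": 120})
    append_event(log, SIGNING_KEY, "agent-42", "return", {"status": "ok"})
    return log
```

The verifier is what turns "we have logs" into evidence: any change to an amount, a dropped tool call, or a record signed under a different key makes `verify` return False.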

Where the bank question lands

On May 9, somebody asked the following on r/cybersecurity. I am quoting verbatim because it is exactly the question I now hear in every regulated-industry pitch:

Quote · r/cybersecurity, May 2026

How do I protect confidential data from unrestricted AI usage as a bank — what are good tools out there?

The honest answer is that the ban on AI usage that most banks tried for the first eighteen months of this story did not work. People used the model anyway, through whatever channel was easiest, and the security team learned about it from the audit log of whichever SaaS vendor ended up logging it. The ban is a false sense of security. The right answer — for banks, hospitals, insurers, public-sector organizations — is the same shape as the right answer for everyone else: discover, enforce, prove. The compliance overlay is heavier, the documentation requirements are stricter, but the architecture is the same.

What I think happens next

Between now and the end of the year, I think three things land in the security calendar of every organization that has shipped an agent.

  1. The first internal audit will surface that the agent inventory the security team has is incomplete. Shadow agents will outnumber registered ones by a factor that surprises people.

  2. The first incident will reveal that the audit log was not signed, was not exportable, or did not include the tool-call sequence that mattered.

  3. The first auditor inquiry will be answered in days instead of hours, and the answer will require a person with tribal knowledge to write a narrative. That person becomes the bottleneck. That bottleneck becomes the procurement decision.

None of these are predictions. They are stories I have heard, more than once, in the last sixty days. They are what the buyer language tells me is about to land at scale.

The shape of the conversation we want to have

If you are reading this and the three questions feel familiar — what is running, am I blocking, can I prove it — I would rather you start there than start with a product demo. We built Hikma to answer those questions as a single platform precisely because the alternative is three vendors with three dashboards and a manual reconciliation in the middle. But the questions are the work. The platform is the answer.

Every AI agent is an identity. Your audit scope expanded the moment you shipped one. The good news is that the security disciplines you already practice — identity, enforcement, evidence — are the right ones. They just have a new subject. Treat the agent like one.
