We are shifting from “AI assistants that answer” to AI agents that act. Agentic applications plan, call tools, invoke workflows, collaborate with other agents, and often execute code. For enterprises, this expanded capability is also an expanded attack surface, and trust becomes a core business and engineering property.
Cisco is actively contributing to the AI security ecosystem through open source tools, security frameworks, and collaborative engagement with the Coalition for Secure AI (CoSAI), OWASP, and other industry organizations. As organizations move from experimentation to enterprise-scale adoption, the path forward requires both understanding the risks and establishing practical, repeatable security guidelines.
This discussion explores not only the vulnerabilities that threaten agentic applications, but also the concrete frameworks and best practices enterprises can use to build secure, trustworthy AI agent ecosystems at scale.
AI Threats in the Age of Autonomy
Traditional AI applications mainly produce content. Agentic applications take action. That difference changes everything for enterprises. If an agent can access data stores, modify a production configuration, approve a workflow step, create a pull request, or trigger CI/CD, then your security model must cover execution integrity and accountability. Risk management must extend beyond model accuracy alone.
In agent ecosystems, trust becomes a property of the entire system: identity, permissions, tool interfaces, agent memory, runtime containment, inter-agent protocols, monitoring, and incident response. These technical decisions define enterprise risk posture.
The “AI agent ecosystem” spans many architectures, including:
- Single-agent workflow systems that orchestrate enterprise tools
- Coding agents that influence software quality, security, and delivery speed
- Multi-agent systems (MAS) that coordinate specialized capabilities
- Interoperable ecosystems spanning vendors, platforms, and partners
As these systems become more distributed and interconnected, the enterprise trust boundary expands accordingly.
Secure AI Coding as an Enterprise Discipline with Project CodeGuard
Cisco announced Project CodeGuard as an open source, model-agnostic framework designed to help organizations embed security into AI-assisted software development. Rather than relying on individual developer judgment, CodeGuard enables enterprises to institutionalize security expectations across AI coding workflows—before, during, and after code generation.
Project CodeGuard addresses concerns such as cryptography, authentication and authorization, dependency risk, cloud and infrastructure-as-code hardening, and data protection.
For organizations scaling AI-assisted development, CodeGuard offers a way to make “secure code by default” a predictable outcome rather than an aspiration. Cisco is also applying Project CodeGuard internally to identify and remediate vulnerabilities across systems and products, demonstrating how these practices can be operationalized at scale.
Model Context Protocol (MCP) Security and Enterprise Risk
MCP connects AI applications and AI agents to enterprise tools and resources. Supply chain security, identity, access control, integrity verification, isolation failures, and lifecycle governance in MCP deployments are top of mind for most chief information security officers (CISOs).
Cisco’s MCP Scanner is an open source tool designed to help organizations gain visibility into MCP integrations and reduce risk as AI agents interact with external tools and services. By analyzing and validating MCP connections, MCP Scanner helps enterprises ensure that AI agents do not inadvertently expose sensitive data or introduce security vulnerabilities.
Industry collaboration is also critical. CoSAI has published guidance to help organizations address identity, access control, integrity verification, and isolation risks in MCP deployments. OWASP has complemented this work with a cheat sheet focused on securely using third-party MCP servers and governing discovery and verification.
Establishing Trust Controls for Agent Connectivity
Actionable MCP trust controls include:
- Authenticating and authorizing MCP servers and clients with tightly scoped permissions
- Treating tool outputs as untrusted and enforcing validation before they influence decisions
- Applying secure discovery, provenance checks, and approval workflows
- Isolating high-risk tools and operations
- Building auditability into every tool interaction
These controls help enterprises move from ad hoc experimentation to governed, auditable AI agent operations.
The MCP community has also included recommendations for secure authorization using OAuth 2.1, reinforcing the importance of standards-based identity and access control as AI agents interact with sensitive enterprise resources.
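As an added illustration of the first, second and fourth controls above (example code, not part of this post, MCP Scanner or the MCP project), the Go sketch below gates an MCP tool call on an allowlist, the caller's granted scopes and a per-run approval, and then validates the server's output as untrusted data before it can influence a decision; the tool names, scopes and the instruction-like pattern are constructed for the example.

```go
package main
import (
	"encoding/json"
	"errors"
	"regexp"
)
// ToolPolicy is one allowlist entry: the required scope, and whether the tool is high risk (gated behind approval).
type ToolPolicy struct {
	Scope         string
	NeedsApproval bool
}
// Constructed policy table; the tool names and scopes are hypothetical.
var Policies = map[string]ToolPolicy{
	"read_ticket":  {Scope: "tickets:read"},
	"apply_config": {Scope: "infra:write", NeedsApproval: true},
}
// Session is the agent's proven identity, its granted scopes (e.g. from an OAuth 2.1 token) and per-run approvals.
type Session struct {
	Agent            string
	Scopes, Approved map[string]bool
}
// Tool output that reads like instructions rather than data must not steer the agent.
var instructionLike = regexp.MustCompile(`(?i)ignore (all )?previous instructions|system prompt`)
// Authorize enforces allowlist, scope and approval before a call reaches the MCP server.
func Authorize(s Session, tool string) error {
	p, ok := Policies[tool]
	switch {
	case !ok:
		return errors.New(s.Agent + ": tool not allowlisted: " + tool)
	case !s.Scopes[p.Scope]:
		return errors.New(s.Agent + ": missing scope " + p.Scope)
	case p.NeedsApproval && !s.Approved[tool]:
		return errors.New(s.Agent + ": high-risk tool needs approval: " + tool)
	}
	return nil
}
// ValidateOutput treats the server's result as untrusted data: a size-bounded JSON object with no instruction-like text.
func ValidateOutput(raw []byte) (map[string]any, error) {
	var out map[string]any
	switch {
	case len(raw) > 4096:
		return nil, errors.New("output exceeds size bound")
	case json.Unmarshal(raw, &out) != nil || out == nil:
		return nil, errors.New("output is not a JSON object")
	case instructionLike.Match(raw):
		return nil, errors.New("output contains instruction-like text")
	}
	return out, nil
}
```

The pattern match is a coarse first filter for instruction-like text, not a complete defence; in production it would sit beside schema validation and the audit record each call should produce.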
OWASP Top 10 for Agentic Applications as a Governance Baseline
The OWASP Top 10 for Agentic Applications provides a practical baseline for organizational security planning. It frames trust around least-agency, auditable behavior, and strong controls at the identity and tool boundary—principles that align closely with enterprise governance models.
A simple way for leadership teams to apply this list is to treat each category as a governance requirement. If the organization cannot clearly explain how it prevents, detects, and recovers from these risks, the agent ecosystem is not yet enterprise-ready.
AGNTCY: Enabling Trust at the Ecosystem Level
To support enterprise-ready AI agent ecosystems, organizations need secure discovery, connectivity, and interoperability. AGNTCY is an open framework, originally created by Cisco, designed to provide infrastructure-level support for agent ecosystems, including discovery, connectivity, and interoperable collaboration.
Key trust questions enterprises should ask of any agent ecosystem layer include:
- How are agents discovered and verified?
- How is agent identity cryptographically established?
- Are interactions authenticated, policy-enforced, and replay-resistant?
- Can actions be traced end-to-end across agents and partners?
As multi-agent systems expand across organizational and vendor boundaries, these questions become central to enterprise trust and accountability.
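As an added example of what answers to these four questions look like in code (not AGNTCY or Cisco code), the Go sketch below has a sending agent sign each message with its Ed25519 key and has the receiver check identity, signature, freshness, nonce uniqueness, policy and the presence of a trace id before acting; the agent names, actions and key directory are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)
// Body is the signed content: identities, a trace id that follows the action across agents, a nonce plus timestamp for replay resistance, and the requested action.
type Body struct {
	From, To, TraceID, Nonce, Action string
	IssuedAt                         int64 // unix seconds
}
// Envelope is what crosses the wire; Sig is an Ed25519 signature over json.Marshal(Body).
type Envelope struct {
	Body Body
	Sig  []byte
}
// Verifier is the receiver's trust state: verified public keys (what discovery and verification populate), per-sender allowed actions, and nonces already consumed.
type Verifier struct {
	Keys   map[string]ed25519.PublicKey
	Policy map[string]map[string]bool
	Seen   map[string]bool // caller initialises; entries older than MaxSkew may be dropped
}
const MaxSkew = 2 * time.Minute // accepted clock skew around IssuedAt
// Sign produces the envelope a sending agent transmits under its private key.
func Sign(priv ed25519.PrivateKey, b Body) Envelope {
	msg, _ := json.Marshal(b) // plain strings and ints cannot fail to marshal
	return Envelope{Body: b, Sig: ed25519.Sign(priv, msg)}
}
// Verify checks, in order: known identity with a valid signature, freshness, an unseen nonce and a trace id present, then whether policy permits this sender's action.
func (v *Verifier) Verify(e Envelope) error {
	msg, _ := json.Marshal(e.Body)
	if pub, ok := v.Keys[e.Body.From]; !ok || !ed25519.Verify(pub, msg, e.Sig) {
		return errors.New("unknown agent or invalid signature: " + e.Body.From)
	}
	if age := time.Since(time.Unix(e.Body.IssuedAt, 0)); age > MaxSkew || age < -MaxSkew {
		return errors.New("stale or future-dated message")
	}
	key := e.Body.From + ":" + e.Body.Nonce
	if e.Body.Nonce == "" || e.Body.TraceID == "" || v.Seen[key] {
		return errors.New("missing nonce/trace id or replayed nonce")
	}
	if !v.Policy[e.Body.From][e.Body.Action] {
		return errors.New("action not permitted: " + e.Body.Action)
	}
	v.Seen[key] = true // consume the nonce only after every check has passed
	return nil
}
```

The Seen map must be shared by every receiver instance that accepts the same sender and expired periodically, otherwise a replay can succeed against a fresh replica or the map grows without bound.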
MAESTRO: Making Trust Measurable at Enterprise Scale
The OWASP Multi-Agentic System Threat Modelling Guide introduces MAESTRO (Multi-Agent Environment, Security, Threat, Risk, and Outcome) as a way to analyze agent ecosystems across architectural layers and identify systemic risk.
Applied at the enterprise level, MAESTRO helps organizations:
- Model agent ecosystems across runtime, memory, tools, infrastructure, identity, and observability
- Understand how failures can cascade across layers
- Prioritize controls based on business impact and blast radius
- Validate trust assumptions through realistic, multi-agent scenarios
Creating AI agent ecosystems enterprises can trust
Trust in AI agent ecosystems is earned through intentional design and verified through ongoing operations. The organizations that succeed in the emerging “internet of agents” will be those that can confidently answer: which agent acted, with which permissions, through which systems, under which policies—and how to prove it.
By embracing these principles and leveraging the tools and frameworks discussed here, enterprises can build AI agent ecosystems that are not only powerful, but worthy of long-term trust.
At the Cisco AI summit, customers and partners will dive into building secure, resilient, and trustworthy AI systems designed for enterprise scale.
Join us virtually on February 3 to learn how organizations are preparing their infrastructure and security foundations for responsible AI.
This guidance captures the core shift from “assistants that answer” to agents that act, and the corresponding need to treat AI security as an ecosystem problem, not a point control. Well done!
This post on MCP server consultation is very practical. The examples make it simple to implement ideas.
For readers interested in MCP server development consultation, this guide is informative:
https://mobisoftinfotech.com/services/mcp-server-development-consultation
It gave me some ideas I hadn’t thought about. I will definitely use this in my projects.