Running Claude Code or Claude in Chrome? Here’s the audit matrix for every blind spot your security stack misses
VentureBeat

Kayne McGladrey, an IEEE senior member who advises enterprises on identity risk, described the same dynamic independently in an interview with VentureBeat. Enterprises are cloning human permission sets onto agentic systems, McGladrey said. The agent does whatever it needs to do to get its job done, and sometimes that means using far more permissions than a human would.
AI agents are running hospital records and factory inspections. Enterprise IAM was never built for them.
VentureBeat

Kayne McGladrey, an IEEE senior member, told VentureBeat that organizations are defaulting to cloning human user profiles for agents, and permission sprawl starts on day one. Carter Rees, VP of AI at Reputation, identified the structural reason. "A significant vulnerability in enterprise AI is broken access control, where the flat authorization plane of an LLM fails to respect user permissions," Rees told VentureBeat.
An AI agent rewrote a Fortune 50 security policy. Here’s how to govern AI agents before one does the same.
VentureBeat

McGladrey's practitioner experience confirms the gap. The Cloud Security Alliance published a NIST AI RMF Agentic Profile in April 2026, proposing autonomy-tier classification and runtime behavioral metrics. But SOC 2, ISO 27001, and PCI DSS have not operationalized agent identities. The compliance frameworks McGladrey works with inside enterprises were written for humans. Agent identities do not appear in any control catalog he has encountered. The gap is a lagging indicator; the risk is not.
How to create an effective business continuity plan
CIO

The list of possible impact scenarios is extensive. Instead of trying to identify them all, McGladrey advises identifying the most likely and most representative types of incidents and then focusing on how such incidents could impact the business. From there, leaders must determine what impacts would be intolerable based on the organization’s risk tolerance.
Meta’s AI training with keystrokes: Progress or privacy issue
TechTarget

"This is something that can be done because we don't have a federal privacy act in the United States, whereas in other countries, this would be completely unacceptable as well as considered to be culturally unacceptable," McGladrey said.
Episode 85: Will AI Agency Reduce or Reinforce Global Inequality?
Tallinn University Student Podcast

So it was Tom Cruise waving his hands around to use a computer, but it showed a world where people got arrested for crimes they hadn't committed yet based on data that could be flawed or biased. And it turns out that movie was a warning.
AI Could Transform Rural Healthcare, But Who Will Benefit The Most? Experts Comment
TechRound

Kayne McGladrey raises another concern: the transfer of risk. AI vendors may provide the tools, but providers often carry the legal and financial consequences when things go wrong. In already stretched rural systems, that imbalance could have serious implications. There is also the issue of data. Many AI models are trained on urban populations, which may not reflect the realities of rural patients. That increases the risk of misdiagnosis or ineffective recommendations, particularly in communities with different health profiles.
Claude Code, Copilot and Codex all got hacked. Every attacker went for the credential, not the model.
VentureBeat

Kayne McGladrey, an IEEE Senior Member who advises enterprises on identity risk, made the same diagnosis in an exclusive interview with VentureBeat. "It uses far more permissions than it should have, more than a human would, because of the speed of scale and intent."
Guide: DORA Compliance Evidence for Agentic AI
Teleport

DORA compliance requires both proper documentation and comprehensive data generation. The gap between policy and practice can be bridged by rigorous, automated evidence collection alongside documented ICT risk management frameworks. But as agentic AI continues to redefine modern operations, the definition of sufficient evidence must similarly modernize. Organizations that adopt JIT access, unified logging, and agent-specific telemetry today will not only survive the next NCA audit, but will also achieve longstanding operational resilience.
State Fights Millions Of Daily Cyber Attacks — But Experts Say Weak Spots Remain
Michigan Information & Research Service

"You can reduce risk," said cybersecurity expert Kayne McGladrey. "But nobody out there can be perfect. It's an unattainable goal." McGladrey said he tends to think of cybersecurity in terms of risk; sometimes the risk is increased, and some things decrease risk.
EU AI Act Compliance: Requirements, Risks, and What to Document
Teleport

This guide is for compliance officers, technical leads, CISOs, and their legal advisors preparing for increased regulatory scrutiny. Organizations must prepare for potential reviews of their risk management systems, data governance, and cybersecurity measures. Failure to provide adequate documentation may result in significant administrative fines, making the preparation of sufficient evidence a top priority for legal and technical teams alike.
Microsoft patched a Copilot Studio prompt injection. The data exfiltrated anyway
VentureBeat

McGladrey cut to the governance failure. “If crime was a technology problem, we would have solved crime a fairly long time ago,” he told VentureBeat. “Cybersecurity risk as a standalone category is a complete fiction.”
Episode 42: Stop Thinking Servers, Start Thinking Systems
Zero Trust Journey

We move past the buzzwords to discuss the gritty reality of ripping out legacy "flat" networks and replacing them with Zero Trust architectures that actually improve performance while reducing liability. Kayne breaks down why the private sector continues to struggle with risk and how the rise of Agentic AI is changing the identity landscape in 2026.
Ep08 – Cyber Risk Is a Myth. Are You Framing Risk in Business Terms? with Kayne McGladrey
MYGRCPOV

In this episode of MY GRC POV, Monica sits down with Kayne McGladrey to challenge a common leadership trap. Teams talk cyber. Executives hear noise. Budgets stall. Decisions slow. Kayne breaks down how to translate security and compliance risk into business outcomes leaders act on. Revenue impact. Cost exposure. Operational uptime. Customer trust.
How AI Agents Impact SOC 2 Trust Services Criteria
Teleport

Integrating AI into production environments expands the scope of SOC 2 to cover models, training data, and automated decision-making systems. This shift affects every Trust Services Criterion. It also expands “evidentiary requirements,” requiring auditable records for production execution in addition to the AI decisions and automation workflows that triggered those executions.
Closing the Skills Gap the Smart Way
Root To CISO Podcast

In this episode of Root to CISO Byte Size, Kayne McGladrey shares practical insights on how cybersecurity professionals can align technical skills with business priorities to strengthen their impact. From conducting meaningful skills gap analyses to communicating security in revenue-focused terms, Kayne explains how CISOs can protect budget, support growth, and position security as a strategic enabler. He also offers grounded advice for early-career professionals on building the right skills, engaging with the community, and making informed career decisions in today’s evolving market.
What CISOs need to know about the OpenClaw security nightmare
CSO Online

“If this was easy, Microsoft would have written this,” says IEEE’s McGladrey. “But there aren’t a lot of options out there. I think that’s the real thing we’re working against here.”
Top 50 Global Thought Leaders and Influencers on Cybersecurity 2026
Thinkers360

#1 Kayne McGladrey, CISSP
The Cybersecurity Debt We Pretend Isn’t There
Adopting Zero Trust Podcast

"As organizations push return-to-office (RTO) mandates and chase efficiency, many security teams are quietly accumulating debt they don’t know how to unwind. In this episode, we are joined by Lea Cure Thorpe and Kayne McGladrey to unpack the less-discussed consequences of recent security decisions: RTO exposure, endpoint blind spots, tooling overload, analyst burnout, and the slow erosion of junior talent (thanks AI)."
How shopping chatbots might transform retail
FT

One problem is that agentic AI reads all the text that it encounters and retains the data it absorbs, McGladrey adds. Embedded text, contained in website code but not visible to the human user, can trick agents into purchasing unwanted products while clones of legitimate retail websites can extract customer payment credentials.