Security in the Age of AI Agents

Office Hours with Jonathan Jaffe, CISO at Lemonade, and Tomasz Tunguz, General Partner at Theory Ventures. Exploring how security teams must evolve into engineering teams that architect automated policies governing agentic systems.

📅 Published: 2026-05-28 🏢 Publisher: Theory Ventures 👤 Author: Tomasz Tunguz

Core Concepts

🛡️
AI Security
The application of artificial intelligence to both offensive and defensive cybersecurity operations, as distinct from securing AI systems themselves.
🆔
Agent Identity
Every AI agent must have a unique, governable identity for policy enforcement at the point of action.
🔧
Security Engineering
Security teams transforming from manual operators into engineers who build automated security systems.
📡
Threat Intelligence
Collection and analysis of information about emerging threats to inform defensive strategies.
📜
Policy Governance
Framework of rules and controls applied to AI agents at the point of action.
⏱️
Window of Exploitability
Period during which a vulnerability can be exploited before it is patched or mitigated.
⚙️
Automation at Scale
Use of automated systems to handle security operations at volumes impossible for human teams.

Frequently Asked Questions

The main theme is the transformation of security operations in the age of AI agents, focusing on how security teams must evolve into engineering teams that architect automated policies governing agentic systems.
AI empowers defenders by enabling them to harden systems everywhere simultaneously. Every vendor in the technology stack is racing to ship AI-driven improvements, which means defensive capabilities improve across the entire ecosystem, not just within a single organization.
It means the mission changes from managing people to architecting automated policies. At Lemonade, every security person is an engineer who builds systems, including an internal AI platform with specialized agents on top of it.
Because a single endpoint could be running anywhere from 200 to 10,000 agents, and each one needs a unique identity so that policy can be enforced on it at the point of action. Identity is the foundation for policy enforcement in agentic systems: without knowing which agent is acting, on whose behalf and for what purpose, there is nothing to bind a policy decision to.
The window of exploitability is the period during which a vulnerability can be exploited before it is patched or mitigated. AI is narrowing this window because AI-written code gets reviewed, pen-tested, and patched faster than traditional human pipelines allow.
As the velocity of resolving bugs increases, the backlog of unresolved bugs in a given piece of software becomes finite and manageable, which makes the software far more resilient. The window closes only when the fix is deployed to the systems that actually run the code; a patch that exists upstream but has not been rolled out leaves the window open.
Automation is the only way to deal with the scale of modern threats. Human teams cannot manually process the volume of data, threats, and systems requiring protection, so automated agents and policies are essential.
Policy governance in the context of AI agents means establishing rules and controls that are enforced at the point of action for every agent. This is more demanding than conventional identity and access management, which grants standing permissions to a comparatively small and slowly changing set of human and service accounts: agent identities are created and retired at machine speed, and each action has to be authorized as it happens rather than assumed from a role granted in advance.
At Lemonade, one agent reads threat intelligence continuously. This allows the security team to stay current on emerging threats without manual monitoring, and the intelligence feeds directly into automated defensive actions.
Jonathan Jaffe's approach is unique because at Lemonade every security person is an engineer. They built their own internal AI platform with specialized agents, including one that reads threat intel and another that checks whether vulnerable methods are actually called in production code.
The future is bright for security professionals. Modern agentic security engineering is rapidly transforming, and we should expect to see significantly hardened systems as a result. Security professionals who embrace engineering and automation will be at the forefront of this transformation.

Glossary of AI Security Concepts

Agent Identity

The unique, governable identity assigned to every AI agent operating within a system, enabling policy enforcement at the point of action.

Agentic Security

Security paradigms built around autonomous AI agents that perform defensive and monitoring tasks without constant human oversight.

Threat Intelligence

Information about emerging threats and attack patterns collected and analyzed to inform defensive security strategies.

Window of Exploitability

The period during which a vulnerability can be exploited before a patch or mitigation is deployed. It opens when the flaw becomes exploitable, not only when it is discovered, and it closes only when the fix reaches the systems that run the code.

Policy Governance

The framework of rules, controls, and enforcement mechanisms applied to AI agents at the point of action.

Security Engineering

The discipline of building automated systems and architectures to defend against threats, rather than relying solely on manual processes and human operators.

AI Defender

An artificial intelligence system or agent used to detect, prevent, or respond to security threats and vulnerabilities.

AI Attacker

An artificial intelligence system or agent used by malicious actors to discover and exploit vulnerabilities in target systems.

Automation

The use of technology to perform security tasks with minimal human intervention, essential for handling modern threat volumes.

Endpoint Security

The protection of individual devices and endpoints from threats, increasingly complicated by the prospect of hundreds to thousands of AI agents running on each device.

How to Build an Agentic Security Operations Model

Build an Internal AI Security Platform

Construct an internal AI platform that serves as the foundation for deploying specialized security agents. This platform should integrate with existing infrastructure and provide APIs for agent orchestration.

Deploy Threat Intelligence Reading Agents

Deploy agents that continuously ingest and analyze threat intelligence feeds. These agents should automatically correlate threats with your technology stack and alert on relevant risks.

Create Production Code Vulnerability Checkers

Build agents that analyze production code to determine whether the vulnerable methods named in an advisory are actually reachable from code that runs in production, rather than merely present in an installed dependency. This reduces false positives and prioritizes real risks. Treat "not called" as lower priority rather than as proof of safety: static checks miss dynamic dispatch, reflection, and calls made through other dependencies.
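The threat-intel-to-reachability pipeline that steps 2 and 3 describe (the same two agents the FAQ attributes to Lemonade), as an added example; it is not Lemonade's code or the page's own. The advisory, its package `imgcodec` and function `decode_header`, the inventory and the three application files are all constructed, and `Advisory`, `is_affected`, `find_vulnerable_calls` and `triage` are names chosen here:

```python
"""Added example: correlate an advisory with the installed inventory, then check
whether the vulnerable function is actually called by our own code.
Package, symbol, versions and source files below are constructed, not real."""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str            # module name named in the advisory
    fixed_in: str           # first version that carries the fix
    vulnerable_symbol: str  # module-level function the advisory identifies as vulnerable


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only; real feeds need a PEP 440 / semver-aware parser."""
    return tuple(int(part) for part in v.split("."))


def is_affected(installed: str, advisory: Advisory) -> bool:
    return parse_version(installed) < parse_version(advisory.fixed_in)


def find_vulnerable_calls(source: str, advisory: Advisory) -> list[int]:
    """Return line numbers where the vulnerable symbol is called directly.

    Two passes over the AST: first resolve every local name that refers to the
    package or to the symbol (including 'as' aliases), then look for calls through
    those names. This is static and first-party only: it misses getattr-style
    dispatch and calls made on our behalf by other dependencies.
    """
    tree = ast.parse(source)
    symbol_aliases: set[str] = set()   # names bound to package.symbol itself
    module_aliases: set[str] = set()   # names bound to the package module
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == advisory.package:
                    module_aliases.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == advisory.package:
            for alias in node.names:
                if alias.name == advisory.vulnerable_symbol:
                    symbol_aliases.add(alias.asname or alias.name)

    lines: list[int] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in symbol_aliases:
            lines.append(func.lineno)
        elif (isinstance(func, ast.Attribute)
              and func.attr == advisory.vulnerable_symbol
              and isinstance(func.value, ast.Name)
              and func.value.id in module_aliases):
            lines.append(func.lineno)
    return sorted(lines)


def triage(inventory: dict[str, str], sources: dict[str, str], advisory: Advisory) -> dict:
    """Rank an advisory for this codebase: not-installed < patched < installed-not-called < reachable."""
    installed = inventory.get(advisory.package)
    if installed is None:
        return {"status": "not-installed", "installed": None, "calls": {}}
    if not is_affected(installed, advisory):
        return {"status": "patched", "installed": installed, "calls": {}}
    calls = {path: hits for path, src in sources.items()
             if (hits := find_vulnerable_calls(src, advisory))}
    status = "reachable" if calls else "installed-not-called"
    return {"status": status, "installed": installed, "calls": calls}


# Constructed inputs: a hypothetical package and symbol, an inventory slice, three app files.
ADVISORY = Advisory(package="imgcodec", fixed_in="2.4.1", vulnerable_symbol="decode_header")
INVENTORY = {"imgcodec": "2.3.0", "requests": "2.31.0"}
SOURCES = {
    "app/upload.py": "from imgcodec import decode_header as dh\n\ndef handle(blob):\n    return dh(blob)\n",
    "app/thumbs.py": "import imgcodec as ic\n\ndef size(blob):\n    return ic.image_size(blob)\n",
    "app/report.py": "import imgcodec\n\ndef meta(blob):\n    return imgcodec.decode_header(blob)\n",
}

if __name__ == "__main__":
    print(triage(INVENTORY, SOURCES, ADVISORY))
```

The `status` values rank the finding: an advisory for a package that is not installed, or is already at the fixed version, needs no code scan; one that is installed and vulnerable is worth a ticket either way, but only a `reachable` result with concrete file and line numbers belongs at the top of the queue. Scanning first-party code answers only whether our code calls the function directly; calls made on our behalf by another dependency, or through dynamic dispatch, are not found, which is why `installed-not-called` is still a finding rather than a dismissal.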

Implement Agent Identity Numbering

Establish a unique identity system for every agent. Each agent must be numbered and registered so that policy can be enforced at the point of action, regardless of scale.

Establish Policy Governance at Point of Action

Design policy controls that are enforced when agents take action, with deny as the default and an audit record for every decision. This requires a more complex approach than traditional identity and access management: decisions are made in real time, per action, against the agent's verified identity, rather than inferred from standing permissions granted in advance.
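Steps 4 and 5 (and the FAQ's point that identity is the foundation for policy enforcement) as an added example that is not Lemonade's code or the page's own. An identity authority numbers each agent and signs its claims with an HMAC key held in source, a stand-in for the workload-identity or KMS-backed signing a real deployment would use; the rule set, agent purposes, resource names and signing key are constructed for the example:

```python
# Added example (not the page's or Lemonade's code): every agent gets a unique,
# verifiable identity, and policy is enforced default-deny at the point of action.
# The signing key, agent purposes, resource names and rules are constructed.
from __future__ import annotations

import fnmatch
import hashlib
import hmac
import json
from dataclasses import dataclass

# Demo-only secret; production would use KMS/HSM-held keys or workload identity (e.g. SPIFFE).
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


class IdentityAuthority:
    """Numbers each agent, records owner and purpose, signs the claims, supports revocation."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0
        self.registry: dict[str, dict] = {}  # agent_id -> claims; removal revokes

    def _mac(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def register(self, owner: str, purpose: str, now: float, ttl_s: int = 3600) -> tuple[str, str]:
        self._counter += 1
        agent_id = f"agent-{self._counter:06d}"
        claims = {"sub": agent_id, "owner": owner, "purpose": purpose, "exp": now + ttl_s}
        self.registry[agent_id] = claims
        body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
        return agent_id, f"{body}.{self._mac(body)}"

    def revoke(self, agent_id: str) -> None:
        self.registry.pop(agent_id, None)

    def verify(self, token: str, now: float) -> dict | None:
        body, _, mac = token.rpartition(".")  # the hex MAC never contains '.'
        if not hmac.compare_digest(mac, self._mac(body)):
            return None  # forged or tampered
        claims = json.loads(body)
        if claims["exp"] < now or claims["sub"] not in self.registry:
            return None  # expired or revoked
        return claims


@dataclass(frozen=True)
class Rule:
    effect: str    # "allow" or "deny"
    purpose: str   # glob over the agent's declared purpose
    action: str    # glob over the requested action
    resource: str  # glob over the target resource


class PolicyEnforcementPoint:
    """Fronts the action: unverified identity or no matching rule means deny; deny beats allow."""
    def __init__(self, authority: IdentityAuthority, rules: list[Rule]):
        self.authority, self.rules, self.audit = authority, rules, []

    def decide(self, token: str, action: str, resource: str, now: float) -> tuple[bool, str]:
        claims = self.authority.verify(token, now)
        if claims is None:
            verdict = (False, "unverified-identity")
        else:
            hit = [r for r in self.rules if fnmatch.fnmatchcase(claims["purpose"], r.purpose)
                   and fnmatch.fnmatchcase(action, r.action)
                   and fnmatch.fnmatchcase(resource, r.resource)]
            if any(r.effect == "deny" for r in hit):
                verdict = (False, "explicit-deny")
            elif any(r.effect == "allow" for r in hit):
                verdict = (True, "allow")
            else:
                verdict = (False, "no-matching-rule")  # default deny
        self.audit.append({"agent": claims["sub"] if claims else None, "action": action,
                           "resource": resource, "allowed": verdict[0], "reason": verdict[1]})
        return verdict


RULES = [  # constructed policy for the two agent types the page describes
    Rule("allow", "threat-intel-reader", "read", "feeds/*"),
    Rule("allow", "vuln-reachability-checker", "read", "repo/*"),
    Rule("allow", "vuln-reachability-checker", "write", "tickets/*"),
    Rule("deny", "*", "write", "prod/*"),  # no agent changes production directly
]


def demo(now: float = 1_700_000_000.0) -> dict[str, tuple[bool, str]]:
    authority = IdentityAuthority(SIGNING_KEY)
    pep = PolicyEnforcementPoint(authority, RULES)
    intel_id, intel = authority.register("secops", "threat-intel-reader", now)
    _, checker = authority.register("appsec", "vuln-reachability-checker", now)
    forged = intel[:-1] + ("0" if intel[-1] != "0" else "1")  # flip one MAC hex digit
    results = {
        "intel_reads_feed": pep.decide(intel, "read", "feeds/osint", now),
        "intel_writes_prod": pep.decide(intel, "write", "prod/db", now),
        "checker_files_ticket": pep.decide(checker, "write", "tickets/APPSEC-1", now),
        "checker_reads_feed": pep.decide(checker, "read", "feeds/osint", now),
        "forged_token": pep.decide(forged, "read", "feeds/osint", now),
        "expired_token": pep.decide(intel, "read", "feeds/osint", now + 7200),
    }
    authority.revoke(intel_id)
    results["revoked_agent"] = pep.decide(intel, "read", "feeds/osint", now)
    return results
```

Two properties matter more than the token format. First, the decision is made at the point of action with the agent's verified identity as input: a forged, expired or revoked token never reaches the rule set, and an action no rule covers is denied rather than allowed. Second, every decision leaves an audit record keyed to the agent's id, which is what lets a team with thousands of agents per endpoint reconstruct who did what. A production implementation would delegate issuance to a workload-identity system and rule evaluation to a policy engine, but the shape of the enforcement point stays the same.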

Measure and Track Automation Coverage

Implement metrics to track which security processes are automated and which still require manual intervention. Aim for increasing automation coverage over time.

Iterate on Agent Capabilities Continuously

Security threats evolve rapidly. Continuously iterate on agent capabilities, adding new detection methods, response playbooks, and integration points as the threat landscape changes.
