TL;DR: Agentic AI is expanding the attack surface while reducing attacker breakout time to less than an hour, and organisations still struggle to combine near real-time visibility with practical identity governance, according to Orca Security’s webinar coverage. The key issue is no longer just runtime monitoring but whether cloud security programmes can govern non-human identities, telemetry, and response fast enough to keep pace.
NHIMG editorial — based on content published by Orca Security: Runtime Reinvented, how agentic AI is transforming cloud native protection
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
Questions worth separating out
Q: How should security teams handle runtime visibility for non-human identities?
A: Security teams should tie runtime visibility to the identities actually driving workload behaviour, including service accounts, tokens, and AI-driven automation.
Q: Why does agentic AI change runtime security assumptions?
A: Agentic AI changes runtime security because it can accelerate both attack execution and defensive analysis.
Q: What breaks when runtime monitoring has no identity context?
A: Without identity context, runtime monitoring can show that something happened but not who or what was authorised to do it.
Practitioner guidance
- Correlate runtime telemetry with identity metadata Link process, network, and cloud control-plane events back to the workload or service identity that initiated them.
- Set response targets around attacker breakout time Benchmark how long it takes your team to detect, triage, and contain suspicious runtime behaviour, then compare that to the current less-than-an-hour breakout window described in the article.
- Review where agentless coverage is insufficient Identify cloud estates, container clusters, and high-value workloads where sensorless visibility leaves identity-linked activity too thin for reliable response.
What's in the full article
Orca Security's full webinar coverage leaves the operational detail for the source:
- How the speakers distinguish agent-based from sensor-based runtime approaches in production cloud environments
- Where eBPF-style telemetry fits when teams need lower-overhead visibility into workload behaviour
- Why the discussion links AI-driven response with identity management and non-human identity growth
- Which practical trade-offs the speakers raise for organisations trying to modernise runtime protection
👉 Read Orca Security's webinar coverage of runtime security and agentic AI →
Agentic runtime security and NHI control gaps: what changes now?
Explore further
Runtime security is becoming an identity problem, not just a telemetry problem. The article shows that visibility alone is no longer enough when attack speed is compressing and cloud environments are increasingly driven by non-human actors. Runtime protection now depends on knowing which identity initiated the action, what privilege it held, and whether the response path can still act in time. Practitioners should treat runtime and identity control as one operating plane, not two.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- Only 7% of security leaders admit they do not know how often their AI systems are making autonomous changes to infrastructure, which shows how quickly visibility can outrun governance.
A question worth separating out:
Q: Should teams use agentless or agent-based runtime controls?
A: Teams should use the combination that gives enough telemetry fidelity without destabilising production workloads. Agentless coverage is useful for broad visibility, while agent-based or sensor-based tools may be needed where identity-linked runtime detail is critical. The decision should be driven by workload risk, not by a single preferred architecture.
👉 Read our full editorial: Runtime security for agentic AI is collapsing into identity control