AI agents in CNAPP: what changes for cloud security teams?

TL;DR: AI agents for CNAPP that investigate alerts, triage findings, and trigger workflows using unified cloud context are described by Orca Security, while Gartner reports a 60% increase in security and risk management spending since 2020 and Omdia found 45% of organisations saw four or more cloud incidents in the last year. The governance lesson is that agentic speed only helps if identity, context, and approval boundaries stay visible.

NHIMG editorial — based on content published by Orca Security: AI agents for CNAPP and cloud-native applications

By the numbers:

• Gartner research shows that there’s been a 60% increase in organizational spending on global security and risk management since 2020.
• Omdia confirms this in The State of Cloud Security: Navigating Security Offerings From Cloud Service Providers and Security Vendors with 45% of organizations having experienced four or more security incidents in their cloud environment in the last 12 months.

Questions worth separating out

Q: How should security teams govern AI agents that can trigger remediation workflows?

A: Security teams should separate advisory output from execution authority, then require explicit approval for any workflow that changes state.

Q: Why do AI agents complicate cloud identity governance?

A: AI agents complicate governance because they turn identity from a static permission holder into an operational decision-maker.

Q: What breaks when cloud security automation lacks unified identity context?

A: Automation breaks when the system cannot reliably connect workload state, identity permissions, and alert evidence to the same asset or actor.

Practitioner guidance

• Separate recommendation rights from execution rights Define which AI agent outputs are advisory only and which can trigger tickets, suppress findings, or start remediation workflows.
• Normalize cloud identity context before automation Require cloud control plane data, IAM records, workload metadata, and telemetry to resolve to the same entity before any agent can make a triage decision.
• Audit the human-in-the-loop boundary Document where human approval is mandatory, what evidence the approver receives, and which actions can be reversed after execution.

What's in the full article

Orca Security's full research covers the operational detail this post intentionally leaves for the source:

• How the Unified Data Model maps cloud control plane, IAM, CI/CD, and telemetry sources into one context layer for agent decisions
• What the AI Assistant, Threat Investigation Agent, and AppSec Triage Agent each do in practice across alerting and remediation
• How Orca routes actions into Jira, SIEM, SOAR, and notification systems when a finding moves from analysis to workflow
• Why the vendor frames transparency, reasoning, and human-in-the-loop review as prerequisites for future autonomy

👉 Read Orca Security's analysis of AI agents for CNAPP and cloud-native apps →

AI agents in CNAPP: what changes for cloud security teams?

Explore further

View Full Forum →  |  NHI Foundation Course →