How Does OWASP’s New Framework Secure Agentic AI?

Malik Haidar is a seasoned veteran in the trenches of corporate cybersecurity, having navigated the complex landscapes of multinational threat environments for years. He brings a unique perspective that bridges the gap between technical security and business strategy, making him a sought-after voice on the integration of emerging technologies. In this discussion, we dive into the shifting paradigm of agentic AI, exploring how organizations are often racing ahead with sophisticated multi-agent systems while tethered to outdated governance models. Haidar breaks down the new OWASP framework designed to help security teams move beyond simple copilots toward a mature, automated defense posture that matches the speed of AI. We explore the six levels of adoption, the risks of “red cell” operations, and how governance can ultimately serve as a catalyst for innovation rather than a bottleneck.

The disparity between deployment and governance is a recurring theme in your work. Why are organizations currently struggling to apply the right oversight to agentic AI, and what are the immediate consequences of this gap?

The reality on the ground is that most organizations are deploying agents much faster than they can actually govern them. It is a classic case of the “hare and the tortoise,” where the development teams are shipping custom and multi-agent systems while the governance teams are still operating at maturity levels designed for basic AI copilots. When you have this mismatch, you create a dangerous blind spot where autonomous systems are performing tasks that the security team doesn’t even know exist. I have seen environments where “Shadow AI” runs rampant, with users self-adopting tools outside of any formal approval process. This lack of alignment means that when a system begins to drift or exhibit anomalous behavior, there is no established baseline to measure it against, leading to a state of constant, reactive firefighting.

The OWASP framework introduces a very specific hierarchy for adoption. Could you explain the transition from “Shadow AI” at Level AT0 to the highly specialized “Custom In-house Agents” at Level AT5?

The adoption axis begins at AT0, which is the “Shadow AI” phase where the organization has zero awareness or approval of the tools being used by employees. From there, we move into AT1 and AT2, where we see vendor-embedded assistants and platform-integrated tools that use organizational data but cannot execute arbitrary code. The complexity spikes at AT3 and AT4, where “Citizen Developers” start configuring low-code flows and agents begin generating and executing code with local or cloud privileges. Finally, we reach AT5, the “Custom In-house Agent,” which represents the pinnacle of control and risk. At this level, you have built the system from scratch, and you are responsible for everything from identity management to the specific boundaries of what that agent is allowed to do within your infrastructure.

When we look at the four levels of governance maturity, from “Unaware” to “Integrated Oversight,” what are the specific markers that indicate a company is finally treating AI as critical infrastructure?

A company reaches true maturity at Level 3 when they treat agentic AI as critical infrastructure, implementing “Governance-as-code” to enforce machine-readable policies across the entire AI lifecycle. At Level 0 or 1, you might see occasional red-teaming or generic policies, but there is a distinct lack of continuous monitoring or defined autonomy limits. By the time an organization reaches Level 2, they have established formal policies that map use cases to regulations like the EU AI Act or GDPR, and they mandate a “human-in-the-loop” for high-impact decisions. However, it is only at Level 3 that we see the introduction of real-time dashboards to track anomalies and “kill switches” that can pause autonomy instantly. This level of maturity ensures that accountability is no longer diffuse but is anchored in automated enforcement and clear ownership by roles like a Chief AI Officer.

Ariel Fogel famously warned teams not to “operate in the red cells” of this framework. Can you describe the specific dangers of a “red cell” scenario and how the framework helps a team pivot back to safety?

Operating in a “red cell” means your deployment of AI has far outpaced your governance capabilities, leaving the organization exposed to risks it cannot see or mitigate. For example, if you are running a Level AT4 code-executing agent but your governance is stuck at Level 0, you have a system generating and running code with cloud privileges while you have no logging, no AI-Software Bill of Materials (SBOM), and no formal incident handling. The framework acts as a practical decision tool; if you find yourself in that red zone, you have two clear paths to take. You either invest immediately in controls designed specifically for agentic systems—like live behavioral baselines—or you must proactively reduce the agent’s permissions and autonomy. It is about balancing the “autonomy ladder” with the “governance ladder” to ensure that every machine action is traceable and limited.
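A governance-as-code check that applies the "red cell" decision rule from the two answers above, comparing an agent's adoption tier (AT0 to AT5) against the governance level its controls actually reach and returning both remediation paths. This is an added example, not OWASP's or the interviewee's code; the control sets per governance level follow the markers described in the interview, while the minimum governance level required per adoption tier is an assumed matrix for illustration.

```python
# Governance-as-code evaluator for agentic AI deployments (added example).
# Levels 1-3 are described by the controls the interview associates with them;
# a level counts as reached only when every lower level is also satisfied.
LEVEL_CONTROLS = {
    1: {"generic_policy", "occasional_red_teaming"},
    2: {"formal_policy", "regulatory_mapping", "human_in_the_loop"},
    3: {"governance_as_code", "realtime_dashboard", "kill_switch", "named_owner"},
}

# ASSUMPTION: minimum governance level per adoption tier. The interview only
# states that an AT4 agent at Level 0 is a red cell; the rest is illustrative.
MIN_GOVERNANCE = {0: 0, 1: 1, 2: 1, 3: 2, 4: 3, 5: 3}


def governance_level(controls):
    """Highest governance level whose controls (and all lower ones) are present."""
    have = set(controls)
    level = 0
    for lvl in (1, 2, 3):
        if LEVEL_CONTROLS[lvl] <= have:
            level = lvl
        else:
            break  # gaps at a lower level cap the maturity reached
    return level


def evaluate(adoption_tier, controls):
    """Decide whether a deployment sits in a red cell and list both exits.

    Path 1: the controls still missing to govern the current tier.
    Path 2: the highest tier the present governance already supports,
            i.e. how far autonomy must be reduced if controls are not added.
    """
    have = set(controls)
    gov = governance_level(have)
    required = MIN_GOVERNANCE[adoption_tier]
    missing = set()
    for lvl in range(gov + 1, required + 1):
        missing |= LEVEL_CONTROLS[lvl] - have
    max_safe_tier = max(t for t, need in MIN_GOVERNANCE.items() if need <= gov)
    return {
        "governance_level": gov,
        "red_cell": gov < required,
        "missing_controls": sorted(missing),
        "max_safe_tier": max_safe_tier,
    }


if __name__ == "__main__":
    # Constructed input: the interview's AT4 code-executing agent at Level 0.
    print(evaluate(4, set()))
```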

Traditional security measures often feel sluggish when applied to AI. What are the “faster” controls mentioned in the OWASP paper that security teams need to adopt to keep up with agentic workloads?

Since agents operate at machine speed and scale, we cannot rely on manual reviews or periodic audits; we need monitoring infrastructure that matches that velocity. This requires moving toward “identity hygiene” practices, such as the use of ephemeral credentials and cryptographic attestation, so that every single action an agent takes can be verified. We are also looking at joint incident response playbooks where safety and security teams work together to avoid misdiagnosing a live incident. You need real-time containment mechanisms that can trigger a “kill switch” the moment an anomaly is detected in the behavioral baseline. These are not just “stronger” versions of old tools; they are fundamentally different, automated controls that allow us to govern at the speed of the workloads themselves.

There is a common perception that strict governance is the enemy of innovation. How does the “Enterprise Adoption Maturity Model” argue against this, and how can it actually accelerate business goals?

The framework actually reframes governance as an enabler of innovation, because, as John Sotiropoulos pointed out, the act of “hiding” and not doing AI out of fear is a massive vulnerability in itself. By providing a clear, simple decision posture, the framework reduces the “cognitive tax” on busy teams who are overwhelmed by volumes of complex guidance. It allows a business to prioritize its riskiest workloads and apply the necessary guardrails so they can ship products with confidence rather than hesitation. Prudent governance creates a safe environment for experimentation, ensuring that when an organization adopts a multi-agent system, they aren’t just jumping into the void but are moving forward with a structured, risk-tiered approach. Ultimately, knowing where your “kill switches” are and having machine-readable policies in place allows a company to move faster, not slower.

What is your forecast for the evolution of agentic AI security over the next few years?

I expect to see a rapid convergence where AI safety and security are no longer treated as separate silos but are integrated into a single telemetry stream. The same architectural flaws that lead to a safety exposure often create a security vulnerability, and the industry will move toward unified incident playbooks to address these simultaneously. We will likely see the widespread adoption of “Governance-as-code,” where machine-readable policies are automatically enforced across federated systems, reducing the reliance on human intervention for routine monitoring. By the time we reach Infosecurity Europe in 2026 and beyond, the organizations that thrive will be those that have moved away from ad hoc “Shadow AI” and toward a model of continuous, automated oversight. The “Enterprise Adoption Maturity Model” is just the beginning of a shift toward treating AI agents as the sophisticated, autonomous entities they truly are.
