The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
The Risk Wheelhouse
S4E6: When AI Agents Outnumber Humans
The rapid proliferation of AI agents throughout enterprise environments isn't just another tech trend—it's a fundamental transformation of how organizations operate. When Nikesh Arora, CEO of Palo Alto Networks, warns that "there's going to be more agents than humans running around trying to help manage your enterprise," he's highlighting a seismic shift that demands immediate attention.
These aren't simple chatbots. We're talking about autonomous systems requiring privileged access to your critical infrastructure and sensitive data. The comparison to self-driving cars is particularly illuminating—just as a hijacked autonomous vehicle could cause immediate physical harm, a compromised AI agent with deep system access could wreak instant havoc across your business operations. The threats are existential: ransomware deployment, systemic sabotage, or complete business disruption at machine speed.
Identity management emerges as the critical control plane, but it must exist within a comprehensive Integrated Risk Management (IRM) model connecting technical controls to broader business objectives. Three forces make this urgent: accelerating regulation with the EU AI Act taking effect in 2025, major consulting firms aggressively deploying multi-agent platforms, and cyberattack velocities reaching frightening speeds—from breach to data exfiltration in just 25 minutes.
Organizations must respond with structured governance approaches like Wheelhouse's IRM Navigator™ Model, addressing performance, resilience, assurance, and compliance domains. Practical steps include establishing an AI council, defining your regulatory posture, building an agent registry, piloting ISO standards, and carefully selecting delivery partners whose platforms integrate into your risk framework rather than dictating it.
The question isn't whether AI agents will transform your enterprise, but whether you'll establish the governance frameworks to harness their benefits while mitigating unprecedented risks. Subscribe now to continue exploring the frontiers of enterprise technology and the frameworks that will determine which organizations thrive in the autonomous future.
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
Welcome to the Deep Dive. Today, we're really digging into something that feels like it's jumped straight out of science fiction and into the well, the corporate reality.
Sam Jones:Right AI agents in the enterprise.
Ori Wellington:Exactly what happens when they start to outnumber the humans and maybe more importantly, how do you manage that kind of risk, especially, you know, if one goes rogue?
Sam Jones:That's the million dollar question, isn't it? Or maybe billion dollar, given the stakes?
Ori Wellington:Could be so for this Deep dive. We've got some really sharp insights. We're starting with a, frankly, pretty stark warning from Nikesh Arora, the CEO of Palo Alto Networks.
Sam Jones:Yeah, he doesn't mince words on this topic.
Ori Wellington:No, he doesn't, and we're also going to bring in a broader perspective looking at integrated risk management, or IRM.
Sam Jones:We're drawing an article there by John A Wheeler which is crucial for connecting the dots between the tech risk and the overall business.
Ori Wellington:Precisely Our mission here is to really understand the huge shift these AI agents represent for well for your organization's risk landscape, and why getting a holistic grip on managing them isn't just, you know, a nice to have.
Sam Jones:It's urgent, absolutely imperative.
Ori Wellington:Right. So the hook is really this what does it mean when AI agents are, as Aurora puts it, running around trying to help you manage your enterprise and there are more of them than people?
Sam Jones:And what happens if they go off script? That's the core fear.
Ori Wellington:Okay, let's unpack this Nikesh Aurora's warning. I think it was on TMBC. It was incredibly direct. He predicted and this is the quote that really jumps out there's going to be more agents than humans running around trying to help you manage your enterprise.
Sam Jones:Wow, just pause on that for a second. More agents than humans.
Ori Wellington:Yeah, and when you really think about it, this isn't just like another software update. It's a fundamental, it's a massive change in the entire risk surface for big companies.
Sam Jones:Absolutely. And what's really critical there is the access they'll need. These agents aren't just, you know, handling simple website chats. They're going to need privileged access, deep access into your critical systems, your infrastructure.
Ori Wellington:Right the crown jewels.
Sam Jones:Exactly, and if you don't have really solid guardrails, proper controls, the threats are immense. We're talking agents getting hijacked for ransomware.
Ori Wellington:Which we already see happening in other contexts.
Sam Jones:For sure. Or you know systemic sabotage across your operations, or just outright business disruption, stopping everything.
Ori Wellington:And Aurora's bottom line on this really hits home. He said the whole new art of securing these agents, this art of securing AI, is going to become the next bastion in cybersecurity.
Sam Jones:It's a whole new battlefield, essentially.
Ori Wellington:Feels like it.
Sam Jones:It really does. And, connecting this up, Aurora really zeroed in on identity as the well, the central point, the control plane for AI risk.
Ori Wellington:Okay, identity, how so?
Sam Jones:Well, think about it. Just like your human employees, these AI agents need unique identities. They need clear sponsors, someone responsible for them, and they need very specific permissions or entitlements, saying exactly what they can access and what they can do.
Ori Wellington:Right, like a job description, but for code.
Sam Jones:Kind of yeah. Without that basic identity framework, you've got no real way to contain an agent that goes off the rails or even just to quickly revoke its access if something looks fishy. It's foundational.
Ori Wellington:And Palo Alto Networks putting billions into buying Cybernuk, an identity company, certainly backs that up.
Sam Jones:Absolutely underscores the point. Big time Identity is becoming central.
Ori Wellington:So we're talking about potentially thousands, millions of digital workers with keys to various parts of the kingdom.
Sam Jones:Yeah.
Ori Wellington:Yeah, that's a bit terrifying. It keeps CISOs awake at night, for sure I bet and Aurora used a really good analogy to make this feel more real he compared these agents to self-driving cars.
Sam Jones:The Waymo example.
Ori Wellington:Exactly he pointed to Waymo as, like a functioning agent out in the real world, it makes decisions in real time speed up, slow down, turn here, stop there. All on its own.
Sam Jones:That analogy is spot on because, think about it If a self-driving car gets hijacked, Disaster Immediate physical disaster. Right Catastrophic. And that directly mirrors the potential impact if one of these enterprise AI agents gets compromised if it's operating autonomously inside your core systems.
Ori Wellington:Making decisions, taking action Without a human in the loop.
Sam Jones:The consequences of a breach could be instant and devastating for the whole business.
Ori Wellington:OK, so identity is step one. Containment policies that's baseline. But you mentioned something else IRM.
Sam Jones:Exactly Integrated risk management. This is the crucial next step Because, while identity and basic controls are essential, they need to live within an IRM model.
Ori Wellington:Why is that so important?
Sam Jones:Because IRM ensures that those agent guardrails aren't just technical rules in a vacuum. They're directly tied to your overall enterprise goals Performance, resilience assurance compliance.
Ori Wellington:It makes the security effective across the whole organization. Got it so it connects the tech security to the business strategy.
Sam Jones:Precisely. We can actually use that car analogy again to see how IRM itself has evolved. Think of risk management in the past.
Ori Wellington:Spreadsheets and SharePoint.
Sam Jones:Yeah, the car of yesterday Basic, slow, kind of clunky for managing compliance. Lots of manual work, error prone.
Ori Wellington:Okay.
Sam Jones:Then today we have maybe driver assist IRM. It's smarter, more integrated platforms, but still heavily reliant on humans making the key decisions.
Ori Wellington:Some adaptive cruise control maybe.
Sam Jones:Good analogy, but the key insight for AI agents is the car of tomorrow autonomous IRM. This is where AI agents themselves can actually take risk management actions at scale, at speed.
Ori Wellington:Because they're governed by those IRM guardrails.
Sam Jones:Exactly that's the linchpin your security, your risk management. It starts to look like this almost self-driving system, itself governed by IRM principles. That's the big takeaway here.
Ori Wellington:That makes a lot of sense. It paints a picture of much more robust integrated control. Yeah, but why the urgency? Why is this shift to IRM so critical right now?
Sam Jones:Great question. There are basically three big external forces really pushing this First regulation is accelerating fast.
Ori Wellington:Okay, like what?
Sam Jones:Well, the big one is the EU AI Act. It's already starting to phase in. You've got prohibitions and AI literacy requirements hitting in 2025, full obligations by 2026. This isn't optional.
Ori Wellington:So companies need to get ready now.
Sam Jones:Definitely. Plus, you've got standards emerging like ISO IEC 14001. That sets up an auditable AI management system. Think of it like a blueprint for proving you're governing AI responsibly. And then there's the NIST AI risk management framework, the RMF. That gives you a lifecycle structure how you govern, map, measure and manage AI risk from start to finish. These are becoming the global benchmarks.
Ori Wellington:So regulation is driver number one. What's next?
Sam Jones:Second, the big consulting firms are jumping in feet. First, companies like KPMG, ey, deloitte. They're already launching multi-agent platforms, meaning they're building services that embed these AI agents directly into their clients' operations. So adoption isn't just going to be driven by tech vendors, it's being pushed hard by professional services too. These agents are coming, and probably faster than many realize.
Ori Wellington:Okay, so the deployment is accelerating because the consultants are pushing it.
Sam Jones:Right. And third and this loops back to a rose point, breach velocity Attacks are getting incredibly fast.
Ori Wellington:The 25-minute stat.
Sam Jones:Exactly Attack to data exfiltration in just 25 minutes. That's terrifyingly quick.
Ori Wellington:Yeah, no time for a committee meeting there.
Sam Jones:None, it means security controls absolutely cannot be an afterthought. You can't bolt them on later. They must be integrated from day one. How you build the agent, how you deploy it, how you monitor it, it has to be baked in.
Ori Wellington:So regulation, consulting, pushing adoption and lightning fast attacks, that paints a pretty urgent picture.
Sam Jones:It does, and that's where a model like the IRM Navigator comes in handy. It helps structure how you integrate these agents safely.
Ori Wellington:Okay, the IRM Navigator Break that down for us.
Sam Jones:Sure. It basically looks at integrating agents through four main objectives or risk domains. First is performance, which falls under enterprise risk management or ERM.
Ori Wellington:So business value.
Sam Jones:Right Deciding where autonomy actually creates measurable value, like can an agent speed up supplier onboarding, Can it automate collecting evidence for audits and critically tying that value back to your overall business goals and your appetite for risk.
Ori Wellington:Makes sense. What's second?
Sam Jones:Second is resilience. This is under operational risk management, orm. Think of it as building the fail-safes, defining clear triggers for when things go wrong. What are the escalation paths? What are the degraded modes? How does it operate if partially failing and, crucially, what are the criteria for a human to step in and override?
Ori Wellington:Planning for when things don't go perfectly.
Sam Jones:Exactly. Third is assurance under technology risk management, TRM. This is about treating the agents themselves as managed assets.
Ori Wellington:Like servers or laptops.
Sam Jones:Sort of yeah, they need to be instrumented for continuous monitoring. You need to be able to revoke their access quickly and their telemetry, their operational data, needs to feed into your security tools.
Ori Wellington:Like your XDR and your SOC workflows.
Sam Jones:Precisely, so your security teams can actually see what these agents are doing, and OK, performance resilience assurance.
Ori Wellington:What's the fourth?
Sam Jones:The fourth is compliance. This falls under Governance, risk and Compliance GRC. This is about translating those standards we talked about ISO 42001, nist, ai, rmf into actual enforceable policies.
Ori Wellington:And proof.
Sam Jones:And auditable evidence that you're following them. It also means systematically mapping your systems to the EU AI Act obligations based on their risk class. It's about proving you're doing the right thing according to the rules.
Ori Wellington:So, putting it all together, this IRM navigator framework, it really takes Aurora's idea of guardrails and builds it out into a comprehensive management model. It's not just stopping bad stuff.
Sam Jones:No, it's about proactively integrating AI to achieve business goals, but doing it within a structure that systematically manages the inherent risks Performance, resilience, assurance, compliance, all connected.
Ori Wellington:Okay, I think I'm getting the picture. It's moving from just security to integrated risk management.
Sam Jones:You got it. That's the core shift. So for the leaders listening right now, maybe feeling a bit overwhelmed what are some practical things, some actionable steps they should be thinking about, say in the next 90 days, Okay, yeah, let's get practical. Based on everything we've discussed, here are a few concrete steps.
Ori Wellington:First, stand up an AI council.
Sam Jones:Okay, Put it under your existing enterprise risk management program. This council's job is to set your organization's tolerance for autonomy. How much automated decision-making are you comfortable with? They approve specific use cases for AI agents and they define the metrics the board will use to track performance and risk.
Ori Wellington:So a central steering committee for AI.
Sam Jones:Essentially yes. Second, define your EU AI Act posture. Start classifying your AI systems and even your suppliers. Now Figure out what obligations you'll face between 2025 and 2027. Don't wait.
Ori Wellington:Get ahead of the regulation Makes sense.
Sam Jones:Third, build an agent registry. Seriously document every agent. Who is its human sponsor, what are its exact entitlements, what can it access, what can it do? And, critically, does it have a readily accessible kill switch?
Ori Wellington:An off. Button.
Sam Jones:An immediate off button just in case. Fourth, pilot ISO IE 72001. Don't try to boil the ocean. Pick two or three specific AI use cases and scope the ISO standard for them. Learn from those pilots, then expand.
Ori Wellington:Start small, learn fast.
Sam Jones:Exactly. And finally, number five, choose your delivery partners very carefully If you're bringing in consulting firms with their own multi-agent platforms.
Ori Wellington:Which you said is happening fast, right.
Sam Jones:Make absolutely sure their platforms integrate into your IRM model, not the other way around. Your risk framework needs to govern their tools, not be dictated by them.
Ori Wellington:Maintain control of your own risk posture.
Sam Jones:Precisely.
Ori Wellington:Okay, so wrapping this up, Nikesh Rohr's vision seems spot on. Securing AI agents really does feel like the next big frontier in cybersecurity. It's a huge challenge.
Sam Jones:It is, and hopefully what we've unpacked in this deep dive shows how integrated risk management that IRM piece provides the essential enterprise-wide view. It's what makes those security guardrails actually work effectively at scale.
Ori Wellington:So it connects the security tech to the whole business.
Sam Jones:Yeah, the future of AI agent security isn't just about buying the right security tools. It's fundamentally an integrated management challenge for the whole organization. Irm helps align everything performance, resilience, assurance and compliance.
Ori Wellington:So, as we finish up, here's something for you, our listeners, to think about as these AI agents multiply and weave themselves deeper into your daily operations. What's the single most critical question you need to ask about your organization's readiness to manage this emerging autonomous workforce?
Sam Jones:That's the key question to take away.
Ori Wellington:Think about that and we'll see you next time on the Deep Dive.