Agentic AI—the kind that doesn’t just recommend actions but takes them—is moving from lab experiments to enterprise workflows. And with it comes a security headache the size of a data center. To tackle the problem, Token Security and Descope, alongside CISOs and security experts from companies like Vercel, Verily, Live Oak Bank, AppLovin, and Xcel Energy, have released the AI Security Guide: A Maturity Model for Secure Agentic AI Adoption.
The guide offers a four-phase roadmap for adopting AI that can launch code, trigger workflows, and create new identities—without creating a new category of breaches in the process.
Why This Matters
As Token Security CEO Itamar Apelblat points out, agentic AI will lead to a future where non-human identities (NHIs) outnumber human ones by 100 to 1. These “invisible workers” will have the power to modify systems, access data, and interact with critical infrastructure—making them prime targets for attackers.
The security pivot, according to Apelblat, is to treat AI agents like first-class actors in identity and access management (IAM)—not just background tools. That means secure authentication, granular authorization, and policy-based governance baked in from day one.
Inside the Maturity Model
The framework lays out four adoption phases:
- Ad-hoc AI Adoption and Deployment – unstructured experimentation without controls.
- Structured AI Enablement and Integration – policies start forming around AI use.
- Operationalizing AI Infrastructure and Governance – formal IAM, compliance, and monitoring.
- Autonomous AI Action and Operational Control – secure, fully governed AI operating at scale.
The emphasis throughout: continuous governance, identity protection for NHIs, and extending policy-based controls to both internal and third-party AI tools.
A Timely Playbook
Descope co-founder Rishi Bhargava says the guide responds to a common CISO question: How do we stop our AI or MCP servers from breaking things—or worse? His answer: build in security “as if the AI were another employee with full permissions,” then control and audit it accordingly.
Shaun Marion, VP and CISO at Xcel Energy, put it bluntly:
With enterprises racing to operationalize agentic AI, the guide could become the de facto baseline for secure adoption—before the risks scale as fast as the technology itself.