As enterprises rush to deploy autonomous AI agents, they are creating novel risks by applying static security playbooks to dynamic, unpredictable systems.
Rock Lambros, CEO of RockCyber and a contributor to a new OWASP report on AI security, argues that leaders must shift from preventing all failures to building systems resilient enough to withstand them.
He warns of catastrophic cascading failures in critical infrastructure and outlined a new class of controls, including continuous red teaming and step-level policy enforcement, to manage AI “inside the loop.”
A dangerous gap is widening between ambition and understanding when deploying autonomous AI agents at enterprise scale. Many leaders are applying static and traditional security playbooks in a way that is incongruent with dynamic adaptive systems. The core challenge is no longer just preventing known threats, but building systems resilient enough to handle failures that cannot be foreseen. The mismatch introduces novel and unpredictable risks, and is the subject of the recent State of Agentic AI Security and Governance report. The landmark paper from the Open Worldwide Application Security Project (OWASP) charts a course through this uncharted territory. The report underscores a critical question facing every organization: How do you design for the unknown unknowns?
We spoke with Rock Lambros, CEO and Founder of RockCyber, and a key contributor to the OWASP report. Drawing on three decades at the intersection of cybersecurity and emerging technology, Lambros is a voice from the front lines of AI governance. He argued that the industry’s current approach is insufficient for the agentic era, requiring a fundamental shift in how we think about risk, control, and responsibility.
For Lambros, navigating this new landscape requires a radical acceptance of unpredictability. The new mandate for leaders, he argued, is not to prevent every failure, but to build systems that can withstand them.
Designing for the unknown: “I would say we have to start designing for the ‘unknowable unknowns’,” Lambros said. “Practices like modularity and.separating our innovation sandboxes from the production execution environments have been best practice for years. But we can all be doing a better job at sticking to those in the age of AI.”
While the principles of cybersecurity remain familiar, their application in an AI-driven world is profoundly different. Leaders may recognize the what of security—concepts like least privilege and segmentation—but are struggling with the how. This gap between theory and practice is where the most significant risks emerge.
The what vs. the how: “People are starting to wrap their heads around LLM security and generative AI security. But now we’re moving from creating things to actually taking action,” Lambros explained. “While AI risks are unique, a lot of the fundamentals of traditional cybersecurity also apply, like least privilege: making sure that the agent has the least permission necessary for it to accomplish its job. But how you implement a lot of these controls certainly differs.”
This new reality introduces risks that extend far beyond data breaches. When agents can act autonomously, the potential for harm multiplies. A single error can propagate through a chain of agents, creating widespread and unpredictable consequences. This is especially true when AI interacts with operational technology in the physical world.
Cascading failures and catastrophic risk: “One agent at one point in the chain hallucinates, and then that hallucination is propagated through the rest of the agent chain. You just end up with one really big case of the telephone game by the end of it,” Lambros warned. The stakes are highest in critical infrastructure, Lambros said, from SCADA systems running an oil and gas plant, to health and imaging systems at a hospital where a digital failure can have life-threatening physical ramifications. To manage this, he urged leaders to focus on the outcome, not the tool: “Approach the risks the same as you would have traditionally… treat that risk the same whether it’s AI driving the technology or not.”
Surviving this environment requires a new set of practical guardrails built for dynamism. The old model of securing data at ingress and egress is no longer enough. Controls must operate “inside the loop” to monitor agent behavior mid-task, supported by continuous testing and clear metrics.
A new class of controls: “Continuous red teaming is key. Continuous monitoring as well,” Lambros said. This includes things like “step-level policy enforcement, context sanitization where you strip or flag unsafe instructions and sensitive data, and memory governance to expire or redact memory entries.” It also means defining metrics to “track how often guardrails trigger, how often humans have to override, the time to detection and containment, and how to share that data with leadership to continuously improve the controls.”
Ultimately, these technical frameworks are only as strong as the culture that supports them. Lambros argued that the old model of security awareness through ineffective annual videos and quizzes is obsolete. In the age of AI, security must be a top-down mandate, with role-specific training that reflects the unique risks different employees face.
A top-down cultural mandate: “Our traditional, you know, ‘hey, let’s take these like little security videos or quizzes once a year’… absolutely doesn’t work,” he stated. “A lot of that is through adapting messaging for the audience and having the direction come down from leadership from the CEO on down. It’s not a grassroots effort. The C-suite and leadership need to drive it, saying, ‘This is what we will use AI for. This is what we won’t use AI for. Here are the guardrails. This is the type of data you can put into the AI, and this is the type of data you cannot.'”
The conversation circled back to the most fundamental and intractable challenge: data bias. Lambros stressed that all human-created data is inherently biased, and pretending otherwise is a critical error. The challenge is not to eliminate bias, which is impossible, but to actively manage it. This requires confronting the difficult question of “whose ethics” and “whose biases” are embedded in the models we deploy.
The impossibility of neutrality: “All data is biased. The corpus of data in human history is biased,” Lambros said. “So recognize that. Put guardrails around it to identify it. You’re going to have to put requirements in place for bias drift in your models and all that kind of stuff.”
He concluded with a direct and pragmatic warning to leaders. Acknowledging and planning for these deep-seated issues from the outset is not an ethical nice-to-have; it is a business and operational imperative.
Plan now or pay later: “Recognize that those harms exist. Recognize that regulations are going to make you address them. Recognize that a lot of those harms stem from data bias, and recognize that all data is biased. The corpus of data in human history is biased. So recognize that, and plan for it, because it is going to be extremely difficult and expensive for you to bolt that on after.” Essentially, designing for unknown unknowns is not a backup plan. It is just the plan.
