The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
The Risk Wheelhouse
S4E6: When AI Agents Outnumber Humans
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
The rapid proliferation of AI agents throughout enterprise environments isn't just another tech trend—it's a fundamental transformation of how organizations operate. When Nikesh Arora, CEO of Palo Alto Networks, warns that "there's going to be more agents than humans running around trying to help manage your enterprise," he's highlighting a seismic shift that demands immediate attention.
These aren't simple chatbots. We're talking about autonomous systems requiring privileged access to your critical infrastructure and sensitive data. The comparison to self-driving cars is particularly illuminating—just as a hijacked autonomous vehicle could cause immediate physical harm, a compromised AI agent with deep system access could wreak instant havoc across your business operations. The threats are existential: ransomware deployment, systemic sabotage, or complete business disruption at machine speed.
Identity management emerges as the critical control plane, but it must exist within a comprehensive Integrated Risk Management (IRM) model connecting technical controls to broader business objectives. Three forces make this urgent: accelerating regulation with the EU AI Act taking effect in 2025, major consulting firms aggressively deploying multi-agent platforms, and cyberattack velocities reaching frightening speeds—from breach to data exfiltration in just 25 minutes.
Organizations must respond with structured governance approaches like Wheelhouse's IRM Navigator™ Model, addressing performance, resilience, assurance, and compliance domains. Practical steps include establishing an AI council, defining your regulatory posture, building an agent registry, piloting ISO standards, and carefully selecting delivery partners whose platforms integrate into your risk framework rather than dictating it.
The question isn't whether AI agents will transform your enterprise, but whether you'll establish the governance frameworks to harness their benefits while mitigating unprecedented risks. Subscribe now to continue exploring the frontiers of enterprise technology and the frameworks that will determine which organizations thrive in the autonomous future.
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
Welcome to the Deep Dive. Today, we're really digging into something that feels like it's jumped straight out of science fiction and into the well, the corporate reality.
Sam JonesRight AI agents in the enterprise.
Ori WellingtonExactly what happens when they start to outnumber the humans and maybe more importantly, how do you manage that kind of risk, especially, you know, if one goes rogue?
Sam JonesThat's the million dollar question, isn't it? Or maybe billion dollar, given the stakes?
Ori WellingtonCould be so for this Deep dive. We've got some really sharp insights. We're starting with a, frankly, pretty stark warning from Nikesh Arora, the CEO of Palo Alto Networks.
Sam JonesYeah, he doesn't mince words on this topic.
Ori WellingtonNo, he doesn't, and we're also going to bring in a broader perspective looking at integrated risk management, or IRM.
Sam JonesWe're drawing an article there by John A Wheeler which is crucial for connecting the dots between the tech risk and the overall business.
Ori WellingtonPrecisely Our mission here is to really understand the huge shift these AI agents represent for well for your organization's risk landscape, and why getting a holistic grip on managing them isn't just, you know, a nice to have.
Sam JonesIt's urgent, absolutely imperative.
Ori WellingtonRight. So the hook is really this what does it mean when AI agents are, as Aurora puts it, running around trying to help you manage your enterprise and there are more of them than people?
Sam JonesAnd what happens if they go off script? That's the core fear.
Nikesh Arora's Warning on AI Agents
Ori WellingtonOkay, let's unpack this Nikesh Aurora's warning. I think it was on TMBC. It was incredibly direct. He predicted and this is the quote that really jumps out there's going to be more agents than humans running around trying to help you manage your enterprise.
Sam JonesWow, just pause on that for a second. More agents than humans.
Ori WellingtonYeah, and when you really think about it, this isn't just like another software update. It's a fundamental, it's a massive change in the entire risk surface for big companies.
Sam JonesAbsolutely. And what's really critical there is the access they'll need. These agents aren't just, you know, handling simple website chats. They're going to need privileged access, deep access into your critical systems, your infrastructure.
Ori WellingtonRight the crown jewels.
Sam JonesExactly, and if you don't have really solid guardrails, proper controls, the threats are immense. We're talking agents getting hijacked for ransomware.
Ori WellingtonWhich we already see happening in other contexts.
Sam JonesFor sure. Or you know systemic sabotage across your operations, or just outright business disruption, stopping everything.
Ori WellingtonAnd Aurora's bottom line on this really hits home. He said the whole new art of securing these agents, this art of securing AI, is going to become the next bastion in cybersecurity.
Sam JonesIt's a whole new battlefield, essentially.
Ori WellingtonFeels like it.
Identity as the Control Plane
Sam JonesIt really does. And, connecting this up, Aurora really zeroed in on identity as the well, the central point, the control plane for AI risk.
Ori WellingtonOkay, identity, how so?
Sam JonesWell, think about it. Just like your human employees, these AI agents need unique identities. They need clear sponsors, someone responsible for them, and they need very specific permissions or entitlements, saying exactly what they can access and what they can do.
Ori WellingtonRight, like a job description, but for code.
Sam JonesKind of yeah. Without that basic identity framework, you've got no real way to contain an agent that goes off the rails or even just to quickly revoke its access if something looks fishy. It's foundational.
Ori WellingtonAnd Palo Alto Networks putting billions into buying Cybernuk, an identity company, certainly backs that up.
Sam JonesAbsolutely underscores the point. Big time Identity is becoming central.
Ori WellingtonSo we're talking about potentially thousands, millions of digital workers with keys to various parts of the kingdom.
Sam JonesYeah.
Ori WellingtonYeah, that's a bit terrifying. It keeps CISOs awake at night, for sure I bet and Aurora used a really good analogy to make this feel more real he compared these agents to self-driving cars.
Sam JonesThe Waymo example.
Ori WellingtonExactly he pointed to Waymo as, like a functioning agent out in the real world, it makes decisions in real time speed up, slow down, turn here, stop there. All on its own.
Integrated Risk Management for AI
Sam JonesThat analogy is spot on because, think about it If a self-driving car gets hijacked, Disaster Immediate physical disaster. Right Catastrophic. And that directly mirrors the potential impact if one of these enterprise AI agents gets compromised if it's operating autonomously inside your core systems.
Ori WellingtonMaking decisions, taking action Without a human in the loop.
Sam JonesThe consequences of a breach could be instant and devastating for the whole business.
Ori WellingtonOK, so identity is step one. Containment policies that's baseline. But you mentioned something else IRM.
Sam JonesExactly Integrated risk management. This is the crucial next step Because, while identity and basic controls are essential, they need to live within an IRM model.
Ori WellingtonWhy is that so important?
Three Drivers of Urgent AI Adoption
Sam JonesBecause IRM ensures that those agent guardrails aren't just technical rules in a vacuum. They're directly tied to your overall enterprise goals Performance, resilience assurance compliance.
Ori WellingtonIt makes the security effective across the whole organization. Got it so it connects the tech security to the business strategy.
Sam JonesPrecisely. We can actually use that car analogy again to see how IRM itself has evolved. Think of risk management in the past.
Ori WellingtonSpreadsheets and SharePoint.
Sam JonesYeah, the car of yesterday Basic, slow, kind of clunky for managing compliance. Lots of manual work, error prone.
Ori WellingtonOkay.
Sam JonesThen today we have maybe driver assist IRM. It's smarter, more integrated platforms, but still heavily reliant on humans making the key decisions.
Ori WellingtonSome adaptive cruise control maybe.
Sam JonesGood analogy, but the key insight for AI agents is the car of tomorrow autonomous IRM. This is where AI agents themselves can actually take risk management actions at scale, at speed.
Ori WellingtonBecause they're governed by those IRM guardrails.
Sam JonesExactly that's the linchpin your security, your risk management. It starts to look like this almost self-driving system, itself governed by IRM principles. That's the big takeaway here.
Ori WellingtonThat makes a lot of sense. It paints a picture of much more robust integrated control. Yeah, but why the urgency? Why is this shift to IRM so critical right now?
Sam JonesGreat question. There are basically three big external forces really pushing this First regulation is accelerating fast.
Ori WellingtonOkay, like what?
Sam JonesWell, the big one is the EU AI Act. It's already starting to phase in. You've got prohibitions and AI literacy requirements hitting in 2025, full obligations by 2026. This isn't optional.
Ori WellingtonSo companies need to get ready now.
Sam JonesDefinitely. Plus, you've got standards emerging like ISO IEC 14001. That sets up an auditable AI management system. Think of it like a blueprint for proving you're governing AI responsibly. And then there's the NIST AI risk management framework, the RMF. That gives you a lifecycle structure how you govern, map, measure and manage AI risk from start to finish. These are becoming the global benchmarks.
Ori WellingtonSo regulation is driver number one. What's next?
Sam JonesSecond, the big consulting firms are jumping in feet. First, companies like KPMG, ey, deloitte. They're already launching multi-agent platforms, meaning they're building services that embed these AI agents directly into their clients' operations. So adoption isn't just going to be driven by tech vendors, it's being pushed hard by professional services too. These agents are coming, and probably faster than many realize.
Ori WellingtonOkay, so the deployment is accelerating because the consultants are pushing it.
Sam JonesRight. And third and this loops back to a rose point, breach velocity Attacks are getting incredibly fast.
Ori WellingtonThe 25-minute stat.
Sam JonesExactly Attack to data exfiltration in just 25 minutes. That's terrifyingly quick.
Ori WellingtonYeah, no time for a committee meeting there.
Sam JonesNone, it means security controls absolutely cannot be an afterthought. You can't bolt them on later. They must be integrated from day one. How you build the agent, how you deploy it, how you monitor it, it has to be baked in.
Ori WellingtonSo regulation, consulting, pushing adoption and lightning fast attacks, that paints a pretty urgent picture.
Sam JonesIt does, and that's where a model like the IRM Navigator comes in handy. It helps structure how you integrate these agents safely.
Ori WellingtonOkay, the IRM Navigator Break that down for us.
Sam JonesSure. It basically looks at integrating agents through four main objectives or risk domains. First is performance, which falls under enterprise risk management or ERM.
Ori WellingtonSo business value.
Sam JonesRight Deciding where autonomy actually creates measurable value, like can an agent speed up supplier onboarding, Can it automate collecting evidence for audits and critically tying that value back to your overall business goals and your appetite for risk.
Ori WellingtonMakes sense. What's second?
Sam JonesSecond is resilience. This is under operational risk management, orm. Think of it as building the fail-safes, defining clear triggers for when things go wrong. What are the escalation paths? What are the degraded modes? How does it operate if partially failing and, crucially, what are the criteria for a human to step in and override?
Ori WellingtonPlanning for when things don't go perfectly.
Sam JonesExactly. Third is assurance under technology risk management, TRM. This is about treating the agents themselves as managed assets.
Ori WellingtonLike servers or laptops.
Sam JonesSort of yeah, they need to be instrumented for continuous monitoring. You need to be able to revoke their access quickly and their telemetry, their operational data, needs to feed into your security tools.
Ori WellingtonLike your XDR and your SOC workflows.
Five Practical Steps for Leaders
Sam JonesPrecisely, so your security teams can actually see what these agents are doing, and OK, performance resilience assurance.
Ori WellingtonWhat's the fourth?
Sam JonesThe fourth is compliance. This falls under Governance, risk and Compliance GRC. This is about translating those standards we talked about ISO 42001, nist, ai, rmf into actual enforceable policies.
Ori WellingtonAnd proof.
Sam JonesAnd auditable evidence that you're following them. It also means systematically mapping your systems to the EU AI Act obligations based on their risk class. It's about proving you're doing the right thing according to the rules.
Ori WellingtonSo, putting it all together, this IRM navigator framework, it really takes Aurora's idea of guardrails and builds it out into a comprehensive management model. It's not just stopping bad stuff.
Sam JonesNo, it's about proactively integrating AI to achieve business goals, but doing it within a structure that systematically manages the inherent risks Performance, resilience, assurance, compliance, all connected.
Ori WellingtonOkay, I think I'm getting the picture. It's moving from just security to integrated risk management.
Sam JonesYou got it. That's the core shift. So for the leaders listening right now, maybe feeling a bit overwhelmed what are some practical things, some actionable steps they should be thinking about, say in the next 90 days, Okay, yeah, let's get practical. Based on everything we've discussed, here are a few concrete steps.
Ori WellingtonFirst, stand up an AI council.
Sam JonesOkay, Put it under your existing enterprise risk management program. This council's job is to set your organization's tolerance for autonomy. How much automated decision-making are you comfortable with? They approve specific use cases for AI agents and they define the metrics the board will use to track performance and risk.
Ori WellingtonSo a central steering committee for AI.
Key Takeaways and Closing Thoughts
Sam JonesEssentially yes. Second, define your EU AI Act posture. Start classifying your AI systems and even your suppliers. Now Figure out what obligations you'll face between 2025 and 2027. Don't wait.
Ori WellingtonGet ahead of the regulation Makes sense.
Sam JonesThird, build an agent registry. Seriously document every agent. Who is its human sponsor, what are its exact entitlements, what can it access, what can it do? And, critically, does it have a readily accessible kill switch?
Ori WellingtonAn off. Button.
Sam JonesAn immediate off button just in case. Fourth, pilot ISO IE 72001. Don't try to boil the ocean. Pick two or three specific AI use cases and scope the ISO standard for them. Learn from those pilots, then expand.
Ori WellingtonStart small, learn fast.
Sam JonesExactly. And finally, number five, choose your delivery partners very carefully If you're bringing in consulting firms with their own multi-agent platforms.
Ori WellingtonWhich you said is happening fast, right.
Sam JonesMake absolutely sure their platforms integrate into your IRM model, not the other way around. Your risk framework needs to govern their tools, not be dictated by them.
Ori WellingtonMaintain control of your own risk posture.
Sam JonesPrecisely.
Ori WellingtonOkay, so wrapping this up, Nikesh Rohr's vision seems spot on. Securing AI agents really does feel like the next big frontier in cybersecurity. It's a huge challenge.
Sam JonesIt is, and hopefully what we've unpacked in this deep dive shows how integrated risk management that IRM piece provides the essential enterprise-wide view. It's what makes those security guardrails actually work effectively at scale.
Ori WellingtonSo it connects the security tech to the whole business.
Sam JonesYeah, the future of AI agent security isn't just about buying the right security tools. It's fundamentally an integrated management challenge for the whole organization. Irm helps align everything performance, resilience, assurance and compliance.
Ori WellingtonSo, as we finish up, here's something for you, our listeners, to think about as these AI agents multiply and weave themselves deeper into your daily operations. What's the single most critical question you need to ask about your organization's readiness to manage this emerging autonomous workforce?
Sam JonesThat's the key question to take away.
Ori WellingtonThink about that and we'll see you next time on the Deep Dive.