Security in the Age of AI Agents: Office Hours with Jonathan Jaffe

2026-05-27 · Source: Tomasz Tunguz · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Robotics & Autonomous Systems · Depth: Intermediate, long

Summary

Jonathan Jaffe, CISO at Lemonade, highlights the transformation of security in the age of AI agents, where practitioners evolve into engineers focused on automated policy architecture. He asserts that AI empowers defenders as much as attackers, leading to a narrowing window of exploitability due to AI-accelerated code review, pen-testing, and patching. Lemonade's security team, composed entirely of engineers, developed an AI platform with agents for threat intelligence and vulnerability detection. Jaffe emphasizes the necessity for every agent to have a distinct identity and be governed by advanced policy enforcement, moving beyond current identity and access management systems. Automation is presented as the sole method to manage the scale of emerging threats, with AI SOC tools now offering deep, rapid analysis and proactive incident response, fundamentally re-architecting the security stack.

Key takeaway

For Directors of AI/ML evaluating security posture, recognize that AI agents necessitate a fundamental shift from traditional human-centric security to engineering automated policy. You should prioritize investing in AI-driven security platforms and tools that enforce unique identities and granular access controls for every agent. This approach enables your team to manage the increasing scale of threats, accelerate vulnerability resolution, and build more resilient systems, rather than relying on reactive human intervention.

Key insights

AI agents transform security from human management to automated policy architecture, accelerating defense.

Principles

• AI empowers defenders to harden systems faster than attackers exploit.
• Software's exploitability window shrinks with AI-driven development and patching.
• Automation is essential for managing the scale of modern security threats.

Method

Lemonade's security team built an AI platform with agents to read threat intel, check repositories for vulnerable methods, and automate security testing throughout the development pipeline.

In practice

• Implement AI-driven code review and pen-testing.
• Host private package repositories with delayed installation policies.
• Enforce unique identities and granular policies for all AI agents.

Topics

• AI Agents
• Security Engineering
• Automated Policy
• Identity and Access Management
• Software Supply Chain Security
• AI SOC Tools

Best for: CTO, VP of Engineering/Data, AI Architect, AI Security Engineer, MLOps Engineer, Director of AI/ML

Related on AIssential

• Trump administration to ask US AI firms to voluntarily submit models for cybersecurity tests — The U.S. government seeks voluntary AI model cybersecurity testing from firms like OpenAI and Google via CAISI.
• Anthropic scales Project Glasswing to 150 partners across 15 countries to hunt critical software flaws — AI models like Claude Mythos can rapidly identify critical software vulnerabilities, posing both defensive and offensive capabilities.
• Your JWT Is Lying to You - The Authorization Problem Nobody Solves Correctly — JWTs alone are insufficient for dynamic, fine-grained authorization; external policy engines are essential for scalable security.
• Hackers hijacked high-profile Instagram accounts by simply asking Meta's AI chatbot to change the email — Meta's AI support chatbot was exploited via prompt injection to hijack Instagram accounts, bypassing 2FA and automated identity checks.
• Chrome stops hackers from stealing your browser cookies now - how its new security feature works — Device Bound Session Credentials (DBSC) cryptographically ties browser cookies to a device's security chip, preventing their use if stolen.
• Reference your own AWS Secrets Manager secrets in Amazon Bedrock AgentCore Identity — Amazon Bedrock AgentCore Identity now allows referencing existing AWS Secrets Manager secrets for enhanced credential governance.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Tomasz Tunguz.