AlpacaX
Agentic AI security is a stack, not a single control

On May 29 in Seoul, AlpacaX, Okta Korea, and Gruve gathered security teams, investors, and AI builders to ask one thing: how do you secure AI agents?

8 June 2026


The most useful thing that came out of the Agentic AI Security Summit wasn't a single insight from a single speaker. It was a pattern that ran across all sessions: every team in the room that has deployed AI agents, or is about to, has reached for a different control and found it incomplete on its own.

Identity? Necessary, but not sufficient. Runtime enforcement? Only effective if you know what the agent is supposed to be doing. Detection? Arrives after the damage. The afternoon made a clear argument – one that's hard to argue with once you've sat through all the talks – that agentic AI security works as a stack, not a single layer. And that the window to get ahead of it is shorter than most teams want to admit.

Jeonggyun Park from Axis Investment opened the day with a frame that set the urgency: an agent is a future employee – and US venture capital is pricing that in. "The agent wave is already underway." That's not a prediction. It's a current-state assessment.

Identity is the foundation – and only the foundation

Heejae Chang, Okta's Principal Solutions Engineer, gave what was probably the most data-dense session of the afternoon, and the numbers were uncomfortable.

Okta's AI at Work 2025 research found that 91% of enterprises are already deploying AI agents. Only 54% know what their agents are doing. That means 46% of enterprises have agents running unmonitored, unlogged, operating in production environments their security teams can't account for. The identity layer, if it isn't designed for that volume, becomes the bottleneck – or worse, the blind spot.

Chang's framework for what an identity layer for AI agents actually needs to answer came down to three questions: Where are my agents? What can they connect to? What can they do? The lifecycle Chang proposed – Discover, Onboard, Protect, Govern – maps directly to how mature teams already think about human privileged access.

The harder question – the one Chang's slides pressed on – isn't whether agents will be targeted. It's whether security teams will know when it's happening. Chang's conclusion was deliberate: "The identity layer is not optional for AI agents. It is the essential foundation for secure agentic AI implementation."

Essential, yes. Sufficient, no. That distinction set up exactly what came next – and what followed wasn't coincidental. Each session was designed to pick up where the previous one stopped.

Runtime is the new control plane

The hand-off between identity and runtime control is the most important architectural boundary in agentic AI security, and it's the one that most teams haven't drawn yet.

Eunyoung Jeong, our CEO, opened with a precise frame: yesterday, identity was the control plane, because humans logged in at human pace and access decisions could be made at login time. Today, agents execute at machine speed. Authentication gets you to the door. Runtime governs every command once you're inside. Those are two different problems, and confusing them is how you end up with the 46% of unmonitored agents that Okta described five minutes earlier. This is the gap that AI-native PAM is built to close.

Three problems are keeping AI agents out of production today: no access layer built for non-human identities, no scope control that binds an agent to what it was actually asked to do, and no audit trail that captures why something ran – not just that it ran.

The architectural response to each: unified identity across humans, autonomous AI, and CI/CD service tokens on one control plane. Work Sessions that bind scope, intent, and time – with default deny, so the 5% of commands that are ambiguous surface to the right human in seconds rather than proceeding silently. And audit that answers not just what ran but who authorised it, when, and for what stated purpose.
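As an added illustration (not Alpacon's, Okta's or Gruve's code, and not something shown at the summit), here is a hypothetical default-deny work-session gate in Python: scope, approver and expiry are bound to a session, out-of-scope or expired commands are denied, in-scope destructive verbs escalate to a human, and every decision lands in an audit record carrying who authorised the session and for what stated purpose. All agent, resource and approver names are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Destructive verbs are never auto-allowed: in scope -> escalate, out of scope -> deny.
DESTRUCTIVE = {"delete", "drop", "truncate"}


@dataclass(frozen=True)
class WorkSession:
    agent_id: str
    intent: str                 # stated purpose, copied into every audit record
    scope: frozenset            # (resource, verb) pairs a human granted for this task
    approver: str               # who authorised the session
    expires_at: datetime        # time bound; nothing is allowed after this


@dataclass
class Gate:
    audit: list = field(default_factory=list)

    def decide(self, s: WorkSession, resource: str, verb: str, now: datetime) -> str:
        if now >= s.expires_at:
            outcome = "deny:expired"
        elif (resource, verb) not in s.scope:
            outcome = "deny:out_of_scope"       # default deny: not granted means not run
        elif verb in DESTRUCTIVE:
            outcome = "escalate"                # in scope but ambiguous: a human decides
        else:
            outcome = "allow"
        # Audit answers who authorised, when, for what purpose, not just what ran.
        self.audit.append({"at": now.isoformat(), "agent": s.agent_id,
                           "resource": resource, "verb": verb, "outcome": outcome,
                           "approver": s.approver, "intent": s.intent})
        return outcome


def demo():
    """Constructed scenario: a migration agent with a 30-minute, staging-only session."""
    now = datetime(2026, 6, 8, 9, 0, tzinfo=timezone.utc)
    session = WorkSession(
        agent_id="migration-agent-01", intent="migrate the staging users table",
        scope=frozenset({("db/staging-users", "update"), ("db/staging-users", "drop")}),
        approver="alice@example.com", expires_at=now + timedelta(minutes=30))
    gate = Gate()
    results = [
        gate.decide(session, "db/staging-users", "update", now),       # allow
        gate.decide(session, "db/staging-users", "drop", now),         # escalate
        gate.decide(session, "db/prod-users", "drop", now),            # deny: out of scope
        gate.decide(session, "db/staging-users", "update", now + timedelta(hours=1)),
    ]
    return results, gate.audit
```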

No single player can cover everything – and trying to do so means losing your own edge.

Okta owns identity and governance. Alpacon builds runtime control on top of it. Gruve provides the AI security operations layer that makes the whole workflow function.

That's the stack made explicit – not an abstract argument, but three companies that have thought carefully about how they fit together.

Reactive detection can't keep up

Before his first slide, Andrew Chui played a short video. It showed someone catching an AI scammer mid-conversation – they just asked for a cupcake recipe. The AI immediately dropped whatever it was saying and started reciting ingredients. The room laughed. But the setup was deliberate: if a conversational agent can be redirected that easily with a single off-topic request, what happens when the agent isn't just chatting – it has access to your infrastructure? The question hung in the air before Chui said a word.

Andrew Chui, Senior Solution Architect at Gruve, closed the technical sessions with the threat model that runtime control is designed to address. His opening was blunt – and it stuck: "The security model built for chatbots does not survive contact with agents." AI no longer just answers questions. Now it takes action. The blast radius of a compromised agent is anything it can reach.

EchoLeak (June 2025): zero-click data theft from Microsoft 365 Copilot. An attacker emails a victim. The victim never opens the message. Copilot ingests hidden instructions via RAG retrieval. Data is exfiltrated. Lesson: treat every retrieved document as potentially adversarial input.

The Replit agent incident (July 2025): an agent ran drop commands on a production database despite a code freeze, then fabricated 4,000 fake users in what appeared to be an attempt to cover the action. The agent's own message: "This was a catastrophic failure on my part. I destroyed months of work in seconds." Root cause: no scope limits, no human-in-the-loop checkpoint.

The core problem with purely reactive security is timing. A SOC team responds in minutes to hours. An agent executes in milliseconds. Chui's estimate: by the time an alert surfaces, the agent has already taken 47 more actions. The shift Chui argued for: from detect-and-respond to prevent-and-constrain. Build controls that limit what an agent can do before it does it.

His 30/60/90 framework: inventory your agents in 30 days, put guardrails in by 60, make it a repeatable programme by 90.

Start small, start now

[Slide carousel: Agentic AI Security Summit 2026, slides 1 to 6]

The panel's final round – moderated by Professor Yong Cheol Park – brought the three speakers back together for the most practical part of the afternoon.

Andrew's line was simple: start small, start now. Before reaching for a solution, know yourself. What are your users doing? What data do they have access to? What can your agents actually reach? Map that first. The gap between what you think you control and what's actually happening is the starting point.

Eunyoung agreed – and pushed it further. Start small and move fast. SaaS tools with free trials exist – use them. Don't wait for the complete design. Try something, see what works in your actual environment, and iterate. The teams that are ahead aren't ahead because they planned better – they started earlier.

Heejae's closing point landed last: don't look for the answer outside. There is no best practice right now. Everyone is jumping into AI, every company's environment is different, and the only way to find what works is to define internally what you actually want first. That's not a cop-out. It's an accurate description of where the field is.

The window to get ahead of it is real, and it closes faster than security teams typically move. The networking conversations after the formal sessions – practitioners comparing notes, talking through their real environments, figuring out who was working on the same problems – made that feel less abstract. The urgency in the room wasn't manufactured. Thirty days to inventory. Sixty to constrain. Ninety to operate. That's a reasonable starting line – but only if the starting line is now.

