A precise talk about the runtime layer. On June 25, 2026, Google Cloud and ISC2 ran From Prompts to Permissions: Securing AI That Thinks and Acts, presented by Anil Kumar Sirikande, a Cloud & AI Security Architect at Google Cloud. It is one of the clearest public walkthroughs of agent runtime security available right now. The framing is a three-part agent anatomy — the Brain (the LLM, or large language model, that reasons and plans), the Hands (tool-calling and execution), and the Memory (context and state) — mapped to three matching threat surfaces: prompt injection at the Brain, context poisoning at the Memory, and permission abuse at the Hands. The mitigations are concrete and correct: input sanitization and model guardrails, RAG (retrieval-augmented generation) source verification with cryptographic hashing, unique cryptographic agent identities in place of shared service accounts, least-privilege tool scopes, ephemeral sandboxed runtimes, drift monitoring against a golden evaluation set, and human-in-the-loop circuit breakers that fail closed. The speaker’s own close names the shift exactly: the security professional is no longer the auditor of content but the architect of agent policy.
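To make the Hands-layer mitigations concrete, here is an added example (my own illustration, not code from the talk or from Google Cloud) of a runtime policy gate for agent tool calls. It combines four of the controls the talk names: a unique per-agent identity, least-privilege tool scopes that deny by default, a human-in-the-loop circuit breaker that fails closed when no reviewer is reachable, and SHA-256 pinning of RAG source documents so a poisoned chunk is rejected before it reaches the model. The SPIFFE-style agent IDs, tool names, scopes and the sample policy document are all constructed for the example.

```python
"""Added example: a minimal runtime policy gate for agent tool calls.
Not from the ISC2 talk or any vendor product; identities, tools, scopes
and documents below are constructed for illustration."""
import hashlib
from dataclasses import dataclass

# Per-agent identity -> tools it may call -> scopes it may use them in.
# Anything absent is denied (deny by default). IDs are hypothetical
# SPIFFE-style identifiers.
AGENT_SCOPES = {
    "spiffe://example.org/agent/ticket-triage": {
        "read_ticket": {"project:support"},
        "post_comment": {"project:support"},
    },
    "spiffe://example.org/agent/payments-ops": {
        "read_ticket": {"project:billing"},
        "issue_refund": {"project:billing"},
    },
}

# Tools that must never execute without a human decision.
HIGH_RISK_TOOLS = {"issue_refund"}

# Pinned SHA-256 digests of retrieval sources, filled at ingestion time
# (the talk's "RAG source verification with cryptographic hashing").
TRUSTED_SOURCES: dict[str, str] = {}


def register_source(name: str, content: bytes) -> str:
    """Pin a source document's SHA-256 when it is admitted to the corpus."""
    digest = hashlib.sha256(content).hexdigest()
    TRUSTED_SOURCES[name] = digest
    return digest


def verify_source(name: str, content: bytes) -> bool:
    """Reject a retrieved chunk that is unknown or whose hash no longer
    matches the pinned digest (context poisoning at the Memory layer)."""
    expected = TRUSTED_SOURCES.get(name)
    return expected is not None and hashlib.sha256(content).hexdigest() == expected


@dataclass
class Decision:
    allowed: bool
    reason: str


def approve_tool_call(agent_id: str, tool: str, scope: str,
                      human_approval=None) -> Decision:
    """Gate one tool call. `human_approval` is a callable returning True or
    False, or None when no reviewer is reachable; then the breaker fails closed."""
    scopes = AGENT_SCOPES.get(agent_id)
    if scopes is None:
        return Decision(False, "unknown agent identity")
    if tool not in scopes:
        return Decision(False, f"tool {tool!r} not granted to this agent")
    if scope not in scopes[tool]:
        return Decision(False, f"scope {scope!r} outside least-privilege grant")
    if tool in HIGH_RISK_TOOLS:
        if human_approval is None:
            return Decision(False, "high-risk tool, no reviewer available: fail closed")
        if not human_approval(agent_id, tool, scope):
            return Decision(False, "reviewer declined")
        return Decision(True, "approved by reviewer")
    return Decision(True, "within scope")


if __name__ == "__main__":
    doc = b"Refund policy v3 (constructed): refunds over 500 USD need a manager."
    register_source("refund-policy", doc)
    print(verify_source("refund-policy", doc))                 # pinned copy passes
    print(verify_source("refund-policy", doc + b" (edited)"))  # tampered copy fails
    triage, payments = list(AGENT_SCOPES)
    print(approve_tool_call(triage, "issue_refund", "project:billing"))   # not granted
    print(approve_tool_call(payments, "issue_refund", "project:billing")) # fails closed
    print(approve_tool_call(payments, "issue_refund", "project:billing",
                            human_approval=lambda *_: True))            # approved
```

The point of the shape is that every denial path is reached before any execution, and the only path that runs a high-risk tool is an explicit reviewer approval; an outage of the approval channel produces a refusal, not a default-allow.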
I asked the speaker which artifact the auditor will want. The answer is worth sitting with. In the Q&A I put the question directly: in a regulated industry, what artifacts and controls should a team start collecting now, so that when auditors arrive — politely this year, far less politely next year — the file folder is ready? The answer reached for the traditional security lens: handle the sensitive data, know where it resides and who can access it, enforce the cryptographic boundaries on what enters and leaves the agent, and prove the agent performs against its golden-set evaluations under constant monitoring. Treat the agent as a black box — prove what goes in and what comes out meets the standard, then prove the inside does too. Every word of that is correct, and the moderator’s reply was apt: starting with the data is a great place to start. But notice where the answer lands. It describes the control plane — data handling, identity, encryption, evaluations. It does not name the artifact a board signs, the AUP (Acceptable Use Policy) an auditor reads, the risk assessment an examiner requests, or the third-party-verifiable record an underwriter files at renewal. That is not a criticism of the talk. It is the seam. A runtime architect’s instinct is to reach for controls and monitoring — and the governance artifact begins exactly where that instinct stops.
Identity is where the two layers actually meet. The most revealing exchange came on identity and scale. One CISO in the audience relayed a McKinsey projection of fifty agents per employee and asked, plainly, how much of that he is now obligated to log. The speaker’s framing was the right one — treat each agent as an untrusted insider, give it a unique identity, scope it to least privilege, and log in proportion to its autonomy and sensitivity. This is the same problem the industry is racing to solve under the banner of NHI (non-human identity) management: Google Cloud’s Managed Workload Identity (built on the CNCF SPIFFE standard), Wiz’s AI-SPM (AI Security Posture Management) inventory, and Cisco AI Defense with Duo Agentic Identity. All of it issues, scopes, and rotates the ephemeral credentials an agent holds at runtime — platform work, and necessary. But the question an underwriter now puts in writing is governance work: enumerate every non-human identity, name its owner, document its scope, prove a rotation and review cadence. NHI sprawl — the unmanaged growth of API keys, OAuth tokens, service accounts, and agent credentials that bypass human MFA (multi-factor authentication) — is a primary reason 82% of the intrusions CrowdStrike observed in 2025 were malware-free, up from 51% in 2020, and it now appears as a named line item on renewal questionnaires. Issuing the identity is a runtime control. Producing the documented inventory, scope, and review evidence that proves you govern those identities is an artifact.
What to do. Treat the webinar’s architecture as the layer it is — necessary, complementary, and downstream of governance. A mature 2026 program runs three layers, not one: a platform layer (Google’s Agent Platform, operating agents at runtime), an operations layer (AI-SPM tools like Wiz, finding and remediating exploitable issues), and an artifact layer above both that produces the regulation-anchored AUP, the Executive Risk Report, and the Board Memo the first two cannot generate. SanctumShield occupies that artifact layer for the mid-market — the 50-to-2,000-employee organizations that carry the same agent sprawl as the enterprise but have no platform-engineering team to stand up the gateway, the identity plane, or the telemetry — and it does not replace runtime defense. If Wiz, Palo Alto, or Cisco AI Defense already covers the running agent, keep it. The sequence is the whole point, and it is the same one the talk arrives at: build the governance framework first, then open the gates. Next step: see what an Agent Governance audit produces before you spend a dollar — the free Shadow AI Risk Calculator at /calculator, twelve questions, sixty seconds, no account required.
So here is the observation. Sit through the best agent-security session of the year. Stand up Google’s Agent Platform, Wiz’s agents, Cisco AI Defense. Issue every agent a cryptographic identity, sandbox every runtime, monitor every tool call. Do all of it, and do it well. At the end of the day you will still need the AI governance artifacts your auditor reviews and your board signs — the regulation-anchored AUP, the risk assessment, the agent inventory, the verifiable record — and not one of the tools you are running today produces them. They secure the agent. They do not satisfy the regulation, and they do not, on their own, demonstrate the due care and due diligence the standard of care now requires. That gap is not a tooling problem you can buy your way out of at the runtime layer. It is a governance artifact you have to produce — and being able to produce it, on demand, is what separates a defensible position from a merely well-secured one.
Source: ISC2 Security Briefings — From Prompts to Permissions: Securing AI That Thinks and Acts (Anil Kumar Sirikande, Google Cloud; moderated by Brandon Dunlap; June 25, 2026), available on demand.
