AWS re:Invent 2025 - Security & Compliance in the Agentic AI era w/ Kyndryl, Air Canada & AWS-AIM350

Securing Agentic AI: Insights from Kyndryl, Air Canada, and AWS

The Challenge of Agentic AI Security

  • Businesses are rapidly adopting Agentic AI, but CISOs are concerned about the new security risks it introduces
  • Agentic AI systems can autonomously make decisions and take actions, blurring the lines of accountability
  • Key concerns include:
    • Identifying and managing large numbers of AI agents
    • Ensuring agents are secure and behaving as intended
    • Preventing data breaches and unauthorized actions by rogue agents
    • Maintaining visibility and control as agents become more autonomous

A Three-Pronged Approach to Agentic AI Security

  1. Strengthen Foundations:

    • Update policies, control frameworks, and risk management processes to support Agentic AI
    • Implement robust testing and human oversight mechanisms for AI agents
    • Establish clear accountability and escalation paths for agent actions
  2. Build it Smart:

    • Develop reusable security components that can be easily integrated into Agentic AI systems
    • Leverage shared frameworks and tools to accelerate secure deployment
  3. Run it Securely:

    • Implement comprehensive monitoring and auditing of agent behavior
    • Establish control policies to enforce organizational rules and regulations
    • Use digital twins to test and validate agent behavior before production deployment

The AWS-Kyndryl "AI Agentic AI Digital Trust" Framework

  • Four key components:
    1. Discover and Register Agents: Maintain a comprehensive inventory of all AI agents
    2. Certify and Test Agents: Ensure agents are secure and behaving as intended
    3. Monitor Agent Behavior: Provide visibility into agent actions and decision-making
    4. Enforce Policy Compliance: Implement controls to align agent behavior with organizational policies

Governance and Compliance Considerations

  • New regulations like the EU AI Act are driving the need for robust Agentic AI governance
  • Key governance principles include:
    • Transparency: Comprehensive audit trails and documentation of agent capabilities and limitations
    • Accountability: Clear escalation paths and monitoring for anomalous agent behavior
    • Human Oversight: Maintain human control and the ability to intervene in critical agent decisions

Managing Third-Party AI Supply Chain Risks

  • Third-party AI applications introduce new security risks that must be actively managed
  • Recommended steps:
    • Shift from a purely contractual approach to continuous technical monitoring and testing
    • Require vendors to be more transparent about the AI components in their solutions
    • Implement rigorous data governance and access controls for agent systems

Preparing for the Future of Agentic AI

  • Expect increased scrutiny and regulation around Agentic AI security and responsible use
  • Anticipate more sophisticated attacks targeting AI systems, requiring advanced security controls
  • Focus on building a culture of shared understanding and collaboration across the organization to address Agentic AI challenges

Key Takeaways

  • Agentic AI introduces new security risks that must be proactively addressed through a combination of technical and organizational measures
  • Establishing robust governance, transparency, and human oversight is critical to building trust and ensuring responsible Agentic AI deployment
  • Collaboration between cloud providers, partners, and customers is essential to developing secure and scalable Agentic AI solutions
