VERIK / V040 / 24 JUN 2026
Five Categories / Governance

The Survey That Mapped the Defender Side

On June 22, 2026, a six-author team spanning multiple institutions published a survey titled "Rising From the Ashes: How Agentic AI is Unblocking Challenges in Cybersecurity". The authors are Gabriela F. Ciocarlie, Kathrin Grosse, Somesh Jha, Daryna Oliynyk, Andrew Paverd, and Christian Wressnegger. The paper appears the same day as the Five Eyes joint declaration on AI cyber risk, and one day before the companion piece on the attack surface of agentic offensive-security tools. The timing is not planned, but the symmetry is structural.

The central argument is direct: agentic AI can unblock security problems that the field has historically treated as too expensive to solve or effectively unsolvable. The bottleneck is labor. A large class of defensive security work requires sustained attention across natural language artifacts, code repositories, dependency graphs, and log data at a scale and speed that human analysts cannot sustain. Agentic systems that can ingest and reason over those artifacts directly, without requiring structured interfaces, change the cost equation.

The survey maps that claim against 16 case studies. Supply chain analysis appears explicitly. The case study selection covers the full defensive lifecycle: discovery, triage, response, and investigation. The paper does not assert that agentic AI has solved these problems. It asserts that agentic AI changes which problems are tractable. That is a structural claim, not a capability claim.

What the 16 cases map

The mapping exercise in the June 22 preprint is taxonomy work. The authors are not reporting benchmark results from a single system. They are asking a structural question: given the emergent capabilities of agentic AI systems as a class - the ability to reason across heterogeneous inputs, to plan multi-step tasks, to operate tool chains without human hand-holding at each step - which of the open problems in defensive security are now within reach?

Supply chain analysis is the named anchor case. It is a useful anchor because supply chain security is one of the clearest examples of a problem that scales faster than analyst capacity. The dependency graph for a modern software product can contain thousands of transitive dependencies. Each dependency is a potential insertion point. Assessing each one for license risk, known vulnerability exposure, provenance integrity, and behavioral signal requires exactly the kind of multi-source, multi-format reasoning that agentic systems are designed to perform.

The 16 cases are documented across two tables in the submission. The tables are the structural artifact of the paper: they translate the abstract capability argument into a concrete work decomposition. For each case, the relevant question is not "can an agent do this" but rather "which properties of the agentic architecture make this case newly tractable." The labor-bottleneck framing answers that question: the case becomes tractable when the agent can sustain the reasoning load across the artifact surface that no human team can sustain at the required scale.

The paper does not claim the cases are solved. The framing is deliberate: the survey maps potential. The gap between potential and deployed capability is where governance lives.

Governance reading

Most published technical work on agentic AI in security treats the agent as the attacker. The Anthropic Frontier Red Team report from June 2025, which mapped AI-assisted capability uplift to MITRE ATT&CK categories (G31 in the Verik arc), established the dominant frame: the agent is the threat actor, and the question is how far it can get. The NCSC NZ assume-compromise guidance published June 18 shifted the defensive posture to account for AI-accelerated exploitation. The Five Eyes joint declaration of June 22 moved the frame further: AI is now a substrate-level cyber risk, and the window between vulnerability discovery and exploitation is no longer measured in weeks.

The June 22 survey is the symmetric piece. If the attacker surface is widening because agentic AI can reduce the time and cost of offensive operations, then the defender surface is widening for the same reason. The defender can now, in principle, deploy an agent to perform supply chain analysis, fuzzing, triage, and response at a scale that was not economically feasible for most organizations twelve months ago. The capability gap that has historically favored well-resourced attackers over under-resourced defenders does not close automatically because agentic AI became available to both sides. But the survey argues that the bottleneck function has changed.

The governance reading is not that agentic defenders are sufficient. The governance reading is that the substrate to govern agentic defenders has not been built. The CISA Five Categories framework provides a structural vocabulary for the risks agentic systems introduce: privilege escalation, tool misuse, context poisoning, behavioral unpredictability, and accountability gaps. Those categories apply to agentic defenders as directly as they apply to agentic attackers. A defender deploying an agentic supply chain analysis tool inherits every privilege and tool-access risk the agentic architecture carries. The capability is new. The risk categories are the same.

The asymmetry is temporal. The attacker does not need governance to deploy the capability. The defender, deploying agentic tooling inside a regulated or compliance-bound environment, does. The gap between "tractable" and "deployable under governance" is the operative constraint the survey identifies without naming.

What composes with this

The June 22 survey arrives at a moment when the governance instruments for agentic AI in security are accumulating but not yet closing. The NCSC NZ assume-compromise guidance told defenders to reduce internet exposure, manage supply chain risk through SBOMs, and invest in the people who can operate under compromise. The Five Eyes joint declaration named five board-level governance instructions. Neither addresses the question of how an organization deploys an agentic defender in an environment where the agentic defender is itself an attack surface.

The Anthropic FRT MITRE mapping (G31) documented what an agentic attacker can do across MITRE ATT&CK. The June 22 survey documents what an agentic defender can do across the defensive lifecycle. The structural gap between those two documents is the substrate question: the agent that does supply chain analysis has tool access, credential scope, and behavioral latitude that the CISA Five Categories (C1-C5) are designed to constrain. Whether the Five Categories framework, as currently specified, is adequate to govern an agentic defender operating at the scale the June 22 survey describes is an open architectural question.

The CISA Five Categories name accountability as one of the five. Accountability for an agentic defender requires that the agent's actions across the supply chain analysis workflow be interrogable after the fact. That requirement is not yet operationalized at the level of a deployed agentic security tool. The June 22 paper maps the cases. The interrogability requirement maps to a substrate that does not yet exist in specified form.
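As an added illustration, not code from the survey or the Verik arc, the following sketch ties the two points together: the transitive dependency walk described earlier, and the requirement that every action the agent takes be interrogable afterwards. Each lookup the analysis loop performs is appended to a hash-chained audit log that can be verified after the run; the dependency graph, advisory feed and provenance table are constructed sample data, and the advisory identifier is a placeholder.

```python
"""Hash-chained audit trail for an agentic supply-chain analysis run (illustrative)."""
import hashlib
import json

# Constructed sample inputs: a tiny dependency graph, an advisory feed and a
# provenance table (True = attestation verified). None of these are real packages.
DEPS = {"app": ["libA", "libB"], "libA": ["libC"], "libB": ["libC", "libD"],
        "libC": [], "libD": []}
ADVISORIES = {"libC": "ADV-EXAMPLE-1"}           # placeholder advisory id
PROVENANCE = {"app": True, "libA": True, "libB": True, "libC": True, "libD": False}

GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only record of every tool call; each entry commits to its predecessor."""

    def __init__(self):
        self.entries = []
        self.head = GENESIS

    def record(self, tool, target, result):
        entry = {"seq": len(self.entries), "tool": tool, "target": target,
                 "result": result, "prev": self.head}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        self.head = entry["hash"]

    def verify(self):
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def analyze(root, log):
    """Walk the transitive dependency graph; every lookup goes through the log."""
    findings, seen, stack = {}, set(), [root]
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        adv = ADVISORIES.get(pkg)
        log.record("advisory_lookup", pkg, adv)
        prov = PROVENANCE.get(pkg, False)
        log.record("provenance_check", pkg, prov)
        if adv or not prov:
            findings[pkg] = {"advisory": adv, "provenance_ok": prov}
        stack.extend(DEPS.get(pkg, []))
    return findings
```

After the run, `log.verify()` answers the accountability question for this toy workflow: the sequence of lookups that produced each finding is fixed and tamper-evident.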

A symmetric piece on the security of agentic offensive tools appeared the next day, on June 23. That paper documents the kill chain by which an adversary can compromise an agent built to attack. The defender capability the June 22 survey maps and the attack surface the June 23 paper documents are not separate problems. An organization deploying an agentic supply chain analysis tool is deploying an agent with tool access, credential scope, and natural-language reasoning capacity that an adversary can target using exactly the mechanisms the June 23 analysis describes.

What remains on the table

The loop closed around an oversight function that was never instrumented.