Zscaler: AI Agents Need Zero Trust Too

Zscaler's Deepen Desai discusses the shadow agent crisis, how an OpenClaw bot jumped to a CI/CD pipeline without anyone knowing, why zero trust must extend to AI agents, and ThreatLabz data showing AI adoption approaching a trillion enterprise transactions.

Last updated on May 21, 2026. Written by Joel Witts.

Two years ago, the shadow AI conversation was about employees using consumer-grade ChatGPT at work. Today, the problem has evolved into something far more dangerous: shadow agents. 

These are AI agents that can work autonomously in enterprise environments, install packages, access systems, and take actions their operators never intended. The speed at which these agents can be compromised and exploited is, according to Zscaler’s threat research team, exponential.

Deepen Desai is the Chief Security Officer at Zscaler, where he oversees the company’s security strategy and leads the ThreatLabz research team. The team’s latest AI security report, drawing on telemetry from large enterprises using the Zscaler Zero Trust Exchange, shows AI adoption approaching a trillion transactions in 2025, with 80 to 90 percent year-on-year growth.

But adoption is running well ahead of governance: 39 percent of AI-related activity was being blocked due to policy violations or DLP triggers.

Expert Insights spoke to Deepen Desai at RSAC 2026 to discuss why zero trust must extend to AI agents, the real-world shadow agent incidents Zscaler is tracking, and the three-bucket framework he recommends for organizations trying to keep up with the pace of AI adoption.

Q. What are the main themes for Zscaler at RSA this year?

Last year was all generative AI. There were speculations that a lot of this was experimentation, people playing around with chatbots, and that the agentic piece was not that prevalent and would go away. But based on what we saw when we looked at the telemetry for all of 2025, it’s definitely growing and thriving and being adopted widely. That’s what we’re seeing on the floor at RSA as well. It’s AI and agents. That’s the two things.

When it comes to Zscaler, we’re still pretty consistent on three investment themes. One is the whole zero trust everywhere strategy, our Zero Trust Exchange. Second is enabling organizations to adopt AI securely, our AI security offering. And third is our agentic SOC platform, where we want to help organizations operationalize all of their first-party telemetry along with critical third-party tooling. So, zero trust exchange, AI security, and agentic SOC.

Q. What’s the feeling among the CISO community about the pace of AI adoption? Is it adding stress?

CISOs definitely have this as one of their topmost priorities from a risk reduction perspective, because every organization has either a CEO mandate or a board-level mandate to adopt AI. CISOs are not in a place to stop that. But they are in a place to become that business enabler. How do I help my organization securely adopt it?

One comment I heard from a CXO was: “I’m not willing to send all of this sensitive data to a three-month-old company or a six-month-old company. They may not be around a year or two later. I would want to invest in a partnership with one of my critical partners to help me solve these use cases.” Having said that, there will always be a role for startups, which is why we’re seeing so many companies out there.

The way we are suggesting organizations approach it is three buckets. First, AI asset management: observability for what AI apps exist in your environment, how many shadow AI apps are out there that you’re not aware of. Second, guardrails around what goes in and comes out: the ability to inspect the intent of a question being asked and the response, applying your data loss prevention engine. And third, continuous red teaming, using AI to target AI infrastructure to find gaps before something goes into production, or even after. AI asset management, guardrails, continuous red teaming. When you have those three in place, you have a strong governance framework underneath.

Q. One of the things I’ve been hearing is that humans can’t realistically manage hundreds or thousands of AI agents operating at scale. For the agent piece, if you’re dealing with prompt injection, it’s got to be another AI trying to figure that out.

Yes, exactly. That’s where our Zero Trust Exchange comes into the picture. We started with users, then we extended to workloads and public cloud. Now we’re working on an agentic exchange where the same zero trust principles apply to agents as well. Otherwise, if one of those agents is compromised and your users can’t talk to each other, but all of these agents are on a flat network communication channel where they can poison each other and attack each other, you’re essentially creating a huge attack surface. Same zero trust principle needs to be applied to agents.

Q. The shadow agent problem has evolved beyond just shadow AI. Users might not even realize there are three or four agents coming off a single interaction. What does that look like in practice?

A perfect example is the OpenClaw framework. There were several organizations that had that shadow agent sitting in their environment. One conversation I had with a very senior person at a company, their developer had OpenClaw installed for experimentation on his dev box. A week later there was an incident where the OpenClaw bot was running on their CI/CD pipeline. They were clueless on how it jumped from one to the other. Nobody did anything. But it’s the agent’s ability to do that next-level thing based on whatever you’re asking it to do. Whether it’s lateral propagation, whether it’s moving around accessing things you didn’t want it to, if it has access, it will access. The attack surface is very different.

The problem becomes even bigger when you’re dealing with supply chain attacks. There is one in the news right now: Trivy, the vulnerability scanner typically used in GitLab pipelines, was compromised by a supply chain attack. The downstream impact was that using the compromised Trivy, attackers could compromise packages. LiteLLM was one example. There may be several others that we’ll discover over the next few days.

Now think about a shadow agent sitting in your environment that you’re not even aware of, and it’s trying to install some of these compromised packages. You didn’t even know the agent exists, and now you don’t even know these packages have been downloaded and installed in your CI/CD pipeline. The speed at which some of these attacks are going to happen, the speed at which these compromises will happen, are going to be exponential in the age of shadow agents.

Q. How are threat actors using AI, and how is Zscaler helping organizations defend against AI-powered attacks?

We’ve seen several instances across the attack chain where threat actors are using AI. There were leaks last year from some of the very prevalent and successful crime gangs. There was strong evidence of them using AI for malware, for phishing, for exploitation across the board. More recent evidence is where they will even use AI to classify the data that they’re exfiltrating from the victim environment and then figure out where the sensitive stuff is, to go after the victim even harder. They’re definitely using it to target organizations.

To defend against it, organizations need a platform leveraging AI to fight at that same speed. The way I like to look at it is there are security outcomes you can achieve with AI. There’s traditional ML for detecting payloads and phishing attempts. Then there’s generative AI with agents: a triage agent working in tandem with a context agent and a detection agent, helping get through the noise so your Tier 2 and Tier 3 analysts can focus on actual incidents versus getting buried under alert noise. And then the third piece is AI-driven policy: continuously assessing your posture and, based on the threat landscape, making suggestions on what you should do to reduce your risk. Security outcomes, agentic SOC operations, and smart policy.

Q. What are the key takeaways from the ThreatLabz AI security report?

People were speculating that AI adoption might slow down. The report makes it very clear. There was 80 to 90 percent growth in overall transactions. It actually approached close to a trillion transactions that we saw from large enterprises hitting one or many of those AI applications. Another staggering stat: almost 39 percent of that activity was getting blocked, either by URL category-based policy or by DLP violations.

The team also looked at LLM adoption. OpenAI had a lot of activity from the years before, which means many apps embedded OpenAI models in their workflows. OpenAI was at the top. Anthropic and Gemini have been picking up significantly over the last three to six months. In terms of industry verticals, financial services, insurance, technology, and manufacturing were among the top three to adopt AI.

An interesting example of the speed: with the Iran conflict, almost 8,000 domains were registered over a period of 72 hours. Not every one was active, but they can be activated at any time. They were trying to take advantage of the news cycle to target victims in impacted countries. There were scams, attempts against government agencies using decoy images showing missile attacks and the aftermath. And interestingly, everyone was expecting a lot of activity from Iranian APT groups, but we saw more from China. Every nation-state adversary will try to take advantage of a notable news event.

Q. If a CISO came to you and said we’re adopting agentic AI, what would your advice be?

Three buckets again. Number one, prioritize zero trust. This is going to help you not just with your own AI adoption but also to protect yourself against AI-driven attacks. Zero trust is even more critical now than it ever was before. Number two, to enable your organization to securely adopt AI, you need a blueprint: AI asset management for observability, guardrails around what goes in and comes out, and continuous red teaming. More often than not, people think they have a dozen AI apps, but they end up having thousands running. And the underlying governance layer happens because you have these three pieces in place.

Third, leverage AI to fight AI. Continuous red teaming is one aspect, but also fighting against AI-driven attacks. That’s where agentic SOC operations come in: letting agents do the triage, detection, and investigation work. It’s still not at a place where it can replace humans. But it can definitely make humans more efficient and more effective, and have them focus on things that actually matter versus getting lost in the noise.

Written by Joel Witts, Content Director

Joel is the Director of Content and a co-founder at Expert Insights, a rapidly growing media company focussed on covering cybersecurity solutions.

He’s an experienced journalist and editor with 8 years’ experience covering the cybersecurity space. He’s reviewed hundreds of cybersecurity solutions, interviewed hundreds of industry experts and produced dozens of industry reports read by thousands of CISOs and security professionals in topics like IAM, MFA, zero trust, email security, DevSecOps and more.

He also hosts the Expert Insights Podcast and co-writes the weekly newsletter, Decrypted. Joel is driven to share his team’s expertise with cybersecurity leaders to help them create more secure business foundations.