Swapnil Bhartiya: Hi, this is your Swapnil Bhartiya, and we are here at Cisco Live, and today we have with us Amy Chang, head of AI Threat Intelligence and Security Research at Cisco. Amy, it’s great to have you on the show.

Amy Chang: Thank you so much for having me, Swapnil.

Swapnil Bhartiya: And you’re also author of the 2026 State of AI Security Report. Should we start there?

Amy Chang: Absolutely, let’s go. Let’s dig right into it. Yeah.

Swapnil Bhartiya: So let’s talk about some of the findings of the report, some of the key findings. And I’ll caveat this by saying we wrote our report in December and so much has changed in six months. So, you know, I think the main through lines that come through is number one. Prompt injections and jailbreaks still remain a very large issue. I think the news about threat actors being able to compromise meta AI to be able to do account takeovers is one of the most recent examples of how prompt injections can still be effective to compromise AI. Then in addition to that, the supply chain from all the way from the models that you choose to download and develop to deploy all the way through your agentic deployments still remain susceptible at each of those stages. And so there’s lots of other things that we dig into in the report that kind of go into that. So model provenance, agentic risk, supply chain risk. So whatever you want to focus on next, we can dig into a little bit more.

Swapnil Bhartiya: Now, Cisco is in a unique position because you are sitting at the very core center because no traffic has with hotview folks test. And that’s kind of visibility a lot of companies want, but they don’t have it. So talk a bit about the unique vantage point that you have, what kind of visibility you get that other companies want but they don’t get.

Amy Chang: Absolutely, yeah. I think as you said it, you said it better than I could. Cisco sits at like, you know, they have complete visibility into all the networks. And then we are able to kind of capitalize off of that by understanding the deep understanding over the course of the past several decades by which Cisco has existed, all the kind of trends and behaviors that are observed. And from that, what we’re able to do, and specifically from my team’s expertise, is leverage our understanding of AI and how AI can be compromised, as well as our background in security operations and threat intelligence, understanding how adversaries behave. So then how have they traditionally taken advantage of vulnerabilities in networks and devices and things like that, but then translate that into another lens, which is AI, and then being able to see how have they adapted, how have they kind of adopted AI even in their operations to be better able to understand and compromise AI for whatever malicious end goals they have.

Swapnil Bhartiya: You did mention some kind of threats that you’re seeing, but now we have MCP servers are there, the whole agentic AI is there, organizations are AI is not just is it assistant anymore, is it also executing things? So you also have to worry about governance a lot there globally, a lot of AI sovereignty in Europe, they are passing a lot of laws there. So a lot of things are happening where you do need to focus a lot on governance as well. So what kind of work is going on in that space and what kind of challenges posing for sure.

Amy Chang: So before I talk about the agents and then the MCPs and all that kind of stuff, we all know that what powers that is the model, right? So behind everything, you strip everything down, it’s still just the model. And then beyond that, what you need to understand is like, where did that model come from? Where did you download it from? Was it truly what it says it was? You said you downloaded a Metalama model. Is that actually what ended up being deployed? And in addition to that, you also have to account for all the data that goes into the training as well. Where did that come from? Was it open source data sets, proprietary data sets? How then from, you know, as you’re developing it, putting in or instituting guardrails of what should be, you know, exposed or not exposed and then, and then so all of that is to say like, you know, if you deploy an agent or a model or an application or tool or whatever it may be, but you don’t have visibility into the chain of custody of like where the model came from, what it did, what information was fed into it. When something goes wrong, if say like, you know, your customer facing retail application starts spitting out Python code at you, did it happen because it was trained with improper data? Did it not have the proper guardrails in place? So as we move into an era where then people are trying to understand and wrap governance around AI deployments, you also need to start having those building blocks in place as well to provide that transparency and visibility to help alleviate any sort of the downstream remediation, incident response kind of impact.

Swapnil Bhartiya: When we do talk about model provenance, because you can look at open bit models where you do get a lot of, you know, but then you can also use API. But the challenge is that all your data is going through those companies. So sometimes you have to pick and choose that as well. How, how to make that balance?

Amy Chang: I think that is up to, you know, when we think about risk and risk acceptance, it’s very similar to what we, what we deal with now in cybersecurity where you kind of do a threat model where you try to understand where you can have potential risks introduced into your environment. And some of those is if you’re going through an API that is a, that is owned by a third party, that means the data might be going through that way as well. So you know, that’s up to your GRC teams, your governance, risk and compliance teams of whether or not they accept that level of risk or you need to institute or build other types of solutions.

Swapnil Bhartiya: Can we now talk about MCP? Because while MCP, when it comes to of course agents, it does help a lot. Even anthropic, they are offering, even small companies, they have like hundreds of agents nowadays. Right. If you look at agents, MCP while they’re enabling a lot of things, but they’re also opening some attack surfaces as well. Right. So what are those? And from your perspective, what is Cisco doing to protect the customers? So you have the flexibility of what you want to use, but you don’t take those risks.

Amy Chang: When MCP was first introduced at the end of, was the end of 2024, within six months we were like, okay, this is actually going to be a thing. We need to kind of develop something to kind of guard against that. I think no solution out there in the entire ecosystem really covered that as a threat surface. So what we did was develop an MCP scanner and then we open sourced it and then have improved upon, I think we’re on version four point something now. So it’s just like constantly taking in how the landscape is changing and making sure that our scanner is able to kind of understand how those threats have evolved and make sure that we have coverage for those. And so you’re absolutely right. I think like there is the connection to the servers themselves being susceptible, but then also like having another prompt surface, having the tools and resources that they can go then invoke, making sure that those are kind of within bounds and within reason. One particular aspect of it that is unique to the MCP scanner is that we also do behavioral code scanning which is to make sure that when you are invoking a specific tool, we look at the code of the tool as well as in matching it to the description to see that yes, truly this is something that helps you send email, but doesn’t have any additional lines of text that say, I’m actually going to also send your blind carbon copy of the email to an attacker controlled database. So we kind of also make sure that not only are the implementations of MCP secure, but like the actual engagements also secure.

Swapnil Bhartiya: Which also makes me think these days, agents, there are no more assistants, they are executing a lot of things on your behalf as well. And they can do things that once again, you did not intend to do. From your perspective, what kind of look, there are certain things and you said don’t send the mail, just draft it, but it will send the mail. You know, don’t you know this is private key, don’t share with someone else. So these are very, very general. But from security perspective, when agents are becoming more and more autonomous, they are executing things, they’re taking actions on there. What kind of security risks that you are either seeing or you are that this will become a security problem at some point.

Amy Chang: I think there’s also a consideration of like, you know, let’s leave identity out of that for now, but let’s just focus on the behavior of the agents themselves. Making sure that the behavior is aligned to what the user as well as the actual building of the agent is in is, stays within the context of what it is intended to do. And so you know, for some people you could say like delete this entire directory and that’s totally okay. But then if it’s a different person or a different use case, you wouldn’t really want that to happen. Right. And so making sure you understand kind of like what those baseline expectations of what expected behavior as well as allowed behavior is. And then when it starts to deviate from that having some sort of detection or protection in place to flag or stop an unauthorized action from actually manifesting.

Swapnil Bhartiya: But sometime by the time you realize that deviation happened, the damage has been done. You know, that is one part second is that we are also talking about agent to agent communication. That’s also a lot of factor because you can influence an agent that hey, you do this and that. So I mean this is a can of worms that if we start opening it’s like onion keep peeling. So it’s a very challenging space. It’s going to be. So talk about how are you looking at it and are you using AI also in a way to understand the pattern of AI?

Amy Chang: Oh, of course we’re. Yes, of course we’re using AI. In addition, I think in addition to all the things that you mentioned, it is kind, it’s like, you know, as I mentioned, I think in if it wasn’t in our preparatory conversation, but it was in earlier in our conversation that the models power those agents. Right. And so if you understand how those models behave and how they fail, then you can also build the guardrails and protections in place such that you can prevent a kind of cascading effect or like institute additional protections in place to prevent from, you know, a wide scale kind of impact from one misconfiguration or one misaligned output.

Swapnil Bhartiya: When you say that, understand how are you talking about the actual model weight or you’re talking. Because models, new models keep coming in and new models being totally. You have to reiterate.

Amy Chang: Yeah, it would be like basically what their failure points are. So we have another tool that is publicly accessible called the LLM security leaderboard. You can find it at leaderboard.aidefense.cisco.com and what it does is show you. We have about 100 models on there where we have done adversarial testing against it and shown what types of attacks they’re susceptible to. And then drilling down into specific areas of sub techniques and procedures of like, oh, these are, you know, context manipulation is a higher risk category for these types of models versus those types of models. And then from there you’re able to understand like, okay, there are some subject areas as well as manipulation techniques that these models are susceptible to. So if I’m taking and downloading and developing and deploying this type of model, I need to ensure these specific types of guardrails are in place to prevent the manifestation of that.

Swapnil Bhartiya: What I feel good about, I think if you look at 10 years, because we used to hear a lot of security stories, those went away. We do hear about things, but they are more like misconfiguration, human error or something like that. A bug which was patched, but the patch was not applied. So we have come far, you know, when it comes to. But with AI, things are going to change. And also now we are deploying AI at edge also. And those cases can also. They’re all connected. What contributed to this improvement in security? Was it more about tools and technology or the whole emergence of DevSecOps and the CISOs processes? And because processes can eat your strategy any given day. What can we learn from that and bring that into this era of AI driven, where AI is driving, whether it’s network or my compute or my communication, so that we can borrow, so we can build those best practices or culture within organizations.

Amy Chang: I think you nailed it on the head in the sense that we have learned a lot from the cyber era and now we are coming in to the AI era with a general understanding of like, hey, there are security risks that are involved. If you’re connecting these things and they’re connected to other things, you can have, you know, a cascading set of failures. But I think, and G2 said this too, I can’t remember which event he said it at. But like, you cannot deploy AI without also thinking about security. And that’s why you’ve seen a lot of the announcements over the course of the past several months are rooted in security. So we understand that when we’re thinking about the upside of what AI brings from a productivity sense, from innovation stance, we are also grounded by the fact that these are extremely capable tools that can be misaligned, misused and misappropriated. And then what kind of knowing, with our understanding of how AI and generative AI functions as well as how agents behave, what kind of protective measures can we institute today so that we can enable secure deployments? And that’s what we try to do on my team.

Swapnil Bhartiya: Excellent, thank you. Now, I also want to talk a bit about. We have been talking about, you know, the bad actors, but what are things that can happen at user end? Also, if you look at Money model, sometime we upload an image for analysis. We upload PDF files. In general, we, most of the time, hey, in general, we do that as a consumer or else as a business user, what kind of risks you see, remember the email age was that don’t click on that attachment, let’s reverse that. Don’t upload this file.

Amy Chang: That’s right. I think there’s definitely the way to kind of directly induce kind of a prompt injection via an upload. But if we think we put our agent hats on and you think about computer use agents specifically say they’re helping you book a flight or helping you make a reservation at a restaurant, they have to navigate to that website, right? They have to go to someplace, they have to search and find, oh, what’s the best restaurant that I should go to in my time here in Vegas? And then on that website you could have an advertisement, you could have other types of hidden text that you can’t see by the naked eye. But the model like takes these screenshots or takes information from that website to help achieve that task. And then within that, what you’re able to do, if you’re a malicious actor, you can embed a prompt injection or a jailbreak within there that we don’t see, but the model at the embedding layer is able to then see, and then it takes that information and acts upon it. You could take another example of like, you know, people who have stood in front of Waymo’s, the autonomous vehicle with a stop sign on their shirt. And because it sees the stop sign and trained to see, when it sees a stop sign to stop, then the car stops moving. Right? And so when we’re starting to look at other types of modalities of inputs as we enable AI to enable our lives, you also have to take into consideration how those also then become attack vectors or vectors of compromise as well.

Swapnil Bhartiya: What work is being done right now in this kind of. Or you’re like, it’s very early stage to just understand where we are.

Amy Chang: There is, it’s, I would say it’s a mix of both. Where we have really great experts that are helping us kind of understand what the threat looks like, how we can manifest it in different areas, which is like, you know, like whether it’s a website or maybe in a car or things like that. But in addition to that, I think we’re also able to understand from our experience with threat intelligence how threat actors behave. Right. They’re not going to go and find the most creative way that’s really resource intensive. They’re going to find what works, right. And the easy things. And so what we’re trying to do, exactly what we’re trying to do is like, how can you most easily achieve this attack and then, you know, especially scale it and then what kind of protective measures can you put in place? And so that’s where we want to focus because we want to make sure that we meet the threat actor that are also innovating where they’re at.

Swapnil Bhartiya: Last question before we wrap this up. You also track global, you know, the policy regarding AI, whether it’s US, Europe, China, other regions also talk a bit about what kind of consensus you are seeing is being built or we are looking at a fragmented security landscape where now companies like CRA is a very good example, right. In Europe, are you aware of CRA Cyber Resilience Act? Yeah, so now it is creating. Because it doesn’t matter what you are, if you’re selling into Europe, you have to be compliant with that. So when it comes to AI, what can we learn from that? So that, I mean it will be tricky to have a global consensus around that, especially in this geopolitical situation. But what are you seeing from the perspective AI, security policies globally?

Amy Chang: I think that there is a general consensus that security matters and I think that they’re still trying to fine tune of like how can we be forward looking to ensure that we don’t become too onerous of a regulatory kind of environment while also balancing with the ability and recognition of the need for security. So I think like having these kind of open conversations, whether they’re through regulatory vehicles or even just conversations that you and I have, we start to educate the broader populace of like understanding how security is fundamentally one part of an implementation of a technology that I think that we’re going to start to advance of like understanding and finding that happy middle ground where we’re able to like continue to pursue this rapid innovation that we see and experience day to day, but also be able to balance that with the appropriate level of security regulation.

Swapnil Bhartiya: Amit, thank you so much for joining me. And this is not only very insightful discussion but also very important discussion that we need to have to be ready to learn. Thank you for insights and I would love to chat you again.

Amy Chang: Thank you.