The Agentic Security Market Can’t Agree What It’s Worth
TAM forecasts 23x apart, the 79→11 production gap, agent identity becomes the perimeter, Cisco buys its way in, and Brussels slips the clock while the states hold the line.
The setup this cycle is abundance. Global AI spending cleared $2.59 trillion in 2026 by Omdia’s count, and unlike almost everything else AI touches, security spend is going up, not down. But underneath the money is a category still arguing with itself. The analysts can’t decide whether “agentic AI security” is a $7 billion market or a $180 billion one. The people deploying agents are mostly stuck in pilots. And the regulators moved the goalposts in two different directions in the same month.
Three threads run through everything below: a market that can’t size itself, a production gap nobody’s closing, and identity quietly becoming the whole ballgame. Let’s get into it.
Market & Capital
Pull five “agentic AI” forecasts and you get five different universes. MarketsandMarkets sizes agentic AI security at $1.65B in 2026, growing to $13.52B by 2032 at a 42% clip. Mordor’s narrower cybersecurity cut lands at $7.84B by 2030. Widen the lens to the whole AI-agents market and Grand View Research projects $182.97B by 2033. Same words on the tin, roughly 23x apart on the number.
Here’s what’s really going on. Each of those houses drew the category boundary wherever their model looked best, then called the result a forecast. None of them are lying. They’re answering different questions and selling the answer as the same thing.
For a defense buyer, the TAM is noise. The signal is the line item your authorizing official will actually fund, and that’s a much shorter list: agent identity, runtime monitoring, and the evidence trail that gets an agent through an ATO. Size that, not the universe.
Consolidation is buying the thing the platforms couldn’t build
The clearest read on where this market is heading isn’t a forecast, it’s an acquisition pattern. Cisco is reported to be in advanced talks to buy Astrix Security for $250 to $350 million. Astrix does non-human identity. That’s not a coincidence, it’s the tell.
Platforms that were late to agent-native security are paying cash to catch up, and the capability they keep reaching for is identity, not the model. When a networking giant decides the fastest path to agent security runs through a non-human identity startup, that’s the market telling you where the control point sits.
In cleared environments this lands early. We already live and die by identity governance for people. The primes that win agent adoption will be the ones who extend joiner-mover-leaver discipline to non-human identities before the first authorization conversation, not after the first incident.
AI is making everything cheaper except security
Across coding, support, design, and content, AI is a cost-deflation story. Security is the exception, and it’s worth understanding why. Every agent you stand up mints new identities and new attack surface, so the technology that cuts costs everywhere else drives spend up here.
The numbers back it. Gartner puts 2026 global information security spend at $244 billion, up 13.3% year over year. Microsoft’s security business alone cleared roughly $37 billion in FY25, larger than the entire global cyber market was a decade ago. One projection has the “AI-amplified security” slice running from $49 billion in 2025 to $160 billion by 2029.
If you’re building here, you’re swimming with the current, and the risk was never demand. The risk is getting bundled into irrelevance by a platform that ships your feature as a checkbox. The defense against that is the same as it’s always been: own a workflow that’s hard to commoditize, ideally one that lives in a regulated, evidence-hungry environment where “good enough” doesn’t pass an assessment.
The Agentic Front
79% have agents. 11% have them in production. That gap is the market.
Strip away the market noise and here’s the number that should anchor every strategy conversation: roughly four in five enterprises report adopting AI agents in some form, while only about one in nine actually run them in production.
That’s a 68-point gap, and it’s the largest deployment backlog enterprise tech has seen since the early cloud migration. It is not a capability gap. The models work. It’s a governance gap, an identity gap, and an evidence gap stacked on top of each other.
When an agent shows up in a client’s environment, I want three answers. What can it reach? What identity does it run as? And is there an audit trail when it acts on its own? The honest answer is usually some version of “we hadn’t thought about that.” That’s the gap. Not intelligence. Accountability.
OWASP names the five threats, and the through-line is autonomy outrunning governance
OWASP’s State of Agentic AI Security and Governance v2 (https://genai.owasp.org/resource/state-of-agentic-ai-security-and-governance/) defines the current threat landscape in five threats: the autonomy shift, prompt injection as the foundational unsolved problem, the agentic supply chain moving from theory to active exploitation, the governance gap created by vibe coding and shadow AI, and the agent identity gap where non-human identities now outnumber humans while their governance stays immature.
What ties them together is uncomfortable for anyone hoping the model vendor will save them. None of these are model problems. They’re deployment-layer problems, owned by whoever stands the agent up. The good news is the controls are yours to build. The bad news is “the model is safe” was never a security posture, and the bill for treating it like one is coming due.
And prompt injection may not be fully solvable at all. Recent research argues the prevailing defense, separating data from instructions, fails on both ends: it misses real attacks and breaks legitimate flows. If that holds, defense-in-depth is the only honest answer, and any control that can itself be prompt-injected isn’t a control.
Offensive AI capability is doubling faster than Moore’s Law
The capability curve is the part that should reorganize your threat model. The UK’s AI Safety Institute measured the length of cyber tasks frontier models can complete doubling roughly every 4.7 months. Palo Alto Networks reported frontier AI surfacing about 7x more vulnerabilities across its product portfolio in a single month than its normal baseline, the equivalent of a year of pentesting in under three weeks.
For the defense industrial base, the takeaway isn’t panic, it’s tempo. Any strategy built on the assumption that human expertise is the bottleneck is already out of date. The same capability is available to the people testing your systems and the people attacking them, and the window where defenders hold the advantage is measured in months, not years.
The agent identity stack is actually forming
Here’s the encouraging part. A year ago, agent identity was a slide. Now it’s shipping. AAuth, Microsoft’s Entra Agent ID, Google’s agent identity work, and AWS AgentCore are converging on the same idea: agents need first-class, attestable identities with scoped, revocable authority, not borrowed human credentials.
This matters more in regulated environments than anywhere else, because identity is where your audit story lives. If you can attest who an agent is, constrain what it can do, and prove what it did, you’ve solved most of what stands between a pilot and production. The convergence question now is adoption, not feasibility.
GovCon & the Governance Clock
Brussels bought 12 to 18 months. The states didn’t blink.
The regulatory calendar just split. Under the Digital Omnibus, the EU agreed to push its high-risk AI deadlines back, standalone high-risk systems to December 2, 2027 and product-embedded high-risk to August 2, 2028. The original target was August 2026. Meanwhile the U.S. state patchwork held its line. Texas’s Responsible AI Governance Act took effect January 1, 2026, and Colorado’s high-risk law is live this year.
The direction didn’t change, only Europe’s calendar did. For commercial teams that’s breathing room. For defense suppliers the EU was never the anchor anyway. The frameworks your contracts actually name are NIST AI RMF, the emerging NIST agent-standards work, CMMC, and FedRAMP, and none of those slipped.
What this cycle means if your buyer holds a clearance
Tie it together and a specific opening falls out for the cleared market. Agents are arriving fast. Identity is the unsolved control. Evidence is the gate to production. And the federal frameworks for all of it are still being written. That’s a narrow window where a supplier who can prove agent governance (inventory, least privilege, signed actions, and continuous compliance artifacts) is differentiated instead of commoditized.
The highest-leverage thing a GovCon security shop can own right now is the crosswalk: agentic threats mapped to 800-53 controls and CMMC practices, in language an authorizing official recognizes. Whoever builds that mapping cleanly doesn’t have to win the capability argument. They win the procurement.
Final Thoughts
The capability debate is mostly settled. Agents work, and they’re already inside enterprise and government workflows. What’s unsettled is everything operational: who governs an autonomous identity, who produces the evidence that lets it ship, and who owns the risk when it acts at machine speed between audit cycles.
The market numbers will keep diverging because the category is still being drawn, so don’t anchor on the TAM. Anchor on the gap. Closing the distance between 79% adopted and 11% in production is the actual product, and in regulated environments it gets closed with evidence, not enthusiasm.
A few questions worth sitting with until the next brief. Who owns agent identity in your org, security or nobody? What’s your audit trail when an agent acts on its own authority? And is your agent governance mapped to the framework your contract names, or to a blog post?
Brussels slipped the clock. The threat actors didn’t. Build like the deadline is still this year.






