The Next Billion Users Won’t Be Human: Securing the Agentic Enterprise

For decades, the “user” at the heart of enterprise security has been a person.

We built MFA to verify their identity and training modules to sharpen their skepticism. But as we move through 2026, the math of the modern workforce has fundamentally shifted. The fastest-growing segment of the enterprise workforce isn’t being hired — it’s being deployed.

The “next billion users” on the web won’t be humans browsing from laptops; they will be autonomous AI agents.

At the RSA Conference, I sat down with Ramin Farassat, CPO at Menlo Security, to discuss the evolving security landscape. He noted during our conversation that the order of magnitude explosion of agents is not some kind of future theory — it’s a current reality.

“We’re actually seeing a lot of traffic now within our own network that is generated by AI,” Farassat said. “I could potentially start with one agent and overnight turn into 10,000 agents.”

The recent launch of Menlo Security’s Browser Security Platform marks a pivotal moment in this transition, addressing the “Agentic Paradox”: the reality that, while AI agents offer massive productivity gains, they operate at speeds and scales that traditional security guardrails cannot match.

Accelerating AI deployment by solving the ‘Trust Gap’

For many CIOs, the biggest bottleneck to AI ROI is the “Trust Gap.” Promising AI agents are often held back from production because security teams can’t guarantee they won’t go rogue when encountering a malicious prompt.

Traditional security tools are reactive, whereas AI agents are uniquely vulnerable to “invisible” threats such as prompt injection. Farassat describes these agents as inherently “gullible,” lacking the human intuition that allows a person to spot a scam.

“Something that could potentially not fool you and me could easily fool an agent,” he explained. “A very simple prompt poison, something like a text that’s the same color as the background, could potentially fool an agent to perform a task and potentially leak data out.”

To accelerate deployment, Menlo is introducing what it calls the Guardian Runtime. By moving the security control point directly into the browser session, the platform serves as a protective layer, ensuring agents don’t mistake a malicious command for a legitimate instruction. This shifts security from a “No” department into a business accelerator.

“Let’s work with the developers,” Farassat urged. “Let’s help them build agents that from the get-go are built in a secure way.”

What this means for the security industry: Intent over identity

The security industry is witnessing a fundamental architectural shift. For years, we focused on the endpoint or the network. But in an agentic world, the action happens in the session.

AI agents frequently leverage “headless browsers” to interact with SaaS applications because many enterprise tools lack high-performance APIs. Because these agents operate at machine speed — clicking on 1,000 sites in the time it takes a human to click on one — the industry must move toward Instruction-Data Separation.

This means the security platform must be able to distinguish between an authorized task and a malicious one hidden within a PDF or a web-scraped page. Menlo’s approach involves real-time sanitization, stripping away malicious components before they ever reach the agent. This moves the industry toward a future where we don’t just manage who is on the network, but what they intend to do.

The practitioner’s perspective: Managing the ‘digital insider’

For the security practitioner, the rise of AI agents changes the job description. We are no longer just managing users; we are managing a “digital workforce” of insiders with varying levels of privilege.

Farassat highlighted three key takeaways for practitioners heading back to the office after RSA:

1. Identity separation: Practitioners must separate human identity from agent identity. “While the agent can still get data from the application, the agent itself can never connect to the application directly,” Farassat noted. This physical separation prevents a compromised agent from gaining full access to a user’s credentials.
2. The end of traditional VDI: The browser is becoming the new “operating system” for both legacy and SaaS apps. By using browser-based security, practitioners can provide remote access without the “bane of existence” that is traditional VDI.
3. Adaptive DLP: Data Loss Prevention (DLP) has historically been too hard to manage. Farassat suggests that the next generation of security must use AI to protect against AI — automatically masking sensitive data in real time without exhaustive manual configuration.

Bottom line: Be a business accelerator

The arrival of a dedicated browser security platform for AI agents signals that the “agentic enterprise” is here. For security professionals, the goal is no longer to block progress but to facilitate it safely.

Farassat’s parting advice to practitioners was simple: Don’t get in the way. “The first thing to do for all of us is not to try to block the way of the developers… and learn as much as we can. This stuff is moving extremely fast, so you’ve got to stay ahead of it.”

By centering security in the browser — the place where identity, intent, and action converge — organizations can finally unlock the scale of AI. The next billion users are coming; it’s time to make sure we’re ready to govern them.

Also read: New research shows AI agents are creating identity and monitoring blind spots because many enterprises still treat them like tools instead of privileged actors.