The Yes Machine Gets a Live Demo
Last week I published V2-12 — “The Yes Machine” — about how AI agents are fundamentally compliant by design. Trained to be helpful, to follow instructions, to complete tasks without friction. The argument was behavioral: this makes them perfect social engineering targets, because the thing that makes them useful is also what makes them easy to manipulate.
Then at RSAC 2026, Zenity’s CTO walked on stage and demonstrated it from the attacker’s side.
The demo showed enterprise AI agents being compromised with zero user interaction — no clicks, no phishing links, nothing a user had to do wrong. The agents were just running, being helpful, following instructions — and that was enough. Alongside it came a wave of new agent security products from Cisco, CrowdStrike, Palo Alto, and Astrix, all announced at the same conference, all solving the same problem they’d each apparently just noticed.
Here’s what I keep coming back to: the security industry’s response is to layer products on top of agents that were built gullible in the first place. That’s treating compliance as a weather event rather than a design choice.
The actual fix is building agents that know how to say no — explicit permission models, human-in-the-loop gates for actions with real consequences, approval workflows before anything sensitive gets touched.
Permission before action is the architecture you start with, not a layer you bolt on later.
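One way to express permission before action in code, as an added example that is not from the original post or from any vendor named above: a default-deny gate in front of an agent's tool calls, where sensitive tools need a human approval bound to the exact call. The tool names, the policy table, and the `Gate` class are hypothetical.

```python
import hashlib
import json
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    NEEDS_APPROVAL = "needs_approval"
    DENY = "deny"


# Hypothetical policy, constructed for this example; unlisted tools are denied.
POLICY = {
    "search_docs": Decision.ALLOW,
    "send_email": Decision.NEEDS_APPROVAL,
    "delete_record": Decision.NEEDS_APPROVAL,
}


def call_digest(tool, args):
    """Digest of the exact call, so an approval covers that call only."""
    blob = json.dumps({"tool": tool, "args": args}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()


class Gate:
    def __init__(self, policy):
        self.policy = policy
        self.approved = set()  # digests approved by a human, single use

    def approve(self, tool, args):
        """Called from the human review path, never by the agent."""
        self.approved.add(call_digest(tool, args))

    def authorize(self, tool, args):
        decision = self.policy.get(tool, Decision.DENY)  # default deny
        if decision is Decision.NEEDS_APPROVAL:
            digest = call_digest(tool, args)
            if digest in self.approved:
                self.approved.remove(digest)  # consume, so no replay
                return Decision.ALLOW
        return decision


if __name__ == "__main__":
    gate, mail = Gate(POLICY), {"to": "cfo@example.com", "body": "Q3 report"}
    print(gate.authorize("send_email", mail))  # held until a human approves
    gate.approve("send_email", mail)
    print(gate.authorize("send_email", mail))  # allowed once
```

Because the approval is keyed to a digest of the tool name and arguments, a call whose recipient or body changes after review is held again instead of inheriting the earlier sign-off.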
Source: The Register