The Browser Was Already a Problem – Now Add a Billion AI Agents

Fresh off RSAC 2026, I sat down with Ramin Farassat, Chief Product Officer at Menlo Security, to work through what agentic AI is actually doing to the enterprise attack surface. Menlo has spent 13 years focused specifically on browser security — the idea that the browser, not the endpoint, not the network perimeter, is where most enterprise work happens and most exposure lives. That was already a hard enough problem. Then you add AI agents into the mix. The framing Ramin kept coming back to is that the next billion users aren't going to be human. That's not a marketing line — it reflects something real about where agent adoption is heading. Think about how passwords and IP addresses scaled. In 2005, you could probably count both on your hands. Now your home router has 110 devices on it, and your iPhone has hundreds of saved passwords. Agents are going to follow the same curve, just faster. The average employee probably doesn't intend to deploy 25 agents. But they'll get there without really noticing. What makes this particularly thorny from a security standpoint is that agents aren't just scaled-up users. They have their own quirks. They'll take the path of least resistance, which sounds fine until your agent starts finding pathways into folders you didn't know were accessible. They can be manipulated in ways a human would immediately recognize as suspicious. And they can talk to other agents — meaning an agent you locked down to read-only can potentially find a workaround through another agent that has write access. Ramin walked through real examples of exactly that happening. We also got into the identity question, which I don't think the industry has a clean answer to yet. If I spin up ten agents to work on my behalf, are they ten separate identities? Does each one get its own credentials? Ramin has a specific take on how Menlo approaches this — and it's different from just handing every agent its own ID — but I'll let him explain it rather than summarize it badly. There's also a policy and accountability angle that I think is underexplored. A lot of organizations are actively pushing employees to adopt AI agents — not just allowing it, but setting productivity targets around it. When you mandate something, and then an agent goes off the rails, the question of who's responsible gets murky in a hurry. We talked through that, and I don't think there are easy answers. What stuck with me most from the conversation was something Ramin heard directly from multiple CISOs at RSAC: they know there are agents running in their environment. They just don't know who built them, where they are, or what applications they're connecting to. Because an agent using someone's credentials looks exactly like that person to the network. There's no easy way to tell the difference. That's the problem set we spent 45 minutes unpacking in this episode of the TechSpective Podcast. If you're thinking about agentic AI in your environment — or you're already dealing with it, whether you planned to or not — this episode is worth your time. Watch or listen to the full episode.