The explosive enterprise rush to deploy autonomous AI agents has triggered an identity and governance crisis, rendering traditional corporate defence models "completely insufficient" to handle machine-to-machine risk, according to Mark Palmer, board director for the Cloud Security Alliance (CSA) South Africa Chapter and security go-to-market lead for Microsoft SA.
Speaking to delegates at the ITWeb Security Summit 2026, Palmer delivered an urgent wake-up call to local tech executives.
He warned that businesses are aggressively deploying autonomous systems without building the foundational security plumbing required to govern them. "Intelligence without trust is reckless, and trust without intelligence is slow," said Palmer.
A core driver of this crisis is the staggering scale of AI adoption, Palmer said, with global projections estimating that the enterprise ecosystem will be flooded with 1.3 billion autonomous agents by 2028.
He compared this looming agent wave to the disruptive smartphone consumerisation era of the late 2000s, warning that these are not merely phones but autonomous systems accessing data and making decisions at scale.
Citing the newly released Microsoft Data Security Index, Palmer said this rapid shift is directly invading local corporate networks. The data shows that only 47% of organisations are using generative AI security controls, leaving 53% exposed, while shadow AI agents quietly bypass corporate policies.
According to Palmer, this governance gap has prompted an aggressive regulatory pivot in SA. Analysing a formal communication issued by the South African Reserve Bank (SARB) Prudential Authority in April 2026 to all supervised financial institutions, he said the regulator signalled a sharp supervisory shift from baseline awareness to active execution.
Palmer explained that the Prudential Authority warned that advanced models demonstrating autonomous vulnerability discovery and live exploit generation have caused the window between vulnerability and exploitation to collapse to near zero. He noted that the regulator's communication outlined five key expectations, including a mandate that human intervention speeds are no longer sufficient.
Consequently, Palmer said, companies must implement machine-speed responses and establish clear, board-level accountability rather than improvising during an active cyber incident.
*This article has been updated to reflect that Mark Palmer was speaking on behalf of the Cloud Security Alliance, rather than Microsoft.
Share
