13 May 2026 · 7 min read
Agentic Ransomware Isn’t New Risk. It’s Faster Risk.
When attackers automate the full chain, the only durable defense is automation-grade control primitives: constrain tools, isolate blast radius, and practice the stop.

I do not find “AI-driven attacks” scary because they are intelligent. I find them scary because they are fast.
Speed changes everything. In a human-led incident, defenders get minutes, sometimes hours, of friction. In an automated incident, the attacker can scan, privilege-hop, stage payloads, and execute in one continuous run. Your organization does not fail because you lack a clever detection rule. You fail because your controls were designed for a world where people had to pause.
In industrial environments, we learned this lesson long ago. We never trusted “smart” behavior without governance primitives you can point to, test, and audit. Constraints create reliability. Recoverability creates confidence. Hope is not a control.
This essay is my operator’s lens on agentic ransomware: treat it as faster automation, then respond with automation-grade controls.
Time compression is the threat model
Most cyber programs still assume a timeline with human seams: an attacker needs to research, craft, and iterate. That assumption leaks into governance. Approvals are slow. Privileges accumulate. Logs are mutable. Backups are “there somewhere.” Incident response is a PDF.
When the attack chain is automated end-to-end, those seams disappear. The attacker’s loop becomes: discover, exploit, propagate, encrypt, extort, all as one machine process. You do not get to “notice it” halfway through if your environment allows lateral movement and privilege escalation at machine speed.
So the first mental shift for boards and operators is simple: measure your exposure in minutes, not in days. If your containment and recovery assumptions need hours, you are planning for a different category of adversary.
Industrial automation got one thing right: constraints beat cleverness
When I spent years in power electronics and industrial automation, we shipped systems that had to keep running in water and wastewater plants, HVAC infrastructure, and production environments. In those worlds, we did not argue about whether a controller was “smart.” We argued about whether it was bounded.
Bounded systems behave predictably under stress. They fail in known ways. They expose clear state. They have isolation boundaries. They give the operator a stop and a path to restart.
Later, when I ran an international business unit in smart-building and connected controls, the same logic applied. Embedded devices, gateways, cloud services, installers, and facility operators formed a messy socio-technical system. Reliability never came from adding more automation. It came from putting fences around automation.
Agentic attackers exploit the opposite: unbounded automation in your own environment. Overprivileged identities. Flat networks. Scripts that can run anywhere. Logs that can be altered by the same admin plane they are supposed to audit.
If you want a timeless principle: make your enterprise safe for automation. That means you design constraints so that any fast actor, malicious or buggy, hits hard limits quickly.
The control primitives that matter (and how to pressure-test them)
I like to reduce “agentic security” to three questions an operator can answer without slides:
- What tools can run?
- Where can they run?
- How do we stop and recover?
1) Define the toolchain: least privilege for automation, not for people
Most organizations do least privilege as an HR exercise. Joiner, mover, leaver. That is necessary, but it misses the modern problem: automation identities.
Your riskiest credentials are often non-human: CI/CD runners, RPA bots, integration keys, device provisioning tokens, service accounts, and “temporary” admin access granted to scripts.
- Inventory automation identities and treat them as production assets.
- Scope their permissions to single jobs. If a build runner can also reach production secrets, you built an attack bridge.
- Rotate and expire credentials by default. Long-lived tokens are slow-motion incidents.
- Require signed execution for privileged scripts and binaries. If it cannot be verified, it cannot run.
This is also where applied AI can help defensively: not by “detecting hackers,” but by continuously reconciling what identities should be doing versus what they are doing. But that only works if the underlying permissions model is clean.
2) Segment systems like you mean it: reduce blast radius to something you can afford
In manufacturing, segmentation is not a best practice. It is how you keep a fault in one cell from stopping the whole plant. Cyber is the same. If your network is flat, your incident is global by design.
- Segment by function and criticality: user endpoints, build systems, business apps, operational systems, backups, logging, and identity infrastructure.
- Default-deny east-west movement. Allow only the specific flows you can explain on one page.
- Separate your “keys to the kingdom”: identity provider admin, backup admin, logging admin, and production admin should not be the same plane.
- Design for containment: assume one segment will be owned. Your job is to keep it from becoming two.
If you are in IoT or smart-building, remember that connectivity choices become trust choices. The moment you treat connectivity as “just data,” you ignore the control plane you are exposing. I wrote about this mindset in eSIM as a trust anchor, because the commercial model often forgets to budget for the security model.
3) Make logs and backups adversary-resistant: immutable, off-path, audited
Automated attackers do not only encrypt data. They go after your ability to understand what happened and your ability to recover. That is why “we have backups” is not a sentence. It is a system.
- Write logs to an immutable store that production admins cannot alter.
- Keep backups off the primary identity plane. If the same SSO compromise grants backup deletion, you have no backups.
- Test restores on a schedule. Restore time is a KPI, not a comforting assumption.
- Track your recovery point objective like a financial exposure. How much data can you afford to lose?
This is the difference between being hacked and being out of business.
Rehearse the kill switch like an emergency shutdown
In industrial operations, we drill emergency stops because the moment you need them is the worst moment to discover ambiguity. The same should be true for cyber incidents driven by automation.
I am not talking about a war room. I am talking about a practical kill-switch playbook:
- One-page decision rights: who can isolate networks, disable SSO, freeze deployments, and shut down integrations.
- Predefined isolation actions: quarantine a segment, disable non-human tokens, stop build runners, revoke privileged sessions.
- Practiced communications: internal, customers, and suppliers. Silence creates chaos.
- Clean-room recovery: a known-good environment and procedure to rebuild critical services without trusting the compromised plane.
When I build and operate my own ventures like Shopeno and IBHQ, I treat “stop and recover” as a product requirement, not as an IT task. Small teams do not survive by being lucky. They survive by being recoverable. The same discipline scales upward: the bigger the organization, the more you need rehearsal, because coordination becomes the bottleneck.
If you want a deeper version of this operator framing, I laid out the broader point in AI value and the stop button. The control is the value.
A board-level lens: controls that keep working when the attacker is faster than you
If you sit on a board or run a business unit, you do not need to become a security architect. You need to insist on the right evidence.
Here are the questions I would ask in a quarterly review, and I would not accept vague answers:
- Blast radius: If one endpoint is compromised, what is the maximum damage before we can contain it?
- Automation identities: How many non-human credentials exist, where are they stored, and which of them can touch production?
- Segmentation proof: Show me the top ten allowed east-west flows, and who approved them.
- Immutability: Which logs and backups are truly immutable, and who can delete them?
- Restore drills: When was the last successful restore test of a critical system, and how long did it take end-to-end?
- Kill-switch drill: When was the last time we practiced disabling SSO or isolating a segment, and what broke?
This is operational governance. It is the same muscle you use to manage quality, safety, and uptime. In fact, if you liked the manufacturing framing, you might also recognize the pattern in ruggedization as a reliability contract. Security is also a contract. You pay for it, and you enforce it.
My opinion: treat autonomy as a privilege you earn
Agentic ransomware is a forcing function. It does not require a new philosophy. It requires operational seriousness.
Autonomy, whether in your own AI agents or in an attacker’s automation, is only safe when bounded by hard controls: least-privilege toolchains, real segmentation, immutable evidence, and rehearsed stops. The organizations that win will not be the ones with the prettiest dashboards. They will be the ones that can contain fast, decide fast, and recover fast.
That is the same lesson I learned from factory-adjacent systems, embedded devices, and multi-country operations: constraints create reliability, and recoverability creates speed. Everything else is theater.
Newsletter
Operator notes, straight to your inbox.
Occasional, no-noise notes on leadership, execution, and applied AI — from the field, not the sidelines.