Systems that were once content to predict, recommend, and autocomplete are now acting, deciding, and moving. Artificial intelligence, long confined to the mind, has grown hands and feet. And like a toddler finding its legs, it is tottering toward every exposed socket in the digital house.
The phrase belongs to Palo Alto Networks chief executive Nikesh Arora, whose lieutenant, Tom Scully, extends the metaphor with the weary knowingness of a cybersecurity veteran. “Agentic AI is giving hands and feet to our AI,” Scully says. “Once she started walking, it was like the whole world got way more riskier.” That mix of wonder and dread captures the essential tension of this moment: humanity’s compulsion to accelerate into autonomy before it understands the risks of letting go of the handlebar.
The toddler problem
What happens when code learns to act? In Scully’s view, companies are rushing to find out. “Everyone is moving to adopt AI technologies because of that value it’s going to deliver,” he says. “The focus is on speed.” Yet, as he adds dryly, “more haste, less speed.” In their zeal to outpace rivals, firms are trading visibility for velocity—betting their survivability on systems they barely comprehend. “You’re basically betting… risk of survivability versus risk of taking on security outcomes at the same time.”
The result is a strategic dilemma. In the race to deploy AI, organisations have opened their gates to tools that are not just powerful but porous. At the protocol level, the connective tissue of the new agentic internet—the Model Context Protocol, or MCP—is built for interoperability, not integrity. “There’s no foundational security underneath that,” Scully notes. “No ability to know exactly what data you’re passing.” Convenience has once again outpaced control.
Hands, feet—and open doors
Palo Alto, the $90bn cybersecurity whisperer of Silicon Valley, has tried to retrofit discipline into the chaos. Its engineers recently released a secure MCP server, designed to lock down those open channels while preserving the flow of collaboration. One of the first adopters was a university research network struggling to share data safely across borders. By installing Palo Alto’s secure gateway and attaching clear usage policies, Scully says, the institution could “continue to get the value and continue to do the research,” while keeping its intellectual property on the right side of the firewall.
It is an instructive case study. Even in the rarefied world of research, the impulse to move faster than the rules allows remains irresistible. Every sector now faces the same trade-off: the affinity between innovation and exposure. The faster organisations connect systems, the faster they can lose control of them.
Governance voids and invisible agents
Scully’s toddler analogy is more than cute. It is an operational warning. Once granted autonomy, AI agents will act across networks that humans cannot fully observe or audit. “We have no ability to watch what they’re doing,” he says. Unlike a child, whose movements can be tracked across a room, digital agents operate at a scale and speed that make intervention impossible.
This absence of oversight exposes a deeper void. “We’ve got a void of governance,” Scully says. “And we’ve got a void in terms of the standards of how to implement the best practices.” Autonomous cars have safety certifications. Agentic AI has none. The result is a growing population of self-acting systems wandering through enterprises without rules, supervision, or insurance.
The consequences are already measurable. Palo Alto’s Unit 42 threat team reports that the average time for data exfiltration—cyber speak for “stealing your crown jewels”—has collapsed from nine days in 2021 to two in 2025. In one in five cases, the breach is complete within an hour. AI is accelerating both attack and defence cycles, compressing the window between compromise and catastrophe.
Speed kills
That compression is changing the economics of cybersecurity. In the old world, defenders could afford to deliberate; attackers needed persistence. Now, both sides operate at machine speed. “Attackers are taking AI and leveraging it,” Scully says. “We need to start fighting AI with AI.” Palo Alto’s response is to automate not just detection but decision-making through what it calls its Agentics platform—infusing AI across the “OODA loop” of observe, orient, decide, act. It is a military term born in the dogfights of Vietnam: whoever cycles through the loop faster wins.
Yet even the best defences cannot save companies from their own structural negligence. Scully’s message to corporate boards is blunt: without zero trust, you have zero chance. The principle is simple—never assume, always verify—but its implementation remains glacial. “If they haven’t got zero trust… how can you start the journey of what AI model they should be touching?” he asks.
Three years after the concept became boardroom orthodoxy, many firms are still stuck in audit purgatory, paralysed by what Scully calls “organisational inertia.” The technology exists; the problem is cultural. Every legacy access rule must be unpacked, justified, and rewritten—an exercise that exposes decades of bureaucratic sediment. “You have to go in now to organisations and say, why is this security rule in place?” he says. “And most people go, I don’t know—that was written 20 years ago.”
The new perimeter
To bypass this paralysis, Palo Alto and rivals such as Netskope are moving the front line to where most work actually happens—the browser. Scully calls these enterprise browsers, and they could soon become the gatekeepers of AI adoption. Built on Chromium, Palo Alto’s Prisma Access Browser acts as both portal and police. Employees can use approved AI tools only through the enterprise browser, which authenticates identity, enforces policy, and blocks prohibited data in real time.
“If they go and copy and paste a piece of PII… it’ll block it straight away,” he says. In effect, the browser becomes a digital customs officer—inspecting every packet leaving the enterprise before it hits the cloud. It is a practical fix for a chaotic world, and a glimpse of the coming struggle for control between the open web and its corporate counterpart. Chrome may still dominate consumer life, but its enterprise twin will soon govern the workplace.
The illusion of control
Despite these advances, the illusion of control persists. Many boards still believe cybersecurity is a function to be audited rather than an operating condition to be lived. Scully’s view is more Darwinian: the weak will not survive the new tempo of attack. “It’s about risk of survivability,” he says. “You’re betting with risk to your company.” The phrase lands like a diagnosis of collective denial.
Even the data reflects this unease. The mean time to respond to incidents—the defender’s OODA loop—is shrinking, but not fast enough to match the adversary’s. Both sides are automating, both are learning. The difference is that bad actors face no compliance committees, no regulatory lag, no shareholder memos. They just move.
In this environment, governance frameworks matter less than the reflexes of your systems. A misconfigured agent can expose terabytes in seconds. A sluggish human approval chain can cost millions. The strategic question for CEOs is no longer whether they will be attacked, but whether they can act faster than their attacker’s code.
Data sovereignty and the new compulsion
The geopolitical implications are equally stark. As agentic AI crosses borders, so too does the data it consumes and generates. Enterprises that once fretted about where their cloud servers sat now face a harder question: where do their decisions happen? Each AI model represents a potential sovereignty breach, a whisperer of policies and priorities from another jurisdiction.
The compulsion to accelerate—to train faster, respond faster, profit faster—will collide with national imperatives to regulate. The result will be a world where data sovereignty extends beyond databases to algorithms themselves. Who owns an agent’s judgment? Who audits its reasoning? These questions will echo through boardrooms long after the hype cycles fade.
A pragmatic path
Scully is no alarmist. His prescription is pragmatic: start with visibility. “Who are your users? What models are they accessing? What data are they putting in?” he asks. Palo Alto’s systems now track and block unapproved AI models automatically, giving executives the forensic trail regulators increasingly demand. “If a new model turns on tomorrow,” he explains, “users will get blocked straight away.”
It is governance by circuit breaker—a mechanical restraint for an age that keeps confusing innovation with control. Yet the deeper fix remains cultural: balancing curiosity with caution, autonomy with assurance. Agentic AI may well accelerate productivity and innovation, but without trust architecture, it will also accelerate chaos.
The invisible hand (and foot)
The irony is that AI’s growing autonomy is a mirror of our own. Corporations have long behaved like algorithms—optimising for speed, scale, and shareholder value. Now their machines are learning the same habits. They act with similar logic, and similar blind spots. In that sense, the hands and feet of AI are merely extensions of ours—restless, ingenious, and occasionally reckless.
For Scully, the task is not to restrain curiosity but to make it survivable. “We can’t stop this,” he says, “but we can do it in a way that balances risk and reward.” The challenge is to ensure that, when AI stands up, humanity is still watching.