At a life safety company where seconds can mean the difference between life and death, trust is everything. So when he thinks about AI agents, ADT CISO Tim Rains isn’t just thinking about efficiency gains. He’s thinking about what it really means to hand over access—and control—to something that doesn't think the way humans do.
For Rains, AI security comes down to data protection: what data goes in, what the system is doing with it, and what data comes out. "Observability is a big issue,” he says. “And then trust—what's really happening inside the system? How are these agents interacting with each other?"
Traditional software is predictable: The same input should lead to the same output. Agentic AI doesn't work that way. "The non-deterministic nature of this technology is a curveball," Rains says.
That uncertainty doesn’t mean organizations should slow down AI adoption, but it does mean security teams need enough visibility and control to trust what agents are doing before they’re connected to sensitive systems or allowed to take meaningful action.
To navigate this shift, Rains emphasizes three things that CISOs need to get right:
Know who (and what) is accessing your data: As agents interact with apps, data, internal systems, and other agents, identity becomes central to establishing trust—especially for high-value transactions. "The higher the value of the transaction, the more assurance you need that they are who they say they are."
Build observability and detection into agentic systems: Security teams can’t govern what they can’t see. If an agent reads data, calls a tool, changes a setting, or triggers a workflow, there should be an audit trail—including logs, data flow visibility, and alerts when behavior falls outside policy. "Detecting problems as early in the cycle as possible is critical because if you can stop an attack early, that prevents attackers from getting deep in your environment ... and reduces the cost of containment and recovery," says Rains.
Rethink least privilege for the AI era: Applying 30 years of access control frameworks to autonomous agents is no simple task. "How are we going to figure out what privileges these agents need if they're non-deterministic?" says Rains. “Can you predict what they need?” CISOs need ways to grant just-in-time access, require human approval for higher-risk actions, and quickly revoke access or disable an agent if something looks off.
Ultimately, Rains argues that while innovation is moving fast, security has to keep up. “We have to innovate around cybersecurity the same way that the development folks are innovating around AI.”
Watch the full Executive Exchange video with Tim Rains above for the complete conversation on agentic AI, the principle of least privilege, and why identity is central to securing AI agents.
