June 1, 2026 · Edition #17

Posture Has to Become Agentic

Two numbers from this week have been rattling around in my head. One is a maximum-severity flaw in a popular agent toolkit, ModelScope's MS-Agent, CVSS 9.8, that has sat without a patch for nearly three months. The other is thirteen hours: the gap, in a different framework, between a vulnerability going public and being exploited in the wild. Hold those side by side and a comfortable assumption falls apart. We tend to treat a security posture score as a fact about where we stand. But a score from last night's scan was already wrong by lunch, and for the bug with no patch, the scan can't even tell you what to do about it.

That's the quiet problem with how we measure AI security today. Most posture management runs point-in-time: it checks configurations and permissions, produces a score, hands you a report. A snapshot is genuinely useful, until the thing you're securing starts acting on its own and the ground keeps moving underneath the picture. A report tells you where you stood. It doesn't do anything.

So where does this go? I think posture has to become agentic. Stop treating it as a nightly photograph and start treating it as something live: scoring every agent action against current vulnerability feeds and what's actually happening at runtime, and then acting on that score rather than just printing it.

The shape of that, to me, is two moves. Contain first: the moment an agent's dependency goes public with no fix, its blast radius should shrink on its own, with egress cut, permissions narrowed, and the agent sandboxed, before anyone touches a ticket. Fix second: patch on the normal cycle, because containment already bought you the time. You can't out-patch a thirteen-hour exploit, and you can't patch a flaw that has no patch. When you can't win the race, you change the prize, and you make it smaller.

I don't think any one tool does this end to end yet, but you can feel the market leaning toward it. CodeIntegrity's $5M round this week funds a deterministic control layer that constrains what agents are allowed to do while they run: enforcement at runtime, not a pre-flight scan. That's the tell. The category is shifting from "tell me my exposure" to "reduce my exposure for me."

The static report had a good run. But AI risk now lives at runtime, and posture has to meet it there.
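
The "contain first, fix second" split described above can be sketched as a small policy function. This is an added example, not code from any product or project named in this edition; the `Advisory` and `Agent` record shapes, the 9.0 containment threshold, the action names, and all package names and versions are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Advisory:                      # constructed feed-entry shape
    package: str
    cvss: float
    fixed_version: Optional[str]     # None: public, no patch available
    exploited: bool = False          # reported exploited in the wild

@dataclass
class Agent:                         # hypothetical runtime record of one agent
    name: str
    dependencies: Dict[str, str]     # package -> installed version
    permissions: Set[str] = field(default_factory=set)
    egress_allowed: bool = True
    sandboxed: bool = False

def _ver(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def affects(agent: Agent, adv: Advisory) -> bool:
    installed = agent.dependencies.get(adv.package)
    if installed is None:
        return False
    # With no fixed version, every installed version counts as exposed.
    return adv.fixed_version is None or _ver(installed) < _ver(adv.fixed_version)

def evaluate(agent: Agent, feed: List[Advisory], contain_at: float = 9.0):
    """Apply containment in place; return (containment actions, fix queue)."""
    contain, fix = [], []
    for adv in feed:
        if not affects(agent, adv):
            continue
        if adv.fixed_version is not None:
            fix.append(f"upgrade {adv.package} to {adv.fixed_version}")
        # Contain first: severe and either unpatchable or already exploited.
        if adv.cvss >= contain_at and (adv.fixed_version is None or adv.exploited):
            if agent.egress_allowed:
                agent.egress_allowed = False
                contain.append("cut_egress")
            if agent.permissions - {"read"}:
                agent.permissions &= {"read"}
                contain.append("narrow_permissions")
            if not agent.sandboxed:
                agent.sandboxed = True
                contain.append("sandbox")
    return contain, fix

# Constructed sample data; package names and versions are placeholders.
FEED = [
    Advisory("example-agent-toolkit", 9.8, None),
    Advisory("example-framework", 9.1, "2.4.1", exploited=True),
    Advisory("example-lib", 5.0, "3.0.0"),
]
```

Re-running `evaluate` on an already contained agent returns no new containment actions, so it can be called on every feed update or agent action without stacking duplicate responses.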