Press TechRound interviews Secure.com CEO on the future of AI security
Read

How Does Governed Autonomy Work in Offensive Security?

See how governed autonomy powers autonomous red teaming, keeps adversary emulation mapped to MITRE ATT&CK, and still leaves humans in control.

Key Takeaways

  • Governed autonomy means an AI agent can plan and run attack simulations on its own, but every risky action still needs a human check.
  • Autonomous red teaming uses this setup to test networks around the clock instead of once or twice a year.
  • Adversary emulation stays grounded in MITRE ATT&CK, so every simulated attack maps back to real-world tactics.
  • Guardrails, approval steps, and audit logs are what separate governed autonomy from a bot running wild on your network.

A state-sponsored hacking group recently used an autonomous coding agent to carry out an estimated 80 to 90 percent of an attack campaign on its own, from recon to exploit generation, according to a report published on GitHub. Humans only stepped in a handful of times. That single case sums up where offensive security is headed, and why the industry keeps circling back to one question: how do you get the speed of autonomy without losing control of it?

What Governed Autonomy Actually Means in Offensive Security

Governed autonomy is a simple idea with a lot riding on it. An AI agent gets the freedom to plan and execute parts of an attack simulation by itself. At the same time, it operates inside rules a human security team set in advance.

Think of it like a new hire on a probation period. They can do real work. They just cannot sign off on the big decisions alone yet.

In practice, governed autonomy usually includes a few things working together:

  • Clear boundaries on what systems or environments the agent can touch.
  • Pre-approved playbooks for common actions, so the agent is not improvising blind.
  • A required human check before any high-impact step, like exploiting a live production system.
  • Full logging of what the agent did and why, so someone can review it later.

This is different from full automation, where a script just runs start to finish with no oversight. It is also different from fully manual red teaming, where a person drives every single step. Governed autonomy sits in the middle, and that middle ground is exactly what makes it useful for offensive security work.

Industry researchers have flagged this tension directly. Analysts covering the space note that in regulated industries like healthcare or finance, the promise of machine-speed security runs straight into strict rules around accountability and explainability. Governed autonomy is the answer teams are building toward, because it keeps a paper trail that a regulator can actually follow.

Inside Autonomous Red Teaming and Adversary Emulation

Autonomous red teaming is where governed autonomy shows up most clearly today. Instead of scheduling a red team engagement once or twice a year, an AI-driven system runs continuous tests against your environment.

Here is how that usually plays out.

Continuous testing replaces the calendar-based model

Traditional red teaming works like a fire drill. It happens on a schedule, then everyone moves on until next time. Autonomous red teaming flips that. The agent keeps probing your cloud, identity, and application layers as your environment changes, which matters because your attack surface changes daily even if your red team calendar does not.

Autonomous Red Teaming

Always-on testing, grounded in real numbers

Autonomous red teaming supplies the engine. Adversary emulation supplies the script. Together they’re an always-on validation layer — but autonomy still isn’t magic.

Testing model Shift

📅
Calendar-based — once or twice a year
Continuous — probes cloud, identity & apps as your environment changes

Exploitation success rate By difficulty

Easy tasks32%
Medium tasks11%
Hard tasks<2%
The takeaway: autonomy is powerful, but success rates drop fast as task difficulty rises — which is exactly why governance, not just speed, is what makes autonomous testing trustworthy.

Adversary emulation gives the testing a real target to chase

Autonomous red teaming on its own just finds weaknesses. Adversary emulation adds the missing piece: it has the agent act as a specific, known threat actor would. Instead of random probing, the AI follows the tactics, techniques, and procedures that real attackers use, so your defenders are practicing against something that looks like a real adversary, not a generic scanner.

The two work as a pair, not a substitute

Autonomous red teaming supplies the always-on engine. Adversary emulation supplies the realistic script that engine follows. Together they turn red teaming from a periodic checkbox into what researchers are now calling an always-on validation layer for security teams.

One caveat worth noting: autonomous exploitation success rates vary significantly by task complexity. Research on AI red teaming benchmarks found that easy exploitation tasks succeed around 32% of the time, medium difficulty tasks around 11%, and hard tasks under 2%. Autonomy is powerful, but it is not magic, and that gap is exactly why governance still matters.

The Guardrails That Make Autonomy Governed, Not Reckless

This is the part that gets skipped in a lot of vendor pitches, so let’s slow down here.

Governed Autonomy

Where governed autonomy sits on the spectrum

Not a script running wild, and not a human driving every click. Governed autonomy is the middle ground where offensive security actually works.

Fully Manual

A person drives every single step of the red team engagement.

The Sweet Spot

Governed Autonomy

AI plans & executes inside pre-set rules. Humans approve every high-impact move.

Full Automation

A script runs start to finish end-to-end, with no human oversight.

What keeps the middle ground governed
Scoped permissions Human-in-the-loop checkpoints Explainable decision trails Kill switches Defined blast radius

An autonomous agent without guardrails is just a fast way to cause an outage or a real breach during a “test.” Governance is what keeps that from happening. A few guardrails show up again and again in mature programs:

  • Scoped permissions. The agent only has access to what it needs for the specific test, nothing more.
  • Human in the loop checkpoints. High-impact actions, like disabling an account or isolating a host, wait for a human approval before they execute.
  • Explainable decision trails. Every action the agent takes gets logged along with the reasoning behind it, not just the outcome.
  • Kill switches. Someone can pause or stop the agent immediately if something looks off.
  • Defined blast radius. Testing environments and boundaries are set ahead of time, so an agent cannot wander into systems that were never in scope.

These are not nice-to-have extras. A framework built by the Coalition for Secure AI puts human governance, resilience, transparency, and auditability at the center of how agentic AI should be developed and deployed, especially in security contexts. Skip any one of those pieces and you do not have governed autonomy anymore. You just have autonomy, and that is a very different risk profile.

There is also a compliance angle that is easy to underestimate. Regulations like the EU AI Act now require adversarial testing for certain AI systems, with fines that can reach 35 million euros for organizations that skip it. Governance is not just about safety anymore. It is becoming a legal requirement in some markets.

Why MITRE ATT&CK Still Anchors Governed Autonomous Testing

None of this works without a shared reference point, and that is where MITRE ATT&CK comes in.

MITRE ATT&CK is a public framework that catalogs real world attacker tactics and techniques, from initial access to data exfiltration. When an autonomous agent runs a simulation, mapping every action back to ATT&CK does three things at once.

First, it keeps the test grounded in reality instead of letting the agent invent attack paths that no real adversary would actually use. Second, it gives security teams a common language to report findings, so a finding means the same thing to the SOC analyst, the CISO, and the auditor. Third, it makes coverage measurable. Teams can literally track which ATT&CK techniques they have tested against and which ones still have a gap.

Security researchers point to this mapping as a baseline requirement for meaningful AI red teaming. Without it, autonomous testing risks becoming a black box that produces findings nobody can trust or reproduce. With it, governed autonomy and adversary emulation both have something solid to stand on.

Secure.com · Infrastructure Security Teammate

The same governance model, running your infrastructure every day

Discovers assets across your entire estate, benchmarks them against hardening standards, and applies the exact human-in-the-loop guardrails that govern a red team agent — before an attacker ever finds the gap.

Explore Infrastructure Teammate
1
Discover

Assets across AWS, Azure, GCP, SaaS, and on-prem — automatically, continuously.

2
Benchmark

Configurations checked against CIS Benchmarks, DISA STIGs, and NCP standards.

3
Govern & Fix

Low-risk drift auto-remediates. High-impact changes wait on human approval.

Ownership via Asset Insight

Every remediation gets automatic ownership assignment, no chasing down who’s responsible.

SLA tracking

Fixes are timed and tracked against SLA, so nothing quietly slips.

Immutable audit trail

Every action is logged for a paper trail regulators and auditors can follow.

Attack Path blast radius

Calculates exposure from entry points to crown-jewel assets before any change executes.

Benchmarked against CIS Benchmarks DISA STIGs NCP
Human approval required for high-impact changes

FAQs

What is governed autonomy in cybersecurity?
It is a setup where an AI agent can plan and carry out security tasks on its own, but stays inside rules and approval steps that a human security team defines ahead of time.
Is autonomous red teaming safe to run on production systems?
It can be, as long as guardrails like scoped permissions, human approval for high impact steps, and a defined blast radius are in place. Without those, running any autonomous testing on production is a real risk.
How is adversary emulation different from regular penetration testing?
Penetration testing looks for any exploitable weakness. Adversary emulation specifically mimics the tactics of a known threat actor, so the test reflects how a real attacker group would actually behave.
Does governed autonomy replace human red teamers?
No. It changes what humans spend their time on. Instead of manually running every test, security teams focus on setting scope, reviewing findings, and approving the actions that carry real risk.

The Bottom Line

Governed autonomy is not about letting AI run loose in your network and hoping for the best. It is about giving AI agents enough freedom to move fast, while keeping a human squarely in charge of the decisions that actually matter. Autonomous red teaming and adversary emulation show what that looks like on the offensive side. MITRE ATT&CK gives it a shared, checkable structure. And as tools like Secure.com’s Infrastructure Security Teammate show, the same governance model is quickly becoming the standard for how security teams run their day-to-day operations too.