dev_to, April 25, 2026

The 22-Second Problem: What Google Cloud NEXT '26's Agentic Defense Means for Essential Eight Compliance




This is a submission for the Google Cloud NEXT Writing Challenge.

When Mandiant's M-Trends 2026 report revealed that the average time from initial intrusion to handoff to a secondary threat actor had collapsed from 8 hours to 22 seconds over three years, it confirmed what many security practitioners already suspected: traditional security operations aren't built for the speed of modern attacks.

Google Cloud NEXT '26's headline announcements—Agentic Defense, three new autonomous Security Operations agents, and the Wiz partnership—represent more than just another product launch. They signal a fundamental architectural shift in how organisations defend against threats. For Australian enterprises operating under the Australian Signals Directorate's Essential Eight framework, this shift raises an important question: does agentic security strengthen Essential Eight compliance, or does it create new gaps?

The core of Google's security story at NEXT '26 centres on Agentic Defense — the integration of Google Threat Intelligence, Security Operations, and Wiz's Cloud/AI Security Platform into a unified autonomous defence system. Three new Security Operations agents entered preview:

- Threat Hunting Agent: Continuously analyses telemetry for anomalies and suspicious patterns
- Detection Engineering Agent: Automatically creates and refines detection rules based on emerging threats
- Third-Party Context Agent: Enriches alerts with external intelligence from vendor advisories and threat feeds

Alongside these, Wiz introduced red, blue, and green agents for continuous attack simulation, detection validation, and automated remediation across Google Cloud, AWS, Azure, and Oracle environments. The AI Application Protection Platform (AI-APP) extends code-to-cloud-to-runtime protection specifically for AI workloads.
The partnership also delivered Dark Web Intelligence (98% accuracy claimed in internal testing), AI-BOM (AI Bill of Materials for model transparency), and remote MCP server support for Google Security Operations.

The technical architecture is impressive. The strategic implications for compliance frameworks like Essential Eight are less obvious.

Australia's Essential Eight mitigation strategies were designed around a simple principle: reduce the attack surface and contain damage when prevention fails. The framework mandates eight specific controls across three maturity levels (ML1, ML2, ML3), each with measurable technical requirements. Let's examine how agentic security intersects with each:

Essential Eight ML3 requires that applications can only be executed from approved locations, all executables are validated against an approved list, and Microsoft's recommended application control policies are implemented.

Agentic security impact: Detection Engineering agents can identify unauthorised application execution patterns faster than human analysts, but they don't enforce allowlisting—that remains a GPO/Intune policy decision. Autonomous agents can alert on policy violations with sub-second latency; they cannot retroactively prevent execution that already occurred in those critical 22 seconds.

Compliance gap: Application control is preventative. Agentic detection is reactive, albeit extremely fast reactive. The two are complementary, not substitutional.

ML3 mandates patching within 48 hours of release for internet-facing services and two weeks for other systems, with vulnerability scanning at least daily.

Agentic security impact: Wiz's green agent (automated remediation) can theoretically patch at machine speed, but Essential Eight compliance isn't measured by deployment speed—it's measured by patch coverage and risk prioritisation.
An agent that patches every CVE indiscriminately creates operational risk; an agent that triages using threat intelligence aligns better with the framework's intent.

Compliance opportunity: This is where agentic security genuinely strengthens Essential Eight posture—if organisations configure remediation agents to respect change management windows and business-critical system dependencies.

ML3 requires phishing-resistant MFA (FIDO2, smart cards, Windows Hello for Business) for all users.

Agentic security impact: Minimal direct impact. MFA is an identity control; Security Operations agents operate in the detection/response layer. However, the Third-Party Context Agent can enrich MFA-related alerts (impossible travel, repeated failures) with threat intelligence that helps security teams identify credential compromise faster.

Compliance status: Unchanged. Essential Eight MFA requirements remain a policy and technology deployment challenge, not a detection problem.

ML3 requires privileged access workstations, just-in-time administration, separate privileged accounts, and strict segmentation.

Agentic security impact: Threat Hunting agents can detect privilege escalation attempts and lateral movement patterns that indicate compromised admin credentials, but they don't enforce least-privilege policies. Google Cloud's Agent Identity and Agent Gateway features (announced at NEXT '26) do provide governance for agent-to-agent communication and MCP server access—this is relevant because autonomous agents themselves represent a new privileged entity class.

Compliance consideration: Organisations need to treat Security Operations agents as privileged accounts. If an agent has read/write access to Security Command Center policies or can trigger automated remediation, it must be governed under Mitigation Strategy 5.

ML3 mandates daily backups, weekly testing of restoration, and offline/immutable storage.

Agentic security impact: None. Backups are an operational resilience control.
Detection agents don't back up data; they detect ransomware encryption patterns. The green remediation agent could theoretically automate restoration workflows, but Essential Eight explicitly requires tested restoration—automated restore without validation doesn't satisfy ML3.

Compliance status: Unchanged.

ML3 requires that macros can only execute from trusted locations, all macros are digitally signed, and Microsoft's recommended macro security settings are enforced.

Agentic security impact: Detection Engineering agents can identify malicious macro execution (e.g., spawning PowerShell, making network connections), but macro execution restrictions are enforced by GPO, not by Security Operations tooling.

Compliance gap: Same pattern as Application Control—detection is reactive, policy is preventative.

ML3 mandates web browser isolation, blocking ads/untrusted content, disabling Flash/Java, blocking web content from Office, and implementing DMARC/SPF/DKIM.

Agentic security impact: Browser isolation and content filtering are network/endpoint controls. Security Operations agents can detect policy violations (e.g., Flash execution, unvalidated email senders) but don't enforce the restrictions themselves. Google's partnership with Wiz does provide Cloud/AI Security Platform capabilities that can monitor cloud-hosted applications for hardening policy drift, which is relevant for SaaS applications governed under Essential Eight.

Compliance status: Detection improves; enforcement remains a separate implementation concern.

The 22-second attacker handoff window is real. The idea that autonomous agents can respond faster than human analysts is also real. But Essential Eight compliance isn't measured by response time—it's measured by control implementation, coverage, and maturity level consistency.

Agentic security doesn't replace Essential Eight.
It accelerates detection and response for Mitigation Strategies 1, 2, 3, 5, 7, and 8—but only if the underlying controls are already implemented. An organisation with no application control policies gains nothing from a Detection Engineering agent that can identify unauthorised execution in 22 seconds if the execution was never blocked in the first place.

The real value proposition is for organisations already at ML2 or ML3 maturity. These are the environments where:

- Application control policies exist but drift occurs

For these organisations, Google's Agentic Defense becomes a force multiplier for existing controls. The Threat Hunting agent doesn't replace your application allowlist—it identifies when an attacker finds a bypass. The Detection Engineering agent doesn't replace your patch management workflow—it helps you prioritise which vulnerabilities are being actively exploited in the wild.

If you're responsible for Essential Eight compliance in an organisation considering Google Cloud's security stack, here's the practical playbook:

1. Audit your current maturity level honestly.
2. Treat Security Operations agents as privileged accounts.
3. Map agent capabilities to Essential Eight evidence requirements. ASD's Essential Eight Maturity Model includes specific evidence requirements for each control. Can your Security Operations agents generate the logs, audit trails, and compliance reports ASD assessors expect? If not, manual evidence collection still applies—automation doesn't eliminate the compliance burden, it just shifts where the work happens.
4. Test autonomous remediation in non-production first.
5. Use Sydney-based Google Cloud regions for data sovereignty.

Google Cloud NEXT '26's security announcements reflect a broader industry shift: security operations are moving from human-led, tool-assisted workflows to agent-led, human-supervised architectures.
This isn't speculative—75% of Google's codebase is now AI-generated according to Sundar Pichai's keynote, and that same automation is coming to security operations.

For Essential Eight compliance, the question isn't whether to adopt agentic security. The question is how to adopt it without creating new compliance gaps. The 22-second attacker handoff window is real, but so is the Essential Eight requirement for tested backups, validated patches, and auditable controls. Autonomous agents that respond in sub-second timeframes are impressive. Autonomous agents that can generate the evidence trail ASD assessors expect are essential.

The organisations that will succeed in this transition are those that treat agentic security as a compliance accelerant, not a compliance replacement. Implement the controls, deploy the agents to monitor and enforce them, audit the agents as privileged entities, and test everything before trusting automation in production.

And if you're still running Essential Eight at ML1, focus on the fundamentals first. No amount of autonomous threat hunting will compensate for missing application control policies or untested backups.

The 22-second problem is real. But the solution isn't just faster agents—it's faster agents operating within a mature security framework that treats speed and governance as complementary requirements, not competing priorities.

Have you implemented Essential Eight in your organisation? How are you thinking about autonomous security agents in a compliance-heavy environment? Let's discuss in the comments.
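
Added example (not part of the original article): the patching section argues that compliance is measured by coverage and risk prioritisation, not deployment speed, and this sketch measures exactly that against the ML3 windows the article quotes (48 hours internet-facing, two weeks otherwise). The `Finding` fields, the `exploited` threat-intel flag, the ordering rule and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# ML3 windows as quoted in the article, keyed by "is internet-facing".
SLA = {True: timedelta(hours=48), False: timedelta(weeks=2)}

@dataclass
class Finding:
    asset: str
    internet_facing: bool
    released: datetime            # when the vendor patch was released
    patched: Optional[datetime]   # None means still unpatched
    exploited: bool               # assumed threat-intel flag: exploited in the wild

def deadline(f):
    return f.released + SLA[f.internet_facing]

def in_sla(f, now):
    """Patched by the deadline, or unpatched with the deadline not yet reached."""
    return (f.patched or now) <= deadline(f)

def coverage(findings, now):
    """Fraction of findings inside their window, per exposure class."""
    out = {}
    for facing in (True, False):
        group = [f for f in findings if f.internet_facing == facing]
        if group:
            out[facing] = sum(in_sla(f, now) for f in group) / len(group)
    return out

def queue(findings, now):
    """Open work, actively exploited first, then earliest deadline (assumed rule)."""
    open_items = [f for f in findings if f.patched is None]
    ranked = sorted(open_items, key=lambda f: (not f.exploited, deadline(f)))
    return [f.asset for f in ranked]

# Constructed sample inventory, not real data.
NOW = datetime(2026, 4, 25, 12, 0)
SAMPLE = [
    Finding("vpn-gw", True, datetime(2026, 4, 24, 9), None, True),
    Finding("web-01", True, datetime(2026, 4, 20, 9), datetime(2026, 4, 21, 9), False),
    Finding("web-02", True, datetime(2026, 4, 20, 9), datetime(2026, 4, 23, 9), False),
    Finding("hr-app", False, datetime(2026, 4, 1, 9), None, False),
    Finding("build-01", False, datetime(2026, 4, 20, 9), None, True),
]

if __name__ == "__main__":
    print(coverage(SAMPLE, NOW))
    print(queue(SAMPLE, NOW))
```

Note that `web-02` is patched yet still counts against coverage because the fix landed after the 48-hour window, which is the kind of evidence an assessor looks at and a fast remediation agent alone does not produce.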