Consider a scenario your organization may already be closer to than it realizes. Your Threat Agent detects early exploitation activity around a newly disclosed CVE, such as dark web chatter consistent with a zero-day discovery or a new exploit in circulation — the kind of early signal that platforms like Mythos are increasingly able to surface, arriving before CISA has added the CVE to the Known Exploited Vulnerabilities list. Your Vulnerability Agent cross-references your environment and finds the CVE present in your payments processing system. No compensating controls.
Your Remediation Agent knows what it needs to do. But it also knows what that action will cost. Patching requires a maintenance window the business hasn’t approved, but not patching leaves a confirmed attack path open on your most critical revenue infrastructure.
That gap — between what the agents know and what they’re allowed to decide — is the central challenge of agentic AI in the enterprise. Filling it requires something most organizations have never had to make operational: a genuine risk appetite.
From “How Early Can We Decide?” to “Do We Let the Machine Decide At All?”
Part 2 of this blog series, When Prediction Forces a Business Decision, framed the preemptive security dilemma: acting early means potentially disrupting the business before leadership has seen the attack. Agentic workflows make that question more fundamental: do we let the machine make that call entirely?
The answer isn’t binary — it needs to be based on a risk threshold. And the threshold is a business decision masquerading as a technical one.
The Threshold Problem
The Remediation Agent isn’t just alerting — it can push a patch, trigger an outage window, and isolate affected infrastructure. At what point should it act autonomously? At what point escalate? That’s a question about how much operational disruption the business will accept in exchange for how much risk reduction, at what level of threat confidence. In other words: risk appetite.
// Remediation Agent decision logic
IF predicted_breach_impact ≥ $X AND threat_confidence ≥ Y%
→ act autonomously
IF predicted_breach_impact ≥ $X AND threat_confidence < Y%
→ escalate to security leadership
IF predicted_breach_impact < $X
→ act autonomously regardless of confidence
That sounds simple until you try to fill in X and Y with numbers your CFO, COO, and CISO can all stand behind — especially when the cost of patching and the cost of not patching are both in the millions, and confidence on a pre-KEV exploit is still evolving.
The Business Reckoning Nobody Planned For
Most organizations have a risk appetite statement. Few have one operational enough to drive automated decisions in real time. The payments system scenario makes that gap concrete. Your agents need answers to questions your governance documents don’t contain:
- What categories of business disruption will we accept to prevent a predicted threat? The CFO’s answer — protect revenue — may directly conflict with the CISO’s, which is to patch immediately and close the attack path. Both are defensible. Neither is an agent config.
- What’s the threshold above which a human must be in the decision? A payments platform at $3M/hour in outage costs with a $25M remediation cost is not the same calculation as a back-office system. The agents need to know which is which before they act.
- Who owns the answer, and how often is it reviewed? Today’s pre-KEV exploitation windows close in days — in the future it will be in a matter of minutes. A risk appetite reviewed annually won’t hold up in real time.
These are business strategy questions with security implications. They must be answered before you deploy your agentic workflow— not after an agent does something your board wouldn’t have sanctioned.
Why This Is Harder Than It Looks
When agents surface a CVE to a human analyst, there’s a conversation — context shared, judgment applied, Legal looped in on breach notification timelines. When an agent acts autonomously, that conversation already happened, when you configured the system. If you got the thresholds wrong, the agent doesn’t know. It just executes.
What that looks like in practice: In July 2024, a routine CrowdStrike content update took down 8.5 million Windows machines globally and cost Delta Air Lines an estimated $500 million — not because anyone made a malicious decision, but because a software change hit critical infrastructure without the right guardrails. Now imagine your Remediation Agent, configured with an overly aggressive threshold, triggers an unscheduled maintenance window on your payments system at 11 PM on a Friday — the night before your highest-revenue retail day of the quarter. The “remediation” costs more than the breach would have. Delta’s outage was an accident. This one would be self-inflicted.
That’s not an argument against agentic automation — the efficiency gains are real and the competitive pressure to deploy is genuine. It’s an argument for treating the threshold-setting conversation as a first-class deliverable, not an afterthought.
What Operationalizing Risk Appetite Actually Looks Like
The goal isn’t a more elegant risk appetite statement. It’s decisions expressed as logic the Remediation Agent can execute against: what’s our breach cost estimate for this CVE class at this confidence level? What’s our outage cost at this time of day, in this business cycle? Does a pre-KEV dark web signal authorize autonomous action, or do we require KEV confirmation first?
Arriving at those answers requires the right people at the table: CFO (revenue impact), COO (operational continuity), CISO (threat confidence), and Legal (regulatory exposure). That’s not a security team meeting — it’s a business strategy session with a specific output: thresholds the agents can run against the next time a pre-KEV CVE lands on a critical system.
The Payoff
Organizations that do this work get more than well-configured agents. They get something rarer: a documented, business-owned decision about how much autonomy their automated systems have — and why.
When a regulator asks how an autonomous remediation was authorized without executive sign-off, they’ll have an answer. When an agent’s decision is later scrutinized, they can show it acted within sanctioned limits that reflected real business decisions, with governance behind the deployment.
Part 2 of this blog series asked: how early can we decide? Agentic workflows change this question to “Have we decided — in advance, with the right people in the room — what the machine is allowed to do on our behalf?” Risk appetite has always been the answer — it just took an autonomous agent staring at a pre-KEV CVE on a critical system at midnight to make that impossible to ignore.
Next in this series: what the threshold-setting conversation actually looks like in practice — who needs to be in the room, what data you need to bring, and how to turn a governance exercise into an operational config your agents can actually run.
Dataminr for Cyber Defense
Transform intelligence into a preemptive cyber advantage from first signal to risk-prioritized action.
Learn More
