Respond to Risk Recommendations

Respond to risk recommendations related to AI agents to close the security gaps before bad actors can exploit them.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • SaaS Agent Security license
Or any of the following licenses that include the SaaS Agent Security license:
  • CASB-X
  • CASB-PA
  • SaaS Security Posture Management license
SaaS Agent Security detects agent risks and recommends remediation actions you can take to close the security gaps before bad actors can exploit them. For example, SaaS Agent Security can detect the following risks and suggest remediation actions.
  • Agents with access to sensitive knowledge bases, which could result in unauthorized data exposure.
  • Agents that have not shown any activity for an extended period. Because these dormant agents are not being actively managed, they could represent a hidden attack surface. Their inactivity might delay detection of malicious use.
  • Agents that have elevated, administrator-level access to the applications that they connect to, which might be a violation of the principle of least privilege (PoLP).
  • Agents without delegated permissions. By interacting with the agent, users might indirectly gain access to information and actions that they are not directly authorized to access.
For a complete list of the risks that SaaS Agent Security can detect, refer to Risk Recommendations.
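The "agents without delegated permissions" risk listed above can be measured as the set of documents a user reaches through an agent but not directly. The following Python sketch is an added illustration, not SaaS Agent Security code or its detection logic; the agent model, the ACL table, and all names in it are constructed assumptions.

```python
"""Added illustration: indirect access through an agent without delegated permissions."""
from dataclasses import dataclass

# Constructed sample data: which users may read each knowledge-base document directly.
DOC_ACL = {
    "hr-salaries": {"alice"},
    "eng-handbook": {"alice", "bob"},
    "public-faq": {"alice", "bob", "carol"},
}


@dataclass(frozen=True)
class Agent:
    name: str
    service_scopes: frozenset  # documents the agent's own identity can read
    delegated: bool            # True: the agent acts with the caller's permissions

    def can_serve(self, user: str, doc: str) -> bool:
        """Would the agent return `doc` to `user`?"""
        if doc not in self.service_scopes:
            return False
        if self.delegated:
            # Delegated mode: the caller's own ACL entry is also required.
            return user in DOC_ACL.get(doc, set())
        # Non-delegated mode: the agent's access alone decides.
        return True


def indirect_access(agent: Agent, users) -> set:
    """(user, doc) pairs reachable through the agent but not authorized directly."""
    return {
        (user, doc)
        for user in users
        for doc in DOC_ACL
        if agent.can_serve(user, doc) and user not in DOC_ACL[doc]
    }


# Hypothetical users and agents; both agents hold the same broad service scopes.
USERS = ["alice", "bob", "carol"]
SCOPES = frozenset(DOC_ACL)
shared_identity = Agent("helpdesk-bot", SCOPES, delegated=False)
delegated_agent = Agent("helpdesk-bot", SCOPES, delegated=True)

if __name__ == "__main__":
    print("non-delegated:", sorted(indirect_access(shared_identity, USERS)))
    print("delegated:    ", sorted(indirect_access(delegated_agent, USERS)))
```

With identical service scopes, only the non-delegated agent produces a non-empty result, which is the gap that delegated permissions close.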
  1. Log in to Strata Cloud Manager.
  2. To navigate to the SaaS Agent Security dashboard, select Insights > SaaS Agents. In the Insights menu, the SaaS Agents item is located in the AI AGENT SECURITY section.
    The Recommendations panel on the right side of the page lists the risks that SaaS Agent Security detected. SaaS Agent Security filters this list based on the current dashboard view. If the dashboard is showing an overview of all agentic platforms, then the Recommendations panel shows all detected risks across all platforms. If you have navigated to view agents in a single agentic platform, or to view a single agent, SaaS Agent Security filters the risk recommendations list accordingly. Each risk in the list shows the number of agents where SaaS Agent Security detected the risk.
  3. For each recommendation, complete the following steps:
    1. Select Review & Remediate.
    2. Review the description of the risk, and take action.
      You can investigate the risk further to determine whether it represents an actual threat to your organization. If it does represent an actual threat, you can follow SaaS Agent Security's recommendation for remediating the risk. You can also select from the following actions to create a ticket to remediate the risk or to unpublish the risky agent.
      • Create Ticket
        If you have linked SSPM to an issue tracking system, you can create a ticket for someone to investigate and resolve the risk.
        1. From the recommendation's actions, click Create Ticket.
        2. In the Create Ticket dialog, select whether you're using Jira or ServiceNow to track issues. If SSPM isn’t linked to a Jira or ServiceNow instance, the Create Ticket dialog displays a link for you to Go to Ticketing Settings. From the Ticketing Settings page you can link SSPM to a Jira or ServiceNow instance.
        3. Specify where you want to create the ticket, and ticket information.
          • For Jira, select the Jira board on which you want to create the ticket, and the type of ticket you want to create. Specify a title, which will be assigned to your Jira ticket.
          • For ServiceNow, select the ServiceNow instance. Specify a title, which will be assigned to your ServiceNow ticket.
        4. Click Create Ticket.
      • Unpublish
        For some agentic platforms, the Recommendations panel includes an Unpublish action for automated remediation. This action streamlines risk remediation by enabling you to take agents offline from within SaaS Agent Security. You provide SaaS Agent Security with credentials for accessing the agentic platform instance, and SaaS Agent Security will take the necessary steps to disable the agents. The steps that SaaS Agent Security takes on your behalf to unpublish an agent will differ based on the agentic platform and its capabilities. Depending on the agentic platform's capabilities, SaaS Agent Security might unpublish the agent by removing all the agent's connections, by pausing the agent, or by deleting the agent entirely.
        1. From the recommendation's actions, click Unpublish.
          The Unpublish action is available only for certain agentic platforms. If the recommendation's actions do not include the Unpublish action, the Unpublish action isn’t available for the agentic platform.
          The Remediation page opens. This page contains a guided workflow for defining a remediation task. By following the workflow steps, you will enable SaaS Agent Security to connect to an agentic platform to unpublish one or more agents. When you complete the workflow steps, SaaS Agent Security creates a remediation task to unpublish the agents.
        2. On the Create Tasks & Select Agents tab, specify the following information:
          • The Name of the remediation task. Later, this name will appear on a Remediation tasks page where you can view the task's status. For this reason, specify a meaningful name that will be distinguishable from other remediation tasks.
          • A Description of the remediation task. Later, this description will appear on a Remediation tasks page where you can view the task's status. Provide a brief description that will help administrators understand the purpose of the task when they view its status.
          • The Instance of the agentic platform that SaaS Agent Security will connect to for remediation. Depending on the agentic platform, you might need to provide other identifying information, such as the Environment for Microsoft Copilot Studio.
          After you select the agentic platform Instance, the Create Tasks & Select Agents tab will list the impacted agents. These are the agents where SaaS Agent Security detected the risk.
        3. On the Create Tasks & Select Agents tab, select the impacted agents that you want SaaS Agent Security to unpublish.
        4. On the Select Credentials tab, select a credential that SaaS Agent Security will use to connect to the agentic platform instance for remediation. If no credential was previously defined, you can Create New Credential.
        5. Review the information on the Summary tab to verify that the information is correct. If necessary, you can Edit the information.
        6. After you have reviewed the information on the Summary page and are sure that this is the remediation task that you want to create, click Remediate.
          It takes one hour for the SaaS Agent Security dashboard to display changes to any impacted agentic platforms as a response to a remediation.