Original article appeared here. 

As enterprises race from pilot copilots to production-grade autonomous agents, the security conversation is shifting fast — and according to Bonfy co-founder and CEO Gidi Cohen, most of the industry is still asking the wrong question. While competitors focus on agent configuration and access control, Bonfy is staking its identity on a harder problem: tracking what sensitive data an AI agent actually reads, transforms, and sends once it’s already inside the system. With Gartner projecting that more than half of successful attacks on AI agents through 2029 will exploit access-control gaps, and roughly 22% of cyberattacks and data leaks tied to generative AI by 2028, that runtime blind spot is quickly becoming one of the defining risks heading into Black Hat USA 2026.

Ahead of the show, VMblog caught up with Cohen to dig into how Bonfy’s entity-aware approach fits alongside tools enterprises already run — Microsoft Purview, DLP, and DSPM — without becoming just another overlapping layer; what’s actually driving the company’s claim of eliminating false positives in a category notorious for alert fatigue; and why he believes the industry’s next reckoning won’t be about whether to deploy agents, but who’s accountable when one inevitably gets it wrong. Read on for the full Q&A, and if Cohen’s take on shadow AI, agent-to-agent data flows, and the runtime governance gap resonates, stop by the Bonfy booth at Black Hat to see how they’re putting it into practice.

VMblog: For readers who may not be familiar, give us the elevator pitch — who you are, what you do, and what genuinely sets you apart in today’s crowded cybersecurity market.  

Gidi Cohen: Bonfy is an AI data security company. We protect unstructured data everywhere it moves, email, SaaS apps, collaboration tools, browsers, copilots, and increasingly, autonomous AI agents. Legacy DLP and DSPM were built for a world of users and static repositories. We built Bonfy for a world where AI agents read, write, transform, and share sensitive data across dozens of systems on their own. Our entity-aware engine understands the people and customers behind the data, so we catch real risk with very few false positives, and we treat AI agents as first-class entities, not just an extension of someone’s login.

VMblog: If a CISO walks away from your booth remembering exactly one thing about your company, what do you want that to be?

Cohen: That Bonfy secures the data flowing through AI agents, not just the agents themselves. Everyone else is asking “what agents do we have and how are they configured?” We answer the harder question: what data did that agent actually touch, how did it transform it, and where did the output land?

Read the rest of the article here.