Telstra is weeks away from putting autonomous AI agents into production, and it is doing so with eyes deliberately open to the risks. The move, reported by iTnews, casts a spotlight on a tension playing out across corporate Australia: the productivity gains from agentic AI are real, but so is a security risk that most enterprise frameworks were never built to handle.
Marcella Wells, chief of Telstra's customer sales and commerce engineering group, told Salesforce's Agentforce World Tour in Sydney that the carrier had been exploring Agentforce for roughly nine months and was approximately six weeks from piloting the technology in production. The company is keeping the specifics of its intended use case close, but confirmed it is working with Salesforce on strategy. In parallel, Telstra's joint venture with Accenture, run from a hub in Mountain View in San Francisco, has been preparing the architecture needed to interoperate with Salesforce Foundations, the free add-on module that switches on Agentforce capabilities across the platform.
The commercial pressure behind the move is not hard to read. At its recent half-year results, iTnews reports that Telstra identified 380 potential AI use cases across its business, though CFO Michael Ackland was careful to warn that each deployment needed to justify its cost against commercial return. That caution was reinforced by Telstra's group technology chief Kim Krogh Andersen, who put it plainly: without the right foundation, the running cost of AI would outpace its benefits. It is a disciplined position, and one that separates Telstra from enterprises rushing deployment with little governance in place.
Strip away the buzz and the fundamentals show a significant security problem forming beneath the surface. ZDNet's analysis of the agentic AI threat frames the issue precisely: when AI moves from chatbot to autonomous actor, able to spawn other agents, commit spending, and modify live systems, the line between productivity tool and insider threat dissolves. This is not theoretical. Gartner predicts that 40% of enterprise applications will integrate task-specific AI agents by the end of 2026, up from less than 5% in 2025 — an explosion of autonomous systems carrying database access, API credentials, and decision-making authority into corporate environments.
The attack surface is novel. Where traditional insider threats involve employees misusing legitimate access, AI agents fit the same pattern but operate at machine speed, around the clock, and without the hesitation or moral agency that might cause a human to pause. Security researchers have documented how agents can be manipulated through prompt injection, where malicious instructions are embedded in ordinary-looking inputs. Once compromised, an agent with access to internal CRM data, payment systems, or cloud storage becomes, in effect, a perfect insider threat that never sleeps. Microsoft's own AI Red Team has found that agents can be misled by deceptive interface elements and have their reasoning subtly redirected through manipulated task framing.
The Australian Cyber Security Centre has not yet issued specific guidance on agentic AI risks, but the broader threat environment is worsening. A 2025 cloud security study by Thales found that 61% of enterprises now cite AI as their top data security risk, and more than half are prioritising AI security investment above all other security categories. Yet 53% of organisations still depend on traditional security programmes built primarily for human users, leaving them exposed to a fundamentally different risk profile.
The productivity case for agentic AI is also genuine and should not be dismissed. Proponents point to real outcomes: One NZ reported a fourfold increase in customer engagement after deploying Salesforce's Agentforce for Communications, and Lumen Technologies said agents saved its teams more than 300 hours of productivity per week. For a carrier like Telstra, facing structurally slowing telco revenue growth and intense cost pressure, those numbers are hard to ignore.
What the market hasn't priced in yet is the governance gap. A survey of 275 security leaders published by Acuvity found that CIOs control AI security decisions in 29% of organisations, while CISOs, the traditional owners of security posture, rank fourth at just 14.5%. That scattered ownership reflects an industry that hasn't resolved whether agentic AI is a technology deployment question, a data governance challenge, or a traditional security problem. Until enterprises develop unified governance structures, they will keep identifying risks they cannot adequately address.
Telstra's stated approach to its pilot is, at least, more considered than most. Wells described the early focus as establishing the operating model: learning how to observe agents, run them securely, and take them offline when required. That emphasis on non-functional processes, governance before features, reflects the kind of discipline Andersen was calling for. Around 75% of Telstra's staff have been given AI tools, and nearly 9,000 have received training on the technology, according to iTnews. That investment in foundations is meaningful.
The harder conversation is the one Telstra has yet to fully start publicly: the workforce impact. The same cost-reduction strategy driving the agentic AI push sits alongside the elimination of around 650 roles, with roughly 442 positions moving offshore to Infosys and a further 209 roles cut from the Accenture joint venture. Automation and offshoring are legitimate business decisions, but the conjunction of the two makes it harder to frame agentic AI as purely augmenting rather than replacing human labour.
The honest position is that both the opportunity and the threat are real. Agentic AI, governed carefully, with least-privilege access, full audit trails, and the ability to pull agents offline quickly, can deliver genuine efficiency gains. Governed carelessly, with broad permissions and weak oversight, it creates a class of autonomous insider that no existing security framework was designed to contain. Telstra's conservative pilot design suggests it understands which side of that line it needs to stay on. Whether the broader enterprise market follows that lead before the first high-profile agentic breach occurs is the more consequential question.