- Prompt injection attacks manipulate AI guardrails using natural language, exploiting the semantic gap to get models to ignore developer instructions.
- AI social engineering scales faster and lowers attacker skill barriers, enabling automated, targeted campaigns like deepfakes and credential theft.
- Primary harms include data exfiltration, unauthorized transactions, and malicious or biased outputs that damage reputation and operations.
- Defenses are immature and require layered controls: human in the loop, prompt firewalls, input sanitization, least privilege, fuzz testing, patching, and user training.
Last Updated on June 19, 2026
As AI agents become part of more business processes, controlling their identity and access privileges is now the central issue in cybersecurity. Not only are AI agents a primary cybercrime target, but they also pose major information security risks through their own autonomous behavior on behalf of users. These tandem vectors—compounded by “shadow AI” and unauthorized AI usage—are massively expanding the organizational attack surface.
How can companies address the unprecedented identity and access risks associated with agentic AI? This article overviews key insights for business and technical leaders.
How does agentic AI increase cyber risk?
Traditional identity management systems were designed around human users, whose behavioral options are broad but relatively predictable based on their training, judgement, and sense of accountability. Also familiar from an identity perspective are system accounts and similar compute assets with strongly bounded behavior potential but able to execute tasks at machine speed.
AI agents go beyond both these paradigms—confusing the line between human and machine and forcing organizations to rethink their identity and authorization controls. Unconstrained AI agents can reveal and exploit vulnerabilities in identity architecture, magnifying gaps that might have gone unnoticed in a human-centric approach.
For example, an AI agent acting on behalf of an authorized (or unauthorized) human user might independently initiate a series of queries to access sensitive data, such as employee medical records, that should remain protected but are inadvertently exposed. These types of identity gaps can quickly lead to significant data breaches or privacy violations.
According to Geoffrey Mattson, CEO at SecureAuth, “Agentic AI puts identity front and center in security. Really the only way to secure the use of agents is with a strong identity security solution.”
Human users can be unpredictable, especially if their identities are compromised. But their actions are slow relative to automated processes, which can access data and cause harm much more quickly if they break outside their approved bounds.
“AI agents are as unpredictable as a human but as powerful as a service account,” says Geoff Mattson. “So, they need a new set of authorization capabilities and controls put on them that don’t just apply a human identity’s privileges to the agent. Even agents that aren’t compromised and are just trying to do their jobs still need to have controls around them to protect the organization.”
AI agents magnify identity weaknesses
AI agents don’t actually create any new identity problems, but they magnify existing gaps or “tech debt” in identity architecture.
There are several types of agents, any of which could have dangerous data access privileges:
- Specialized AI assistants (e.g., a Microsoft 365 Copilot agent) that are designed to act broadly on behalf of a user.
- Autonomous agents that provide a specific workflow function (e.g., developing software or processing resumes).
- Agent-to-agent clusters or multi-agent systems where specialized AI agents autonomously coordinate complex, multi-step tasks at machine speed (e.g., Microsoft AutoGen).
“A huge mistake we see companies making is allowing any type of agent to inherit the permissions of a user,” Geoff Mattson observes. “That is extremely dangerous because agents are capable of using their permissions to do things that human users would never dream of or would feel accountable for and avoid. Agents can also do things very, very quickly and cause a lot of damage very quickly.”
Due to misconfigurations or other privilege issues, AI agents may also have access permissions beyond what a user has or is even aware of. Operating independently, agents can have unpredictable, negative impacts.
A real-world illustration of this problem starts with a human user who asked an AI agent to organize their out-of-control email inbox so they could “focus on the most important things.” The agent helped by deleting everything it deemed unimportant, and the user could do nothing to stop it.
Like malware in your environment
Even with guardrails, AI agents may “ruthlessly, deviously, and ingeniously” try to accomplish their assigned task, potentially by indirect, multi-step means. This activity resembles an attacker using AI to exploit weaknesses and pathways to achieve an objective in a target environment without necessarily installing malware.
Noting that recent LLMs have startling hacking ability, Geoff Mattson relates: “When you bring these agents in, you’re basically bringing a nation state level hacking organization into your environment.”
If cybercriminals compromise an AI agent, the impacts can be even worse. AI agents are highly vulnerable to being taken over by hackers via compromised APIs or open-source tools, through prompt injection attacks, or by exploiting over-permissioning and privilege gaps.
Why AI agents need strict authorization controls
As security leaders have warned, the rush to deploy agentic AI ahead of protections is resulting in an unparalleled attack surface expansion. According to Dark Reading’s January 2026 cybersecurity predictions poll, 48% of cybersecurity professionals think agentic AI systems will be this year’s top cyber target.
To keep AI risks in check, organizations must establish robust authorization protocols and conduct frequent audits, if not continuous monitoring, of AI agent behavior. A major challenge is that autonomous agents often have access to an unknown number of applications and data sources. Many AI agents are designed to seek out and connect to new data sources unless clear boundaries are enforced.
Agentic AI governance problems are intensified by shadow AI agents, which operate with no IT or security team oversight. Organizations frequently are unaware of which agents are accessing their sensitive data, let alone how those agents are behaving or whether they are compromised.
Tracking and authorizing agentic AI activity across the IT environment requires a gateway that resides in the data path ahead of all digital resources and can authorize or veto every AI agent action in real time based on agreed policy. This umbrella capability also supports audit/compliance and performance/usage analytics.
Is an agent behaving as expected? If not, the identity and authorization solution can automatically step up the guardrails around the agent, up to and including quarantining it. The protocols can be dynamic, based on the agent’s scope of powers and how much damage it could potentially do if it “went rogue.”
It’s not about protecting the AI—it’s about protecting your data from the AI
Most AI-related security investments focus on safeguarding the AI models with controls like guardrails, prompt filters, and other built-in safety features. But while security teams are rightly concerned about attacks on agentic AI systems, the bigger risk is the range of sensitive data a compromised agent can access.
An agent with wide access is like a skeleton key for attackers. Typical guardrails and prompt injection protections are often insufficient to keep hackers from taking control of agent behavior. But if an agent is properly governed at the data level, the risk is much less.
Why are AI agents such high-value targets for cybercriminals? Their autonomous capabilities to access multiple data sources and make independent decisions create a unique selection of vulnerabilities:
- Excessive privileges that often exceed what any individual human would ever accumulate.
- The ability to operate at compute speeds and perform unauthorized actions much faster than humans can detect and respond.
- Lack of oversight that allows malicious injections to inflict damage before security staff are aware.
- Access to multiple target systems via databases, APIs, and third-party services.
Perhaps no other technology opens up such a wide spectrum of high-value vulnerabilities and potential cyber risks for businesses using agentic AI.
The future of agentic AI security is continuous authorization
The starting point for securing autonomous systems is continuous authentication and access control across all resources that AI agents can access, not guardrails or other controls on the AI systems themselves.
A comprehensive approach to “continuous authority” leverages longstanding best practices like zero trust and least privilege principles, such as:
- Verifying every agent action in real-time by analyzing behavior, context, and risk/compromise indicators.
- Giving AI agents only the data access permissions they need for their current task, versus “anytime”/static access to resources.
- Immediate access revocation and alerts anytime an agent exhibits atypical or unapproved behavior.
Critical first steps to securing agentic AI in organizational environments include:
- Identify all the authorized and unauthorized AI agents operating in your environment, including service accounts and automated workflows. If you don’t know it’s there, how can you govern it?
- Eliminate static permissions in favor of policy-driven access controls that assess each agentic AI request against context parameters like activity patterns, network location, and risk indicators.
- Strictly govern API connections and Model Context Protocol (MCP) servers to control what data agents can access.
- Build detailed access limits around agentic AI workflows to limit the fallout if the AI is compromised.
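One way to implement the continuous-authorization gateway described in this section, as an added example that is not code from the article or from SecureAuth: a policy decision point that checks every agent action against a short-lived, task-scoped grant, the request context (network location and a risk indicator), and an activity-pattern bound, then quarantines the agent and revokes its grant the moment it steps outside those bounds. The agent, resource, action and network names are constructed for illustration, and the scenario in demo() mirrors the inbox-triage incident mentioned earlier in the article.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class TaskGrant:
    """Permissions scoped to the agent's current task, not a static identity."""
    allowed: set                 # {(resource, action)} pairs this task needs
    expires_at: float            # epoch seconds; task grants are short-lived
    max_per_minute: int = 30     # activity-pattern bound for machine-speed bursts

@dataclass
class Gateway:
    grants: dict = field(default_factory=dict)        # agent_id -> TaskGrant
    quarantined: set = field(default_factory=set)
    history: dict = field(default_factory=lambda: defaultdict(deque))
    audit: list = field(default_factory=list)         # (agent, decision, reason)
    trusted_networks: set = field(default_factory=lambda: {"corp"})  # constructed
    def _decide(self, agent_id, decision, reason):
        self.audit.append((agent_id, decision, reason))  # audit/compliance trail
        return decision, reason
    def _quarantine(self, agent_id, reason):
        self.quarantined.add(agent_id)        # step up guardrails ...
        self.grants.pop(agent_id, None)       # ... and revoke access immediately
        return self._decide(agent_id, "quarantine", reason)
    def authorize(self, agent_id, resource, action, ctx, now):
        """Every agent action passes through here; ctx carries network and risk."""
        if agent_id in self.quarantined:
            return self._decide(agent_id, "deny", "agent is quarantined")
        grant = self.grants.get(agent_id)
        if grant is None or now > grant.expires_at:
            return self._decide(agent_id, "deny", "no live task grant")
        if ctx.get("risk") == "high" or ctx.get("network") not in self.trusted_networks:
            return self._decide(agent_id, "deny", "untrusted context")
        if (resource, action) not in grant.allowed:
            return self._quarantine(agent_id, f"out of scope: {action} {resource}")
        window = self.history[agent_id]; window.append(now)
        while now - window[0] >= 60:          # keep a one-minute activity window
            window.popleft()
        if len(window) > grant.max_per_minute:
            return self._quarantine(agent_id, "machine-speed burst")
        return self._decide(agent_id, "allow", "in scope")

def demo():
    # Constructed scenario: an inbox-triage agent granted read/label, then tries delete.
    gw = Gateway()
    gw.grants["inbox-triage"] = TaskGrant({("mailbox", "read"), ("mailbox", "label")}, 1000.0)
    ctx = {"network": "corp", "risk": "low"}
    return [gw.authorize("inbox-triage", "mailbox", a, ctx, now=t)[0]
            for t, a in ((1.0, "read"), (2.0, "label"), (3.0, "delete"), (4.0, "read"))]
```

The third request (delete) falls outside the task grant, so the agent is quarantined and its grant revoked; the fourth request is denied even though it was in scope a moment earlier.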
Organizations that successfully govern data access rights for AI agents can greatly reduce AI-related stakeholder risk while achieving greater resilience and productivity.
What’s next?
For more guidance on this topic, listen to Episode 160 of The Virtual CISO Podcast with guest Geoffrey Mattson, CEO at SecureAuth.