"AI agents are becoming privileged insiders. Security and identity programs must now catch up before those insiders become invisible attack paths," wrote Token Security in a sponsored analysis of how enterprises are treating software agents.
A new identity layer has quietly appeared
For years, enterprise security programs assumed a simple equation: control the identities, control the risk. Employees logged in through identity providers, service accounts connected systems, and API keys let workloads speak to cloud services and databases. That premise is breaking as AI agents — first introduced as productivity helpers that summarize meetings and draft email — have been connected to critical business services.
The source lists concrete examples: agents now link into Salesforce, Snowflake, GitHub, Jira, production databases, and cloud environments. In those contexts agents retrieve information, trigger workflows, update records, write and deploy code, and take actions across multiple systems — sometimes on behalf of a human, sometimes autonomously, and sometimes in ways where it is unclear which.
Scale, sprawl, and the privilege problem
Because agents were given broad access early to avoid slowing projects, organizations now face "a sprawl of high-privilege, low-visibility actors," the source reports. Typical patterns include an agent created by one team and used by another, connected to multiple applications, and running on credentials provisioned for a different purpose. That combination produces actors that security teams "can't inventory, let alone govern."
Worse, agents create, use, and rotate identities at machine speed — a pace that, the source says, outstrips traditional identity and access management (IAM) controls. An overprivileged agent can transform a bad prompt, a compromised session, a malicious plugin, or a misconfigured integration into a path for data exfiltration, destructive action, or lateral movement across systems never intended to be connected.
How widespread the problem is, according to a 2026 survey
Token Security cites a 2026 Cloud Security Alliance (CSA) survey it commissioned showing how common undocumented agents have become: 82% of organizations discovered at least one AI agent created without the knowledge of security, IT, or governance teams in the past year, and 41% found this happening multiple times. The same survey, the source notes, reports 65% of organizations experienced a security incident involving an AI agent in the past year, with 61% reporting exposure or mishandling of sensitive data as a result.
What governance and controls must answer
The first requirement is visibility. Security teams need discovery and inventory that goes beyond platform-level names to answer operational questions the source lists explicitly: who owns an agent; who can invoke it; what systems it connects to; what credentials it uses; and what it can read, write, delete, or execute in each target application.
The source argues governance must also incorporate purpose, not only permissions. An agent with the narrow intent to prepare sales briefings should only need read access to CRM records; a finance workflow agent should only read invoices. The source says risk lives where intent and permissions diverge, and that it widens over time through least-privilege policy drift.
Enforcement measures the source recommends include trimming permissions to match intent, remediating overprivileged service accounts, rotating or removing unused credentials, and catching risky connections before they become incidents. The piece stresses these are not one-time actions; access reviews and audits provide only point-in-time checks while agents, instructions, user bases, and integrations continually evolve.
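The purpose-versus-permission comparison described above, as an added example (not code from the source or from Token Security): it reviews a constructed agent inventory for missing owners, grants that exceed the declared purpose, and idle credentials. The record fields, the purpose profiles, and the 90-day idle threshold are assumptions made for illustration.

```python
from datetime import date

# Hypothetical purpose profiles: the (system, action) pairs each declared purpose needs.
PURPOSE_PROFILES = {
    "sales-briefing": {("crm", "read")},
    "finance-invoices": {("invoices", "read")},
}

# Constructed inventory records; field names are assumptions, not a real product schema.
INVENTORY = [
    {"agent": "briefing-bot", "owner": "sales-ops", "purpose": "sales-briefing",
     "invokers": ["sales-team"],
     "grants": {("crm", "read"), ("crm", "delete"), ("github", "write")},
     "credentials": [{"id": "cred-a", "last_used": date(2026, 1, 10)}]},
    {"agent": "invoice-bot", "owner": None, "purpose": "finance-invoices",
     "invokers": ["finance-team"],
     "grants": {("invoices", "read")},
     "credentials": [{"id": "cred-b", "last_used": date(2026, 3, 1)},
                     {"id": "cred-c", "last_used": None}]},
]

def review_agent(record, today, max_idle_days=90):
    """Return (finding, detail) tuples for one inventory record."""
    findings = []
    if not record.get("owner"):
        findings.append(("no-owner", None))
    allowed = PURPOSE_PROFILES.get(record.get("purpose"))
    if allowed is None:
        # No recognised purpose means no grant is justified, so all are excess.
        findings.append(("undeclared-purpose", record.get("purpose")))
        allowed = set()
    # Grants beyond what the purpose needs are candidates for trimming.
    for grant in sorted(record["grants"] - allowed):
        findings.append(("excess-grant", grant))
    # Never-used or long-idle credentials are candidates for rotation or removal.
    for cred in record["credentials"]:
        last = cred["last_used"]
        if last is None or (today - last).days > max_idle_days:
            findings.append(("stale-credential", cred["id"]))
    return findings

def review_inventory(inventory, today):
    """Map each agent name to its list of findings."""
    return {rec["agent"]: review_agent(rec, today) for rec in inventory}

if __name__ == "__main__":
    for agent, findings in review_inventory(INVENTORY, date(2026, 3, 15)).items():
        for kind, detail in findings:
            print(f"{agent}: {kind} {detail}")
```

Running the review on a schedule rather than once reflects the point that audits are only point-in-time checks.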
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: The source urges teams to adopt continuous discovery and lifecycle controls for agent identities — not just manual audits — and points to Token Security's offering as a tool to "manage the full lifecycle of AI agent identities, reduce risk with remediation, and maintain governance and audit readiness."
- Procurement and enterprise leaders: Enterprises, the source advises, should not try to block agents outright but instead make them governable and "promote secure AI innovation" by treating agents as first-class identities with owners and lifecycle controls.
- End users: The piece flags concrete user risks: when agents gain unnecessary access, a malicious prompt, compromised session, or misconfiguration can lead to exposure or mishandling of sensitive data, or destructive actions across interlinked systems.
Token Security's diagnosis is blunt: the old identity model assumed predictable human and machine actors; AI agents have disrupted that predictability. Organizations that succeed, the source argues, will be those that treat agents as identities — with ownership, purpose, permissions, and continuous governance — before those identities become invisible attack paths.




