Nine out of 10 organisations are already running AI assistants beyond pilot — and many are unsure they can detect when those assistants are compromised, according to Proofpoint’s 2026 AI and Human Risk Report.
The new exposure model: AI as an identity and a threat
Agentic AI changes the security frame from tools to actors. “Every AI agent assumes an identity, access rights, data permissions, and operational intent, either on its own or inherited from a person,” Jennifer Cheng, Director of Cybersecurity Strategy, APJ at Proofpoint, told iTNews Asia. If an agent is misconfigured, over‑permissioned, or compromised, it becomes “a high‑speed pathway for data exposure, credential abuse, or lateral movement.”
That risk is concrete: a hidden instruction inside an email, for example, can trick an AI assistant into silently exfiltrating sensitive data. The core questions for defenders are therefore not whether AI exists in the environment, but what each agent can access, what it is allowed to do, and whether its behaviour matches its intended purpose.
Frontier models, scheduling agents, and machine‑speed risk
Frontier AI models expand the operational footprint of agents. Cheng describes a plausible chain: an employee connects an AI scheduling agent to email, calendar and customer communications. If that agent is compromised, attackers could “read sensitive messages, impersonate trusted users, send malicious links, or trigger business processes at machine speed.”
AI does not merely introduce a new capability — it introduces a new actor inside workflows that must be governed, monitored and constrained. That actor has no inherent concept of integrity, Cheng notes, and can be manipulated through prompt injection or “semantic privilege escalation” to exceed its intended role.
Shadow AI and unsafe connectors discovered at customer sites
Shadow AI — unsanctioned tools adopted without IT oversight — deepens exposure. Proofpoint’s investigators found Model Context Protocol (MCP) connectors to Telegram and to banking middleware at customer sites, unapproved connections from approved AI tools that “would be an extremely dangerous setup if computing devices are compromised.”
Cheng stresses that the risks are familiar in type — social engineering, insider risk, credential compromise, fraud and accidental data mishandling — but AI amplifies them through speed, autonomy and cross‑system connectivity. The consequence: organisations that rely on fragmented security controls will face visibility gaps and slower investigations.
What a unified, intent‑based defence looks like
Cheng proposes a single, integrated approach: a unified AI‑powered cybersecurity platform that brings together threat protection, data security, identity context, behavioural signals and AI governance into one risk lens. That unified view is intended to answer the basic operational questions: “who is risky, what data is exposed, which agent or account is acting outside its intended purpose, and where controls need to be applied before an incident becomes a breach.”
Practical controls she names include Data Loss Prevention, Data Security Posture Management, insider risk management, email and collaboration security, and AI governance combined in a unified platform. Runtime controls and intent‑based access controls are essential to detect prompt manipulation and to stop agents from performing actions outside their business intent.
What this means for CISOs, procurement leaders, and end users
- CISOs and security teams: Prioritise a unified platform that correlates identity, data and agent behaviour so you can detect when “an interaction is legitimate, careless, compromised or malicious.” Leverage intent‑based controls and runtime monitoring rather than relying solely on static rules.
- Procurement and IT leaders: Treat shadow connectors as a procurement and risk problem. Proofpoint’s survey data shows that in Singapore 98 percent of organisations see managing multiple security tools as a major challenge — a fragmentation problem that enables unsafe integrations such as MCP links to Telegram or banking middleware.
- End users and business owners: Expect agents to be governed like accounts. Previously, organisations were mainly worried about employees pasting sensitive information into browser AI services; the next phase includes desktop‑native assistants and autorunning agents that must be configured with least privilege and clear usage boundaries.
Data visibility is the foundation: “Organisations cannot protect data they cannot see, classify or understand,” Cheng warns. In practice the immediate priorities are simple and specific — inventory AI agents and connectors, classify sensitive data, apply least‑privilege and intent‑based runtime controls, and consolidate fragmented tools into a single risk view. Without those steps, agentic AI risks becoming a fast, automated pathway to the very exposures organisations hope AI will eliminate.
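As an added example (not code from Proofpoint, iTNews Asia or the report), the snippet below sketches a runtime gate that applies the intent-based, least-privilege controls described above to an AI agent's tool calls: each registered agent carries the identity it inherited, a business purpose, a tool allowlist and a data scope, and calls are allowed, held for approval, or denied accordingly. The agent ids, tool names and policy fields are constructed assumptions, and the "trigger" field stands in for whatever provenance signal the agent runtime provides.

```python
from dataclasses import dataclass

# Constructed inventory of registered agents: the identity each one acts as,
# its business purpose, a least-privilege tool allowlist and a mail-domain scope.
@dataclass(frozen=True)
class AgentPolicy:
    acts_as: str          # person whose access the agent inherited
    purpose: str          # the agent's intended business role
    allowed_tools: frozenset
    mail_domain: str      # recipients outside this domain are out of scope

INVENTORY = {
    "sched-agent-01": AgentPolicy(
        acts_as="alice@example.com", purpose="meeting scheduling",
        allowed_tools=frozenset({"calendar.read", "calendar.write", "email.send"}),
        mail_domain="example.com"),
}

# Actions that can move data out of the organisation. These must originate
# from the user, never from an instruction found inside processed content.
EXFIL_CAPABLE = {"email.send", "file.share"}

@dataclass(frozen=True)
class ToolCall:
    agent_id: str
    tool: str
    args: dict
    trigger: str   # "user" or "content" (instruction embedded in an email/document)

def evaluate(call: ToolCall, inventory=INVENTORY):
    """Return (decision, reason) for one tool call: allow, hold or deny."""
    policy = inventory.get(call.agent_id)
    if policy is None:
        return "deny", "unregistered agent: treat as shadow AI"
    if call.tool not in policy.allowed_tools:
        return "deny", f"{call.tool} is outside purpose '{policy.purpose}'"
    if call.tool in EXFIL_CAPABLE and call.trigger != "user":
        return "hold", "data-moving action triggered by untrusted content"
    if call.tool == "email.send":
        external = [r for r in call.args.get("to", [])
                    if not r.lower().endswith("@" + policy.mail_domain)]
        if external:
            return "hold", f"external recipients {external} need approval"
    return "allow", f"within purpose '{policy.purpose}' as {policy.acts_as}"

if __name__ == "__main__":
    # Constructed sample: an instruction hidden in a processed email asks the
    # scheduling agent to mail data to an outside address; the gate holds it.
    print(evaluate(ToolCall("sched-agent-01", "email.send",
                            {"to": ["x@attacker.example"]}, "content")))
```

The decisions and reasons are what a behavioural-signal pipeline would log, so deviations from purpose become detectable rather than silent.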
Read the original iTNews Asia interview with Jennifer Cheng / Proofpoint