We built modern security around a classic, predictable identity perimeter. Employees used single sign-on; service accounts used hard-coded keys or secrets; and internal applications sat comfortably behind corporate firewalls. We felt safe because we knew the actors. We understood the predictable behavior patterns. We categorized the risk into neat, manageable buckets.
That entire framework is now officially obsolete.
AI agents haven't just entered the enterprise; they have completely rewritten the rules of access. They do not behave like human employees, and they certainly do not behave like traditional, static service accounts. They are autonomous, high-velocity, and hyper-privileged entities that most organizations don't fully understand—or, more frighteningly, don't even know they have.
We are currently witnessing a massive, unchecked expansion of the identity perimeter, and security teams are largely standing on the sidelines with zero visibility, nonexistent governance, and a rapidly growing, unidentified stack of risk.
The Identity Sprawl Nobody Asked For
The pattern is sickeningly consistent. A new agent gets built to summarize meetings. Within a few weeks, it's connected to Slack, Jira, and the company's internal documentation repository. A few weeks later, some well-meaning developer hooks it into a production database because it needed to "pull some data" for a report. Nobody in IT approved that access. Nobody in security analyzed the blast radius.
According to a 2026 CSA survey, 82% of organizations discovered at least one AI agent created without a single security, IT, or governance review in the past year. Forty-one percent found this happening multiple times.
We’re not talking about a couple of rogue scripts running on a server. We’re talking about an entire, unmanaged, high-privilege operational layer that is effectively invisible to traditional identity and access management (IAM) systems.
Beyond Model Risk: The Real Threat Is Access
The security industry is currently obsessed with model security: prompt injection, jailbreaks, data poisoning, and model evasion. Those are real problems, but they only describe how an agent gets manipulated. They say nothing about what a manipulated agent can then reach, and that is the enterprise question that matters: agent access.
An agent that summarizes public documentation is an interesting experiment. An agent connected to customer financial records, source code, and admin-level cloud credentials is a breach waiting to happen.
A misconfigured integration, a compromised API key, or a well-crafted prompt injection doesn't just impact the LLM. It hands the attacker the LLM's privileges. If that agent holds read/write/delete access to your cloud infrastructure, your security tools are no longer the perimeter; the agent's permissions are.
This isn't theoretical speculation. 65% of organizations experienced a security incident involving an AI agent in the past year, and 61% reported direct, sensitive data exposure as a result.
Anatomy of an AI-Led Breach
To understand the scale of the risk, let’s look at how this happens in the real world:
- The Infiltration: An attacker uses a prompt injection attack against a public-facing AI agent, forcing it to reveal internal API endpoints.
- The Reconnaissance: The agent, which has authorized internal access to your network, is then used to scan repositories, list databases, and identify sensitive data stores that it should never have touched.
- The Escalation: Because the agent runs as a high-privilege service account, the attacker simply acts as that identity. MFA, device checks, and conditional-access rules were built for humans and were never applied to the service account, so there is nothing left for the attacker to bypass.
- The Exfiltration: The agent, performing entirely legitimate-looking operations, exports the sensitive data or deploys malicious code to production.
At no point was a "hacker" ever directly on your network. The identity itself was the attacker.
Visibility: The First Step Out of the Abyss
If you don't know where these agents are, you cannot secure them. Discovery must go well beyond the typical "what agent is running on our infra" baseline. You need to map the entire context:
- Who actually owns this agent? (And no, "marketing" is not an owner; a human being is).
- What systems is it connected to, and what APIs is it hitting?
- What are its effective permissions? What can it really do?
This is significantly more difficult than it sounds. You might know your marketing assistant exists. But do you know it’s running on a Snowflake service account that has full admin permissions? Do you know which repositories your developer coding agent can push to?
The agent's code is not the attack surface. The identities the agent can present are.
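As an added example (not code from the original article), the following Python resolves each agent's effective permissions from the credentials it can present, walking role inheritance so that a "reader" role hidden inside an "admin" role is not missed, and flags agents that lack a human owner or hold high-risk grants. The agents, roles, credential names, and owners are constructed for illustration; the structure is what a discovery job should produce, not a real product's output.

```python
"""Resolve each AI agent's effective permissions from the credentials it holds.

Constructed example: the agent inventory, role catalogue and owner records
below are made up for illustration; they are not real systems or accounts.
"""
from collections import deque

# Role catalogue: role -> (direct permissions, roles it inherits).
ROLES = {
    "crm.reader":       ({"crm:read"}, set()),
    "snowflake.reader": ({"warehouse:select"}, set()),
    "snowflake.admin":  ({"warehouse:drop", "warehouse:grant"}, {"snowflake.reader"}),
    "github.reader":    ({"repo:read"}, set()),
    "github.writer":    ({"repo:push"}, {"github.reader"}),
    "prod.deployer":    ({"prod:deploy"}, {"github.writer"}),
}

# Credentials: service account or token -> roles attached to it.
CREDENTIALS = {
    "svc-marketing-bot": {"snowflake.admin"},
    "pat-coding-agent":  {"github.writer", "prod.deployer"},
    "svc-sales-prep":    {"crm.reader"},
}

# Agents: declared owner and every credential the agent can use.
AGENTS = [
    {"name": "marketing-assistant", "owner": "marketing", "credentials": ["svc-marketing-bot"]},
    {"name": "coding-agent", "owner": "alice@example.com", "credentials": ["pat-coding-agent"]},
    {"name": "sales-prep", "owner": "bob@example.com", "credentials": ["svc-sales-prep"]},
]

# Permissions that destroy data, change production, or change who else has access.
HIGH_RISK = {"warehouse:drop", "warehouse:grant", "prod:deploy"}


def resolve_role(role, roles=ROLES):
    """Flatten a role and everything it inherits into one permission set (cycle-safe)."""
    perms, seen, queue = set(), set(), deque([role])
    while queue:
        r = queue.popleft()
        if r in seen or r not in roles:
            continue
        seen.add(r)
        direct, parents = roles[r]
        perms |= direct
        queue.extend(parents)
    return perms


def effective_permissions(agent, credentials=CREDENTIALS, roles=ROLES):
    """Union of permissions across every credential the agent can present."""
    perms = set()
    for cred in agent["credentials"]:
        for role in credentials.get(cred, ()):
            perms |= resolve_role(role, roles)
    return perms


def is_human_owner(owner):
    """Only a person's address counts as an owner; a team name is not accountable."""
    return "@" in owner


def audit(agents=AGENTS):
    """One finding per agent: effective permissions plus the governance gaps."""
    findings = {}
    for agent in agents:
        perms = effective_permissions(agent)
        findings[agent["name"]] = {
            "permissions": sorted(perms),
            "high_risk": sorted(perms & HIGH_RISK),
            "no_human_owner": not is_human_owner(agent["owner"]),
        }
    return findings


if __name__ == "__main__":
    for name, finding in audit().items():
        print(name, finding)
```

The point of walking inheritance is visible in the marketing assistant: the credential it was handed looks like one Snowflake role, but its effective rights include drop and grant, which is exactly the "full admin" surprise the text describes.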
Purpose and Intent: The New Governance Model
The second piece of this puzzle is intent. Security and governance for AI agents cannot be purely permission-based. They must account for what the agent is for.
A sales prep agent needs read-access to CRM records. It does not need to be able to delete customer database tables. A coding automation agent should be able to create branches, not deploy to production.
When you understand the agent’s specific intent, you can enforce least privilege by matching that scope. But today, most agents operate with "all-or-nothing" permissions. They accumulate rights like sediment in an old pipe. One developer grants access to a GitHub repository, then another adds access to a production database for convenience. Before anyone realizes it, your "helper agent" has the privileges of a senior DevOps engineer.
Governance isn't about blocking AI; it's about scoping access to the agent's stated intent.
Tooling Ecosystem: A Nightmare to Audit
The technical integration layer is arguably the most frightening part. Most agents don't just "connect" to an API. They use plugins, "tools," and "functions."
Each of these is a potential vulnerability. When a developer installs a new plugin into an AI assistant, they aren’t just installing code; they are creating a new delegation pathway. If that plugin hasn't been vetted for how it handles secrets or how it requests downstream access, you are effectively opening a new, persistent backdoor into your core systems.
These pathways don't show up in your IAM audit logs as the agent's actions either. They show up as the tool's actions, under whatever service account the plugin was given, logged in a different format or not logged at all. The trail from a downstream action back to the agent that caused it is broken before anyone looks for it.
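Both problems above (scoping access to intent, and tool actions that cannot be traced back to the agent) can be addressed at the same choke point: a gate that every tool call passes through. As an added example (not the article's code or any vendor's API), the following Python maps each agent purpose to an allowlist of tools and resource prefixes, denies anything outside it, and stamps every decision and every downstream call with the agent identity and a correlation id. The purposes, tool names, and handlers are constructed for illustration; the two deny cases are the sales-prep and coding-agent examples from the text.

```python
"""Intent-scoped tool-call gate with per-agent audit attribution.

Constructed example: the agents, tools and policies are invented for
illustration; the names are not a real product's API.
"""
import json
import uuid
from dataclasses import dataclass, field

# Purpose -> allowed tools and the resource prefixes those tools may touch.
# Anything not listed is denied; there is deliberately no "all tools" purpose.
INTENT_POLICY = {
    "sales-prep": {
        "tools": {"crm.read_account", "crm.list_notes"},
        "resources": ("crm://accounts/", "crm://notes/"),
    },
    "coding-assistant": {
        "tools": {"git.create_branch", "git.push", "git.open_pr"},
        "resources": ("repo://app/",),
    },
}


@dataclass
class ToolCall:
    agent: str            # the agent's identity, not the plugin's service account
    purpose: str          # declared intent the agent was registered with
    tool: str
    resource: str
    args: dict = field(default_factory=dict)


AUDIT_LOG = []  # in practice an append-only stream shipped to the SIEM


def authorize(call, policy=INTENT_POLICY):
    """Allow a call only if both the tool and the target fit the agent's intent."""
    rules = policy.get(call.purpose)
    if rules is None:
        return False, "unknown purpose"
    if call.tool not in rules["tools"]:
        return False, f"tool {call.tool} outside intent {call.purpose}"
    if not call.resource.startswith(rules["resources"]):
        return False, f"resource {call.resource} outside intent {call.purpose}"
    return True, "ok"


def execute(call, handlers, policy=INTENT_POLICY):
    """Gate, then dispatch. The audit record and the downstream call both carry the
    agent identity and a correlation id, so the trail shows the agent, not the plugin."""
    correlation_id = uuid.uuid4().hex
    allowed, reason = authorize(call, policy)
    record = {
        "correlation_id": correlation_id,
        "agent": call.agent,
        "purpose": call.purpose,
        "tool": call.tool,
        "resource": call.resource,
        "decision": "allow" if allowed else "deny",
        "reason": reason,
    }
    AUDIT_LOG.append(json.dumps(record, sort_keys=True))
    if not allowed:
        return {"ok": False, "reason": reason, "correlation_id": correlation_id}
    result = handlers[call.tool](call, correlation_id)
    return {"ok": True, "result": result, "correlation_id": correlation_id}


# Constructed handlers standing in for real CRM and git plugins.
def _crm_read(call, cid):
    return {"account": call.resource.rsplit("/", 1)[-1], "by": call.agent, "cid": cid}


def _git_create_branch(call, cid):
    return {"branch": call.args.get("name"), "by": call.agent, "cid": cid}


HANDLERS = {"crm.read_account": _crm_read, "git.create_branch": _git_create_branch}


def demo():
    """The four cases from the text; returns the allow/deny outcome of each."""
    calls = [
        ToolCall("sales-prep-agent", "sales-prep", "crm.read_account", "crm://accounts/ACME"),
        ToolCall("sales-prep-agent", "sales-prep", "db.drop_table", "db://prod/customers"),
        ToolCall("coder", "coding-assistant", "git.create_branch", "repo://app/main", {"name": "fix-1"}),
        ToolCall("coder", "coding-assistant", "git.push", "repo://infra/prod-deploy"),
    ]
    return [execute(c, HANDLERS)["ok"] for c in calls]


if __name__ == "__main__":
    print(demo())
    print("\n".join(AUDIT_LOG))
```

Note that the fourth call is denied even though git.push is an allowed tool for the coding assistant: the resource prefix check is what stops a permitted tool from being pointed at an infrastructure repository the agent has no business in.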
Continuous Governance: The Only Sustainable Way
If you think a quarterly access review is going to protect you, you are already lost. Agents change. Instructions get updated. Integrations get added by employees who don't even know what security is.
That’s why governance must be continuous. You need automated feedback loops that surface privilege drift the moment it happens, not three months later during an annual audit.
This means monitoring for agents that suddenly start accessing applications outside their normal scope, agents using credentials that were never issued to them, and grants that appear without an approval behind them. You aren't building a perfect system upfront; you're building an immune response that catches drift the moment it becomes problematic.
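As an added example (not from the original article), the following Python implements the two feedback loops described above: a diff of each agent's current grants against its approved baseline, and a scan of access-log events for applications outside the agent's historical profile or credentials the agent was never issued. The baseline, snapshot, issued-credential list, and log lines are constructed for illustration; in practice the snapshot would come from the IdP or cloud IAM and the events from the SIEM.

```python
"""Continuous privilege-drift detection for AI agents.

Loop 1 diffs the latest grant snapshot against each agent's approved baseline.
Loop 2 compares observed access in logs against the agent's historical profile.
Constructed example: every snapshot and log line below is made up.
"""
import json
from collections import defaultdict

# Approved baseline per agent: what the owner actually signed off on.
BASELINE = {
    "sales-prep": {"grants": {"crm:read"}, "apps": {"crm"}},
    "coding-agent": {"grants": {"repo:read", "repo:push"}, "apps": {"github"}},
}

# Latest grant snapshot as pulled from the IdP / cloud IAM (constructed).
SNAPSHOT = {
    "sales-prep": {"crm:read", "warehouse:select", "warehouse:drop"},
    "coding-agent": {"repo:read", "repo:push"},
}

# Credentials each agent was issued; anything else in the logs is borrowed.
ISSUED_CREDS = {"sales-prep": {"svc-sales-prep"}, "coding-agent": {"pat-coding-agent"}}

# Constructed access log, one JSON event per line, as a SIEM might ship it.
LOG_LINES = """
{"ts":"2024-05-01T09:00:01Z","agent":"sales-prep","app":"crm","action":"read","cred":"svc-sales-prep"}
{"ts":"2024-05-01T09:00:07Z","agent":"sales-prep","app":"crm","action":"read","cred":"svc-sales-prep"}
{"ts":"2024-05-01T09:12:44Z","agent":"sales-prep","app":"snowflake","action":"select","cred":"svc-marketing-bot"}
{"ts":"2024-05-01T10:03:19Z","agent":"coding-agent","app":"github","action":"push","cred":"pat-coding-agent"}
{"ts":"2024-05-01T10:05:00Z","agent":"coding-agent","app":"k8s","action":"deploy","cred":"pat-coding-agent"}
""".strip().splitlines()


def grant_drift(baseline=BASELINE, snapshot=SNAPSHOT):
    """Grants present now that were never in the approved baseline, per agent."""
    drift = {}
    for agent, base in baseline.items():
        extra = snapshot.get(agent, set()) - base["grants"]
        if extra:
            drift[agent] = sorted(extra)
    return drift


def behavior_drift(lines=LOG_LINES, baseline=BASELINE, issued=ISSUED_CREDS):
    """Events where an agent touched an app outside its profile or used a foreign credential."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        agent = ev["agent"]
        profile = baseline.get(agent)
        if profile is None:
            # An agent nobody registered is itself a finding.
            alerts.append({"agent": agent, "kind": "unknown_agent", "ts": ev["ts"]})
            continue
        if ev["app"] not in profile["apps"]:
            alerts.append({"agent": agent, "kind": "new_app", "app": ev["app"], "ts": ev["ts"]})
        if ev["cred"] not in issued.get(agent, set()):
            alerts.append({"agent": agent, "kind": "foreign_credential", "cred": ev["cred"], "ts": ev["ts"]})
    return alerts


def review_queue(baseline=BASELINE, snapshot=SNAPSHOT, lines=LOG_LINES, issued=ISSUED_CREDS):
    """Merge both loops into one per-agent list the owner must approve or revoke."""
    queue = defaultdict(list)
    for agent, grants in grant_drift(baseline, snapshot).items():
        queue[agent].append({"kind": "unapproved_grants", "grants": grants})
    for alert in behavior_drift(lines, baseline, issued):
        queue[alert["agent"]].append(alert)
    return dict(queue)


if __name__ == "__main__":
    print(json.dumps(review_queue(), indent=2))
```

The two loops catch different failures. The grant diff finds the Snowflake rights someone attached to the sales-prep agent "for a report" before they are ever used; the log scan finds the agent using a credential that belongs to a different agent, which no grant snapshot would ever show.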
The Future: Agents as First-Class Citizens
The organizations that win the AI arms race will be the ones that accept a painful, necessary truth: AI agents are digital employees.
They need owners. They need access management. They need lifecycle controls. And they need to be governed with the same intensity as the humans sitting in the office.
NewCore’s recent $66M funding is a massive signal of where this is going. We are moving toward a world where software entities are digital employees. Treat them like that, and you stand a fighting chance. Ignore them, and you’re just watching the clock strike midnight.
The question isn't whether your organization will deploy more AI agents. The question is whether you’ll have the visibility to control that power before someone else uses it against you.
The clock is ticking. And frankly, most security teams are already way, way behind. Stop treating agents like calculators, and start treating them like the privileged identities they are. Your future self will thank you.