Shift in Deception Defense
We have spent years telling employees to slow down. CISOs bought phishing simulators, forced staff through tedious annual compliance training, and plastered bright yellow warning banners over every email originating from outside the company firewall. The theory was simple: the human user is the perimeter. If we could only patch human psychology and turn every staff member into an alert security guard, the corporate network would remain secure. It didn't work. The relentless volume of social engineering attacks, credential harvesting campaigns, and business email compromise incidents proves that relying on human cognitive vigilance is a losing battle. The moment a user gets tired, distracted, or panicked, the defense breaks.
But we are at the edge of a structural shift. The rise of AI-native operating systems and autonomous agentic workflows is moving the burden of vigilance from the human operator directly to the core software system. Look at what tech companies did recently. Google wired Gemini deep into the Android OS, and Apple pushed Apple Intelligence across its entire ecosystem of devices. These systems aren't just launchpads for apps anymore. They are active partners that read, summarize, and act on the content we consume.
When your operating system reads your email for you and presents you with a three-sentence summary, the traditional phishing lure loses its grip. The human user never sees the deceptive language, the spoofed header, or the urgent plea for help. Instead, the AI-native OS consumes the raw digital input. This sounds like an absolute win, but it simply changes the nature of the target. Attackers don't need to trick your director of finance; they just need to feed the AI natural language cues that override its instructions. The threat vector has migrated from cognitive manipulation to prompt interface exploitation. If the machine does the reading, the machine has to do the defending. According to technologist Arun Vishwanath in his opinion piece for Dark Reading, this signals the beginning of the end of traditional social engineering, shifting the responsibility of detecting deception and maintaining vigilance from human users to autonomous systems.
Identity Access Risks in Agentic Workflows
This new architecture brings a much larger operational risk: the way AI agents handle permissions. In a typical enterprise rollout, an agent doesn't run in a sandboxed, low-privilege bubble. To do anything useful—like updating CRM pipelines, compiling code repositories, or sending automated supplier emails—the agent must use the authority of the human user it is acting for. Under the hood, it inherits long-lived OAuth tokens, active session cookies, and API credentials.
This brings us to a massive governance black hole that identity professionals are starting to call "identity dark matter." As highlighted in The Hacker News guide on guardian agents, when an employee authenticates to run a task, the agent spins up, inherits that identity's access rights, and starts traversing systems. A single request might touch a document repository, pull customer records, and hit a database API. But unlike a human user, the agent doesn't stop for security check gates. It doesn't get prompted for multi-factor authentication (MFA) midway through a chain of API calls. It moves at machine speed, carrying broad permissions across corporate boundaries long after the human has walked away from their desk.
If an attacker uses prompt injection to compromise an agent session, they inherit that entire permission graph. Because normal identity governance structures only check credentials at the initial login point, they are blind to what the agent does afterward. We have plenty of tools to manage static service accounts, but we have almost nothing that governs dynamic, multi-hop agent execution paths. This is why teams are beginning to look at projects like Claw Patrol to act as execution firewalls, intercepting commands before they run wild.
For a risk analyst, this is an absolute nightmare. A single compromised session can result in massive, unlogged data extraction. When an agent inherits permissions to touch customer personal identifiable information (PII) without a clear audit trail, compliance frameworks like GDPR and CCPA become impossible to satisfy. We are building a massive tower of autonomous actions on top of an identity foundation that wasn't designed for it.
Market Vulnerability and Scanner Blind Spots
The risk isn't theoretical. Look at the software supply chain that feeds these agents. To make agents more capable, developers install third-party plugins and modules, often referred to as "skills." The industry treats these skills like normal open-source libraries, relying on marketplace scanners and community metrics like GitHub stars to decide if they are safe.
It is an illusion. Security firm AIR recently ran an experiment that exposed just how fragile this trust model is. As reported by The Hacker News, they built a fake agent skill called brand-landingpage, which claimed to automate the creation of landing pages using Google's design tool, Stitch. To make the skill look legitimate, the researchers opened a pull request to add it to a popular public marketplace repository with 36,000 stars and 156 skills. Once merged, the skill inherited the repository's high-trust signals. They then ran targeted ads to push the skill to marketers, designers, and sales teams. It allegedly reached 26,000 agents, including those on corporate networks.
Every scanner that evaluated the skill—including tools developed by Cisco, NVIDIA, and community checkers—marked it clean. Why? Because the skill submitted at scan time contained no malicious code. Instead, it instructed the agent to install a package by pulling down documentation from an external domain controlled by the researchers (stitch-design.ai rather than the authentic Google address stitch.withgoogle.com). The scanners checked the static package, saw a link to what looked like a legitimate setup guide, and approved it.
Once the skill was widely installed, the researchers swapped the code behind the external link. The new script ordered the agents to harvest user email addresses and transmit them back to their server. A real attacker could have used this execution hook to read local files, execute commands, or extract enterprise data. The structural lesson is clear: static scanning is useless against systems that fetch runtime instructions dynamically. If an agent can fetch instructions from a URL that someone else controls, the security of that agent is only as good as the security of that external URL.
Rebuilding Defense Around Running Systems
If static scans fail and credentials are inherited blindly, how do we secure this architecture? We cannot go back to telling users to be careful. The entire promise of agentic AI is that we do not have to double-check every transaction ourselves. The defense must shift from training the human to restricting the execution environment.
First, security teams have to map what is running. You cannot secure identity dark matter if you do not know it exists. Enterprises need a live, continuous inventory of every running agent, its parent identity, and the specific APIs it is calling. This is part of the broader work of securing autonomous agents that modern CISOs face today. When an agent spins up via a low-code integration, it must be logged and monitored immediately.
Second, we need runtime policy enforcement. Instead of granting an agent the full scope of a user's permissions, we must constrain its access dynamically based on the specific job it is performing. If an agent is tasked only with summarizing an email, it has no business requesting access to a financial database or an HR system, even if the user running it has access to those systems. This requires a dedicated oversight plane—what industry analysts describe as "guardian agents"—to monitor execution paths in real time. We are seeing CISOs face this challenge head-on, trying to put boundaries around tools that are designed to dismantle boundaries. As discussed in the analysis of securing agentic workloads, perfect defenses do not exist, but we must establish clear guardian layers and human oversight to prevent catastrophic failures.
Moving security from the authentication gate to the execution path will not be clean or easy. But as long as we rely on static tools and human eyeballs to defend dynamic, machine-speed systems, we are leaving the door open. The transition to system-level vigilance is not just a trend; it is the only way forward.