What do you do about an employee you never hired, never interviewed, never trained, and never gave a contract to, but who quietly has access to your customer data, your internal chats, your finance folder, and the authority to act on your behalf? This is not a thought experiment. It is happening right now inside thousands of organizations, and most of them have not noticed it yet.
In June 2025, security researchers at Aim Labs disclosed EchoLeak, tracked as CVE-2025-32711 with a CVSS score of 9.3. It was the first publicly documented zero-click attack against an AI agent. The target was Microsoft 365 Copilot and the weapon was a single email. The user did not need to open it. They did not need to click anything. The email just needed to sit in their inbox. From there, Copilot did the rest, pulling data from SharePoint, OneDrive, and Teams, and sending it out through trusted Microsoft channels.
What’s troubling is that nothing exploded. No malware was deployed. No firewall lit up. The agent simply did its job, exactly as it was designed to do, and that was the problem. EchoLeak was patched, of course. But what it revealed cannot be patched, because it is not a bug in a product. It is a new category of risk that we have all walked into without much of a plan.
We have spent decades getting good at securing four things: networks, devices, identities, and humans. Agentic AI introduces a fifth category, and it does not behave like any of the others. It reasons. It remembers. It makes decisions. It calls APIs. It writes to your databases. It sends emails on your behalf. It has credentials. And in almost every organization I have spoken with in the last twelve months, nobody can answer three basic questions about it: who owns it, what can it actually do, and how do we stop it when it goes wrong?
That is the gap I want to talk about. Because while we have been arguing about whether AI will take our jobs, AI agents have quietly taken their seats at the table, and no one is checking their badges.
The Problem We Built While We Were Looking the Other Way
Let me give you some numbers that should make any security officer pause. According to Palo Alto Networks’ 2026 Identity Security Landscape Report, machine identities in the average enterprise now outnumber human identities by 109 to 1, up from 82 to 1 just one year earlier. In financial services, the ratio is even higher. And these are not just API keys and service accounts anymore. They are autonomous agents that can plan, decide, and act. Only 37 percent of organizations can actually revoke an AI agent’s credentials. Only 30 percent have immutable audit logging for what those agents do. Think about that. A new workforce, one hundred times the size of your human one, and most of it cannot be fired.
In December 2025, OWASP responded to this new reality by releasing the Top 10 for Agentic Applications 2026, a framework built from real incidents across more than one hundred contributing organizations. The risks it documents do not look like the ones we are used to. They have names like Agent Goal Hijack, Tool Misuse, Memory Poisoning, and my personal favorite for capturing the moment we are in, Human-Agent Trust Exploitation. That last one matters because it admits something we do not say out loud. We trust these systems too much. They sound confident. They explain themselves fluently. They produce answers that look authoritative, and so we approve what they suggest without checking, and we deploy what they build without questioning.
The other risks in that list are more familiar in shape but new in scale. Goal hijack is when an attacker manipulates what the agent thinks it is trying to do. The EchoLeak case showed how to do this in natural language, with no code, no malware, and no user action. Tool misuse is when the agent uses its legitimate access in ways the designer never intended. Memory poisoning is when corrupted information gets into the agent’s long-term context and influences every future decision it makes, including decisions about other users. None of these were possible at scale before agentic AI. All of them are now everyday risks.
And here is what makes me lose sleep. The Kiteworks 2026 Forecast Report found that among organizations that already reported AI-agent-driven incidents, the most common outcome was not that the agent broke. It was that the agent leaked. Sixty-one percent of incidents involved data exposure. The agent was doing its job. Its job description was just never bounded by a data governance policy.
Treating Agents Like Contractors
Here is the mental shift I am asking you to make. Stop thinking of agents as features. Stop thinking of them as tools. Start thinking of them the way you think of a temporary contractor with privileged access. Because they have credentials they did not earn, access they did not request, and the ability to act on your behalf without your knowledge. If a human contractor walked into your office tomorrow with that same profile, they would not make it to lunch. Their badge would be deactivated, their laptop confiscated, your security team would be in an uproar by 10 a.m. and your CISO would be writing an incident report by noon. Why are we treating our agents any differently?
Treating agents like contractors gives us a playbook we already know. Below are five things that any organization can start doing this quarter. They are not technological breakthroughs. They are the basic identity and governance hygiene we have applied to humans for thirty plus years, finally applied to the machines that now outnumber us a hundred to one.
Inventory every agent you have. You cannot govern what you cannot see. Start with a simple question across every department: which AI tools, agents, copilots, or assistants have any form of access to organizational data or systems? You will be surprised. Marketing has one. Finance has one. Engineering has three. Customer service has integrated one through a vendor without telling anyone. Shadow AI agents are already the dominant unmanaged risk in most enterprises, and you cannot apply controls to identities you have not discovered.
Scope agents to the minimum they need, not the maximum they can use. Post-incident analysis of agent-involved breaches in 2025 and 2026 found that seventy-eight percent of agents had significantly broader permission scopes than their function required. Why? Because under delivery pressure, teams over-provision and intend to tighten permissions later. Later never comes. Treat agent permissions the way you treat database production access. Justify every grant, review them, and expire them. By design.
Put a human in the loop for actions that matter. Not every action. That defeats the point. But for any action that touches money, customer data, security policy, or external communication, the agent should propose and the human should approve. The Air Canada case in 2024, where a tribunal ruled the airline liable for a refund its chatbot promised, established something we should all internalize: organizations are legally accountable for everything their agents output. The agent is not a separate entity. It is you. Design your workflows accordingly.
Build a kill switch and test it. If you cannot answer the question: how do I stop this agent in the next sixty seconds, you do not own it. Every agent in production should have a documented and tested procedure for immediate revocation of credentials and termination of running tasks. Test it quarterly. The first time you try to stop an agent should not be the day it goes wrong.
Monitor behavior, not just access. The traditional security question was: is this identity authorized to do this action. The new question is: is this agent behaving consistently with how it normally behaves. An agent that usually checks inventory and suddenly starts querying the customer database is not just violating its permissions. It is violating its purpose. Behavioral monitoring catches what permission checks cannot.
What Getting This Right Looks Like
I want to be clear about something. None of this is an argument against agentic AI. The productivity gains are real, as are the customer experience improvements and the operational efficiency. I am writing this article from a position of having watched these technologies move from curiosity to production faster than any technology I have seen in twenty years of doing this work, and I am not asking anyone to slow down.
I am asking us to apply the discipline we already know. The organizations that will thrive in the agentic era are not the ones with the most agents or the cleverest prompts. They are the ones that treat agents the way mature organizations treat any privileged identity. With an owner, a scope, with monitoring, and with a way to revoke. In other words, with a clear accountability chain that ends in a human name.
When you get this right, the picture changes. Your agents become genuine force multipliers instead of unmanaged liabilities. Your security team stops being the department that says no, because they have a framework for saying yes. Your auditors stop asking nervous questions, because you can show them an inventory, a scope matrix, and a kill switch test from last Tuesday. And when the next EchoLeak comes, and there will be a next one, you will have the controls in place to contain it before it becomes a headline.
Start This Week
If you are reading this and you are responsible for security, risk, or compliance in your organization, here is what I am asking you to do this week. Schedule a meeting. Invite IT, invite whoever runs your AI initiatives and other relevant teams. Put one question on the agenda. What agents are currently operating inside our environment, what can they access, and what would happen if one of them were compromised today? If you can answer that question with confidence, you are ahead of ninety percent of organizations. If you cannot, you have just discovered the most important project of your year.
Here is something we do not say out loud often enough. The most dangerous insider in your organization today does not show up on any HR report. It has no manager, no performance review, no exit interview. It is the agent you deployed last quarter, the one quietly making decisions in the background while everyone celebrated the productivity gains. It is not malicious. It is not careless. It is just doing its job. And that is exactly what makes it the hardest insider threat we have ever had to govern.
We secured access. We secured intent. Now we have to secure autonomy.







