
The Cybersecurity Risks of Agentic AI: What Security Teams Need to Know


Only 10% of organizations have a well-developed strategy for managing non-human and agentic identities, according to a recent Okta survey of 260 executives. This gap is alarming given that 87% of breaches involve some form of compromised or stolen identity, and agentic AI introduces entirely new categories of identity that most security frameworks were never designed to address.

The challenge is not simply that AI agents are new. Traditional AI systems generate predictions or recommendations that humans review before implementation. Agentic systems close that loop entirely. 

They interpret instructions, develop multi-step plans, access resources and execute operations across infrastructure with minimal oversight. This autonomy transforms how defenders must think about access control, because agents do not just read data. They act on it.

Security teams accustomed to defending stateless applications now face systems that maintain persistent state, remember previous interactions and leverage those memories in future decisions. 

The risks that emerge from this architecture are distinct from the prompt injection and hallucination concerns that dominated earlier LLM security discussions. Agentic AI cybersecurity risks require their own framework.

How Agentic AI Creates New Cybersecurity Risks

The shift from traditional AI to agentic systems is not merely an incremental change. It is a move from systems that enable interactions to systems that drive transactions, directly affecting business processes and outcomes. 

This distinction matters because it intensifies challenges around confidentiality, integrity and availability in ways that existing security frameworks were not built to handle.

Consider the architectural dependencies required to make agents functional. Each system typically integrates an LLM for reasoning, a planning module that breaks complex objectives into executable steps, memory storage that maintains context across sessions and connections to tools ranging from internal APIs to external services. AWS describes this as an expanded attack surface where a single agent breach can propagate through connected systems, multi-agent workflows and downstream data stores.

Autonomy Without Boundaries

Agents initiate actions based on goals and environmental triggers that might not require human prompts or approval. This creates risks of unauthorized actions, runaway processes and decisions that exceed intended boundaries when agents misinterpret objectives or operate on compromised instructions. 

Unlike traditional software that follows deterministic logic, agents can modify their own objectives based on learned patterns, making it difficult to maintain predictable security boundaries.

Cloudflare’s 2024 global service outage illustrates this pattern. A configuration management system deployed changes without staged rollout or approval gates, demonstrating how self-directed systems can execute high-risk changes across entire infrastructures when human authorization gates are absent.

Tool Chain Exposure

Agents directly integrate with databases, APIs, services and potentially other agents to execute complex tasks autonomously. This tool integration vastly expands the potential impact of a compromise, allowing agents to interact with and affect multiple systems simultaneously. 

When an attacker chains a permitted data retrieval function with a poorly sandboxed code execution tool, they can exfiltrate sensitive data through pathways that individual security controls never anticipated.

The OWASP Agentic Security Initiative identifies tool misuse as one of the top three concerns for agentic deployments, alongside memory poisoning and privilege compromise. 

The challenge is that agents can invoke external tools based on inferred goals or natural language inputs, creating privilege management challenges that go beyond what role-based access controls typically address.

Identity Fluidity and Attribution Gaps

The often blurry line between agent identity and the user identity on whose behalf it operates creates new impersonation and privilege escalation opportunities. Most access models were built for people, not self-directed software. 

Many still rely on static secrets and shared credentials, creating risk and obscuring accountability. Worse, agents’ actions are often hidden behind the identity of a human, making it nearly impossible to audit the actions each actor has taken. 

Understanding what kind of identity AI agents should have is becoming a critical security question. McKinsey research highlights synthetic identity risk as a critical concern: adversaries can forge or impersonate agent identities to bypass trust mechanisms entirely. 

An attacker who forges the digital identity of a claims processing agent and submits a synthetic request gains access to sensitive data without triggering security alerts, because the system trusts the spoofed credentials.

The Agentic AI Cybersecurity Risks That Matter Most

While prompt injection and hallucination remain relevant, the most consequential agentic AI cybersecurity risks emerge from the unique properties of autonomous systems: their persistence, their tool access, their ability to chain actions and their operation across trust boundaries.

Cascading Compromises Across Multi-Agent Systems

A flaw in one agent can cascade across tasks to other agents, amplifying risks exponentially. Unlike single-agent settings where threats are largely confined to prompt injection or unsafe tool use, multi-agent ecosystems amplify risk through protocol-mediated interactions. 

Message tampering, role spoofing and protocol exploitation create opportunities for adversaries to compromise not just a single agent but entire coordinated workflows.

Consider a healthcare scenario where a compromised scheduling agent requests patient records from a clinical data agent, falsely escalating the task as coming from a licensed physician. 

The clinical agent releases sensitive health data, resulting in unauthorized access and potential data leakage without triggering security alerts. The attack succeeds because the agents trust each other’s delegated authority.

Persistent Memory as an Attack Vector

Memory poisoning represents a particularly insidious threat category. Unlike traditional stateless applications, an attacker can introduce misleading information that lingers in the agent’s memory and influences future decisions. 

Anthropic research has demonstrated that as few as 250 malicious documents can successfully poison large language models, establishing that the attack barrier is low enough for widespread exploitation.

An attacker who successfully poisons an agent’s memory does not just compromise a single transaction. They potentially influence every subsequent action that agent takes, creating what government security frameworks identify as persistent state attacks.

Supply Chain and Integrity Gaps

Organizations are building on foundations they cannot fully trust. There are many pressing questions about the integrity of the AI supply chain: 

  • How can you verify the provenance of a model or its training data? 
  • What assures you that an agent has not been subtly poisoned during its development? 

This risk of a digital Trojan horse is compounded by the persistent opacity of many AI systems, where lack of explainability critically hinders effective forensics or robust risk assessments.

Agentic applications often integrate dozens of libraries and APIs. Without strict, automatic controls on package provenance and permissions, any upstream breach leaves organizations open to dependency chain abuse attacks. 

An attacker only needs to compromise one obscure component to gain access to an entire system acting on its own.

Building Security Into Agentic AI

The evidence is overwhelming: security controls must be embedded into agentic architectures from day one, not bolted on after deployment. The NIST AI Risk Management Framework provides a roadmap for governing, mapping, measuring and managing AI risks. 

Applying these principles to agentic systems requires addressing several key areas.

Lock down agent permissions 

Each agent should receive only the minimum permissions required for its defined task. The NSA recommends least privilege as the first and most important line of defense. Static API keys and long-lived credentials create persistent attack vectors that agent prompt injection attacks love to exploit. 

Replacing these with short-lived, cryptographically bound credentials issued at the moment of use eliminates the risk of stolen secrets entirely. Secretless authentication for AI workloads offers a practical path forward.

Establish behavioral baselines and monitoring

Security teams must know what normal behavior looks like before an incident happens. Define baselines for each agent documenting typical API call patterns, standard data access volumes, expected tool invocation sequences and routine operation timing. 

Any deviation from this baseline should trigger immediate investigation. NIST and CISA require audit logs to be retained for a minimum of 90 days in tamper-proof storage.
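The baseline-and-deviation approach described above, as an added example that is not Aembit's code or the page's own: a per-agent baseline (permitted tools, maximum calls per minute, maximum bytes per call, expected call ordering) is checked against a constructed stream of agent action records. The agent names, tool names, thresholds and log records are all invented for this illustration.

```python
import json
from collections import defaultdict, deque

# Baseline for a hypothetical "report-agent", constructed for this example.
# A real baseline would be derived from observed traffic over a quiet period.
BASELINES = {
    "report-agent": {
        "tools": {"search_docs", "fetch_doc", "send_summary"},  # tools it may call
        "max_calls_per_60s": 5,          # typical invocation rate
        "max_bytes_per_call": 50_000,    # typical data volume per call
        "required_predecessor": {"fetch_doc": "search_docs"},  # expected ordering
    }
}

# Constructed agent action log (JSON lines as a gateway or proxy might emit them).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": 0,   "agent": "report-agent", "tool": "search_docs",  "bytes": 1_200},
    {"ts": 5,   "agent": "report-agent", "tool": "fetch_doc",    "bytes": 20_000},
    {"ts": 9,   "agent": "report-agent", "tool": "send_summary", "bytes": 800},
    # fetch without a preceding search, and far more data than usual
    {"ts": 100, "agent": "report-agent", "tool": "fetch_doc",    "bytes": 900_000},
    # a tool the baseline never saw this agent use
    {"ts": 101, "agent": "report-agent", "tool": "run_shell",    "bytes": 10},
    # a burst of calls in a few seconds
    {"ts": 102, "agent": "report-agent", "tool": "search_docs",  "bytes": 1_000},
    {"ts": 103, "agent": "report-agent", "tool": "search_docs",  "bytes": 1_000},
    {"ts": 104, "agent": "report-agent", "tool": "search_docs",  "bytes": 1_000},
    {"ts": 105, "agent": "report-agent", "tool": "search_docs",  "bytes": 1_000},
    # an agent nobody baselined
    {"ts": 200, "agent": "unknown-agent", "tool": "fetch_doc",   "bytes": 100},
])


def parse_log(text):
    """Parse JSON-lines agent action records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_anomalies(events, baselines=BASELINES):
    """Return (ts, agent, reason) for every deviation from the agent's baseline.

    Checks, in order: the agent has a baseline at all, the tool is permitted,
    the expected predecessor call happened, the per-call volume is within
    bounds, and the sliding 60-second call count is within bounds.
    """
    alerts = []
    windows = defaultdict(deque)   # per-agent timestamps inside the last 60 s
    last_tool = {}                 # per-agent most recent tool, for ordering checks
    for ev in sorted(events, key=lambda e: e["ts"]):
        agent, tool, ts = ev["agent"], ev["tool"], ev["ts"]
        base = baselines.get(agent)
        if base is None:
            alerts.append((ts, agent, "no baseline for agent"))
            continue
        if tool not in base["tools"]:
            alerts.append((ts, agent, "unexpected tool"))
        else:
            predecessor = base["required_predecessor"].get(tool)
            if predecessor and last_tool.get(agent) != predecessor:
                alerts.append((ts, agent, "out-of-sequence call"))
        if ev["bytes"] > base["max_bytes_per_call"]:
            alerts.append((ts, agent, "data volume above baseline"))
        window = windows[agent]
        window.append(ts)
        while window and window[0] <= ts - 60:
            window.popleft()
        if len(window) > base["max_calls_per_60s"]:
            alerts.append((ts, agent, "call rate above baseline"))
        last_tool[agent] = tool
    return alerts


if __name__ == "__main__":
    for ts, agent, reason in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"t={ts:<4} {agent:<14} {reason}")
```

Each alert names the agent and the specific dimension that drifted, which is what an analyst needs to decide whether to revoke that agent's credentials; the ordering check is the one most often missing from generic rate-limit tooling, and it is the one that catches a "fetch everything" call issued with no preceding lookup.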

Segment networks and enforce boundaries

A compromised agent must not be allowed to move freely across the network. CISA specifically mandates network segmentation as a critical control for AI systems in operational environments. 

Deploy default-deny configurations where nothing gets in or out unless explicitly allowed, and monitor agent-to-agent traffic for anomalous patterns.

Implement human oversight for high-risk operations

If an agent’s action affects physical processes, safety systems or large financial transactions, CISA mandates that a human must approve it. 

The efficiency-security tradeoff is real: the operational efficiency that makes agentic systems valuable stems from reduced human oversight, yet that same independence creates security exposure. 

High-risk environments like financial services or critical infrastructure require more conservative approaches with mandatory approval gates.

Aembit’s Approach to Agentic AI Security

The identity and access challenges created by agentic AI are not fundamentally new. They are amplified versions of the workload identity problems that have plagued distributed systems for years. 

The same principles that secure microservice-to-database communication apply to agent-to-tool interactions, but with higher stakes and faster execution speeds.

Aembit’s perspective is that every AI agent requires its own cryptographically verified identity, not borrowed human credentials or shared secrets. When agents inherit user privileges or operate with elevated roles without strict identity separation, they become conduits for privilege escalation. 

The solution is treating each agent as a distinct workload with its own identity, its own access policies and its own audit trail.

This approach manifests in two core capabilities. 

  1. Blended Identity gives every AI agent its own verified identity and, when needed, binds it to the human it represents. This establishes a single, traceable identity for each agent action and allows secure credentials to reflect that combined context. Instead of agents hiding behind user identities, every action becomes attributable to the specific agent that performed it.
  2. The MCP Identity Gateway controls how agents connect to tools through the Model Context Protocol. The gateway authenticates each agent, enforces policy and performs token exchange to securely retrieve the necessary access permissions for each connected resource, without ever exposing credentials to the agent runtime. Agents receive short-lived, scoped credentials just-in-time for each task rather than storing long-lived secrets that can be stolen or misused.
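The short-lived, scoped, identity-bound credential described under "Lock down agent permissions" and in the two capabilities above, and the healthcare delegation scenario from earlier in the article, as an added example that is not Aembit's code or the page's own. A hypothetical gateway mints an HMAC-signed credential for one agent, one target resource and one scope list, optionally binding the human the agent represents; the resource verifies signature, audience, expiry and scope before acting. The signing key, agent names, resource names, scope names and timestamps are all constructed for this illustration, and a production gateway would use asymmetric keys and a standard token format rather than this minimal scheme.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical gateway signing key, constructed for this example only.
GATEWAY_KEY = b"example-gateway-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(GATEWAY_KEY, payload.encode(), hashlib.sha256).digest())


def issue_credential(agent_id, audience, scopes, on_behalf_of=None,
                     ttl_seconds=300, now=None):
    """Gateway side: mint a short-lived credential for one agent and one resource.
    The human the agent represents (if any) is bound into the signed claims, so
    the resource attributes the action to agent + user without the agent ever
    asserting a role on its own."""
    now = time.time() if now is None else now
    claims = {
        "sub": agent_id,         # the agent's own identity
        "aud": audience,         # the one resource this credential is valid for
        "scp": sorted(scopes),   # least-privilege scope list
        "iat": int(now),
        "exp": int(now + ttl_seconds),
    }
    if on_behalf_of is not None:
        claims["obo"] = on_behalf_of   # blended identity: human bound to the agent
    payload = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{payload}.{_sign(payload)}"


def verify_credential(token, expected_audience, required_scope, now=None):
    """Resource side: accept only a correctly signed, unexpired, in-scope credential.
    Returns (ok, reason, claims); claims come back only after the signature check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed", None
    payload, sig = parts
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "bad signature", None
    claims = json.loads(_unb64(payload))
    if claims.get("aud") != expected_audience:
        return False, "wrong audience", claims
    if now >= claims["exp"]:
        return False, "expired", claims
    if required_scope not in claims["scp"]:
        return False, "missing scope", claims
    return True, "ok", claims


def tampered_copy(token, **changes):
    """Test helper: rewrite claims without access to the gateway key and keep the
    old signature. Used only to show that the resource rejects such a token."""
    payload, sig = token.split(".")
    claims = json.loads(_unb64(payload))
    claims.update(changes)
    new_payload = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{new_payload}.{sig}"


def demo(now=1_700_000_000):
    """Walk the article's scheduling-agent / clinical-data scenario with fixed times."""
    # The scheduling agent is issued a credential good only for reading appointments.
    token = issue_credential("scheduling-agent", "clinical-data", ["appointments:read"],
                             on_behalf_of="user:front-desk", now=now)
    return {
        "legit_read": verify_credential(token, "clinical-data", "appointments:read", now=now + 10)[1],
        "records_request": verify_credential(token, "clinical-data", "records:read", now=now + 10)[1],
        "replay_later": verify_credential(token, "clinical-data", "appointments:read", now=now + 300)[1],
        "other_resource": verify_credential(token, "billing", "appointments:read", now=now + 10)[1],
        # "This request comes from a physician" asserted by editing the claims, not by the gateway:
        "claimed_escalation": verify_credential(
            tampered_copy(token, obo="user:dr-example", scp=["appointments:read", "records:read"]),
            "clinical-data", "records:read", now=now + 10)[1],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome}")
```

The point of the last case is the one the healthcare scenario turns on: the clinical data service never trusts a claimed delegation, only one the gateway signed, so a compromised scheduling agent cannot escalate by saying it acts for a physician. Because the credential is scoped to one audience and expires in minutes, a stolen copy is useless against other resources and worthless shortly after issue, which is the property the article attributes to just-in-time credentials.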

The result is that security teams gain centralized visibility into which agents accessed what resources and when, with every access decision recorded and attributable. 

This is the same level of control and audit over agent access that IAM systems have long provided for employees, extended to the autonomous software that increasingly drives enterprise operations. 

For organizations deploying different AI agent architectures, this unified approach addresses identity security risks across all deployment patterns.

Moving Forward with Confidence

The agentic AI cybersecurity risks facing organizations today will only intensify as autonomous systems become more capable and more prevalent. The volume of non-human and agentic identities is expected to scale to billions in the coming months.

Organizations that establish identity controls and prioritize security from the start will avoid the significant risks of over-permissioned and potentially unsecured AI agents.

The path forward requires treating agent identity as a first-class security concern, implementing least privilege at the workload level and maintaining visibility into every agent action. 

Those who act now can close identity gaps before attackers exploit them, turning today’s blind spots into tomorrow’s competitive advantage. Learn more about securing agentic AI with Aembit.
