6 Cybersecurity Risks of Agentic AI (and How to Address Them)

Only 10% of organizations have a well-developed strategy for managing non-human and agentic identities, according to a recent Okta survey of 260 executives. This gap is alarming given that credential abuse remains the most common initial access vector in breaches, according to the 2025 Verizon DBIR, and agentic AI introduces entirely new categories of identity that most security frameworks were never designed to address.

The challenge is not simply that AI agents are new. Traditional AI systems generate predictions or recommendations that humans review before implementation. Agentic systems close that loop entirely. They interpret instructions, develop multi-step plans, access resources and execute operations across infrastructure with minimal oversight. Security teams accustomed to defending stateless applications now face systems that maintain persistent state, remember previous interactions and use those memories in future decisions.

The risks that emerge from this architecture go beyond the prompt injection and hallucination concerns that dominated earlier LLM security discussions. Here are six that security teams should prioritize.

6 Cybersecurity Risks of Agentic AI

Risk 1: Autonomy Without Boundaries

Agents initiate actions based on goals and environmental triggers that might not require human prompts or approval. This creates risks of unauthorized actions, runaway processes and decisions that exceed intended boundaries when agents misinterpret objectives or operate on compromised instructions.

Unlike traditional software that follows deterministic logic, agents can modify their own objectives based on learned patterns, making it difficult to maintain predictable security boundaries.

Cloudflare’s November 2024 logging incident illustrates this pattern. A misconfiguration in Cloudflare’s log forwarding system cascaded through backup systems, causing 55% of customer logs to be lost over 3.5 hours. A single automated configuration error propagated through interconnected infrastructure because failsafes had not been properly tested.

Real-world deployments are already demonstrating both the potential and the risk. Agentic AI use cases in production show that the most successful implementations combine autonomous execution with strict identity scoping and human oversight for high-impact actions.

Risk 2: Tool Chain Exposure

Agents directly integrate with databases, APIs, services and potentially other agents to execute complex tasks autonomously. AWS describes this as an expanded attack surface where a single agent breach can propagate through connected systems, multi-agent workflows and downstream data stores. This tool integration vastly expands the potential impact of a compromise, allowing agents to interact with and affect multiple systems simultaneously.

When an attacker chains a permitted data retrieval function with a poorly sandboxed code execution tool, they can exfiltrate sensitive data through pathways that individual security controls never anticipated.

The OWASP Agentic Security Initiative identifies tool misuse as one of the top three concerns for agentic deployments, alongside memory poisoning and privilege compromise.

The challenge is that agents can invoke external tools based on inferred goals or natural language inputs, creating privilege management challenges that go beyond what role-based access controls typically address.

Risk 3: Identity Fluidity and Attribution Gaps

The often blurry line between agent identity and the user identity on whose behalf it operates creates new impersonation and privilege escalation opportunities. Most access models were built for people, not self-directed software.

Many of those access models still rely on static secrets and shared credentials, creating risk and obscuring accountability. Worse, agents’ actions are often hidden behind the identity of a human, making it nearly impossible to audit the actions each actor has taken.

Understanding what kind of identity AI agents should have is becoming a critical security question. McKinsey research highlights synthetic identity risk as a critical concern: adversaries can forge or impersonate agent identities to bypass trust mechanisms entirely.

An attacker who forges the digital identity of a claims processing agent and submits a synthetic request gains access to sensitive data without triggering security alerts, because the system trusts the spoofed credentials.

The first three risks emerge from how individual agents operate. The next three compound when agents interact with each other, persist across sessions, or depend on external components.

Risk 4: Cascading Compromises Across Multi-Agent Systems

A flaw in one agent can cascade across tasks to other agents, amplifying risks exponentially. Unlike single-agent settings where threats are largely confined to prompt injection or unsafe tool use, multi-agent ecosystems amplify risk through protocol-mediated interactions.

Message tampering, role spoofing and protocol exploitation create opportunities for adversaries to compromise not just a single agent but entire coordinated workflows.

Consider a healthcare scenario where a compromised scheduling agent requests patient records from a clinical data agent, falsely escalating the task as coming from a licensed physician.

The clinical agent releases sensitive health data, resulting in unauthorized access and potential data leakage without triggering security alerts. The attack succeeds because the agents trust each other’s delegated authority.

Risk 5: Persistent Memory as an Attack Vector

Memory poisoning represents a particularly insidious threat category. Unlike traditional stateless applications, an attacker can introduce misleading information that lingers in the agent’s memory and influences future decisions.

Anthropic research has demonstrated that as few as 250 malicious documents can successfully poison large language models, establishing that the attack barrier is low enough for widespread exploitation.

An attacker who successfully poisons an agent’s memory does not just compromise a single transaction. They potentially influence every subsequent action that agent takes, creating what government security frameworks identify as persistent state attacks.

Risk 6: Supply Chain and Integrity Gaps

Organizations are building on foundations they cannot fully trust. There are many pressing questions about the integrity of the AI supply chain:

  • How can you verify the provenance of a model or its training data?
  • What assures you that an agent has not been subtly poisoned during its development?

This risk of a digital Trojan horse is compounded by the persistent opacity of many AI systems, where a lack of explainability hinders effective forensics and thorough risk assessments.

Agentic applications often integrate dozens of libraries and APIs. Without strict, automatic controls on package provenance and permissions, any upstream breach leaves organizations open to dependency chain abuse attacks.

An attacker only needs to compromise one obscure component to gain access to an entire system acting on its own.

Building Security Into Agentic AI

The evidence is overwhelming: security controls must be embedded into agentic architectures from day one, not bolted on after deployment. The NIST AI Risk Management Framework provides a roadmap for governing, mapping, measuring and managing AI risks.

Applying these principles to agentic systems requires addressing several key areas.

Lock Down Agent Permissions

Each agent should receive only the minimum permissions required for its defined task. The NSA recommends least privilege as the first and most important line of defense. Static API keys and long-lived credentials create persistent attack vectors that prompt injection attacks against agents readily exploit.

Replacing these with short-lived, cryptographically bound credentials issued at the moment of use eliminates the risk of stolen secrets entirely. Secretless authentication for AI workloads offers a practical path forward.

Establish Behavioral Baselines and Monitoring

Security teams must know what normal behavior looks like before an incident happens. Define baselines for each agent documenting typical API call patterns, standard data access volumes, expected tool invocation sequences and routine operation timing.

Any deviation from this baseline should trigger immediate investigation. NIST and CISA recommend retaining audit logs for a minimum of 90 days in tamper-proof storage, a baseline that aligns with frameworks like FedRAMP and PCI-DSS.
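The baseline check described above, as an added example that is not part of the original article: a per-agent baseline (allowed tools, data volume per call, routine hours) is applied to constructed JSON-lines audit records, and any deviation, including activity from an agent identity with no baseline at all, is surfaced for investigation. The agent names, tool names and thresholds are assumptions for the example.

```python
import json
from datetime import datetime, timezone

# Per-agent baselines: constructed values for this example, not a real deployment.
BASELINES = {
    "claims-agent": {
        "allowed_tools": {"crm.lookup", "claims.read"},   # expected tool invocations
        "max_rows_per_call": 50,                          # standard data access volume
        "active_hours_utc": range(8, 18),                 # routine operation timing
    }
}

def check_event(event, baselines):
    """Return the list of baseline deviations for one audit event (empty if normal)."""
    base = baselines.get(event["agent"])
    if base is None:
        return ["unknown agent identity"]  # no baseline exists: treat as a deviation
    reasons = []
    if event["tool"] not in base["allowed_tools"]:
        reasons.append(f"unexpected tool {event['tool']}")
    if event.get("rows", 0) > base["max_rows_per_call"]:
        reasons.append(f"volume {event['rows']} exceeds baseline {base['max_rows_per_call']}")
    hour = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc).hour
    if hour not in base["active_hours_utc"]:
        reasons.append(f"activity at {hour:02d}:00 UTC outside routine window")
    return reasons

def scan_log(lines, baselines=BASELINES):
    """Parse JSON-lines audit records; return (agent, tool, reasons) for each deviant event."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = check_event(event, baselines)
        if reasons:
            alerts.append((event["agent"], event["tool"], reasons))
    return alerts

# Constructed sample audit log: one normal call, one volume spike, one off-hours
# unexpected tool, and one call from an agent identity that was never baselined.
SAMPLE_LOG = """
{"ts": "2025-03-04T10:15:00+00:00", "agent": "claims-agent", "tool": "claims.read", "rows": 12}
{"ts": "2025-03-04T10:16:30+00:00", "agent": "claims-agent", "tool": "claims.read", "rows": 4000}
{"ts": "2025-03-04T02:40:00+00:00", "agent": "claims-agent", "tool": "shell.exec", "rows": 0}
{"ts": "2025-03-04T11:00:00+00:00", "agent": "unregistered-bot", "tool": "crm.lookup", "rows": 3}
""".splitlines()

if __name__ == "__main__":
    for agent, tool, reasons in scan_log(SAMPLE_LOG):
        print(f"ALERT {agent} {tool}: {'; '.join(reasons)}")
```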

Segment Networks and Enforce Boundaries

A compromised agent must not be allowed to move freely across the network. CISA specifically recommends network segmentation as a critical control for AI systems in operational environments.

Deploy default-deny configurations where nothing gets in or out unless explicitly allowed, and monitor agent-to-agent traffic for anomalous patterns.

Implement Human Oversight for High-Risk Operations

If an agent’s action affects physical processes, safety systems or large financial transactions, CISA guidance recommends that a human approve it.

The efficiency-security tradeoff is real: the operational efficiency that makes agentic systems valuable stems from reduced human oversight, yet that same independence creates security exposure.

High-risk environments, such as financial services or critical infrastructure, require more conservative approaches with mandatory approval gates.

Aembit’s Approach to Agentic AI Security

The identity and access challenges created by agentic AI are amplified versions of the workload identity problems that have plagued distributed systems for years.

The same principles that secure microservice-to-database communication apply to agent-to-tool interactions, but with higher stakes and faster execution speeds.

Aembit’s perspective is that every AI agent requires its own cryptographically verified identity, not borrowed human credentials or shared secrets. When agents inherit user privileges or operate with elevated roles without strict identity separation, they become conduits for privilege escalation.

The solution is treating each agent as a distinct workload with its own identity, its own access policies and its own audit trail.

This approach manifests in two core capabilities:

  1. Blended Identity gives every AI agent its own verified identity and, when needed, binds it to the human it represents. This establishes a single, traceable identity for each agent action and allows secure credentials to reflect that combined context. Instead of agents hiding behind user identities, every action becomes attributable to the specific agent that performed it.
  2. The MCP Identity Gateway controls how agents connect to tools through the Model Context Protocol. The gateway authenticates each agent, enforces policy and performs token exchange to securely retrieve the necessary access permissions for each connected resource, without ever exposing credentials to the agent runtime. Agents receive short-lived, scoped credentials just-in-time for each task rather than storing long-lived secrets that can be stolen or misused.
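The pattern behind both the permissions section above and the two capabilities just listed, as an added example that is not Aembit's code and not the MCP Identity Gateway's implementation: a gateway-side issuer checks policy and mints a short-lived credential bound to the agent identity (and optionally the human it acts for), while the resource side rejects forged, expired, mis-audienced or over-scoped tokens and returns the claims needed for attribution. An HMAC over a JSON payload stands in for the cryptographic binding; the key, policy table, agent and resource names are all assumptions constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Key shared by the gateway and the resource (constructed). The agent runtime never holds it;
# it only ever receives the short-lived token minted below.
RESOURCE_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL_SECONDS = 300

# Policy: scopes each verified agent identity may obtain on each resource (constructed).
POLICY = {
    ("claims-agent", "claims-db"): {"claims:read"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(agent_id, resource, scope, on_behalf_of=None, now=None):
    """Gateway side: enforce policy, then mint a credential bound to the agent identity."""
    if scope not in POLICY.get((agent_id, resource), set()):
        raise PermissionError(f"{agent_id} is not permitted {scope} on {resource}")
    now = int(time.time()) if now is None else now
    claims = {"sub": agent_id, "act_for": on_behalf_of, "aud": resource,
              "scope": scope, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(RESOURCE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_token(token, resource, required_scope, now=None):
    """Resource side: reject forged, expired, mis-audienced or over-scoped tokens."""
    body, _, tag = token.partition(".")
    expected = hmac.new(RESOURCE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if claims["aud"] != resource:
        raise ValueError("token issued for a different resource")
    if claims["scope"] != required_scope:
        raise ValueError("insufficient scope")
    return claims  # the resource logs sub and act_for so every access is attributable

if __name__ == "__main__":
    tok = issue_token("claims-agent", "claims-db", "claims:read", on_behalf_of="alice")
    print(verify_token(tok, "claims-db", "claims:read"))
```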

The result is that security teams gain centralized visibility into which agents accessed what resources and when, with every access decision recorded and attributable.

This is the same level of control and audit over agent access that IAM systems have long provided for employees, extended to the autonomous software that increasingly drives enterprise operations.

For organizations deploying different AI agent architectures, this unified approach addresses identity security risks across all deployment patterns.

The agentic AI cybersecurity risks facing organizations today will only intensify as autonomous systems become more capable. Organizations that establish identity controls now will avoid the significant costs of retrofitting security after deployment. The path forward requires treating agent identity as a first-class security concern, implementing least privilege at the workload level, and maintaining visibility into every agent action. Those who act now can close identity gaps before attackers exploit them. Learn more about securing agentic AI with Aembit.
