Policy June 7, 2026

The New AI Security Problem Is an Employee With Tools

Agentic AI shifts security risk from model speech to delegated action, forcing companies to govern tools, permissions, and runtime behavior as tightly as they govern human employees.

For years, the default question in AI security was whether a model would say something dangerous. That question still matters. But it is no longer enough.

The new question is whether an AI system can do something dangerous. That is the difference agentic AI introduces. A chatbot can hallucinate a bad instruction. An agent can follow one.

From Speech Risk To Action Risk

A chatbot can leak a secret in a conversation. An agent may have access to the system where the secret lives. A chatbot can be tricked by a prompt injection. An agent can be tricked by a prompt injection and then use a connector, a browser, an API key, or a workflow permission to take action.

This is why security teams are starting to treat agents less like software features and more like digital employees with badges, tools, and audit requirements.

The Visibility Problem

The hardest part is visibility. Traditional identity and access management assumes the actor is a person, a service account, or an application with reasonably stable behavior. An agent may be all of these at once, and more: a model, an application, a delegated identity, a memory store, a retrieval system, and a set of tools.

If it sends a message, queries a database, opens a ticket, or initiates a refund, investigators need to know not just which account acted, but why the agent chose that action and what data shaped the decision.

Why Least Privilege Gets Harder

The obvious defense is least privilege. Agents should only access what they need, only for the task at hand, and only under policies that can be reviewed.

But least privilege becomes harder when the product promise is flexibility. The more useful an agent is, the more systems it wants to touch. The more systems it touches, the larger the blast radius if it is compromised, misled, or poorly scoped.

The Attacker Side

Security researchers are also warning about tool and supply-chain risk. Agent ecosystems increasingly depend on plugins, skills, connectors, and protocols. A poisoned tool description, compromised package, or malicious third-party connector can become an instruction channel.

Google Threat Intelligence has described adversaries moving toward more agentic workflows for vulnerability exploitation and initial access. Anthropic has reported disrupting AI-enabled cyber operations that used model capabilities to assist parts of intrusion workflows.

Controls That Need To Become Normal

Companies need live inventories of agents and the tools they can use. They need runtime authorization, not just one-time approval. They need logs that preserve prompts, tool calls, retrieved context, outputs, and human approvals where appropriate.

They need sandboxing for high-risk actions. They need evaluation suites that test agents against prompt injection, data exfiltration, goal hijacking, and unsafe autonomy before production. And they need incident-response playbooks that assume an agent might have touched multiple systems before anyone noticed.
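The runtime authorization, per-task least privilege, and decision-preserving logs described above, and the visibility requirement from earlier in the piece (knowing what data shaped an action, not just which account took it), can be made concrete at the level of a single tool call. The following Python sketch is an added example, not code from the article or from any vendor it cites. The task names, tool names, policy contents, resource namespaces, and the approval token are constructed assumptions; the point is the shape of the check: default deny, tool and resource scoped to the task, numeric limits, a human approval token for high-risk tools, and an audit entry written whether or not the call is allowed.

```python
# Runtime authorization gateway for agent tool calls (added illustration).
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional
import hashlib
import json

# Constructed sample policies keyed by task type. A task gets only the tools it
# needs, each tool is confined to a resource namespace, and some tools carry a
# numeric limit or an explicit human-approval requirement.
TASK_POLICIES = {
    "triage-support-ticket": {
        "allowed_tools": {"tickets.read", "tickets.comment"},
        "resource_prefixes": {"tickets.read": ("ticket:",), "tickets.comment": ("ticket:",)},
        "requires_approval": set(),
        "limits": {},
    },
    "process-refund": {
        "allowed_tools": {"orders.read", "payments.refund"},
        "resource_prefixes": {"orders.read": ("order:",), "payments.refund": ("order:",)},
        "requires_approval": {"payments.refund"},
        "limits": {"payments.refund": {"max_amount": 100.0}},
    },
}


@dataclass
class ToolCall:
    task_id: str
    agent_id: str
    tool: str
    resource: str
    args: dict
    context_hash: str                  # digest of prompt + retrieved context
    approval_token: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def context_digest(prompt: str, retrieved: list) -> str:
    """Hash the prompt and each retrieved chunk so the log can later answer
    'what data shaped this decision' without inlining the raw text."""
    h = hashlib.sha256(prompt.encode("utf-8"))
    for chunk in retrieved:
        h.update(b"\x00" + chunk.encode("utf-8"))
    return h.hexdigest()


def authorize(call: ToolCall, valid_approvals: set) -> Decision:
    """Default-deny check of one tool call against its task's policy."""
    policy = TASK_POLICIES.get(call.task_id)
    if policy is None:
        return Decision(False, "unknown task: default deny")
    if call.tool not in policy["allowed_tools"]:
        return Decision(False, f"tool {call.tool} not granted to task {call.task_id}")
    prefixes = policy["resource_prefixes"].get(call.tool, ())
    if not call.resource.startswith(prefixes):   # empty tuple never matches
        return Decision(False, f"resource {call.resource} outside scope of {call.tool}")
    limit = policy["limits"].get(call.tool, {}).get("max_amount")
    if limit is not None and float(call.args.get("amount", 0)) > limit:
        return Decision(False, f"amount exceeds per-task limit of {limit}")
    if call.tool in policy["requires_approval"] and call.approval_token not in valid_approvals:
        return Decision(False, "high-risk tool requires a human approval token")
    return Decision(True, "allowed")


def gateway(call: ToolCall, log: AuditLog, valid_approvals: set,
            executor: Callable[[ToolCall], object]):
    """Authorize, record, and only then execute. The audit entry is written
    whether or not the call is allowed, so denied attempts stay visible."""
    decision = authorize(call, valid_approvals)
    log.entries.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent_id": call.agent_id, "task_id": call.task_id,
        "tool": call.tool, "resource": call.resource, "args": call.args,
        "context_hash": call.context_hash, "approval_token": call.approval_token,
        "allowed": decision.allowed, "reason": decision.reason,
    })
    return executor(call) if decision.allowed else None


if __name__ == "__main__":
    log = AuditLog()
    approvals = {"approval-7f3a"}   # constructed token issued by a human reviewer
    ctx = context_digest("Refund order 41 for the customer", ["order:41 total=49.90"])
    # A triage agent steered into issuing a refund is stopped at the gateway.
    rogue = ToolCall("triage-support-ticket", "agent-1", "payments.refund",
                     "order:41", {"amount": 49.90}, ctx)
    gateway(rogue, log, approvals, lambda c: "executed")
    # The refund agent, within limit and holding an approval token, succeeds.
    ok = ToolCall("process-refund", "agent-2", "payments.refund",
                  "order:41", {"amount": 49.90}, ctx, approval_token="approval-7f3a")
    gateway(ok, log, approvals, lambda c: "executed")
    for entry in log.entries:
        print(json.dumps(entry))
```

The design choice worth noting is that the policy is keyed by task, not by agent: the same agent identity gets a different, narrower set of tools depending on what it has been asked to do, which is how the "only for the task at hand" half of least privilege becomes enforceable rather than aspirational. Pairing that with a log entry per attempt, including the context hash, gives an incident responder the trail the article asks for: which account acted, under which task, against which resource, on the basis of which prompt and retrieved data.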

Sources

Cloud Security Alliance: Enterprise AI Security Starts with AI Agents: https://cloudsecurityalliance.org/artifacts/enterprise-ai-security-starts-with-ai-agents

Workday press release: Agent Passport, June 2, 2026: https://investor.workday.com/news-and-events/press-releases/news-details/2026/Workday-Launches-Agent-Passport-to-Test-Verify-and-Continuously-Monitor-Every-AI-Agent-in-the-Enterprise/default.aspx

Google Cloud Threat Intelligence: AI vulnerability exploitation and initial access: https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access

Anthropic: Disrupting the first reported AI-orchestrated cyber espionage campaign: https://www.anthropic.com/news/disrupting-AI-espionage

UC Berkeley CLTC: Agentic AI Risk-Management Standards Profile: https://cltc.berkeley.edu/publication/agentic-ai-risk-profile/