AI Agents Are Creating a New Enterprise Attack Surface

AI agents are moving from pilots into production, exposing businesses to identity risks, tool misuse, prompt injection, and weak runtime oversight.
Enterprises are no longer just experimenting with AI agents. They are putting them inside customer support, software development, security operations, finance workflows, supply chain planning, internal knowledge systems, and business process automation. That shift matters because an AI agent is not simply a chatbot that answers questions. It is a system that can reason, call tools, access data, trigger workflows, and act across enterprise environments. That is where the security problem begins.

Deloitte’s recent research found that only 21% of surveyed enterprises report having a mature governance model in place for agentic AI. The same Deloitte article cites a multi-country survey of 3,235 IT and business leaders across 24 countries who are directly involved in AI programs. TechRadar, citing Deloitte’s findings, also reported that 73% of organizations are concerned about AI security and data privacy risks, while many are already moving agents into live workflows.

The headline risk is not “AI might make a mistake.” The real risk is that enterprises are giving autonomous systems operational authority before they have enforceable controls around identity, permissions, observability, auditability, and shutdown.

Governance exists on paper, not at runtime

Most companies already have an AI policy. Many have acceptable-use rules, model approval processes, legal reviews, vendor questionnaires, and risk committees. But agentic AI exposes the gap between governance documentation and governance enforcement.

Traditional software follows deterministic logic. Human employees have identities, managers, roles, access reviews, and disciplinary accountability. AI agents sit awkwardly between both worlds. They are software, but they behave more like digital workers. They interpret instructions, make decisions, call APIs, use credentials, retrieve files, and sometimes delegate tasks to other tools or sub-agents.
That means an AI agent can become a new form of privileged non-human identity. If it has access to CRM data, billing tools, email, Slack, Jira, GitHub, cloud consoles, or customer records, it is no longer just an assistant. It is an actor inside the business.

The OpenID Foundation has warned that enterprises need to treat agents as “first-class citizens” inside identity and access management, with lifecycle management, governance policies, and accountability measures. Its October 2025 whitepaper also notes that current frameworks begin to strain as agents become more autonomous, spawn sub-agents, operate across organizational boundaries, and make many decisions daily. That is why AI identity management is becoming one of the most important enterprise AI security topics of 2026.

Why this is different from normal SaaS risk

Enterprises already know how to govern SaaS apps, service accounts, API keys, and automation bots. But AI agents add several new complications.

First, they operate through natural language. That means instructions and data can blur together. A malicious email, webpage, support ticket, PDF, or code comment can contain hidden instructions that manipulate the agent. This is the core danger behind prompt injection and indirect prompt injection.

Second, agents act across systems. A customer support agent might read a ticket, inspect account history, issue a refund, update billing, send an email, and escalate a case. Each step may look legitimate in isolation, but the combined workflow can produce unintended or unauthorized outcomes.

Third, agents can move faster than human review. A human employee might process 20 tickets in an hour. An automated agent can process thousands. That scale turns small governance gaps into operational exposure.

Fourth, agents can create audit problems.
If an agent reads from one system, reasons inside a model, invokes a tool, and triggers an action in another system, security teams need to know: what data influenced the decision, which identity authorized the action, what policy was checked, and who owns the outcome? That audit chain is not optional. It is the difference between safe automation and untraceable automation.

The Instagram AI support incident

A recent Instagram incident shows why this matters beyond theory. Reuters reported that attackers manipulated Meta’s AI support chatbot into handing over access to high-profile accounts, including the dormant Obama White House page, Sephora, and a senior U.S. Space Force official. The chatbot reportedly reset account credentials without independently verifying identity, turning an automated support function into a security weakness.

The lesson is not limited to social media. Any enterprise that lets AI agents perform sensitive actions such as account recovery, access approval, refund processing, password reset, customer verification, payroll changes, vendor onboarding, or code deployment is facing the same architectural question: what is the agent authorized to do, and what hard control prevents it from exceeding that authority?

A policy is not a control. A prompt is not a control. A dashboard is not a control. The control must exist at the execution layer.

Prompt injection, tool abuse, memory poisoning, and identity drift

OWASP’s Agentic Security Initiative describes agentic AI as an expansion of autonomous systems enabled by LLMs and generative AI, with a broader scale, greater capabilities, and new associated risks. OWASP’s GenAI Security Project also now tracks agentic application security, AI threat intelligence, secure AI adoption, data security, and red teaming as distinct areas of concern. For security teams, the most important risks include:
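As an added illustration (not code from the article, Meta, or any product it names) of what “the control must exist at the execution layer” can look like for the account-recovery case in the Instagram section above: a constructed tool-call gateway that checks the agent’s scope, refuses a credential reset unless an identity verification step outside the conversation has vouched for the target account, and records the audit chain the earlier section asks for (evidence, identity, policy checked). The names TOOL_SCOPES, REQUIRES_VERIFIED_IDENTITY, authorize and the agent and account identifiers are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed policy tables. They live in the gateway between agent and tools;
# nothing the model reads in a ticket or chat can modify them.
TOOL_SCOPES = {
    "support-agent-01": {"read_ticket", "lookup_account", "reset_credentials"},
}
# Sensitive tools additionally need a verified subject produced by the
# identity-verification step (IdP, MFA, callback), not by conversation text.
REQUIRES_VERIFIED_IDENTITY = {"reset_credentials", "issue_refund"}

AUDIT_LOG: list = []  # in production this would be an append-only store


@dataclass
class ToolCall:
    agent_id: str
    tool: str
    target: str                             # account the action would affect
    evidence: list                          # data that influenced the decision
    verified_subject: Optional[str] = None  # set only by the verification step


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(call: ToolCall) -> Decision:
    """Execution-layer check: agent scope first, then independent verification."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent_id": call.agent_id, "tool": call.tool, "target": call.target,
        "evidence": list(call.evidence),
        "verified_subject": call.verified_subject,
        "policy": "TOOL_SCOPES + REQUIRES_VERIFIED_IDENTITY",
    }
    if call.tool not in TOOL_SCOPES.get(call.agent_id, set()):
        decision = Decision(False, "tool outside agent scope")
    elif call.tool in REQUIRES_VERIFIED_IDENTITY and call.verified_subject != call.target:
        decision = Decision(False, "target not independently verified")
    else:
        decision = Decision(True, "allowed")
    record.update(allowed=decision.allowed, reason=decision.reason)
    AUDIT_LOG.append(record)  # every call is recorded, denied or not
    return decision
```

A reset requested on the strength of a ticket that merely claims ownership is denied; the same call with verified_subject set by the verification step passes, and both outcomes land in AUDIT_LOG with the evidence and policy that produced them.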