SecurityXP

Every AI Agent Is an Identity. Most Organizations Don't Treat Them That Way

AI Security

· 2 min read · SecurityXP

This is no longer theoretical: 65% of organizations experienced a security incident involving an AI agent in the past year, with 61% reporting exposure or mishandling of sensitive data as a result (source).

The AI Risk

According to a 2026 CSA survey commissioned by us here at Token Security, 82% of organizations discovered at least one AI agent created without the knowledge of security, IT, or governance teams in the past year, and 41% found this happening multiple times.

An agent connected to customer records, source code, financial systems, and admin-level cloud credentials is a different problem entirely.

Security and governance can’t be purely permission-based with AI agents.

Impact on AI Systems

Then organizations started connecting these agents to critical business services such as Salesforce, Snowflake, GitHub, Jira, production databases, and cloud environments. The pattern is consistent across organizations: an agent might be created by one team, used by another, connected to five different applications, and running on credentials that were provisioned for a completely different purpose.

Safeguards

  1. Agents now retrieve information, trigger workflows, update records, write and deploy code, and take actions across multiple systems.

  2. Permissions can be trimmed to match the agent's actual purpose, overprivileged service accounts remediated, unused credentials rotated or removed, and risky connections caught before they turn into incidents.

  3. Agents change over time: instructions update, user bases shift, and integrations expand.

  4. The enterprises that succeed with AI will not be the ones that block agents entirely.
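As an added illustration of the safeguards above (this is not code from the original post or from Token Security), the following Python review runs over a constructed agent inventory and flags scopes beyond the agent's stated purpose, credentials reused from a different provisioning purpose, credentials idle past a threshold, and admin scope on sensitive systems. All agent names, systems, scope names and dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Systems where an admin-level scope on an agent credential counts as a risky connection
SENSITIVE_SYSTEMS = {"production-db", "cloud-account"}
REVIEW_DATE = date(2026, 3, 2)  # constructed "today" for the review

@dataclass(frozen=True)
class AgentIdentity:
    name: str
    purpose: str              # what the agent is meant to do
    credential_purpose: str   # what its credential was originally provisioned for
    connected_systems: frozenset
    granted_scopes: frozenset
    required_scopes: frozenset
    last_used: date

def review_agent(agent, today, stale_days=30):
    """Return the findings for one agent identity (empty list when clean)."""
    findings = []
    excess = agent.granted_scopes - agent.required_scopes
    if excess:
        findings.append(f"overprivileged: trim scopes {sorted(excess)}")
    if agent.credential_purpose != agent.purpose:
        findings.append(f"credential provisioned for '{agent.credential_purpose}' reused for '{agent.purpose}'")
    idle = (today - agent.last_used).days
    if idle > stale_days:
        findings.append(f"unused for {idle} days: rotate or remove credential")
    risky = agent.connected_systems & SENSITIVE_SYSTEMS
    if risky and "admin" in agent.granted_scopes:
        findings.append(f"risky connection: admin scope on {sorted(risky)}")
    return findings

def review_inventory(agents, today):
    """Map each agent name to its findings; clean agents are omitted."""
    report = {}
    for agent in agents:
        findings = review_agent(agent, today)
        if findings:
            report[agent.name] = findings
    return report

# Constructed sample inventory (hypothetical agents, not real data).
SAMPLE_AGENTS = [
    AgentIdentity("support-summarizer", "summarize tickets", "summarize tickets",
                  frozenset({"jira"}), frozenset({"read"}), frozenset({"read"}), date(2026, 3, 1)),
    AgentIdentity("deploy-helper", "open pull requests", "ci pipeline",
                  frozenset({"github", "production-db"}), frozenset({"read", "write", "admin"}),
                  frozenset({"read", "write"}), date(2025, 12, 1)),
]
```

Running `review_inventory(SAMPLE_AGENTS, REVIEW_DATE)` reports only `deploy-helper`, with four findings; the same checks re-run on a schedule catch drift as the agent's instructions and integrations change.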

Analysis

As AI tooling proliferates, security teams face expanding attack surfaces tied to model inference and data pipelines.

AI security teams should evaluate their model deployment pipelines for similar weaknesses, paying close attention to input validation, prompt injection defenses, output filtering, and access controls. Organizations building or deploying AI systems should incorporate adversarial testing and red-teaming exercises into their development lifecycle. Data governance policies may need updating to address the specific risks highlighted by these findings, including data leakage, model inversion, and unauthorized inference access. Security teams should also review logging and monitoring coverage for AI services, as traditional security tools may not detect model-specific attacks. Vendor security assessments should be refreshed for any third-party AI components in use.

Industry observers note that this type of development highlights the ongoing need for defense-in-depth strategies and proactive security posture management. Organizations that invest in regular security assessments and employee training tend to fare better when responding to emerging threats. The security community continues to share indicators and best practices to help defenders stay ahead.
