The Enterprise’s New Blind Spot: Agentic AI Risks

Recent red-team exercises have revealed a critical vulnerability in how enterprises deploy agentic AI. While security conversations often focus on model behavior like hallucinations or jailbreaks, the real risk lies in what these agents can do once connected to business systems.

In one internal test across common enterprise tools (ServiceNow, SharePoint, employee directories), an AI-powered IT support agent reconstructed a confidential reorganization plan within two hours—all without violating any individual permission. Every action had a documented audit trail, yet the outcome was clearly unauthorized because no single person in the process had clearance to view the complete picture.

This highlights a fundamental flaw: our existing security controls were designed for human workflows, which inherently include friction points that prevent unintended consequences. Analysts hesitate before making sensitive queries, or someone might question an action mid-process—these delays serve as accidental safety nets. Agentic AI eliminates this latency, moving through tasks at machine speed with no such pauses.

The Scale of the Problem

Data from RSAC 2026 shows that 37% of organizations have already deployed or are testing AI agents, while only 3% have agent-specific security controls in place. Most enterprises are running these systems in environments not designed to govern them.

The issue isn’t necessarily about new vulnerabilities—overbroad permissions and loosely scoped connectors have always existed—but rather how agents amplify them through continuous, automated action.

Beyond Input Filters

Many organizations respond to AI security risks with input filtering or tighter identity controls. While these are valuable first steps, they address the symptoms, not the root cause. As OpenAI's March 2026 prompt injection assessment found, sophisticated attacks increasingly resemble social engineering and bypass defenses designed for simpler overrides.

The key takeaway is that defense cannot rely solely on preventing bad inputs; systems must be designed so impacts remain constrained even when attacks succeed. This requires a shift from perimeter security to continuous governance across the entire action chain.
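As an added example of the action-chain governance the article calls for (this is illustrative code, not from the article or any vendor product): a session-scoped gate that assumes each tool call has already passed its own permission check and denies only a call whose combination with what the session has already retrieved would reconstruct data needing separate clearance, mirroring the reorg scenario above. The connector names, data labels and the "toxic combination" are constructed for the example.

```python
# Added example: cumulative policy gate over an agent's tool calls.
# Per-call authorization is assumed to happen upstream; this gate judges the
# whole action chain of one session, which is where the aggregate leak appears.
from dataclasses import dataclass, field

# Constructed mapping: which data classes each connector action exposes.
ACTION_LABELS = {
    ("servicenow", "search_tickets"): {"ticket_text"},
    ("sharepoint", "read_document"): {"doc_text"},
    ("directory", "lookup_org"): {"org_structure"},
}

# Constructed toxic combinations: label sets that, once co-resident in one
# session, let the agent assemble something (e.g. a reorg plan) that no single
# permission grants. Each needs an explicit, recorded clearance to co-occur.
TOXIC_COMBINATIONS = [
    frozenset({"ticket_text", "doc_text", "org_structure"}),
]

@dataclass
class Session:
    agent: str
    seen: set = field(default_factory=set)   # labels retrieved so far
    log: list = field(default_factory=list)  # audit trail of decisions

def evaluate(session, connector, action, approved_clearances=()):
    """Return (allowed, reason) for one tool call in the context of the session."""
    labels = ACTION_LABELS.get((connector, action))
    if labels is None:
        session.log.append(("deny", connector, action, "unknown action"))
        return False, "unknown action"
    prospective = session.seen | labels
    for combo in TOXIC_COMBINATIONS:
        # Deny only the call that would complete a toxic set without clearance.
        if combo <= prospective and combo not in approved_clearances:
            session.log.append(("deny", connector, action, sorted(combo)))
            return False, f"combination {sorted(combo)} requires explicit clearance"
    session.seen |= labels
    session.log.append(("allow", connector, action))
    return True, "ok"

def run_chain(calls, approved_clearances=()):
    """Run a list of (connector, action) calls through one session's gate."""
    session = Session(agent="it-support-agent")
    results = [evaluate(session, c, a, approved_clearances) for c, a in calls]
    return session, results
```

Each individual call is still allowed when it arrives alone; the denial is triggered only by the third source, which is the point the per-call audit trail in the article could not surface.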