Why enterprise AI agents could become the ultimate insider threat
The Agentic AI Explosion: Why Enterprise Security Is About to Get a Lot Messier
ZDNET’s Key Takeaways
- Agent sprawl could mirror the VM explosion era, creating unmanageable complexity
- Excessive agent agency increases breach blast radius exponentially
- Treat AI agents like employees with credentials, monitoring, and oversight
- Current enterprise security controls lag dramatically behind AI adoption rates
- The “AI agent as insider threat” represents a fundamental shift in cybersecurity thinking
Ever since October, I’ve been happily vibe-coding a series of apps using Claude Code. Every so often, I would give them an instruction, and they would go off and do my bidding. It was a comfortable collaboration. I could see everything the AI was doing, and I could produce new code at a pace far faster than ever before.
But then Anthropic updated its language model. The key feature was Claude’s ability to launch subordinate agents that could simultaneously work on different parts of the problem and communicate with each other. In theory, this was a big technical advance.
In theory.
My entire experience changed. Suddenly, Claude was kicking off four, five, six, seven, even eight agents at once. I had no visibility into what they were all doing. I didn’t even have a way to stop them if one or more ran amok. And run amok they sure did.
One got stuck trying to access a file for which it didn’t have root privileges. Another went in and attempted to refactor an entire app (which I did not request). That agent failed partway through the process, leaving inconsistent naming conventions and conflicting object declarations throughout the code. Efficiently and cheerfully, it fully destroyed my app.
Fortunately, I had source control check-ins and backups, so I was able to recover. I also instigated a protocol forbidding Claude from launching parallel, simultaneous agents. The potential for damage was just too great.
So that was me. I’m a lone developer working on fairly low-priority apps as a side project. And still, rogue agents launched by the AI nuked my project.
Now, scale that up to enterprise size. Instead of seven or eight rogue agents ruining the source code for some side project, those agents are running loose through your entire IT system, many with the credentials and access to spend money, hack databases, modify files, and initiate and respond to communications on your company’s behalf.
What Could Possibly Go Wrong?
Let’s go down a laundry list of examples of where AI has gone wrong in companies and agencies.
As far back as 2022, an AI chatbot promised an Air Canada customer a discount that wasn’t really available. The customer sued, and won. The company contended that the AI was at fault, but the court determined that the AI was representing the company.
In 2025, an AI hiring bot exposed personal information from millions of people who applied for McDonald’s jobs. Apparently, the AI company running the bot used the password 123456.
Last year, security researchers showed that a prompt-injection attack (where a malicious prompt is fed to an AI) exposed Salesforce’s CRM platform to the potential of data theft. Fortunately, this hack was never carried out (or at least nobody has reported it), and instead the researchers used news of it as a way to promote their company’s skills.
Also last year, a vulnerability was discovered in the ServiceNow AI Platform that could allow an unauthenticated user to impersonate another user and perform any operations the authenticated user could. According to the researcher who discovered the vulnerability, “the attacker can remotely drive privileged agentic workflows as any user.”
Another vulnerability was found in Amazon Q’s VS Code extension. Amazon Q is Amazon’s generative AI assistant, sold as a SaaS resource as part of the company’s extensive AWS offerings. Last year, a GitHub token error enabled a threat actor to push and commit malicious code directly to the extension’s open-source repository, which would then be downloaded to any Q user’s development environment. The only thing that prevented this from being a total disaster was a syntax error that kept the hack from running properly.
OpenAI was excited about using its Codex AI to write its Codex code-writing tool. But in late 2025, researchers discovered a vulnerability in OpenAI’s Codex CLI coding agent that could allow attackers to execute malicious commands on a developer’s machine. By embedding harmful instructions in project configuration files within shared repositories, an attacker could trigger the tool to run those commands locally when a developer uses it. That local compromise could expose credentials, alter source code, or enable unauthorized changes to downstream systems. The result would be turning an AI coding assistant into a potential entry point for broader enterprise intrusion.
Perhaps the best example of where rogue AI agents will go in the near future is from an unsourced hearsay example cited by cybersecurity company Stellar Cyber. They describe a “real-world example” from just this year.
Documented as part of their list of top agentic AI security threats, “A manufacturing company’s procurement agent was manipulated over three weeks through seemingly helpful clarifications about purchase authorization limits. By the time the attack was complete, the agent believed it could approve any purchase under $500,000 without human review. The attacker then placed $5 million in false purchase orders across 10 separate transactions.”
82 to 1
One of my more recent jobs was to scare the pants off generals and admirals about cybersecurity. These were people who commanded brigades of tanks and fleets of warships.
I had to explain to them how a simple thumb drive with a virus could cause more harm than an APFSDS (Armor-Piercing Fin-Stabilized Discarding Sabot) round shot from an M256 120mm smoothbore cannon on an M1A2 Abrams tank or a TLAM-E Block IV tactical Tomahawk missile containing the Unitary High-Explosive (WDU-36/B) 1,000-pound warhead fired from an Arleigh Burke-class destroyer.
I found that nothing drove home the need for cybersecurity more than some well-chosen statistics. As we enter the AI era of cybersecurity, I’ll share some statistics with you. I managed to destroy the sleep of an entire generation of military leaders. Let’s see if you sleep any better after this.
We’ll kick it off with 82 to 1. CyberArk is a division of Palo Alto Networks. In its recently released 2025 Identity Security Landscape survey of security professionals, it discovered that machine identities outnumber human identities by 82 to 1.
This is basically a measure of how many users have logins, whether those users are people or software. The term “machine identity” can encompass everything from basic scripts to AI agents. But the fact is that, in enterprises, there is a whole lot of software running around with unfettered access to the crown jewels.
Here’s another fun stat, and this time I’ll quote directly from the study: “Organizations now report that 72% of employees regularly use AI tools on the job — yet 68% of respondents still lack identity security controls for these technologies.”
Gartner says that less than 5% of enterprise apps used task-specific AI agents in 2025. In 2026, that number will increase 800%. The analyst company estimates that more than 40% of enterprise apps will use AI agents in 2026.
According to data security firm BigID, only 6% of organizations have an advanced AI security strategy. In a LinkedIn post, IDC researcher Bjoern Stengel says that only 22% of organizations are governing AI use through a central governance or ethics board. He says that 43% manage AI “only through disconnected efforts or do not have an established responsible AI governance process in place.”
In a late 2025 survey of C-suite leaders, EY (Ernst & Young) reported that 99% of companies experienced financial losses from AI-related risks, with 64% exceeding losses of $1 million. On average, the companies experienced losses of $4.4 million, and across their entire 975-company survey space, AI-related losses added up to $4.3 billion.
Bottom line: We are not prepared.
How Good Agents Can Go Bad
OWASP stands for the Open Worldwide Application Security Project. It’s a nonprofit that focuses on improving software security. In late 2025, it published a study documenting “the most critical security risks facing autonomous and agentic AI systems.”
Here’s a quick rundown:
- Prompt injection: Attackers can manipulate an AI agent’s instructions to cause it to perform unintended or malicious actions.
- Insecure output handling: AI-generated output can trigger unsafe actions in downstream systems if not validated and sanitized.
- Training data poisoning: Corrupted or malicious data introduced during training can bias or weaken the model’s behavior.
- Model denial-of-service: Attackers can overload or exploit resource limits to crash or degrade AI system availability.
- Supply chain vulnerabilities: Compromised libraries, plugins, or model dependencies can introduce hidden backdoors or weaknesses.
- Sensitive information disclosure: The model may leak secrets, credentials, or proprietary data through its responses.
- Insecure plugin design: Poorly secured extensions or tools connected to the AI can serve as attack vectors.
- Excessive agency: Granting an agent too much autonomy or system access increases the blast radius of compromise.
- Overreliance: Users may trust AI output without verification, enabling subtle errors or manipulation to propagate.
- Model theft: Attackers can copy or extract a model’s weights or behavior, stealing intellectual property or capabilities.
As you can see, there are many entry points for malicious actors to gain a hold on supposedly secure internal AI agents.
Insider Threats
Back when I spent most of my time giving cybersecurity lectures, insider threats accounted for a measurable portion of enterprise cybersecurity risk. Before the pandemic, Ponemon’s 2018 Cost of Insider Threats report found that 64% of insider incidents were caused by employee or contractor negligence, with criminal or malicious insiders accounting for 23% and credential theft for 13%.
Verizon’s 2019 Data Breach Investigations Report (DBIR) reported that 34% of breaches involved internal actors, demonstrating that insider involvement was a persistent component of breach activity.
During the 2020–2022 pandemic years, remote and hybrid work expanded the exposure surface for insider risk. The 2022 Ponemon report categorized incidents as 56% negligence, 26% criminal insiders, and 18% credential theft, showing that negligence remained the dominant category while credential-based compromise increased in share compared to 2018.
As of 2025, Verizon’s DBIR began exploring the use of generative AI within enterprises. Their study found that 15% of employees routinely accessed generative AI systems on corporate devices. Of those accounts, 72% used non-corporate email identifiers and 17% used corporate email addresses without integrated authentication. Essentially, employees were dumping internal company confidential data into cloud-based public AI systems like ChatGPT.
All that brings us to 2026. Now, insider threats are moving from mostly human-motivated to the possibility that agents themselves could become malicious insider actors. In an article published in The Register, Palo Alto Networks chief security intel officer Wendi Whitmore is quoted warning of “the AI agent itself becoming the new insider threat.”
This makes sense because AI agents are being given greater and greater access inside corporate networks as a side effect of enabling them to do the jobs we’re delegating to them. The problem is not only that many of these agents will need to have expanded privileges within the network, it’s that they also become “a very attractive target to attack.”
These agents, running 24/7 inside your network, with expanded privileges and capabilities, are subject to all of the risks and threats I discussed in the previous section.
Now, let’s take this to its logical extreme. Insider threats from humans have mostly been associated with negligence. But there are only so many humans in the company. Now picture those same humans fielding agents, with 82 machine identities for every human one, and you can see how negligence multiplies in the extreme.
Add to that malicious threats that can now be targeted beyond humans to agents with potentially limited protection capabilities, and we are, in a word, screwed.
Protection Methods
The OWASP study does provide some insight into how we might protect our networks. It lists 10 mitigation strategies that, when used together, can harden agent operations inside the corporate network. Here’s a quick summary of those strategies:
- Treat agents as first-class identities. Each agent should have its own identity. This prevents the use of shared credentials and enables auditing, revocation, and scope control. In other words, from a security perspective, treat agents like you would individual employees.
- Use least privilege and least agency. Agents should only have the minimum permissions required for a specific task. In addition, they should be given the minimum autonomy necessary, especially for state-changing or high-impact operations.
- Issue short-lived, task-scoped tokens. Access tokens should be narrowly scoped and time-limited so that a compromised agent cannot act indefinitely or outside its assigned task.
- Enforce step-up authentication for sensitive actions. High-risk actions like financial approvals, data exports, and configuration changes should require additional human verification rather than relying solely on conversational approval.
- Separate conversational UI from security boundaries. Critical approvals should happen in secure identity workflows outside the chat interface. This helps mitigate human-agent trust exploitation.
- Authenticate and secure inter-agent communication. Agents communicating with other agents or tools should use signed requests and mutual authentication to prevent impersonation and tampering.
- Restrict tool access via authorization policies. Tools and plugins should be bound to strict authorization policies so that even if an agent is manipulated, it cannot exceed predefined operational limits.
- Enable centralized revocation and monitoring. Security teams (and security agents) must be able to revoke an agent’s access immediately, and monitor its behavior through logging and audit trails. Give security agents the ability to revoke, but not to grant.
- Segment memory and contextual data. To reduce memory and context-poisoning risks, the system should isolate memory stores and validate or constrain how persistent context can influence agent decisions.
- Limit blast radius through architectural containment. Identity and authorization layers should be designed so that a compromised agent situation can’t escalate into a full enterprise compromise.
All of these tactics make sense and should be integrated into your internal AI strategy. But I’ll tell you one tactic that OWASP doesn’t specifically recommend: limit your agent exposure. Just don’t create as many agents as you might want to.
Remember the rise in virtual machines back in the day? All of a sudden, we had virtual machines everywhere because every application, project, and challenge was addressed by spinning up a new VM. Eventually, we had so many virtual machines that it was impossible to find them all. Many of them were running with outdated software. It was a mess.
Agents promise to be just as chaotic. Think twice before you create a new agent. Perhaps require human approvals before launching one. If it takes a team of interviewers and multiple rounds before you hire an employee, it should take the same or even a greater level of care before you “hire” a new agent.
This could be difficult. As I showed at the beginning of this article, agents like to create new agents. But this is the crux of the battle we face over the next few years. It’s not just malicious actors. It’s all the unintentional and even well-meaning messes we’ll create simply by trying to make our jobs easier and offloading some work to the machines.