AI agents don’t knock before entering. They write code, trigger workflows, and call production APIs directly – and in most organizations, no one on the security team knows they’re there.
This is not a future risk. A recent survey found that 48% of security professionals already expect agentic AI to be the leading attack vector by the end of the year, putting it ahead of deepfakes and every other threat on the list.
The speed of delivery makes it worse. When Moltbot – an open-source AI tool – went live, it connected 150,000 independent agents to a shared network almost overnight.
CEO and founder of Appknox.
Security researchers have flagged it as a blueprint for what unregulated agent access looks like at scale: exposure of private data, external communication channels, and delayed execution attacks bundled into seemingly innocuous inputs.
That governance gap between what AI agents can access and what security teams can monitor is exactly where the attack surface grows.
Traffic Your Stats Won’t Show
Mobile APIs are often built on the assumption that the entity making the requests is the person using your app. Validation logic, rate limiting, and time monitoring are all designed into that mental model. However, AI agents are breaking that assumption.
Agents bypass the UI layer entirely. They interact directly with APIs, which operate without the behavioral constraints that human users impose. That means they don’t generate the session data, navigation patterns, or interaction signals that analytics tools use to establish trends. Their traffic appears legitimate at the API level, and it usually doesn’t appear at all in the logs that security teams are actually monitoring.
And the problem is growing fast. Non-human identities – service accounts, API keys, automation tools, AI agents – now outnumber human users by as much as 50 to 1, but most operate without any governance lifecycle. There is no clear owner. There is no expiration date. There is no monitoring. The identities that drive most of the API work are the ones that have little visibility attached to them.
Moltbot put a face on the threat. Palo Alto Networks identified prompt injection attacks hidden within plain content: instructions that silently directed agents to leak confidential data or stage delayed payloads from inputs that looked harmless when they arrived. No warnings, no distractions, just an agent doing what it’s told.
How Engineers Unwittingly Open the Door
AI agents are in production before security teams even know they’re there. The adoption of shadow AI and the rapid, often untested integration of open-source MCP (Model Context Protocol) servers into the development workflow mean that deployments are outpacing oversight by a wide margin.
Agents need broad access to work, and once that access is granted, it is almost never updated or restricted after deployment. An agent provisioned for a single task ends up having access to more than that task requires.
The code itself carries risk, too. AI-written code can pass every check and still be vulnerable, because the errors lie in the way its components interact at runtime. Logic errors occur in the spaces between components, not within them.
Third-party integrations add further exposure. Agents interact with payment APIs, analytics, and messaging under the same unexamined assumptions of trust that already make external integrations a liability, responsible for 35% of common security breaches.
The Deepseek Android app puts a face to this. It’s exactly the kind of product you’d expect to have its security in order. It didn’t. Six vulnerabilities – insecure network configuration and lack of SSL authentication among them – were discovered in the leading AI application: the same categories of risk that AI tools are supposed to eliminate.
What Governing AI Agents Really Requires
The first step is to accept that point-in-time testing does not work for agents. They operate continuously and dynamically, so a static snapshot of their behavior tells you almost nothing about what they do an hour later. A traditional pentest captures a moment in time. Agents create risk in every moment after it. Security should match that cadence.
From there, check the permissions. Least privilege is not a rule reserved for human users. It applies to every non-human identity in your environment. Scope agents tightly from the start, and build in a review process that doesn’t rely on someone remembering to do it manually.
Monitoring needs to evolve, too. Volume-based anomaly detection misses most agent abuse. What matters are behavioral patterns: unusual API call sequences, unexpected combinations of data access, and calls firing outside normal parameters.
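To make the point concrete, here is an added example (not code from the article or from Appknox) that compares an agent identity’s current API calls against a baseline by call sequence and by data accessed, rather than by request count. The identity name, endpoints and log lines are constructed.

```python
"""Behavioral, not volume-based, anomaly checks for a non-human identity.
Added example; the identity, endpoints and log events are constructed."""
from collections import defaultdict

# Constructed baseline: normal behaviour of the agent over a prior window.
BASELINE = [
    ("svc-report-bot", "GET /orders"), ("svc-report-bot", "GET /orders/summary"),
    ("svc-report-bot", "POST /reports"),
] * 3
# Constructed current window: identical request volume, different behaviour.
TODAY = [
    ("svc-report-bot", "GET /orders"), ("svc-report-bot", "GET /users/export"),
    ("svc-report-bot", "POST /webhooks"),
] * 3

def transitions(events):
    """Per identity, the set of (previous_endpoint, next_endpoint) bigrams."""
    seen, prev = defaultdict(set), {}
    for ident, ep in events:
        if ident in prev:
            seen[ident].add((prev[ident], ep))
        prev[ident] = ep
    return seen

def resources(events):
    """Per identity, the set of endpoints (data) it touched."""
    per = defaultdict(set)
    for ident, ep in events:
        per[ident].add(ep)
    return per

def behavioral_findings(baseline, current):
    """Findings a request-count threshold would never raise: call sequences
    and data accesses that were absent from the baseline."""
    base_t, cur_t = transitions(baseline), transitions(current)
    base_r, cur_r = resources(baseline), resources(current)
    findings = []
    for ident in cur_t:
        for a, b in sorted(cur_t[ident] - base_t.get(ident, set())):
            findings.append((ident, "new_call_sequence", f"{a} -> {b}"))
        for ep in sorted(cur_r[ident] - base_r.get(ident, set())):
            findings.append((ident, "new_data_access", ep))
    return findings

def volume_ratio(baseline, current):
    """Request volume of current vs baseline; 1.0 means nothing to see."""
    return len(current) / len(baseline)
```

Run `behavioral_findings(BASELINE, TODAY)` next to `volume_ratio(BASELINE, TODAY)`: the volume is unchanged while every call sequence and two of the endpoints are new.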
And because agents operate at machine speed, human-reviewed monitoring alone will not catch up in time. Automated, continuous testing, where AI probes your environment the same way a malicious agent would, is what closes that gap.
The same concept applies within the development pipeline. Security checkpoints need to be embedded in CI/CD so that AI-written or AI-enabled code is validated before it reaches production, not after.
Finally, treat agents as their own identity class. They are not users, and they are not ordinary software. They need the same administrative rigor applied to third-party APIs and external integrations, which many organizations are still working to get right.
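The permission review and the identity-class point above can be turned into a repeatable check. This added example (not code from the article or from Appknox) audits a constructed registry of non-human identities for the lifecycle gaps the piece names: no owner, no expiry, an overdue review, and granted scopes that the agent never actually used. The record format and the 90-day review window are assumptions.

```python
"""Governance lifecycle audit for non-human identities (agents, service
accounts). Added example; registry, usage data and policy are constructed."""
from datetime import date, timedelta

REVIEW_EVERY = timedelta(days=90)  # assumed review policy

# Constructed registry: what each identity was granted and who owns it.
IDENTITIES = [
    {"id": "agent-invoice-bot", "owner": "payments-team",
     "expires": date(2026, 1, 1), "last_review": date(2025, 9, 1),
     "granted": {"orders:read", "invoices:write", "users:read", "users:export"}},
    {"id": "agent-triage", "owner": None, "expires": None, "last_review": None,
     "granted": {"tickets:read", "tickets:write", "admin:*"}},
]
# Constructed scope usage actually observed in API logs over the review window.
USED = {"agent-invoice-bot": {"orders:read", "invoices:write"},
        "agent-triage": {"tickets:read"}}

def audit_identity(rec, used, today):
    """Return the governance findings for one identity record."""
    findings = []
    if not rec["owner"]:
        findings.append("no_owner")
    if rec["expires"] is None:
        findings.append("no_expiry")
    elif rec["expires"] <= today:
        findings.append("expired")
    if rec["last_review"] is None or today - rec["last_review"] > REVIEW_EVERY:
        findings.append("review_overdue")
    # Least privilege: anything granted but never used is a candidate to revoke.
    unused = sorted(rec["granted"] - used.get(rec["id"], set()))
    if unused:
        findings.append("unused_scopes:" + ",".join(unused))
    if any(s.endswith(":*") for s in rec["granted"]):
        findings.append("wildcard_scope")
    return findings

def audit_all(identities, used, today):
    """Map identity id -> findings, suitable for a scheduled CI or cron job."""
    return {r["id"]: audit_identity(r, used, today) for r in identities}
```

Running `audit_all(IDENTITIES, USED, date.today())` on a schedule is the "review process that doesn’t rely on someone remembering" in practice.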
AI agents are not going away. The organizations that govern them will fare better than those that treat them as passive tools. Bridging the gap between access and oversight is a workflow decision as much as a safeguard.