Capability Overview
Token Security has released both a security analysis and a commercial platform targeting what it describes as a systemic governance blind spot: AI agents operating as de facto enterprise identities with no corresponding identity security controls. The article documents a pattern now visible across large organisations — AI agents provisioned quickly by individual teams, connected to five or more critical business applications, and running on credentials that were never scoped, reviewed, or lifecycle-managed for that purpose.
The operational scope described is significant. These agents are not passive summarisation tools. They retrieve data from data warehouses, write and deploy code to GitHub, trigger workflows in Salesforce and Jira, and interact with production databases — sometimes on behalf of a human, sometimes autonomously, and often in ways where the distinction is forensically ambiguous. That ambiguity is itself a security problem.
Attack Surface Analysis
The core attack surface expansion here is the creation of a parallel identity layer that operates at machine speed, with high privileges, and largely outside the visibility of existing IAM tooling.
Credential sprawl at machine scale. AI agents create, consume, and sometimes rotate credentials far faster than human-operated IAM processes can track. A single compromised orchestration layer can cascade across every system the agent touches.
Repurposed and over-provisioned credentials. The article explicitly calls out agents running on credentials provisioned for a different purpose — meaning those credentials were scoped for a different risk profile and never reviewed against the agent’s actual access requirements. This is a direct path to privilege abuse.
Cross-system lateral movement. An agent with simultaneous read/write access to GitHub, Snowflake, and a production database is a lateral movement path waiting to be operationalised. A single prompt injection or supply chain compromise targeting that agent yields access to multiple critical systems in a single step.
Invisible principals in audit logs. When an agent takes an action autonomously, attribution is unclear. This degrades incident response fidelity and can mask attacker activity behind legitimate-looking agent behaviour.
Supply chain exposure. Third-party agent components, plugins, or marketplace extensions that inherit enterprise credentials introduce external supply chain risk directly into the identity plane.
Framework Mapping
MITRE ATLAS AML.T0012 (Valid Accounts) is the primary technique at risk: attackers who compromise an AI agent identity gain access through valid, trusted credentials rather than exploiting a technical vulnerability. AML.T0051 (LLM Prompt Injection) becomes dramatically more dangerous when the targeted agent has write access to production systems. AML.T0010 (ML Supply Chain Compromise) applies to third-party agent components inheriting enterprise credentials.
OWASP LLM08 (Excessive Agency) is the direct OWASP mapping — agents with capabilities and permissions beyond what the task requires. LLM01 (Prompt Injection) and LLM05 (Supply Chain Vulnerabilities) round out the primary risk surface.
Threat Scenarios
Scenario 1 — Credential pivot via prompt injection. An attacker delivers a prompt injection payload through a data source the agent reads (e.g., a Jira ticket or email). The agent, operating with write access to GitHub, executes a malicious workflow that exfiltrates repository secrets or deploys backdoored code.
Scenario 2 — Insider abuse of untracked agent identity. A departing employee who provisioned an agent retains indirect access through that agent’s persistent credentials, which were never tied to the employee’s offboarding workflow.
Scenario 3 — Supply chain compromise. A malicious third-party plugin used by an enterprise agent exfiltrates the agent’s API keys — which have production database access — to external C2 infrastructure. The compromise is not detected because the agent’s activity is not baselined in the SIEM.
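The "invisible principals" problem and the unbaselined-agent failure in Scenario 3 come down to a few checks a SIEM rule can run over agent audit events: is each agent action attributable (a human principal or an explicit autonomous marker), is the agent enrolled with a baseline at all, is it touching a system outside that baseline, and is its hourly volume above what the baseline allows. The following is an added example, not Token Security's code or platform; the event schema, the agent names, the baseline figures and the events themselves are constructed for illustration, and a real deployment would derive baselines from an observation window of known-good activity.

```python
"""Attribution and baseline checks over AI-agent audit events.

Added example (not Token Security's code). The event schema, agents,
per-agent baselines and sample events are all constructed for illustration.
"""
from collections import Counter
from datetime import datetime


def ev(ts, actor, on_behalf_of, system, action):
    """Build one constructed audit event for an agent principal.

    on_behalf_of is a human user id, the literal "autonomous" for an explicitly
    unattended run, or None when the log leaves the question open (the
    attribution gap the article describes).
    """
    return {"ts": ts, "actor": actor, "actor_type": "agent",
            "on_behalf_of": on_behalf_of, "system": system, "action": action}


# Constructed per-agent baselines: the systems the agent is documented to touch
# and the highest hourly action count seen during the observation window.
BASELINE = {
    "agent-release-bot": {"systems": {"github", "jira"}, "max_per_hour": 20},
    "agent-data-digest": {"systems": {"snowflake"}, "max_per_hour": 3},
}

# Constructed sample events.
EVENTS = [
    ev("2024-05-01T09:00:00", "agent-release-bot", "alice", "github", "push"),
    ev("2024-05-01T09:05:00", "agent-release-bot", "alice", "jira", "transition"),
    # Explicitly autonomous run: attributable even though no human is present.
    ev("2024-05-01T10:00:00", "agent-release-bot", "autonomous", "github", "push"),
    # Attribution gap: neither a human principal nor an autonomous marker.
    ev("2024-05-01T10:30:00", "agent-release-bot", None, "github", "push"),
    # Outside baseline: the release bot has no documented business in the warehouse.
    ev("2024-05-01T11:00:00", "agent-release-bot", "alice", "snowflake", "query"),
    # Unbaselined principal: nobody enrolled this agent, so no profile exists.
    ev("2024-05-01T11:10:00", "agent-sales-helper", "bob", "salesforce", "update"),
]
# A burst of five warehouse queries in one hour from an agent baselined at three.
EVENTS += [ev(f"2024-05-01T12:{m:02d}:00", "agent-data-digest", "autonomous",
              "snowflake", "query") for m in range(0, 50, 10)]


def find_unattributed(events):
    """Agent actions that name neither a human nor an explicit autonomous run."""
    return [e for e in events
            if e["actor_type"] == "agent" and e["on_behalf_of"] is None]


def find_unbaselined_agents(events, baseline=BASELINE):
    """Agents appearing in the logs that were never enrolled with a baseline."""
    return sorted({e["actor"] for e in events if e["actor"] not in baseline})


def find_out_of_scope(events, baseline=BASELINE):
    """Actions against a system outside the agent's baselined system set."""
    out = []
    for e in events:
        profile = baseline.get(e["actor"])
        if profile and e["system"] not in profile["systems"]:
            out.append(e)
    return out


def find_rate_spikes(events, baseline=BASELINE):
    """(agent, hour, count) tuples where hourly volume exceeds the baseline."""
    counts = Counter()
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).replace(minute=0, second=0)
        counts[(e["actor"], hour)] += 1
    spikes = []
    for (actor, hour), n in sorted(counts.items()):
        profile = baseline.get(actor)
        if profile and n > profile["max_per_hour"]:
            spikes.append((actor, hour.isoformat(), n))
    return spikes


def triage(events, baseline=BASELINE):
    """Summarise all four checks for an analyst."""
    return {
        "unattributed": len(find_unattributed(events)),
        "unbaselined_agents": find_unbaselined_agents(events, baseline),
        "out_of_scope": len(find_out_of_scope(events, baseline)),
        "rate_spikes": find_rate_spikes(events, baseline),
    }


if __name__ == "__main__":
    print(triage(EVENTS))
```

The distinction between `None` and `"autonomous"` in `on_behalf_of` is the whole point of the attribution check: an unattended run is fine as long as the log says so, whereas an empty field is exactly the ambiguity that lets attacker activity hide behind legitimate-looking agent behaviour.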
Defender Checklist
- Run a full discovery sweep for AI agents across all teams — treat undiscovered agents as shadow IT
- Classify every agent as a non-human identity and enroll it in your IAM lifecycle process (provisioning, review, deprovisioning)
- Audit all credentials used by agents; revoke shared or repurposed credentials immediately
- Apply least-privilege scoping to agent service accounts — no agent should have broader access than its documented workflow requires
- Add agent activity to the SIEM with anomaly detection baselines comparable to privileged service accounts
- Establish clear human-approval gates for agent actions that affect production environments
- Include AI agents in your third-party and supply chain risk assessments
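The discovery, classification, credential audit, least-privilege and lifecycle items above can be expressed as one audit pass over an agent inventory treated as non-human identities. The following is an added example, not Token Security's platform or code: the record fields (owner, credentials, documented scopes, last review date), the credential registry, the HR roster and the 90-day review window are constructed assumptions, and it also covers the orphaned-owner case from Scenario 2.

```python
"""Lifecycle audit of AI agents inventoried as non-human identities.

Added example (not Token Security's code). The inventory schema, credential
registry, HR roster and review window are constructed assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed HR roster: identities still employed. Anyone else is offboarded.
ACTIVE_EMPLOYEES = {"alice", "carol"}

# Constructed credential registry: what each credential was provisioned for and
# the scopes it actually grants.
CREDENTIALS = {
    "cred-gh-release": {"purpose": "agent-release-bot",
                        "scopes": {"github:write", "jira:write"}},
    "cred-sf-legacy": {"purpose": "legacy-etl-job",
                       "scopes": {"snowflake:read", "snowflake:write", "prod-db:write"}},
    "cred-shared-svc": {"purpose": "shared",
                        "scopes": {"salesforce:write", "jira:write"}},
}

# Constructed agent inventory, as a discovery sweep would produce it.
AGENTS = [
    {"name": "agent-release-bot", "owner": "alice", "credentials": ["cred-gh-release"],
     "documented_scopes": {"github:write", "jira:write"}, "last_review": date(2024, 4, 1)},
    {"name": "agent-data-digest", "owner": "bob", "credentials": ["cred-sf-legacy"],
     "documented_scopes": {"snowflake:read"}, "last_review": date(2023, 6, 1)},
    {"name": "agent-sales-helper", "owner": "carol", "credentials": ["cred-shared-svc"],
     "documented_scopes": {"salesforce:write"}, "last_review": None},
    {"name": "agent-triage", "owner": "carol", "credentials": ["cred-shared-svc"],
     "documented_scopes": {"jira:write"}, "last_review": date(2024, 4, 15)},
]

AS_OF = date(2024, 5, 1)  # constructed audit date


def granted_scopes(agent, credentials):
    """Union of scopes actually reachable through the agent's credentials."""
    scopes = set()
    for cred_id in agent["credentials"]:
        scopes |= credentials[cred_id]["scopes"]
    return scopes


def audit(agents, credentials, active_employees, as_of, max_review_age_days=90):
    """Return (agent, finding_code, detail) tuples for every lifecycle defect."""
    # Credential -> agents using it, to detect sharing across agents.
    users = defaultdict(list)
    for a in agents:
        for c in a["credentials"]:
            users[c].append(a["name"])

    findings = []
    for a in agents:
        name = a["name"]
        # Offboarding gap: the provisioning employee has left but the agent lives on.
        if a["owner"] not in active_employees:
            findings.append((name, "ORPHANED_OWNER", a["owner"]))
        for c in a["credentials"]:
            purpose = credentials[c]["purpose"]
            if len(users[c]) > 1:
                findings.append((name, "SHARED_CREDENTIAL", c))
            elif purpose != name:
                # Credential scoped for a different risk profile than this agent.
                findings.append((name, "REPURPOSED_CREDENTIAL",
                                 f"{c} provisioned for {purpose}"))
        # Least privilege: anything granted beyond the documented workflow.
        excess = granted_scopes(a, credentials) - a["documented_scopes"]
        if excess:
            findings.append((name, "EXCESS_SCOPE", ",".join(sorted(excess))))
        # Lifecycle: never reviewed, or reviewed too long ago.
        review = a["last_review"]
        if review is None or (as_of - review).days > max_review_age_days:
            findings.append((name, "STALE_REVIEW", str(review)))
    return findings


def codes_for(findings, agent_name):
    """Finding codes raised for one agent, in audit order."""
    return [code for name, code, _ in findings if name == agent_name]


if __name__ == "__main__":
    for finding in audit(AGENTS, CREDENTIALS, ACTIVE_EMPLOYEES, AS_OF):
        print(*finding, sep="\t")
```

Comparing granted scopes against the agent's documented workflow, rather than against whatever the credential happened to carry, is what makes the least-privilege item auditable; the same comparison is also the input for deciding which actions should sit behind a human-approval gate.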