Axios – New cybersecurity risk: AI agents going rogue
The cybersecurity industry is rushing to confront a new identity crisis — not for people, but for AI agents that act autonomously and now need to be managed like employees.
Why it matters: Without proper guardrails, agents could, at the very least, cause incidental data breaches, misuse login credentials, and leak sensitive information.
The big picture: Just as companies start to embrace AI agents for critical tasks, security vendors are scrambling to build guardrails around them, warning that every agent must have an identity — or risk undermining trust, compliance and control.
- Even without AI agents, hackers have already proven to be pretty pretty good at hacking employee accounts through stolen and reused passwords.
- “You can’t treat them like a human identity and think that multifactor authentication applies in the same way because humans click things, they can type things in, they can type codes,” David Bradbury, chief security officer at Okta, told Axios.
- Agents require a new way of thinking: they need the same “elevated, high trust” that human accounts receive but in a new way, Bradbury said.
Driving the news: Securing AI agents’ identities was a major theme of last week’s RSA Conference in San Francisco.
- 1Password introduced two security tools right before the conference tailored to both AI agent developers and IT managers to help make securing agents’ identities easier.
- Other identity security providers, including Okta and OwnID, also released products for securing AI identities earlier this year.
By the numbers: Deloitte predicts that 25% of companies that use generative AI will launch agentic AI pilots this year. Half will launch pilots by 2027, Deloitte says.
State of play: Security pros are already used to securing so-called nonhuman identities.
- Bot accounts, file servers, VPN gateways and any other machine-based entities require their own version of a username and password.
- IT teams also have needed to closely monitor which company files and systems these tools have access to and constantly rotate out their passwords.
Between the lines: Securing the identities of AI agents doesn’t require much additional innovation. But the stakes are higher since those agents could be given free rein on a company’s network.
- Jeff Shiner, CEO of 1Password, told Axios. An agent They work 24/7, without sleeping and at very quick speeds,
- “acts and reasons, and as a result of that, you need to understand what it’s doing.”
- Kevin Bocek, senior vice president of innovation at CyberArk, told Axios that security teams should create a kill switch for any agents operating on their networks.
- “If that agent should happen to have a bad day, or its many copies happen to have a bad day, then it’s simple,” Bocek said. “I can say, ‘You know what, these agents are no longer authorized.'”
The intrigue: Knowledge of agents’ unique security challenges varies across companies, and security companies are hustling to evangelize executives on the need to start securing these agents now as they rapidly deploy them in their environments.
- Shiner said agent security has come up at most of his private dinners with CISOs and developer leaders in recent month. “A lot of companies are just learning the implications from a security perspective and are looking for answers,” he added.
- Bocek warned that many security teams don’t have a seat in the room as companies discuss their new agent deployment plans.
- “They are not part of those AI agent discussions that are moving fast, to be completely honest,” Bocek said.
What to watch: Agent deployment is expected to accelerate over the next year, Jason Clinton, CISO at Anthropic, said during a Coalition for Secure AI panel last week.
- Clinton warned that there could soon be a world where AI agents are managing other AI agents — and every human employee could one day be required to undergo management training to supervise these virtual employees.
- “If you have entry-level folks, help them make the transition to management, because they’re going to be managing agents, not managing people,” he added.
READ the latest news shaping the cybersecurity market at Cybersecurity News Central
Axios – New cybersecurity risk: AI agents going rogue, source
