The dark side of AI agents: Power without control

Cybersecurity blog, 04/11/2025

The adoption of AI agents has advanced faster than our ability to govern them. A SailPoint study shows that 82% of organizations already have AI agents in production, but only 44% have documented policies defining their permissions and operational limits. The results are visible on the ground: 80% of deployments record unintended actions, and 23% expose credentials in logs or error messages. These aren’t isolated incidents—they are symptoms of an operating model that hasn’t kept pace with the technology.

The structural difference from traditional chatbots is simple: agents don’t just respond—they act. They make authenticated API calls, use service accounts and tokens with broad privileges, and bypass controls designed for humans—such as MFA, email DLP, or manual approvals. A customer support agent can read and modify data without triggering any oversight mechanism; a DevOps agent can manage CI/CD pipelines with little or no direct supervision.

This new perimeter opens attack vectors that require no human interaction. At Black Hat USA 2025, Zenity demonstrated zero-click exploit chains against enterprise agents. In the case of Microsoft Copilot Studio, a single booby-trapped file from an integrated source—like SharePoint or an email invitation—was enough to inject hidden instructions.
When the agent processed that content, it interpreted the text as commands, bypassed prompt barriers, and, using valid credentials, enumerated connectors and extracted CRM records—all without a single click.

Addressing this risk doesn’t mean slowing adoption; it means treating agents as privileged identities, with full lifecycle management: authentication with regular rotation, a maintained inventory of agents with a defined owner, a clear purpose and a planned deactivation date, plus break-glass procedures to quickly revoke credentials when something goes wrong.

Observability also needs to evolve. It’s not enough to log the final outcome; we must capture the decision chain—which tools were invoked, with what parameters, what values were returned, and how they led to the next action. With this visibility, organizations can establish a behavioral baseline for each agent; from there, behavioral profiling enables early detection of deviations—before they escalate into incidents.

The most effective controls live outside the model: rate limiting to prevent mass data extraction, network segmentation to reduce lateral movement, and approval tokens for sensitive operations such as bulk updates, payments, or destructive actions. Whenever possible, apply guardrails at the execution layer—APIs, queues, gateways—rather than only at the prompt level.

The operating model also needs adjustment: pre-production risk reviews, agent-specific penetration testing (including indirect injection scenarios), clear segregation of environments, and governance metrics that actually matter—mean time to revocation, percentage of agents with an identified owner, average secret age, and decision logging coverage. Without these basic controls, automation amplifies mistakes and multiplies impact.

Competitive pressure will make agents inevitable—and when configured with discipline, the gains are real.
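The two preceding ideas, execution-layer guardrails and decision-chain logging, fit naturally in one component: a tool gateway that every agent call passes through. The sketch below is an added example written for this article, not GMV's or any vendor's code. The agent name, tool names, rate limit and the approval key are constructed; a real deployment would load the key from a secret store and have the approval token minted by a human approver or an approval service, never by the agent itself. The token is an HMAC bound to the agent, the tool and the exact parameters, so a token approved for one bulk update cannot be reused for a different one, and every call, allowed or denied, is appended to a decision log with its parameters and returned value.

```python
"""Execution-layer gateway for agent tool calls: per-agent rate limiting,
approval tokens for sensitive operations, and decision-chain logging.
Added example; all names, limits and data below are constructed."""
import hashlib
import hmac
import json
import time
from collections import deque
from dataclasses import dataclass, field

# Constructed: tools that need a signed approval token (bulk updates, payments, destructive ops).
SENSITIVE_TOOLS = {"crm.bulk_update", "payments.transfer", "storage.delete"}

# Constructed placeholder; production code loads this from a secret store, not source.
APPROVAL_KEY = b"placeholder-approval-key"


def mint_approval_token(agent_id, tool, params, key=APPROVAL_KEY):
    """Approval issued outside the agent, bound to agent + tool + exact parameters."""
    msg = json.dumps([agent_id, tool, params], sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class RateLimiter:
    """Sliding window: at most `limit` executed calls per `window` seconds per agent."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = {}  # agent_id -> deque of timestamps of executed calls

    def allow(self, agent_id, now):
        q = self.calls.setdefault(agent_id, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


@dataclass
class Gateway:
    tools: dict  # tool name -> callable
    limiter: RateLimiter
    decision_log: list = field(default_factory=list)

    def invoke(self, agent_id, tool, params, approval=None, now=None, key=APPROVAL_KEY):
        """Apply the guardrails in order, execute if all pass, and log the decision."""
        now = time.time() if now is None else now
        record = {"ts": now, "agent": agent_id, "tool": tool, "params": params}
        if tool not in self.tools:
            record["decision"] = "denied:unknown_tool"
        elif tool in SENSITIVE_TOOLS and not (
            approval and hmac.compare_digest(approval, mint_approval_token(agent_id, tool, params, key))
        ):
            # Checked before the rate limiter, so a rejected approval does not consume a slot.
            record["decision"] = "denied:approval_required"
        elif not self.limiter.allow(agent_id, now):
            record["decision"] = "denied:rate_limit"
        else:
            record["result"] = self.tools[tool](**params)
            record["decision"] = "allowed"
        self.decision_log.append(record)  # the decision chain: tool, params, result, outcome
        return record


def build_demo_gateway():
    """Constructed CRM backend with one read tool and one sensitive bulk-update tool."""
    crm = {"c1": {"tier": "gold"}, "c2": {"tier": "silver"}}

    def crm_read(customer_id):
        return crm.get(customer_id)

    def crm_bulk_update(field, value):
        for rec in crm.values():
            rec[field] = value
        return len(crm)

    return Gateway({"crm.read": crm_read, "crm.bulk_update": crm_bulk_update}, RateLimiter(limit=2, window=60))


def run_demo():
    """Walk a constructed support agent through the guardrails; returns (decisions, log)."""
    gw = build_demo_gateway()
    t0 = 1_000_000.0
    agent = "support-agent"
    upd = {"field": "tier", "value": "gold"}
    decisions = [
        gw.invoke(agent, "crm.read", {"customer_id": "c1"}, now=t0)["decision"],
        gw.invoke(agent, "crm.bulk_update", upd, now=t0 + 1)["decision"],  # no approval
        gw.invoke(agent, "crm.bulk_update", upd, approval=mint_approval_token(agent, "crm.bulk_update", upd), now=t0 + 2)["decision"],
        gw.invoke(agent, "crm.read", {"customer_id": "c2"}, now=t0 + 3)["decision"],  # third executed call in 60 s
        gw.invoke(agent, "crm.bulk_update", {"field": "tier", "value": "platinum"},
                  approval=mint_approval_token(agent, "crm.bulk_update", upd), now=t0 + 4)["decision"],  # token bound to other params
    ]
    return decisions, gw.decision_log


if __name__ == "__main__":
    for rec in run_demo()[1]:
        print(json.dumps(rec, sort_keys=True))
```

The decision log is what behavioral profiling needs: one record per tool call with parameters and result, so a baseline such as "this agent reads one customer record at a time and never calls crm.bulk_update without an approval" can be computed from the log rather than reconstructed from chat transcripts.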
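The governance metrics named above are only useful if they are computed from a maintained inventory, so here is an added example (not GMV's code) that derives all four, mean time to revocation, percentage of agents with an identified owner, average secret age and decision logging coverage, from a constructed inventory and a constructed list of revocation events. The field names (`owner`, `secret_rotated_at`, `deactivate_by`, `decision_logging`, `flagged_at`, `revoked_at`) and the 90-day rotation threshold are assumptions, and the function `stale_agents` adds a check the article implies but does not spell out: flag agents whose secret is past the rotation threshold or whose planned deactivation date has already passed.

```python
"""Governance metrics for an AI-agent inventory.
Added example; inventory records, revocation events and thresholds are constructed."""
from datetime import datetime, timezone
from statistics import mean

DAY = 86400.0
HOUR = 3600.0


def _ts(s):
    """Parse a constructed ISO-8601 timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(s).astimezone(timezone.utc)


# Constructed inventory: one record per agent identity. A missing owner or
# deactivation date is itself a governance finding.
AGENTS = [
    {"id": "support-agent", "owner": "it-sec", "secret_rotated_at": _ts("2025-10-01T00:00:00+00:00"),
     "deactivate_by": _ts("2026-01-01T00:00:00+00:00"), "decision_logging": True},
    {"id": "devops-agent", "owner": None, "secret_rotated_at": _ts("2025-06-01T00:00:00+00:00"),
     "deactivate_by": None, "decision_logging": False},
    {"id": "sales-agent", "owner": "sales-ops", "secret_rotated_at": _ts("2025-09-15T00:00:00+00:00"),
     "deactivate_by": _ts("2025-10-15T00:00:00+00:00"), "decision_logging": True},
]

# Constructed revocation events: when an agent was flagged and when its credentials were actually revoked.
REVOCATIONS = [
    {"agent": "devops-agent", "flagged_at": _ts("2025-10-20T09:00:00+00:00"), "revoked_at": _ts("2025-10-20T11:00:00+00:00")},
    {"agent": "sales-agent", "flagged_at": _ts("2025-10-25T08:00:00+00:00"), "revoked_at": _ts("2025-10-25T12:00:00+00:00")},
]

NOW = _ts("2025-11-04T00:00:00+00:00")  # constructed "today" so the numbers are reproducible


def pct_with_owner(agents):
    """Percentage of agents with a named, accountable owner."""
    return 100.0 * sum(1 for a in agents if a.get("owner")) / len(agents)


def avg_secret_age_days(agents, now):
    """Mean age of each agent's current secret, in days."""
    return mean((now - a["secret_rotated_at"]).total_seconds() / DAY for a in agents)


def decision_logging_coverage(agents):
    """Percentage of agents whose tool calls are recorded as a decision chain."""
    return 100.0 * sum(1 for a in agents if a.get("decision_logging")) / len(agents)


def mean_time_to_revocation_hours(revocations):
    """Mean hours from an agent being flagged to its credentials being revoked."""
    return mean((r["revoked_at"] - r["flagged_at"]).total_seconds() / HOUR for r in revocations)


def stale_agents(agents, now, max_secret_age_days=90):
    """Agents whose secret exceeds the rotation threshold or whose deactivation date has passed."""
    out = []
    for a in agents:
        too_old = (now - a["secret_rotated_at"]).total_seconds() / DAY > max_secret_age_days
        overdue = a["deactivate_by"] is not None and a["deactivate_by"] < now
        if too_old or overdue:
            out.append(a["id"])
    return sorted(out)


def governance_report(agents=AGENTS, revocations=REVOCATIONS, now=NOW):
    """Bundle the four metrics the article lists plus the stale-agent finding."""
    return {
        "pct_with_owner": round(pct_with_owner(agents), 2),
        "avg_secret_age_days": round(avg_secret_age_days(agents, now), 2),
        "decision_logging_coverage": round(decision_logging_coverage(agents), 2),
        "mean_time_to_revocation_hours": round(mean_time_to_revocation_hours(revocations), 2),
        "stale_agents": stale_agents(agents, now),
    }


if __name__ == "__main__":
    for k, v in governance_report().items():
        print(f"{k}: {v}")
```

With this constructed inventory the report shows two of three agents owned and logged, an average secret age of 80 days, a three-hour mean time to revocation, and two agents that should already have been rotated or switched off; tracking these numbers over time is what turns the article's list into something an operations team can be measured against.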
Gartner estimates that 40% of such projects will fail by 2027 due to costs, unclear business value, and weak risk controls. The problem isn’t the technology—it’s governance. Treat agents as highly privileged software operating with production credentials. With clear rules, they deliver speed without creating vulnerabilities; without discipline, they give rise to shadow AI—more dangerous than any unauthorized tool, because it operates legitimately within your own systems.

João Sequeira, Director Secure e-Solutions, GMV in Portugal

*This article was first published in IT Security.