Tags: Security, AI Agents, Compliance, MCP

AI Agent Security: What Nobody Tells You Until It's Too Late

Manny Maun, Mar 29, 2026, 7 min read

88% of organisations reported a confirmed or suspected AI agent security incident in the past year. Here's what's going wrong and how to fix it.


Let me share a stat that should make every platform engineering and security leader uncomfortable: 68% of organisations cannot distinguish AI agent actions from human activity. That's from a January 2026 survey by the Cloud Security Alliance and Aembit, covering 228 IT and security professionals.

Think about what that means. Your agents are making API calls, accessing databases, reading emails, creating documents — and if something goes wrong, you can't tell whether it was a person or an agent that did it.

Bessemer Venture Partners called AI agent security "the defining cybersecurity challenge of 2026." After months of watching this space — and building infrastructure to address it — I think they're right.

The threat landscape is real, not theoretical

This isn't a future problem. OWASP released their Top 10 for Agentic Applications in December 2025, developed with over 100 security researchers. CrowdStrike and Mandiant data shows 1 in 8 enterprise breaches now involves an agentic system. And the incidents are getting more creative.

McKinsey's red team compromised an autonomous agent in under two hours. Barracuda found 43 agent framework components with embedded vulnerabilities. Over 1,000 malicious skills were discovered on the OpenClaw ClawHub marketplace. And in a separate incident, a Comet-class agent system autonomously acted on hidden instructions and leaked a user's one-time password.

The pattern is consistent: agents have broad access, minimal monitoring, and no identity of their own. Attackers don't need to be sophisticated when the default configuration is this permissive.

Why agents are harder to secure than apps

Mike Gozzo, Chief Product and Technology Officer at Ada, put it well: "AI agents aren't tools — they're actors that make decisions and take actions. Securing an actor is fundamentally different than securing a tool."

Traditional application security assumes deterministic behaviour. You can read the code, map the attack surface, and predict what the application will do. Agents are non-deterministic. They decide at runtime which tools to call, what data to access, and how to chain actions together. The attack surface changes with every prompt.

This creates three security problems that existing tooling doesn't solve:

The credential sprawl problem

A typical agent needs credentials for multiple external services — Gmail, Slack, GitHub, search APIs, vector databases. Most teams handle this the same way they handle microservice credentials: dump everything into Kubernetes Secrets or environment variables.

The numbers tell the story. 45.6% of teams rely on shared API keys for agent-to-agent authentication. Only 17.8% use mTLS. And 74% of organisations acknowledge their agents receive more access than necessary.

That flat credential model means your research agent can see the HR bot's Google Drive token. Nobody intends for that to happen, but it's the default when you don't scope credentials per workspace.

The identity gap

Only 21.9% of organisations treat agents as independent identity-bearing entities. The rest authenticate agents using shared service accounts, hardcoded API keys, or — disturbingly often — the developer's personal credentials from testing that never got rotated.

BeyondTrust reported a 466.7% increase in enterprise AI agents on their Pathfinder Platform over the past year. 1Password just launched "Unified Access" in partnership with Anthropic, Cursor, and GitHub, specifically to discover agents and exposed credentials across environments. Aembit introduced an "MCP Identity Gateway" that issues ephemeral credentials to agents at runtime.

The market is waking up to this, but most organisations are still running agents with credentials that were set up during a proof-of-concept six months ago.

The MCP security gap

MCP is becoming the standard way agents connect to tools — the TypeScript SDK has 34,700+ dependent projects. But the security story is alarming.

When Knostic scanned roughly 2,000 internet-exposed MCP servers in mid-2025, every single one lacked authentication. A separate analysis by Pillar Security found that 43% of MCP servers have flaws in their OAuth authentication flows, and roughly two-thirds of open-source MCP servers show poor security practices.

The MCP specification makes all security controls optional and unenforced. A single configuration line can bypass protections. The 2026 roadmap acknowledges this and lists enterprise readiness — audit trails, SSO-integrated auth, gateway behaviour standardisation — as a priority. But the fixes are still in draft.

Until the protocol catches up, you need a gateway layer between your agents and MCP servers that validates JWTs, enforces per-tool RBAC, and handles OAuth token exchange without exposing secrets to the agent runtime.

What a secure agent deployment looks like

OWASP's core design principle for agentic applications is "Least Agency" — don't give agents more autonomy than the business problem justifies. Here's what that looks like in practice:

Workspace-scoped credentials

Every agent gets only the credentials for its own workspace. Encrypted at rest with proper key management (not just base64 in a Kubernetes Secret). Decrypted just-in-time at deploy time. Every credential access logged to an immutable audit trail.

When your compliance team asks "which agents had access to customer email in March?" you should be able to answer that query in under a minute, not spend a week grepping through YAML files.
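As an added example (my own Python, not BiznezStack's code and not something from the post), here is the shape of a workspace-scoped credential store that meets the four requirements above: every blob is encrypted at rest and cryptographically bound to its workspace, decrypted just-in-time for the requesting agent, and every attempt lands in a hash-chained audit log that can answer the "which agents had access in March?" question directly. `DemoKms` is a stand-in for a real KMS-backed AEAD (AES-GCM under a cloud KMS key), written with the standard library only so the snippet runs anywhere; the workspace names, agent ids and token values are constructed.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone


class DemoKms:
    # Stand-in for a KMS-backed AEAD (AES-GCM under a cloud KMS key in production), standard
    # library only: HMAC-SHA256 counter-mode keystream, then encrypt-then-MAC over aad|nonce|ct.
    def __init__(self, master_key: bytes) -> None:
        self._ek = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mk = hmac.new(master_key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        return b"".join(hmac.new(self._ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                        for i in range(n // 32 + 1))[:n]

    def encrypt(self, plaintext: bytes, aad: bytes) -> bytes:
        nonce = os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + hmac.new(self._mk, aad + nonce + ct, hashlib.sha256).digest()

    def decrypt(self, blob: bytes, aad: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._mk, aad + nonce + ct, hashlib.sha256).digest()):
            raise ValueError("credential blob failed integrity check")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def _digest(e: dict) -> str:
    body = json.dumps({k: v for k, v in e.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class AuditLog:
    # Hash-chained append-only log: each record commits to its predecessor, so edits are caught by verify().
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, ts: datetime, agent: str, workspace: str, credential: str, outcome: str) -> None:
        e = {"ts": ts.isoformat(), "agent": agent, "workspace": workspace, "credential": credential,
             "outcome": outcome, "prev": self.entries[-1]["hash"] if self.entries else "0" * 64}
        e["hash"] = _digest(e)
        self.entries.append(e)

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def agents_with_access(self, credential: str, year: int, month: int) -> set[str]:
        # The compliance question: which agents were granted this credential in a given month?
        prefix = f"{year:04d}-{month:02d}-"
        return {e["agent"] for e in self.entries if e["credential"] == credential
                and e["outcome"] == "granted" and e["ts"].startswith(prefix)}


class CredentialStore:
    # Keyed by workspace and bound to it via the AAD: an agent can only resolve names in its own workspace.
    def __init__(self, kms: DemoKms, audit: AuditLog) -> None:
        self._kms, self._audit, self._blobs = kms, audit, {}

    def provision(self, workspace: str, name: str, secret: str) -> None:
        self._blobs[(workspace, name)] = self._kms.encrypt(secret.encode(), f"{workspace}:{name}".encode())

    def fetch(self, agent_id: str, workspace: str, name: str, now: datetime) -> str:
        # Just-in-time decrypt inside the caller's own workspace; every attempt is audited.
        if (workspace, name) not in self._blobs:
            self._audit.append(now, agent_id, workspace, name, "denied")
            raise PermissionError(f"{agent_id}: no credential {name!r} in workspace {workspace!r}")
        secret = self._kms.decrypt(self._blobs[(workspace, name)], f"{workspace}:{name}".encode())
        self._audit.append(now, agent_id, workspace, name, "granted")
        return secret.decode()


def demo() -> dict:
    # Constructed scenario: an HR bot and a research agent in separate workspaces.
    kms, audit = DemoKms(os.urandom(32)), AuditLog()
    store = CredentialStore(kms, audit)
    store.provision("hr", "gmail_token", "ya29.constructed-hr-token")
    store.provision("research", "search_api_key", "sk-constructed-research-key")
    march, april = datetime(2026, 3, 12, tzinfo=timezone.utc), datetime(2026, 4, 3, tzinfo=timezone.utc)
    roundtrip = store.fetch("hr-bot", "hr", "gmail_token", march) == "ya29.constructed-hr-token"
    store.fetch("research-agent", "research", "search_api_key", march)
    try:  # no Gmail token exists in the research workspace: denied and logged
        store.fetch("research-agent", "research", "gmail_token", march)
    except PermissionError:
        pass
    store.fetch("hr-bot", "hr", "gmail_token", april)
    result = {"roundtrip": roundtrip, "chain_intact": audit.verify(),
              "gmail_access_march": audit.agents_with_access("gmail_token", 2026, 3),
              "denied": [e["agent"] for e in audit.entries if e["outcome"] == "denied"]}
    audit.entries[0]["agent"] = "someone-else"  # simulate after-the-fact tampering with the trail
    result["tamper_detected"] = not audit.verify()
    return result
```

The two design choices worth copying are the AAD and the chain: because the ciphertext is bound to `workspace:name`, a blob copied from the HR workspace into another one fails to decrypt even with the same master key, and because each audit record commits to the previous one, the compliance answer comes from a log you can prove was not edited.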

Agent identity as a first-class concept

Each agent deployment should have its own identity — a service account with scoped permissions, not a shared key that twelve agents use. Rotate credentials automatically. Set expiry dates. Clean up orphaned secrets when agents are decommissioned.

The CSA/Aembit survey found that only 3.9% of organisations have more than 80% of their agents actively monitored and secured. That number needs to change.

Gateway-enforced tool access

Every tool call goes through an agent gateway. The gateway validates the request, checks authorisation, transforms authentication headers, and logs the interaction. If you need to revoke an agent's access to Slack, you do it at the gateway — no redeployment required.

This is especially critical for MCP connections, given the protocol's current security posture.
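The gateway layer described here and in the MCP section above, as an added example in Python (my code, not the post's and not any product's): it verifies the agent's HS256 JWT with a pinned algorithm, checks a per-workspace tool policy, honours revocations without a redeploy, injects the upstream credential only at the edge so the agent runtime never holds it, and logs every decision. The signing key, policy, tool names and token values are constructed, and `_forward` stands in for the real HTTP call to the MCP server or SaaS API.

```python
import base64
import hashlib
import hmac
import json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_agent_jwt(claims: dict, key: bytes) -> str:
    # HS256 token the platform's identity service issues to one agent deployment.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_agent_jwt(token: str, key: bytes, now: int) -> dict:
    # The algorithm is pinned (a header claiming "none" or anything else is rejected),
    # the signature is compared in constant time, and expiry is enforced.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64url(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

class AgentGateway:
    # policy: workspace -> tools it may call. upstream_secrets: tool -> credential the gateway
    # injects on the way out; the agent runtime never holds these.
    def __init__(self, signing_key: bytes, policy: dict, upstream_secrets: dict) -> None:
        self._key, self._policy, self._secrets = signing_key, policy, upstream_secrets
        self._revoked: set[tuple[str, str]] = set()
        self.log: list[dict] = []

    def revoke(self, agent_id: str, tool: str) -> None:
        # Effective on the next call; nothing is redeployed.
        self._revoked.add((agent_id, tool))

    def call(self, token: str, tool: str, args: dict, now: int) -> dict:
        try:
            claims = verify_agent_jwt(token, self._key, now)
        except ValueError as exc:
            self._log("unknown", tool, "denied", str(exc))
            raise PermissionError(str(exc))
        agent, workspace = claims["sub"], claims["workspace"]
        if tool not in self._policy.get(workspace, set()):
            self._log(agent, tool, "denied", "tool not in workspace policy")
            raise PermissionError(f"{workspace} may not call {tool}")
        if (agent, tool) in self._revoked:
            self._log(agent, tool, "denied", "access revoked")
            raise PermissionError(f"{agent} revoked for {tool}")
        # Only now, at the edge, is the agent's identity token swapped for the upstream credential.
        result = self._forward(tool, args, {"Authorization": f"Bearer {self._secrets[tool]}"})
        self._log(agent, tool, "allowed", "")
        return result

    @staticmethod
    def _forward(tool: str, args: dict, headers: dict) -> dict:
        # Placeholder for the real HTTP call to the MCP server or SaaS API; returns only the result.
        return {"tool": tool, "ok": True}

    def _log(self, agent: str, tool: str, decision: str, reason: str) -> None:
        self.log.append({"agent": agent, "tool": tool, "decision": decision, "reason": reason})

def demo() -> dict:
    # Constructed keys, policy and agents; nothing here is a real credential.
    key, now = b"constructed-platform-signing-key", 1_700_000_000
    gw = AgentGateway(key, {"research": {"web_search", "vector_db"}, "hr": {"slack", "gmail"}},
                      {"web_search": "constructed-search-key", "vector_db": "constructed-db-key",
                       "slack": "constructed-slack-token", "gmail": "constructed-gmail-token"})
    hr_claims = {"sub": "hr-bot", "workspace": "hr", "exp": now + 600}
    research = mint_agent_jwt({"sub": "research-agent", "workspace": "research", "exp": now + 600}, key)
    hr = mint_agent_jwt(hr_claims, key)

    def denied(token: str, tool: str, when: int = now) -> bool:
        try:
            gw.call(token, tool, {}, when)
            return False
        except PermissionError:
            return True

    out = {"search_ok": gw.call(research, "web_search", {"q": "agent security"}, now)["ok"],
           "research_slack_denied": denied(research, "slack"),  # slack is outside the research policy
           "hr_slack_ok": gw.call(hr, "slack", {"channel": "#people"}, now)["ok"]}
    gw.revoke("hr-bot", "slack")
    out["hr_slack_after_revoke_denied"] = denied(hr, "slack")
    out["expired_denied"] = denied(hr, "gmail", now + 601)
    out["wrong_key_denied"] = denied(mint_agent_jwt(hr_claims, b"not-the-platform-key"), "gmail")
    none_token = _b64url(b'{"alg":"none"}') + "." + _b64url(json.dumps(hr_claims).encode()) + "."
    out["alg_none_denied"] = denied(none_token, "gmail")
    out["denials_logged"] = sum(1 for e in gw.log if e["decision"] == "denied")
    return out
```

The point to notice is where the secret lives: the agent only ever presents its own identity token, and the Slack or Gmail credential appears in a header the gateway builds after policy has passed, so revoking `hr-bot`'s Slack access is a one-line change at the gateway and the agent never had anything to leak.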

Runtime observability

Not just "is the agent running?" but "what is the agent doing right now?" Track tool invocation chains, credential usage patterns, token consumption, and cost per execution. Set alerts on anomalous behaviour — an agent that suddenly starts accessing resources outside its normal pattern is either broken or compromised.

80% of organisations report unintended agent actions, according to AGAT Software. You can't fix what you can't see.
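To make "what is the agent doing right now?" concrete, here is an added example (my Python, not from the post) of a small baseline-and-detect pass over constructed gateway log lines: it learns each agent's normal tool set, call rate and tokens per call from a learning window, then flags a never-before-seen tool, a call-rate spike, an oversized single call and an agent that has no baseline at all, and attributes token spend per agent for cost tracking. The log format, thresholds and agent names are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed gateway log lines (one JSON object per line) covering a four-hour learning window.
BASELINE_LOG = """\
{"ts": "2026-03-10T09:00:00Z", "agent": "research-agent", "tool": "web_search", "tokens": 900}
{"ts": "2026-03-10T09:30:00Z", "agent": "research-agent", "tool": "vector_db", "tokens": 300}
{"ts": "2026-03-10T10:00:00Z", "agent": "research-agent", "tool": "web_search", "tokens": 850}
{"ts": "2026-03-10T10:40:00Z", "agent": "research-agent", "tool": "vector_db", "tokens": 280}
{"ts": "2026-03-10T11:10:00Z", "agent": "research-agent", "tool": "web_search", "tokens": 910}
{"ts": "2026-03-10T11:50:00Z", "agent": "research-agent", "tool": "web_search", "tokens": 870}
{"ts": "2026-03-10T12:20:00Z", "agent": "research-agent", "tool": "vector_db", "tokens": 310}
{"ts": "2026-03-10T12:55:00Z", "agent": "research-agent", "tool": "web_search", "tokens": 880}
{"ts": "2026-03-10T09:15:00Z", "agent": "hr-bot", "tool": "gmail", "tokens": 400}
{"ts": "2026-03-10T10:15:00Z", "agent": "hr-bot", "tool": "slack", "tokens": 150}
{"ts": "2026-03-10T11:15:00Z", "agent": "hr-bot", "tool": "gmail", "tokens": 420}
{"ts": "2026-03-10T12:15:00Z", "agent": "hr-bot", "tool": "slack", "tokens": 160}
"""

# Constructed one-hour detection window: research-agent reaches for a tool it has never used and
# pulls an unusually large payload, hr-bot's call rate spikes, and an agent nobody inventoried shows up.
RECENT_LOG = """\
{"ts": "2026-03-11T09:05:00Z", "agent": "research-agent", "tool": "web_search", "tokens": 890}
{"ts": "2026-03-11T09:20:00Z", "agent": "research-agent", "tool": "gdrive_read", "tokens": 1500}
{"ts": "2026-03-11T09:40:00Z", "agent": "research-agent", "tool": "vector_db", "tokens": 300}
{"ts": "2026-03-11T09:02:00Z", "agent": "hr-bot", "tool": "gmail", "tokens": 400}
{"ts": "2026-03-11T09:12:00Z", "agent": "hr-bot", "tool": "gmail", "tokens": 400}
{"ts": "2026-03-11T09:22:00Z", "agent": "hr-bot", "tool": "gmail", "tokens": 400}
{"ts": "2026-03-11T09:32:00Z", "agent": "hr-bot", "tool": "gmail", "tokens": 400}
{"ts": "2026-03-11T09:42:00Z", "agent": "hr-bot", "tool": "gmail", "tokens": 400}
{"ts": "2026-03-11T09:52:00Z", "agent": "hr-bot", "tool": "gmail", "tokens": 400}
{"ts": "2026-03-11T09:33:00Z", "agent": "poc-agent", "tool": "github", "tokens": 50}
"""


def parse_log(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _by_agent(events: list[dict]) -> dict[str, list[dict]]:
    grouped = defaultdict(list)
    for e in events:
        grouped[e["agent"]].append(e)
    return grouped


def build_baseline(events: list[dict], window_hours: float) -> dict[str, dict]:
    # Per agent: the tools it normally calls, its call rate, and its mean tokens per call.
    return {agent: {"tools": {e["tool"] for e in evs},
                    "calls_per_hour": len(evs) / window_hours,
                    "tokens_per_call": sum(e["tokens"] for e in evs) / len(evs)}
            for agent, evs in _by_agent(events).items()}


def detect(baseline: dict, events: list[dict], window_hours: float,
           rate_factor: float = 3.0, token_factor: float = 2.0) -> list[dict]:
    # Flags agents with no baseline, tools outside an agent's normal set, call-rate spikes and
    # single calls that move far more tokens than usual. Thresholds are constructed for the demo.
    alerts = []
    for agent, evs in _by_agent(events).items():
        b = baseline.get(agent)
        if b is None:
            alerts.append({"agent": agent, "kind": "unknown_agent", "detail": f"{len(evs)} call(s), no baseline"})
            continue
        for tool in sorted({e["tool"] for e in evs} - b["tools"]):
            alerts.append({"agent": agent, "kind": "new_tool", "detail": tool})
        rate = len(evs) / window_hours
        if rate > rate_factor * b["calls_per_hour"]:
            alerts.append({"agent": agent, "kind": "rate_spike",
                           "detail": f"{rate:.1f}/h vs baseline {b['calls_per_hour']:.1f}/h"})
        for e in evs:
            if e["tokens"] > token_factor * b["tokens_per_call"]:
                alerts.append({"agent": agent, "kind": "token_spike", "detail": f"{e['tool']}: {e['tokens']} tokens"})
    return alerts


def tokens_by_agent(events: list[dict]) -> Counter:
    # Cost attribution per agent for the window (multiply by the model's token price).
    return Counter({agent: sum(e["tokens"] for e in evs) for agent, evs in _by_agent(events).items()})


def demo() -> dict:
    baseline = build_baseline(parse_log(BASELINE_LOG), window_hours=4)
    recent = parse_log(RECENT_LOG)
    return {"alerts": detect(baseline, recent, window_hours=1), "tokens": tokens_by_agent(recent)}


if __name__ == "__main__":
    for alert in demo()["alerts"]:
        print(alert)
```

Each of the four alert kinds maps to something the text calls out: `new_tool` is the agent stepping outside its normal pattern, `rate_spike` is the runaway loop, `token_spike` is the single oversized read worth a second look, and `unknown_agent` is the proof-of-concept nobody inventoried. The thresholds here are deliberately simple; the useful part is that the baseline is learned per agent from the same gateway log that the access controls already produce.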

The EU AI Act adds a deadline

August 2, 2026 triggers application of the EU AI Act's remaining provisions for high-risk AI systems. Requirements include documented risk management, automatic logging, human oversight mandates, and incident reporting. Fines run up to 35 million euros or 7% of global annual turnover.

If your agents interact with customer data, financial systems, or HR processes, they likely fall under the high-risk category. The time to build audit trails and governance controls is before the deadline, not after.

Where to start

If you're looking at this and thinking "we're behind," you're not alone. Most organisations are.

Start with visibility: inventory every agent running in your environment, what credentials they have, and what tools they can access. You might be surprised — most teams discover agents from proof-of-concepts that are still running with broad permissions.

Then scope down: apply least-privilege per workspace, put a gateway in front of tool access, and start logging. You don't need to solve everything at once, but you do need to know what your agents are doing.

The average shadow AI breach costs $4.63 million. The cost of setting up proper agent security is a fraction of that.


Manny Maun is the Founder and CEO of BiznezStack — the agentic operations runtime for deploying, securing, and governing AI agents at scale.
