AI Agents Face Critical Identity Security Gap as Attackers Exploit Agentjacking Vulnerability

Agentic AI Has an Identity Problem and Attackers Know It

By Itamar Apelblat, CEO and co-founder, Token Security The New Frontier of Security Challenges Every major technology wave creates the same uncomfortable moment for security leaders. Oftentimes, the business moves first and security is asked to make it safe afterward. We saw this pattern with Cloud, SaaS, and DevOps adoptions. Now, agentic AI is doing it again. The difference is that AI agents are not just another service or application category. They are digital actors that authenticate, receive permissions, call APIs, write code, trigger workflows, query databases, and take action across production environments. In many organizations, they are already doing this with credentials, API tokens, OAuth grants, and cloud roles that nobody has fully inventoried. This makes the central security question bigger than "what can the model say?" The real questions that need to be answered are: Who is this agent, what is it allowed to do, who is responsible for its actions, and can we revoke or constrain it when something changes? Yes, agentic AI has an identity problem and attackers are starting to take notice. Why Traditional Identity Programs Fall Short The Human-to-Machine Identity Shift Security teams have spent years building identity programs around humans. Employees join, move, and leave. Access can be reviewed, managers can attest to what people need, and behavior can be monitored against a relatively stable baseline. Machine identities strained that model. Service accounts, secrets, certificates, workload identities, and API keys multiplied across cloud and DevOps environments. Many were overprivileged, poorly owned, and rarely reviewed. Still, most machine identities were deterministic and performed defined tasks in predictable ways. The Autonomy Problem AI agents break this assumption. An agent behaves more like a human in that it can interpret a goal, choose a path, and act across systems. But it scales like software and processes at machine speed. It can be created quickly, embedded into SaaS products, copied by developers, delegated permissions by users, and left running long after the original need is gone. This combination of autonomy, scale, and decentralization creates a new class of identity risk that traditional models were never designed to handle. Least Privilege Doesn't Scale Traditional least privilege is where identity and access management falls short for agentic AI. With a human or service account, least privilege often means granting the minimum static permissions required for a role or function. But an agent may need different access depending on its goal, the data involved, the user or system on whose behalf it is acting, and the environment it is touching. For example, a support agent summarizing a ticket does not need the same privilege as an agent that can issue refunds, modify customer records, or execute commands in production. A coding agent running in a sandbox is different from one that can open pull requests, access secrets, or deploy infrastructure. Access for agents should be contextual, intent-based, time-bound, and continuously evaluated, but this is not how most enterprises operate today. The Three Critical Problems 1. Visibility Problem Many organizations already have shadow AI, just as they once had shadow IT. Agents are built by internal teams, arriving through SaaS platforms that quietly add autonomous features, running locally on endpoints or inside developer environments, and connecting to automation platforms, identity providers, cloud consoles, and ticketing systems. If security teams do not know these agents exist, they cannot secure and govern them. Without knowing which credentials the agents use, they do not understand the scope of the blast radius, and if they do not have the ability to map the agent to an owner, purpose, and lifecycle, they will not be able to hold anyone accountable when the agent makes a harmful decision or is abused by an attacker. 2. Overprivilege Problem Agents are often given broad access because it is easier during experimentation. A developer may grant an API token so a prototype can work, a business unit may connect an agent to a SaaS account with admin rights, or an application team may embed secrets into a workflow because it is faster than designing proper delegation. These types of shortcuts create identity debt, and agentic AI can accumulate that debt at scale and machine speed. 3. Prompt Injection and Indirect Manipulation If an agent can read untrusted content and also take privileged action, attackers do not always need to compromise a traditional account. They may only need to influence what the agent can access because that agent may be overprivileged. Without proper scope boundaries and access controls, prompt injection becomes a vector for unauthorized action. The Path Forward: Identity-Centric Governance Why Identity Security is Foundational CISOs cannot wait for a separate AI security program to mature in isolation. Agentic AI governance must be anchored in identity security. The controls we need start with the basics, but they must be adapted for autonomous systems. Essential Controls for Agent Identity Every agent should have a distinct identity. Shared accounts and borrowed human credentials are unacceptable. Each agent must have an owner, a business purpose, an approved scope of action, and a defined lifecycle. Access needs to be granted based on the task, not convenience. Privileges should expire when no longer needed and secrets should be protected, rotated, and removed from places agents can expose them. Automated Enforcement and Governance Manual reviews do not scale when agents can be created by developers, business users, and SaaS vendors across the enterprise. Identity governance for agents must discover new agents, classify access, detect risky paths, enforce policy, and trigger remediation without waiting for a quarterly review. Decentralized Control with Centralized Policy Accountability requires a shift: security teams cannot be the central bottleneck for every agent. The better model allows teams to build and adopt agents while requiring guardrails for identity, access, ownership, logging, and revocation. Decentralized control with centralized policy enables innovation without sacrificing governance. Learning From Past Technology Waves Cloud, SaaS, and DevOps all moved faster than traditional security models. The enterprises that succeeded were not the ones that said no. They rebuilt their controls around how the new technology actually worked. Agentic AI is now forcing the same evolution. Organizations that treat this as a standalone AI security problem will miss the mark. This is fundamentally an identity problem, and it demands an identity solution. Reframe the Security Question Security leaders should stop thinking only about what AI generates and start focusing on what AI can do. Today's magnifying risk is an autonomous action taken by an identity nobody governed, using access nobody reviewed, toward an outcome nobody intended. That is the identity problem at the heart of agentic AI, and it is the problem CISOs need to solve now. The time to act is not in six months. It is now. The longer organizations wait to implement identity-centric agentic AI governance, the harder it will be to regain control. Get started with a demo from Token Security to see how an identity-centric approach could work in your organization.

Claude Code hijacked via Sentry -- Datadog, PagerDuty at risk | VentureBeat

A single fake error report hijacked Claude Code in controlled testing -- the agent ran the attacker's code with the developer's full privileges, and not one alert fired. EDR, WAF, IAM, and the firewall all missed it completely. Tenet Security's June agentjacking disclosure describes a single crafted Sentry error event -- sent through a public credential that requires no breach and no authentication -- that injected attacker instructions into error data that Claude Code, Cursor, and Codex then executed as trusted diagnostic output. Tenet tested 100-plus targets in controlled conditions and achieved an 85% success rate. Sentry called the flaw "technically not defensible." he Cloud Security Alliance classified agentjacking as a systemic MCP vulnerability class within days of the disclosure. No credentials were stolen, no policy was violated, no perimeter was breached: every step in the chain was authorized. That is the problem. Tenet identified 2,388 organizations with publicly exposed Sentry credentials that could be used to inject malicious events at scale. The research is proof-of-concept, not confirmed exploitation across all 2,388. But one captured Claude Code environment held a live AWS secret access key and private repository URLs. Here is the scope test: If your AI coding agents are connected to Sentry, Datadog, PagerDuty, Jira, or any MCP-connected data source your developers trust -- and those agents can execute shell commands -- then your stack has the same blind spot. Organizations running Sentry should audit all publicly exposed DSNs immediately. Sentry's architecture intentionally makes DSN credentials public for frontend error reporting, so the mitigation isn't revoking the DSN -- it's restricting what agents can do with the data those DSNs return. Why your stack can't see it Agentjacking works because every step is authorized: The attacker sends a valid Sentry API call using a public DSN, the MCP server returns the injected event as authentic output, and the agent executes the instruction using the developer's privileges. No signature fired. The victim saw only benign diagnostics while the agent silently exposed cloud credentials and source-control tokens. SOC teams have never needed to distinguish between a developer running an npm install and an agent running that command in response to a malicious error event. That distinction did not exist until AI coding agents became production tools. The stack that cannot make it is the stack agentjacking bypasses. Five surveys, one pattern Five independent surveys from the first half of 2026 found that enterprises trust their AI agents far more than their enforcement justifies. Only 34% of organizations apply the same security controls to AI agents as to humans, according to an Okta/Apprize360 survey of 292 executives and 492 knowledge workers. Fifty-two percent of employees use unapproved AI tools, and 58% of executives reported an AI-related incident or close call in the prior year. HiddenLayer's 2026 AI Threat Landscape Report surveyed 250 IT and security leaders: 33% reported agents had already exceeded intended scope, and 31% could not confirm whether they had experienced an AI breach. One in eight AI breaches was linked to agentic systems. Gravitee's survey of over 900 executives and practitioners found only 14.4% of agents went live with full security approval, and 88% reported confirmed or suspected incidents. A follow-up of 750 leaders in April found agent estates had doubled while monitoring barely moved. The runtime gap nobody closed "Securing agents looks very similar to securing highly privileged users," said Elia Zaitsev, CTO of CrowdStrike, in an interview with VentureBeat. "They have identities, access to underlying systems, they reason, they take action." Zaitsev pointed to the gap the industry left open. "No one has been talking about securing agents at runtime. We are doing that now. What is your safety net? If all these controls fail, how do you prevent them from failing silently?" CrowdStrike's fleet data quantifies the exposure: more than 1,800 agentic applications on enterprise endpoints, approximately 160 million instances under monitoring. On June 15, CrowdStrike shipped Continuous Identity for AI Agents at Identiverse, replacing static policies with continuous enforcement that authorizes every agent action in real time. The control class that announcement reflects -- continuous action-level authorization with verifiable agent identity -- is now a baseline procurement criterion regardless of vendor. "People have kind of forgotten about runtime security," Zaitsev said. "We did this with endpoint, virtualization, and cloud. People focused on patching vulnerabilities, locking down permissions. Somehow, they always seem to miss something. The safety net is runtime." Zaitsev was equally direct about sandbox approaches. "If you start with an agent in a sandbox that has no ability to touch anything, it is worthless. Very quickly, you are in this race of giving it more capabilities. And then what is the point of your sandbox?" Agents derive their value from access. Every access grant is an attack surface. The governance gap is a budget problem Kayne McGladrey, an IEEE Senior Member, described the structural challenge in an exclusive interview with VentureBeat. "The CISO doesn't have the budget. The CISO doesn't have the staff. We can observe risks, we can advise on business risks, but we don't own the business systems affected by those risks," McGladrey said. When agent governance spans six departmental budgets, no single executive can confirm whether agents get the same access reviews as humans. The Okta survey quantifies the disconnect. Only 43% of workers say agent policies are clear, compared to 65% of executives, and nearly two-thirds apply weaker controls to agents than to humans. The people deploying agents daily do not recognize the governance posture their leadership claims to have built. Assaf Keren, chief security officer at Qualtrics and former CISO at PayPal, put it plainly. "The real risk starts not by the implementation of AI systems. It is the fact that baseline architecture is not well established. When we put an AI system on top of something not architected well, we are accelerating the fractures." Keren called runtime behavior analytics "an unsolved problem right now." The 5-question gap test The five-question gap test draws on five surveys from the first half of 2026. Each question maps to a gap that agentjacking exploits. Run this before any Q3 vendor evaluation. Security director action plan EU AI Act high-risk compliance obligations take effect August 2, 2026. Worth factoring into Q3 planning timelines. Agentjacking stripped away an assumption that has survived every security architecture since the first firewall went live. Authorized does not mean safe. When every step in the chain is legitimate, the only defense that matters is the one watching what agents do. Not what policies say. What agents do.