5 Sources
[1]
Microsoft says your AI agent can become a double agent
New security research flags misused permissions and poisoned memory, pushing companies to lock down agent access.
Microsoft is warning that the rush to deploy workplace AI agents can create a new kind of insider threat, the AI double agent. In its Cyber Pulse report, it says attackers can twist an assistant's access or feed it untrusted input, then use that reach to cause damage inside an organization.
The problem isn't that AI is new. It's that control is uneven. Microsoft says agents are spreading across industries, while some deployments slip past IT review and security teams lose sight of what is running and what it can touch.
That blind spot gets riskier when an agent can remember and act. Microsoft points to a recent fraudulent campaign its Defender team investigated that used memory poisoning to tamper with an AI assistant's stored context and steer future outputs.
Shadow agents widen the blast radius
Microsoft ties the double agent risk to speed. When rollouts outpace security and compliance, shadow AI shows up fast, and attackers get more chances to hijack a tool that already has legitimate access. That's the nightmare scenario.
The report frames it as an access problem as much as an AI problem. Give an agent broad privileges, and a single tricked workflow can reach data and systems it was never meant to touch. Microsoft pushes observability and centralized management so security teams can see every agent tied into work, including tools that appear outside approved channels.
The sprawl is already happening. Microsoft cites survey work finding 29% of employees have used unapproved AI agents for work tasks, the kind of quiet expansion that makes tampering harder to spot early.
It's not just bad prompts
This isn't limited to someone typing the wrong request. Microsoft highlights memory poisoning as a persistent attack, one that can plant changes that influence later responses and erode trust over time.
Its AI Red Team also saw agents get tricked by deceptive interface elements, including harmful instructions hidden in everyday content, plus task framing that subtly redirects reasoning. It can look normal. That's the point.
What to do next
Microsoft's advice is to treat AI agents like a new class of digital identity, not a simple add-on. The report recommends a Zero Trust posture for agents: verify identity, keep permissions tight, and monitor behavior continuously so unusual actions stand out. Centralized management matters for the same reason. If security teams can inventory agents, understand what they can reach, and enforce consistent controls, the double agent problem gets smaller.
Before you deploy more agents, map what each one can access, apply least privilege, and set monitoring that can flag instruction tampering. If you can't answer those basics yet, slow down and fix that first.
[2]
Risky business? AI agents are asking for your SSH keys. 21,000 exposed instances tell their own cautionary tale...
The most dangerous systems may not be the ones breaking rules, but the ones following them perfectly. That paradox is playing out in a recent security incident involving OpenClaw, an open-source AI agent designed for autonomous task execution and browser control. Security researchers discovered more than 21,000 publicly accessible instances exposed to the internet, alongside a linked social network, Moltbook, that reportedly leaked API keys, login tokens, and email addresses for connected agents.
The incident exposes a growing enterprise security problem. AI agents operate with legitimate credentials, approved workflows, and trusted integrations - the same signals security teams traditionally associate with normal behavior. When those systems are misconfigured or compromised, the resulting activity can appear indistinguishable from authorized use.
In a Zoom interview, Marijus Briedis, Chief Technology Officer at NordVPN, said the incident reflects a pattern he has watched unfold across the AI ecosystem: software shipped quickly, then secured later - if at all. NordVPN has been tracking how rapidly AI tooling is spreading inside organizations, and Briedis views OpenClaw as a vivid example of how "easy to deploy" can become "easy to expose." He explains:
"It was vibe-coded without any security defaults in general in mind because it was just pushed to production as fast as possible as a product to use and easy to use. And it is, right? But people who basically installed it, whether it's a local host or VPS or any server that you own, the creators mismatched the boundaries."
The failures themselves were basic: cleartext local secrets, high-privilege tokens with indefinite lifespans, and a one-click browser takeover chain through trusted gateway URLs, alongside direct access to connected APIs including email and messaging platforms. Rather than an isolated vulnerability, the exposure reflected architectural decisions made without strong security defaults.
As Briedis notes:
"It's such a basic thing. It's not like an isolated bug or something. It's the design flaw in general, how the software was created."
Enterprises have spent the last two years worrying about shadow AI - employees entering sensitive data into large language models without authorization. Briedis believes a related pattern is now emerging, one that extends beyond data exposure into autonomous action:
"Right now, I think there is going to be new phenomena, shadow agents. Because can you imagine? If you have an ability to install an agent, to automate your personal tasks, and to have its productivity, like 10x or 20x, you're going to do that."
Shadow agents can act on data leaked from shadow AI - extending the risk from exposure into execution. The pressure is already visible in day-to-day operations. At NordVPN, a 2,000-person organization, Briedis says security teams receive approximately 200 requests per day from employees seeking approval to use different AI tools. Those requests represent employees asking permission; the more difficult question is how many deployments occur without oversight. Briedis sets out where the responsibility lies:
"This is not a developer problem, or a failure of the developer. This is a failure of control of that organization, in a way, because shadow agents right now is reality."
Approval, however, is not the boundary. An employee running an AI agent on a personal device could inadvertently provide access to corporate systems. Briedis describes a scenario in which an agent captures a session cookie and accesses corporate email - activity that originates outside the enterprise perimeter but operates with legitimate credentials:
"You are using the same OpenClaw or whatever agent on your personal device. If the agent can get your session cookie or something like that and go into your corporate email, there's a problem straight away."
Traditional security operations rely on behavioral patterns to identify compromise.
Human threat actors work in shifts, leave recognizable traces, and exhibit temporal signatures that analysts can detect in logs. AI agents operate differently. He elaborates:
"If you're going to look at the logs in general, most of the time, those actions were approved already. So how are you going to detect that it was hacked in the first place? Because all behavior is going to look legitimate or almost legitimate."
Speed changes the problem as well. Automated agents compress activity timelines and execute tasks continuously, making retrospective analysis more difficult while reducing the signals that typically reveal malicious intent.
Briedis encountered this boundary-testing behavior firsthand while working with Claude Code on testing infrastructure that required private SSH keys. Despite explicit instructions to use alternative credentials, the agent repeatedly attempted to access his private keys after losing context. The risk increases when agents operate with high-privilege tokens, persistent credentials, and broad API access across connected systems, creating pathways that attackers could exploit if the agent itself were compromised.
From a security perspective, many of the required controls are familiar. Strong isolation, role-based access control, policy enforcement, and monitoring remain foundational. What changes is the scope of application - not only who can access an agent, but what the agent itself is permitted to do within automated workflows. Briedis argues:
"You have to think about the same simple RBAC [role-based access control], not only from the connecting to the agent level on what people can use it, but what the agent can do within the automated tasks. We are talking not about what information is coming in, but what information is going out."
Data loss prevention becomes critical when agents can autonomously access and transmit information across connected systems.
Briedis emphasizes short-lived credentials, strong isolation of agent infrastructure, and policy enforcement at both network and application layers. He also points to an emerging category of security tooling: agents that monitor other agents for anomalous behavior. These approaches aim to establish baselines for normal agent activity and alert on deviations, though the field remains early.
Industry groups are beginning to formalize the risk model. The Open Worldwide Application Security Project (OWASP) - a nonprofit foundation that works to improve the security of software - has categorized agentic supply chain vulnerabilities, while zero trust architecture principles provide guidance for managing identity and access in distributed environments. The insurance industry has already begun pricing AI-related security risk, with coverage increasingly dependent on evidence of cybersecurity controls. Insurers now assume breaches will occur and focus on detection and response rather than prevention.
For enterprises experimenting with AI agents, the OpenClaw incident illustrates how quickly automation can outrun oversight. The productivity gains are real, which makes adoption difficult to slow, yet agents also expand the attack surface in ways traditional security models were not designed to manage. Briedis puts it simply:
"If you don't understand what the machine wrote instead of you and what is happening underneath, you lose control of that."
AI agents introduce a different kind of security question. When automated systems act with legitimate access, traditional signals of compromise become less reliable, shifting the challenge from blocking intrusion to maintaining visibility over systems acting on an organization's behalf.
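The three controls Briedis keeps returning to (RBAC scoped to what the agent may do rather than who may talk to it, credentials that expire, and a check on what goes out) fit naturally into one policy gate placed in front of every tool call. The following is an added example written for this page, not code from NordVPN, OpenClaw or the article; the agent names, scopes, token lifetime, secret patterns and payloads are constructed assumptions.

```python
"""Added example for this page (not code from NordVPN, OpenClaw or the article).
A policy gate placed in front of an agent's tool calls that applies three of
the controls Briedis describes: RBAC scoped to what the agent may do (not just
who may talk to it), short-lived credentials, and a check on what goes out.
Agent names, scopes, token lifetime, patterns and payloads are all constructed."""
import re
import time
from dataclasses import dataclass

# Constructed policy: each agent identity lists the (tool, action) pairs it may perform.
# The triage agent may read mail but never send it; the ticket bot never sees mail.
AGENT_POLICY = {
    "inbox-triage-agent": {("mail", "read"), ("calendar", "read")},
    "ticket-bot": {("helpdesk", "read"), ("helpdesk", "write")},
}

# Constructed outbound patterns: shapes of secrets that must not leave via an agent.
# A production DLP ruleset would be broader and tuned to the organization.
SECRET_PATTERNS = [
    re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                              # AWS access key id shape
    re.compile(r"\bsession(?:id|_token)=[A-Za-z0-9._-]{16,}", re.I),  # session cookie shape
]


@dataclass
class AgentToken:
    """Credential issued to an agent for one task; it expires on its own."""
    agent: str
    issued_at: float
    ttl_seconds: int = 900   # 15 minutes: re-issued per task rather than living forever

    def expired(self, now=None) -> bool:
        now = time.time() if now is None else now
        return now > self.issued_at + self.ttl_seconds


@dataclass
class ToolCall:
    tool: str
    action: str
    payload: str = ""       # data the agent wants to send out, if any


def check_call(token: AgentToken, call: ToolCall, now=None) -> tuple[bool, str]:
    """Return (allowed, reason).

    Denies, in order: expired credential, action outside the agent's grant,
    outbound payload that looks like a secret. Allows only when all three pass."""
    if token.expired(now):
        return False, "token expired"
    granted = AGENT_POLICY.get(token.agent, set())
    if (call.tool, call.action) not in granted:
        return False, f"{token.agent} not permitted {call.action} on {call.tool}"
    # The outbound check only applies to actions that transmit data.
    if call.action in {"write", "send"}:
        for pat in SECRET_PATTERNS:
            if pat.search(call.payload):
                return False, f"outbound payload matches secret pattern {pat.pattern!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walkthrough: one agent, one short-lived token, a few attempts.
    tok = AgentToken("inbox-triage-agent", issued_at=time.time())
    for call in (ToolCall("mail", "read"), ToolCall("mail", "send", "hello"),
                 ToolCall("calendar", "read")):
        print(call.tool, call.action, check_call(tok, call))
    print("late call:", check_call(tok, ToolCall("mail", "read"), now=time.time() + 3600))
```

The gate deliberately keys on the agent's identity and the concrete (tool, action) pair, so an agent that is tricked into a new task still cannot widen its own grant, and a token captured from a host is worthless once its short TTL has passed. The outbound check is where the "what information is going out" concern from the interview lands: it is applied only to transmitting actions so read paths stay cheap.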
[3]
Microsoft Says AI Tools With Too Many Privileges Can Become 'Double Agents'
Microsoft has highlighted several risks with artificial intelligence (AI) agents in its latest security report. The most interesting insight is about "AI double agents," which are basically agents with excessive privileges but not enough safeguards. This makes them vulnerable to prompt engineering attacks by bad actors, and turns them into "double agents." With these tools becoming increasingly popular in the enterprise space, the cybersecurity report highlights the security gaps that businesses must address to protect their sensitive data.
Microsoft Highlights Risks With AI Double Agents
The Redmond-based tech giant published findings from its first-party telemetry and research in the latest Cyber Pulse Report. This report focuses on the rise in adoption of AI agents and the security risks that emerge from that. "Recent Microsoft data indicates that these human-agent teams are growing and becoming widely adopted globally," the company said in a blog post. Adding to this, the report claims that more than 80 percent of the Fortune 500 companies are currently deploying AI agents built with low-code or no-code tools. Microsoft says this is a concerning trend as agents built using vibe coding will lack the fundamental security protocols required for an enterprise environment.
In the report, the tech giant mentions that AI agents require protection by increasing observability, governance, and Zero Trust principles-based security measures. Zero trust is essentially a security framework which is built on the principle of "never trust, always verify," assuming no user or device, inside or outside the network, is trustworthy by default.
One interesting trend the report mentions is the concept of AI double agents. Microsoft says the AI agents being developed by companies today have excessive privileges, which poses a security threat. "Bad actors might exploit agents' access and privileges, turning them into unintended 'double agents.' Like human employees, an agent with too much access -- or the wrong instructions -- can become a vulnerability," the post added.
Explaining the risk, the tech giant said that researchers have documented how agents can be misled by deceptive interface elements, such as following harmful instructions added to regular content. Another risk discovered by researchers is redirecting agents via manipulated task framing. Citing a multinational survey of more than 1,700 data security professionals commissioned by Microsoft from Hypothesis Groups, the report claimed that 29 percent of employees are using AI agents for work tasks that are not sanctioned by IT teams. "This is the heart of a cyber risk dilemma. AI agents are bringing new opportunities to the workplace and are becoming woven into internal operations. But an agent's risky behaviour can amplify threats from within and create new failure modes for organisations unprepared to manage them," the report said.
[4]
Businesses Move to Rein In AI in the Shift to Autonomous Finance | PYMNTS.com
The promise of agentic AI is efficiency. Unlike earlier copilots that generated drafts or recommendations, agents can execute multistep workflows across systems with limited human intervention. That shift from assistance to action is precisely what creates risk. A compromised, poorly trained or misaligned agent can move funds, expose sensitive data or replicate flawed decisions at scale, turning what would once have been an isolated human error into a systemic event.
Security researchers cited by CSO Online estimate that more than 1.5 million AI agents deployed across enterprise environments could be exposed to misuse or compromise. The figure is derived from telemetry across cloud platforms, SaaS integrations and API-connected automation tools, where organizations have rapidly embedded agents into ticketing systems, payment rails and data pipelines without consistently applying identity governance. As companies experiment with hundreds or thousands of task-specific agents, the cumulative attack surface expands faster than traditional security controls were designed to handle.
At the same time, Fortune has reported that enterprises are accelerating adoption despite persistent internal concerns about trust, accountability and job redesign. Executives describe measurable gains in productivity, particularly in back-office workflows, yet acknowledge that risk and compliance leaders are demanding clearer frameworks before granting broader autonomy. That tension between speed and control defines the current phase of agentic AI deployment.
The first line of defense mirrors established cybersecurity doctrine: identity and access management. But instead of governing human users, companies are assigning credentials, roles and permissions to nonhuman agents. In practice, that means every agent is provisioned with a defined digital identity, access rights and permissions. An accounts payable agent may reconcile invoices and flag discrepancies but lack authority to release funds without escalation, for example. A compliance agent may gather documentation across sanctions lists and internal databases but stop short of filing regulatory reports independently.
VentureBeat has described how enterprise IT operations are straining under the proliferation of loosely governed agents, prompting the emergence of "AgenticOps" frameworks. These frameworks apply DevOps-style life cycle management to AI agents, embedding policy enforcement, observability and runtime controls into deployment pipelines. Rather than granting blanket API access, enterprises are segmenting environments so that each agent's authority is narrow, auditable and revocable.
Computer Weekly outlined the concept of "guardian agents." These supervisory systems continuously monitor the behavior of operational agents, enforcing policy boundaries and detecting deviations in real time. If a procurement agent suddenly attempts to access payroll systems or initiates unusually large transactions, the guardian layer can flag, throttle or block the activity. The architecture effectively creates a hierarchy of oversight in which AI systems monitor other AI systems, echoing internal audit functions in traditional enterprises.
Controls alone are insufficient if organizations cannot reconstruct what an agent did, why it did it and which data it relied upon. Comprehensive logging is becoming a baseline requirement. Enterprises are capturing prompts, model versions, retrieved data sources and execution outcomes to ensure that every action can be replayed and reviewed. The Wall Street Journal reported that Noma Security raised $100 million to secure AI agents, highlighting that governance tooling will become a core cybersecurity category.
Noma and similar vendors focus on monitoring agent communications, validating tool usage and preventing prompt injection or unauthorized escalation of privileges. Insurance markets are also beginning to formalize the risk. Fortune reported that AIUC, an insurance startup launched by former GitHub CEO Nat Friedman, raised $15 million in seed funding to underwrite losses tied specifically to AI agent failures, including erroneous financial transactions and compliance breaches. The company is building actuarial models around autonomous system risk and requiring enterprises to demonstrate documented controls before extending coverage.
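The guardian-agent idea above (a procurement agent touching payroll, an unusually large transaction, flag/throttle/block) and the logging requirement that follows it can be shown together as one small supervisory loop. The following is an added example written for this page, not code from Computer Weekly, PYMNTS, Noma or any vendor; the agents, baselines, thresholds and action stream are constructed assumptions.

```python
"""Added example for this page (not code from Computer Weekly, PYMNTS or any
vendor). A toy 'guardian' layer that judges each operational agent's action
against a per-agent baseline and returns allow / flag / throttle / block, and
writes the replayable audit record the article describes (prompt hash, model
version, data sources, outcome). Baselines, agents and actions are constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Baseline:
    resources: set            # systems this agent normally touches
    max_amount: float = 0.0   # largest transaction observed while baselining
    max_per_minute: int = 30  # normal action rate


# Constructed baselines for two finance agents (the article's procurement and
# accounts payable examples).
BASELINES = {
    "procurement-agent": Baseline({"erp.purchase_orders", "vendor_master"}, max_amount=25_000),
    "ap-agent": Baseline({"erp.invoices", "erp.payments"}, max_amount=50_000, max_per_minute=5),
}


@dataclass
class Action:
    ts: float                 # seconds
    agent: str
    resource: str
    kind: str                 # "read" or "transact"
    amount: float = 0.0
    model_version: str = ""
    prompt_hash: str = ""     # hash of the prompt that led here, for replay
    sources: tuple = ()       # data sources the agent retrieved


class Guardian:
    """Supervisory layer: every attempt is logged, then judged against the baseline."""

    def __init__(self, baselines, window_seconds=60):
        self.baselines = baselines
        self.window = window_seconds
        self.recent = {}   # agent -> timestamps in the window (all attempts count)
        self.audit = []    # replayable record of what was tried and what was decided

    def _rate(self, a: Action) -> int:
        q = self.recent.setdefault(a.agent, deque())
        q.append(a.ts)
        while q and q[0] < a.ts - self.window:
            q.popleft()
        return len(q)

    def evaluate(self, a: Action) -> str:
        rate = self._rate(a)
        base = self.baselines.get(a.agent)
        if base is None:
            decision, why = "block", "agent has no baseline (unregistered)"
        elif a.resource not in base.resources:
            decision, why = "block", f"{a.resource} is outside this agent's baseline"
        elif a.kind == "transact" and a.amount > 5 * base.max_amount:
            decision, why = "block", "amount far above baseline"
        elif a.kind == "transact" and a.amount > 2 * base.max_amount:
            decision, why = "flag", "amount above baseline, needs review"
        elif rate > base.max_per_minute:
            decision, why = "throttle", "rate above baseline"
        else:
            decision, why = "allow", "within baseline"
        self.audit.append({
            "ts": a.ts, "agent": a.agent, "resource": a.resource, "kind": a.kind,
            "amount": a.amount, "model_version": a.model_version,
            "prompt_hash": a.prompt_hash, "sources": list(a.sources),
            "decision": decision, "reason": why,
        })
        return decision


def run_sample():
    """Constructed stream: normal work, an oversized order, a payroll probe,
    an oversized payment, an unregistered agent, and a burst of reads."""
    g = Guardian(BASELINES)
    actions = [
        Action(10, "procurement-agent", "erp.purchase_orders", "read",
               model_version="m-1", prompt_hash="c0ffee", sources=("vendor_master",)),
        Action(11, "procurement-agent", "erp.purchase_orders", "transact", amount=60_000),
        Action(12, "procurement-agent", "payroll.salaries", "read"),
        Action(13, "ap-agent", "erp.payments", "transact", amount=300_000),
        Action(14, "shadow-agent", "erp.invoices", "read"),
    ]
    actions += [Action(20 + i, "ap-agent", "erp.invoices", "read") for i in range(6)]
    return [g.evaluate(a) for a in actions], g.audit


if __name__ == "__main__":
    decisions, audit = run_sample()
    for rec, d in zip(audit, decisions):
        print(rec["ts"], rec["agent"], rec["resource"], "->", d, "|", rec["reason"])
```

Two design choices matter here. Blocked and throttled attempts are still counted toward the rate window and still written to the audit log, because a compromised agent's failed probes are exactly the signal the article says is otherwise missing from logs full of approved actions. And the guardian's own thresholds are data, not model output, so a poisoned operational agent cannot argue its way past them.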
[5]
Over 80% of Fortune-500 Companies Have Adopted AI Agents, but Security Lags
However, the problem is that the frenetic pace of this digital transformation has resulted in security preparedness lagging considerably.
A new report by Microsoft describes 2026 as the "Year of the AI Agent" as more than 80% of all Fortune 500 companies have deployed AI agents or autonomous software tools that perform tasks without direct human intervention. However, this growth has also introduced risks within these enterprises around security preparedness.
"More than 80% of Fortune 500 companies today use AI active agents built with low-code/no-code tools. AI is ubiquitous in many operations, and generative AI-powered agents are embedded in workflows across sales, finance, security, customer service, and product innovation," says the report.
What's more, it has also created a security problem where unsupervised and ungoverned AI agents are potentially compounding risks to the enterprise across security, business continuity, and reputation. All of these challenges are squarely landing at the feet of the CISO and the leadership group in charge of these enterprises - the C-suite.
"This is the heart of a cyber risk dilemma. AI agents are bringing new opportunities to the workplace and are becoming woven into internal operations. But an agent's risky behaviour can amplify threats from within and create new failure modes for organizations unprepared to manage them."
Microsoft's "Cyber Pulse: An AI Security Report" notes that businesses across sectors are embedding AI agents into workflows ranging from manufacturing to finance and retail. However, in spite of this widespread adoption, there is a "visibility gap" and security shortfalls that could turn AI-led productivity boosters into inadvertent vulnerabilities without proper management.
The report is based on Microsoft's telemetry and security research and suggests that AI agents are now deployed across many Fortune 500 firms in technology, manufacturing, and financial services sectors, often built using low-code or no-code tools that democratise their creation across multiple teams. It notes that AI agents can automate routine tasks, summarise data, interact with internal systems and support humans regularly, with their use spreading across geographies in Europe and the Middle East, Africa, Asia and the United States. However, only 47% of enterprises in these regions have implemented specific generative AI security safeguards.
A prominent concern identified by Microsoft involves "Shadow AI", the use of unsanctioned or poorly monitored AI agents by employees outside the formal IT oversight within an enterprise. In addition, it also introduces the "AI double agents" concept, where these systems can become liabilities when given excessive privileges without proper safeguards. This opens up the possibility of attackers exploiting deceptive prompts or interface elements to push malware into the agent's memory or into the task logic. This could result in the AI agent performing unintended actions such as leaking sensitive data long after the event. Moreover, they can also gain more autonomy and deeper integration with corporate systems, becoming conduits for cyberthreats at a future date.
Nearly 30% of staff admit to using such tools on their own, creating hidden risks within enterprise networks that security teams may not be aware of. This disparity is noteworthy, as it indicates that numerous organizations are deploying AI capabilities and agents prior to establishing appropriate controls for access management, data protection, compliance, and accountability, the report notes.
Following this rapid expansion and the multiplying of transformation opportunities, the report argues that now is the right time to "get foundational controls in place." AI agents must be held to the same standards as employees or service accounts, which means that enterprises should apply Zero Trust security principles consistently. They should be given least privilege access, whereby every user, AI agent, or system gets only what they need. Verification should be explicit, confirming identity, health, location, and risk level. And systems should always be designed on the assumption that compromises can occur and cyber criminals are just a step away.
"These principles are not new, and many security teams have implemented Zero Trust principles in their organization. What's new is their application to non‑human users operating at scale and speed. Organizations that embed these controls within their deployment of AI agents from the beginning will be able to move faster, building trust in AI," the report says.
"AI governance cannot live solely within IT, and AI security cannot be delegated only to chief information security officers (CISOs). This is a cross functional responsibility, spanning legal, compliance, human resources, data science, business leadership, and the board."
The Cyber Pulse report outlines five core capabilities that enterprises would require to establish true observability and governance of AI agents. It starts with a central registry acting as a single source of truth for all agents -- sanctioned, third-party, and emerging shadow agents. It would help prevent agent sprawl, ensure accountability and support discovery. The next involves access control, where each agent is governed by the same identity and policy-driven access controls applied uniformly to human users and applications.
The third is visualization, whereby real-time dashboards and telemetry provide insights into how agents interact with people, data, and systems to monitor behaviour and impact. Next comes interoperability, where agents operate across platforms, open-source frameworks and third-party ecosystems with a consistent governance model, so that collaboration with people and other agents is smooth but under the same set of controls. And finally, there is security, provided by built-in safeguards that protect agents from internal misuse and external cyberthreats.
"You can't protect what you can't see, and you can't manage what you don't understand. Observability is having a control plane across all layers of the organization (IT, security, developers, and AI teams) to understand," the report says.
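The first of the five capabilities, a central registry that is the single source of truth and "supports discovery", only earns that description if it is regularly reconciled against what is actually running. The following is an added example written for this page, not code from Microsoft or the Cyber Pulse report; it assumes a registry keyed by agent identity with granted scopes, and telemetry in the form of one JSON record per observed tool call, both constructed here.

```python
"""Added example for this page (not code from Microsoft or the report).
Reconciles a central agent registry (the 'single source of truth') against
gateway telemetry to surface three things the report's registry capability
is meant to expose: shadow agents, agents whose observed scopes drift beyond
their registered grant, and registered agents that are never seen.
Registry entries and telemetry lines are constructed."""
import json
from collections import defaultdict

# Constructed registry: sanctioned agents, their owners and granted scopes.
REGISTRY = {
    "sales-summarizer": {"owner": "sales-ops", "scopes": {"crm:read"}},
    "ap-agent": {"owner": "finance", "scopes": {"erp:invoices:read", "erp:payments:write"}},
    "hr-faq-bot": {"owner": "hr", "scopes": {"wiki:read"}},
}

# Constructed telemetry: one JSON record per observed tool call, as an API
# gateway or proxy might emit it. Blank lines are tolerated.
TELEMETRY = """
{"agent": "sales-summarizer", "scope": "crm:read"}
{"agent": "sales-summarizer", "scope": "crm:export"}
{"agent": "ap-agent", "scope": "erp:invoices:read"}

{"agent": "quarterly-bot", "scope": "erp:payments:write"}
{"agent": "quarterly-bot", "scope": "mail:send"}
"""


def observed_scopes(telemetry_text: str) -> dict:
    """Map each agent identity seen in telemetry to the set of scopes it used."""
    seen = defaultdict(set)
    for line in telemetry_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        seen[rec["agent"]].add(rec["scope"])
    return seen


def reconcile(registry: dict, telemetry_text: str) -> dict:
    """Compare what is registered with what is actually running and touching systems."""
    seen = observed_scopes(telemetry_text)
    report = {"shadow": {}, "drift": {}, "dormant": [], "ok": []}
    for agent, scopes in seen.items():
        if agent not in registry:
            # Active but never registered: the discovery case the registry exists for.
            report["shadow"][agent] = sorted(scopes)
            continue
        excess = scopes - registry[agent]["scopes"]
        if excess:
            # Using scopes beyond the recorded grant: either the record is stale
            # or enforcement is not tied to the registry. Both need a human.
            report["drift"][agent] = sorted(excess)
        else:
            report["ok"].append(agent)
    # Registered but silent: candidates for decommissioning so the inventory stays true.
    report["dormant"] = sorted(a for a in registry if a not in seen)
    report["ok"].sort()
    return report


if __name__ == "__main__":
    print(json.dumps(reconcile(REGISTRY, TELEMETRY), indent=2))
```

Run on the constructed input, the report lists quarterly-bot as a shadow agent that is already writing payments and sending mail, sales-summarizer as drifting into an export scope it was never granted, and hr-faq-bot as registered but dormant. Each of those is a different follow-up (onboard or shut down, fix the grant or the enforcement, retire the record), which is why the reconciliation keeps them in separate buckets rather than one "mismatch" list.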
Microsoft's Cyber Pulse Report reveals that over 80% of Fortune 500 companies have deployed AI agents, but security hasn't kept pace. The report warns of 'AI double agents'—autonomous tools with excessive privileges that attackers can exploit through prompt engineering and memory poisoning. With 29% of employees using unsanctioned AI agents, enterprises face a growing insider threat that traditional security controls struggle to detect.
Microsoft has issued a stark warning about the rapid deployment of AI agents across enterprises, identifying a critical security gap that could transform productivity tools into insider threats. In its latest Microsoft Cyber Pulse Report, the tech giant reveals that more than 80% of Fortune 500 companies have already deployed AI agents built with low-code no-code tools, yet only 47% have implemented specific AI security safeguards [1][5]. This disparity between adoption and protection creates what Microsoft calls "AI double agents"—autonomous systems with excessive privileges that attackers can manipulate to cause damage from within an organization.
The problem extends beyond traditional cybersecurity concerns. AI agents operate with legitimate credentials and approved workflows, making compromised activity nearly indistinguishable from authorized use. Microsoft's research highlights memory poisoning as a persistent attack method, where malicious actors plant changes in an AI assistant's stored context to influence future outputs and erode trust over time [1]. The company's AI Red Team also documented how agents can be tricked by deceptive interface elements and harmful instructions hidden in everyday content [3].
The rapid deployment of AI tools has created a phenomenon Microsoft identifies as Shadow AI—unsanctioned or poorly monitored AI agents used by employees outside formal IT oversight. A multinational survey of more than 1,700 data security professionals commissioned by Microsoft found that 29% of employees have used unapproved AI agents for work tasks [1][3]. This quiet expansion makes tampering harder to spot early and widens the attack surface faster than traditional cybersecurity controls can handle.
The OpenClaw incident illustrates the scale of this vulnerability. Security researchers discovered more than 21,000 publicly accessible instances of this open-source AI agent exposed to the internet, alongside a linked social network that reportedly leaked API keys, login tokens, and email addresses [2]. Marijus Briedis, Chief Technology Officer at NordVPN, described the incident as reflecting a pattern across the AI ecosystem: "It was vibe-coded without any security defaults in general in mind because it was just pushed to production as fast as possible" [2]. At NordVPN, a 2,000-person organization, security teams receive approximately 200 requests per day from employees seeking approval to use different AI tools, representing only those asking permission—the more difficult question is how many deployments occur without oversight.
The shift from AI copilots that generate recommendations to agentic AI that executes multistep workflows creates fundamentally different risks. A compromised or poorly trained agent can move funds, expose sensitive data, or replicate flawed decisions at scale, turning what would once have been an isolated human error into a systemic event [4]. Security researchers estimate that more than 1.5 million AI agents deployed across enterprise environments could be exposed to misuse or compromise [4].
Traditional security operations rely on behavioral patterns to identify compromise, but AI agents operate differently. Human threat actors work in shifts and leave recognizable traces, while automated agents compress activity timelines and execute tasks continuously. Briedis explains the detection challenge: "If you're going to look at the logs in general, most of the time, those actions were approved already. So how are you going to detect that it was hacked in the first place? Because all behavior is going to look legitimate or almost legitimate" [2].
Microsoft recommends treating AI agents as a new class of digital identity, applying Zero Trust security principles consistently. This means verifying identity explicitly, granting least privilege access so every agent gets only what it needs, and designing systems assuming breaches can occur [1][5]. In practice, this requires assigning credentials, roles, and permissions to nonhuman agents just as enterprises do for human users. An accounts payable agent might reconcile invoices and flag discrepancies but lack authority to release funds without escalation [4].
Enterprise IT operations are responding with AgenticOps frameworks that apply DevOps-style life cycle management to AI agents, embedding policy enforcement, observability, and runtime controls into deployment pipelines [4]. Guardian agents—supervisory systems that continuously monitor operational agents—can flag, throttle, or block unusual activity such as a procurement agent suddenly attempting to access payroll systems. This architecture creates a hierarchy of oversight where AI systems monitor other AI systems.
Microsoft emphasizes that AI governance cannot live solely within IT departments. The Cyber Pulse Report states: "AI governance cannot live solely within IT, and AI security cannot be delegated only to chief information security officers. This is a cross functional responsibility, spanning legal, compliance, human resources, data science, business leadership, and the board" [5]. The insurance market is formalizing this risk, with startups like AIUC raising $15 million in seed funding to underwrite losses tied specifically to AI agent failures, including erroneous financial transactions and compliance breaches [4].
Security vendors are building specialized tools for this emerging category. Noma Security raised $100 million to secure AI agents, focusing on monitoring agent communications, validating tool usage, and preventing prompt engineering attacks or unauthorized escalation of privileges [4]. Microsoft's advice is clear: before deploying more agents, map what each one can access, apply least privilege, and set monitoring that can flag instruction tampering. Organizations that embed these controls from the beginning will build trust in AI while moving faster, but those unable to answer these basics should slow down and address access management gaps first [1].
Summarized by Navi