TL;DR: A survey of 300 enterprise leaders found 97% expect a material AI-agent-driven security or fraud incident within 12 months, with nearly half expecting one within six months, while only 6% of security budgets are allocated to the risk, according to Arkose Labs. The gap is now governance, visibility, and attribution, because autonomous access can move faster than review cycles can respond.
At a glance
What this is: Arkose Labs reports that enterprise leaders overwhelmingly expect an AI-agent-driven security incident within a year, yet formal governance and budget allocation remain sparse.
Why it matters: For IAM practitioners, the finding shows that agentic AI is becoming an identity governance problem, not just a detection problem, because legitimate credentials now drive high-speed actions across systems.
By the numbers:
- 97% of respondents expect a material AI-agent-driven security or fraud incident within the next 12 months.
- Only 6% of security budgets are currently allocated to this risk.
- The report is based on a global survey of 300 enterprise leaders across security, fraud, identity and AI functions.
👉 Read Arkose Labs' 2026 report on AI agent security and enterprise readiness
Context
AI agent security is the governance problem that appears when software can plan, choose actions, and execute them inside enterprise systems using legitimate credentials. In this article, Arkose Labs argues that enterprises adopted agentic AI faster than the identity, security, and oversight controls needed to manage it, leaving a widening readiness gap.
That gap matters because the actor is not a traditional workload in a fixed workflow. AI agents can retrieve data, trigger transactions, and move across services in ways that look operationally normal, which makes attribution, monitoring, and access governance inseparable from the security question.
Key questions
Q: How should security teams govern AI agents that operate with legitimate enterprise credentials?
A: Security teams should govern AI agents as non-human identities with explicit ownership, traceable scope, and monitored action paths. The priority is not just blocking abuse, but proving what each agent can do, which systems it can touch, and who is accountable when behaviour crosses its intended boundary.
Q: Why do AI agents create more attribution risk than conventional automation?
A: AI agents create more attribution risk because they can choose actions at runtime and move across multiple services using valid credentials. That makes their behaviour resemble legitimate operations, so investigators may see normal-looking system activity without a clear proof of intent, actor, or approval path.
Q: What do organisations get wrong about AI agent governance?
A: Organisations often treat AI agent governance as a policy exercise after deployment instead of an identity problem before deployment. The common mistake is assuming existing IAM and logging will be enough, when the real requirement is to classify, own, and trace every agent identity from the start.
Q: What should teams do first when AI agents are already in production?
A: Teams should first inventory all agent identities, map the credentials they use, and verify that each one has a named sponsor and monitored workflow. That creates the minimum basis for containment, investigation, and accountability before broader policy changes are attempted.
Technical breakdown
Legitimate credentials create the first control blind spot
AI agents in this model are not breaking in through stolen passwords alone. They are operating through service accounts, API tokens, and application identities that the enterprise already trusts, which makes their activity harder to separate from routine machine-to-machine traffic. The problem is not simply access, but access that is valid, privileged, and difficult to distinguish from normal automation once it starts moving across systems. That is why visibility into credential use, invocation paths, and downstream actions becomes a prerequisite for governance rather than an afterthought.
Practical implication: map every agent-used credential to an accountable owner and monitored workflow path.
Attribution breaks when automated actions look legitimate
Attribution is the ability to prove which actor performed which action, through which identity, and with what outcome. In agentic environments, that becomes difficult because the agent can move through several services in a single workflow, leaving evidence that resembles approved system behaviour rather than malicious activity. Without correlated logs across APIs, services, and identities, investigations can stall at the point where regulators or internal response teams need a defensible narrative. The core issue is not just detection, but provable causation.
Practical implication: retain cross-system telemetry that links each agent action to a traceable identity and outcome.
Governance controls must cover autonomous decision chains
Agentic AI changes the control surface because the risk accumulates across a sequence of decisions, not a single event. A workflow may begin with sanctioned access, then branch into data retrieval, transaction initiation, or credential disclosure without a human approval point between those steps. That means policy has to be expressed around decision chains, not just isolated entitlements. When the actor can select actions at runtime, the governance question becomes whether the organisation can bound the chain before it becomes a business process of its own.
Practical implication: define approval and scope boundaries for each automated decision chain before production release.
Threat narrative
Attacker objective: The objective is to use trusted automated identities to produce business-impacting actions while remaining difficult to distinguish from legitimate enterprise automation.
- Entry begins with legitimate access through service accounts, API tokens, or application identities that have already been approved for enterprise use.
- Escalation occurs when the agent uses those credentials to retrieve data, trigger transactions, or move across connected services in ways that exceed the intent of the original workflow.
- Impact follows when those actions become difficult to attribute, investigate, or constrain, creating fraud, security, and accountability exposure across the environment.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Legitimate credentials are now the insider threat surface for agentic AI. Arkose Labs' findings reinforce a structural shift that identity teams cannot ignore: malicious behaviour is no longer defined by compromised human logins alone. When AI agents operate through service accounts and API tokens, the enterprise must treat machine identities as active participants in insider-risk analysis, not passive infrastructure.
Attribution failure is the real governance breaker, not just poor detection. The report's 26% confidence level for proving that an AI agent caused an incident shows how quickly accountability can collapse once autonomous actions move across systems. That is a governance failure because response, legal, and audit teams cannot close the loop if they cannot reconstruct the actor, the path, and the outcome.
Identity-first agent governance is becoming the category boundary. The market is moving from generic AI security toward controls that classify, observe, and constrain non-human actors before they reach production scale. Organisations that still bolt AI oversight onto existing IAM after deployment will continue to inherit the wrong control model for the problem.
Runtime visibility must now be paired with access accountability. The article's emphasis on monitoring automated decision chains is directionally right, but the deeper lesson is that access without traceable ownership is no longer governable at enterprise speed. Practitioners should view every agent identity as a bounded business actor with a lifecycle, a sponsor, and an audit trail.
From our research:
- 97% of respondents expect a material AI-agent-driven security or fraud incident within the next 12 months, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- For a deeper NHI context: 52 NHI Breaches Analysis shows how identity visibility failures turn into incident escalation patterns across real environments.
What this signals
Agentic AI is forcing identity programmes to split governance by actor type. The same controls do not belong on human users, workload identities, and runtime decision-making systems, because the evidence, accountability, and review cycles differ materially. Teams should be preparing separate lifecycle and audit paths for each identity class rather than stretching one IAM model across all three.
Attribution is becoming a board-level control requirement, not a security nice-to-have. If only 26% of leaders can prove that an AI agent caused an incident, then incident response, legal hold, and compliance reporting all inherit the same weakness. That is why telemetry design now belongs in the identity architecture conversation, alongside access policy and authentication.
Identity blast radius is the right named concept for this phase. When an agent can retrieve data, trigger transactions, and act across services with legitimate credentials, the question becomes how far one identity can move before governance breaks. Practitioners should reduce the blast radius of each agent identity by narrowing scope, tightening traceability, and making ownership explicit.
For practitioners
- Inventory every AI agent identity and its sponsor: Create a register of service accounts, API tokens, and application identities used by AI agents, then assign a human owner and a business purpose to each one. The key control is knowing which credentials belong to which automated workflow and who can attest to its use.
- Correlate agent actions across systems and APIs: Instrument logs so that one agent session can be traced across credential use, data access, and downstream actions in connected services. Without that linkage, attribution fails even when detection fires. Use the telemetry to support incident reconstruction and audit review.
- Bound automated decision chains before production: Require explicit scope boundaries for what an agent may retrieve, trigger, or disclose, then review those boundaries before release into live environments. Agentic risk emerges when allowed actions compound into a workflow that no one approved as a whole.
- Separate governance for human, workload, and agent identities: Do not force AI agents into the same review cadence used for human accounts. Build identity governance rules that distinguish between interactive users, static machine identities, and runtime decision-making systems, with different monitoring and accountability requirements for each.
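The following is an added example, not code from the article or from Arkose Labs, that ties together the inventory, cross-system correlation and decision-chain bounding steps above (and the "Technical breakdown" sections). It assumes a hypothetical agent register keyed by credential principal, a constructed JSON log schema in which every service stamps the session's correlation id, and made-up service and principal names.

```python
import json
# Hypothetical agent register (constructed): principal -> accountable owner and allowed actions per service.
AGENT_REGISTER = {
    "svc-invoice-agent": {
        "owner": "ap-team-lead",
        "scope": {"gateway": {"auth"}, "erp": {"read:invoice"}, "payments": {"create:payment"}},
    },
}

# Constructed sample log lines: each service emits JSON events carrying the session's correlation id.
SAMPLE_LOGS = [
    '{"ts":"2026-04-02T10:00:01Z","service":"gateway","principal":"svc-invoice-agent","corr":"c1","action":"auth"}',
    '{"ts":"2026-04-02T10:00:03Z","service":"payments","principal":"svc-invoice-agent","corr":"c1","action":"create:payment"}',
    '{"ts":"2026-04-02T10:00:02Z","service":"erp","principal":"svc-invoice-agent","corr":"c1","action":"read:invoice"}',
    '{"ts":"2026-04-02T10:00:04Z","service":"hr","principal":"svc-invoice-agent","corr":"c1","action":"read:employee"}',
    '{"ts":"2026-04-02T10:05:00Z","service":"erp","principal":"svc-unknown-bot","corr":"c2","action":"read:invoice"}',
]

def reconstruct_chains(lines):
    """Group events by correlation id and order by time: one decision chain per agent session."""
    chains = {}
    for line in lines:
        ev = json.loads(line)
        chains.setdefault(ev["corr"], []).append(ev)
    for events in chains.values():
        events.sort(key=lambda e: e["ts"])
    return chains

def audit_chain(corr, events):
    """Flag steps with no accountable owner or outside declared scope, recording actor, path and outcome."""
    findings, path = [], []
    for ev in events:
        path.append(ev["service"])
        entry = AGENT_REGISTER.get(ev["principal"])
        if entry is None:
            reason = "unregistered identity: no owner or scope on record"
        elif ev["action"] not in entry["scope"].get(ev["service"], set()):
            reason = "action outside declared scope for this service"
        else:
            continue
        findings.append({"corr": corr, "principal": ev["principal"], "owner": entry["owner"] if entry else None,
                         "service": ev["service"], "action": ev["action"], "path": list(path), "reason": reason})
    return findings

def audit_logs(lines):
    """Reconstruct every chain from raw log lines and return all findings, ordered by session id."""
    findings = []
    for corr, events in sorted(reconstruct_chains(lines).items()):
        findings.extend(audit_chain(corr, events))
    return findings
```

On the constructed input this yields two findings: the registered invoice agent stepping from its sanctioned ERP-to-payments path into an HR service it was never scoped for, and an unregistered principal with no owner at all.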
Key takeaways
- AI agents are becoming a non-human identity problem because they act through legitimate credentials inside enterprise systems.
- The scale signal is clear: 97% of surveyed leaders expect an AI-agent-driven incident within a year, but only 6% of budgets are allocated to the risk.
- Practitioners need identity ownership, cross-system attribution, and bounded decision chains before agentic deployment outruns governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Agent runtime behaviour and tool use create the exposure described in this article. |
| OWASP Non-Human Identity Top 10 | NHI-01 | AI agents operate through credentials that must be inventoried and owned. |
| NIST CSF 2.0 | PR.AC-4 | Access control and identity management are central to limiting agent misuse. |
Register every agent identity, assign ownership, and review its access scope on a fixed cycle.
Key terms
- Agent Identity: An agent identity is the non-human identity a software agent uses to operate inside enterprise systems. It may be a service account, token, or application credential, but the governance question is always the same: who owns it, what can it do, and how is its behaviour traced when it acts independently?
- Attribution: Attribution is the ability to prove which identity performed a specific action, through which systems, and with what outcome. In agentic environments, attribution must span APIs, services, and workflow steps, because isolated logs are rarely enough to reconstruct decision chains or support audit and incident response.
- Decision Chain: A decision chain is the sequence of automated choices and actions an AI agent takes during execution. Unlike a single policy decision, the chain can branch across systems and produce compound effects, which is why governance must bound the whole sequence rather than only the starting permission.
- Identity Blast Radius: Identity blast radius is the maximum damage one identity can cause before controls stop it. For AI agents, the concept is especially useful because a single credential can trigger data access, transactions, and cross-service movement, making scope, traceability, and ownership the controls that actually shrink exposure.
Deepen your knowledge
AI agent identity governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for agentic systems with similar exposure, it is worth exploring.
This post draws on content published by Arkose Labs: AI 97% of Enterprises Expect a Major AI Agent Security Incident Within the Year. Read the original.
Published by the NHIMG editorial team on 2026-04-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org