By NHI Mgmt Group Editorial Team
Published 2026-03-18
Domain: Agentic AI & NHIs
Source: HiddenLayer

TL;DR: One in eight reported AI breaches is now linked to agentic systems, while 76% of organisations cite shadow AI as a definite or probable problem and 31% do not know whether they experienced an AI security breach in the past year, according to HiddenLayer’s 2026 AI Threat Landscape Report based on a survey of 250 IT and security leaders. The governance gap is no longer theoretical: controls built for static software cannot reliably contain systems that browse, execute, and act at runtime.


At a glance

What this is: HiddenLayer’s 2026 AI Threat Landscape Report says agentic systems are already tied to 1 in 8 reported AI breaches, alongside widening visibility gaps and shadow AI growth.

Why it matters: IAM and security teams need to treat AI agents as governed identities, because autonomy expands access, alters trust assumptions, and can outpace existing lifecycle and control models.

By the numbers:

👉 Read HiddenLayer’s 2026 AI Threat Landscape Report on agentic AI risk


Context

Agentic AI is software that can select actions, use tools, and execute multi-step workflows with limited or no human intervention. That matters for identity governance because the thing being controlled is no longer just a model or an application, but an actor that can consume credentials, invoke tools, and create downstream access paths on its own. In practice, that shifts AI security into the same governance conversation as non-human identity.

HiddenLayer’s report describes a market where adoption is outrunning control design. Security teams are adding AI into production workflows while still relying on monitoring, approval, and disclosure practices that were built for more predictable systems. The result is not only more exposure, but less clarity about who owns the risk, which identities are involved, and when a breach has actually occurred.

The central issue is not whether AI can be useful. It is whether enterprise IAM, PAM, and lifecycle processes can govern systems that behave more like runtime actors than static software. For practitioners, that means the control plane has to expand from access assignment to access behaviour, auditability, and scope drift across the full AI lifecycle.


Key questions

Q: What breaks when AI agents are governed like normal applications?

A: When AI agents are governed like normal applications, the programme usually focuses on deployment and monitoring, but not on runtime authority. That fails because an agent can select tools, execute multi-step actions, and reach data or systems outside the original intent. Governance has to track behaviour, not just installation state.

Q: Why do AI agents complicate zero trust and least privilege?

A: AI agents complicate zero trust and least privilege because their effective privilege can change during execution. A human or static service account may be easy to scope at provisioning time, but an agent can chain actions and widen its practical reach once it starts using tools. Least privilege has to be enforced at runtime, not only at setup.

Q: How do security teams know if shadow AI is actually under control?

A: Security teams know shadow AI is under control when they can inventory every agent, model workflow, and tool connection, then map each one to an owner and access scope. If they cannot explain who owns it, what it can access, and when it was last reviewed, it is not controlled.

Q: What should organisations do first after discovering unmanaged AI agents?

A: Organisations should first isolate the credentials, tool connections, and data paths attached to the unmanaged agent before expanding use further. Then they should decide whether the system is approved, remediated, or retired. That sequence limits hidden authority and reduces the chance of an unseen workflow becoming an attack path.


Technical breakdown

Agentic AI as a non-human identity

Agentic AI becomes an identity problem when the system can browse, execute code, access files, and trigger workflows rather than simply return a response. At that point, it behaves like a non-human identity with runtime authority, because it can touch tools and data without a human present for each step. The important shift is that compromise no longer needs to happen through the model alone. Attackers can target the surrounding access path, the tools the agent may invoke, and the permissions that were assumed to be safe when the system was still assistive.

Practical implication: classify AI agents into identity inventory, map their tool permissions, and govern them alongside other privileged non-human identities.

Prompt injection becomes operational when agents can act

Prompt injection is no longer just a content manipulation problem once the agent can complete actions outside the chat window. If an injected instruction can influence tool selection, code execution, or multi-step task flow, the impact moves from model misbehaviour to operational compromise. That is why the security boundary must include the agent’s execution context, not only the prompt. The more authority the agent has, the more a successful injection can amplify into data access, workflow abuse, or lateral movement through connected systems.

Practical implication: put runtime policy and tool-level authorization around agent actions, not only content filters in front of the model.

Shadow AI widens the identity blind spot

Shadow AI is unmanaged AI activity that exists outside formal governance. In identity terms, that means there may be agents, APIs, or embedded model workflows with active access that are not fully discovered, documented, or recertified. HiddenLayer’s findings show the visibility problem is already common, with many organisations unable to say whether they were breached at all. Once discovery is incomplete, every downstream control becomes partial, because you cannot govern what you have not inventoried.

Practical implication: extend discovery, ownership, and recertification processes to AI assets before expanding production use.


Threat narrative

Attacker objective: The attacker aims to convert trusted AI execution into unauthorized access, workflow abuse, and real-world system compromise.

  1. Entry begins when agentic systems inherit access to tools, code execution, web browsing, or file systems that were not designed for adversarial input.
  2. Escalation occurs when prompt injection, supply chain compromise, or misconfiguration converts legitimate agent authority into broader system reach.
  3. Impact follows when the agent’s actions touch downstream workflows, sensitive data, or other connected systems at machine speed and scale.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Agentic AI turns access governance into behaviour governance. Traditional IAM assumes the identity is relatively stable, and that the main question is whether the right access was assigned. That assumption breaks when the actor can choose tools, sequence actions, and continue operating after context changes. The field needs to stop treating agent governance as a wrapper around the model and start treating it as a runtime identity problem.

Prompt injection is a control-plane failure, not just a model flaw. HiddenLayer’s report is another signal that the useful unit of analysis is the agent’s authority, not only the prompt text. Once an injected instruction can trigger file access, code execution, or workflow calls, the issue sits in authorization, containment, and monitoring. Practitioners should read this as evidence that AI security has crossed into NHI governance territory.

Shadow AI is the named concept that captures the hidden identity problem in this report. Unmanaged agents, embedded models, and tool-connected workflows create access paths that do not appear in ordinary app inventories. That is why visibility gaps become breach gaps: if the actor is undiscovered, lifecycle review and incident scoping both fail. The practical conclusion is that discovery must be treated as a governance prerequisite, not an afterthought.

The ownership problem now mirrors classic privilege creep. HiddenLayer’s findings on internal conflict over AI security controls show that the hardest issue is often not technical capability but accountability. When multiple teams assume someone else owns the agent, authority becomes diffuse and review becomes inconsistent. That is the same failure pattern seen in neglected non-human identity programmes, and it means governance must be assigned before scale, not after incidents.

AI security budgets without control alignment create reassurance without restraint. Spending can rise while risk still grows if the organisation funds detection but does not define the identity boundary of the system. The report’s combination of higher adoption, more shadow AI, and limited external detection partnerships suggests a market still optimising for deployment speed over governable autonomy. Practitioners should treat that as a warning that scale can outpace accountability.

From our research:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
  • 33% of organisations report their AI agents have accessed inappropriate or sensitive data beyond their intended scope, which shows scope drift is already operational.
  • For the broader identity angle, see 52 NHI Breaches Analysis for the recurring failure patterns behind non-human access exposure.

What this signals

Agentic AI governance will increasingly be judged by discovery, ownership, and runtime containment rather than by model adoption alone. If a programme cannot inventory its agents and map their tool authority, it will struggle to prove control when behaviour drifts. The organisations that treat these systems as governed identities now will have a cleaner path to auditability later.

With 76% of organisations already describing shadow AI as a definite or probable problem, the real risk is not just hidden usage but hidden privilege. That makes lifecycle governance and recertification more important than simple monitoring. The practical signal for readers is that discovery work should feed directly into access review and offboarding decisions, not sit in a separate AI inventory.

Prompt injection should now be read through a control-boundary lens. The problem is not merely that a model can be manipulated, but that manipulated instructions can cross into tools, files, and workflows if the authorization layer is weak. For teams formalising their approach, the OWASP Agentic AI Top 10 is a useful reference point for where those boundaries tend to fail.


For practitioners

  • Inventory every agentic system as a governed identity: Capture agents, embedded models, tool connectors, and API-linked workflows in the same inventory used for other non-human identities. Record owners, business purpose, tool scopes, and downstream systems so discovery becomes actionable rather than descriptive.
  • Constrain agent tool access by task and environment: Separate browsing, file access, code execution, and workflow triggers into distinct permissions so a single compromised agent cannot move freely across the stack. Align those permissions with the smallest practical task scope and review them at every change in use case.
  • Add runtime policy to agent execution paths: Enforce policy at the point where the agent calls tools, not only at the prompt or interface layer. Pair this with logging that records tool selection, data touched, and workflow actions so investigations can reconstruct what the agent actually did.
  • Tie ownership and recertification to AI control accountability: Assign one accountable owner for each AI system and require periodic recertification of its data access, tool privileges, and external integrations. Use the same governance standard for production agents that you would apply to other privileged non-human identities.
  • Use discovery findings to prioritise shadow AI containment: When unmanaged agents or model workflows are found, isolate their credentials, document their data paths, and decide whether they are approved, remediated, or retired. The point is to remove invisible authority before it becomes untraceable.
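The tool-level authorization, per-tool permission split, audit logging and recertification checks recommended above (and in the "Practical implication" under prompt injection) can be combined into one runtime policy gate. The block below is an added illustration, not code from HiddenLayer or NHI Mgmt Group; the agent names, tool classes, review cadence and sample tool requests are all assumed.

```python
# Runtime tool-authorization gate for an AI agent governed as a non-human identity.
# Added illustration, not HiddenLayer's or NHIMG's code; every name here is assumed.
from dataclasses import dataclass, field
from datetime import date, timedelta

TOOL_CLASSES = {"browse", "read_file", "exec_code", "trigger_workflow"}  # distinct permissions

@dataclass
class AgentIdentity:
    agent_id: str
    owner: str                 # one accountable owner, as for any privileged NHI
    allowed_tools: frozenset   # task-scoped subset of TOOL_CLASSES
    environment: str           # "sandbox" or "prod"
    last_recertified: date

@dataclass
class PolicyGate:
    audit_log: list = field(default_factory=list)     # reconstructs what the agent did
    drift_events: list = field(default_factory=list)  # in-session scope drift

    def authorize(self, agent: AgentIdentity, tool: str, target: str) -> bool:
        # Decision is taken at the tool-call point, not at the prompt or interface layer.
        if tool not in agent.allowed_tools:
            allowed, reason = False, "outside assigned scope"
            self.drift_events.append((agent.agent_id, tool, target))
        elif tool == "exec_code" and agent.environment != "sandbox":
            allowed, reason = False, "code execution only permitted in sandbox"
        else:
            allowed, reason = True, "allowed"
        self.audit_log.append({"agent": agent.agent_id, "tool": tool, "target": target,
                               "allowed": allowed, "reason": reason})
        return allowed

def needs_recertification(agent: AgentIdentity, today: date, max_age_days: int = 90) -> bool:
    return today - agent.last_recertified > timedelta(days=max_age_days)  # cadence assumed

# Constructed sample identities and a chained tool sequence such as an agent task might issue.
RESEARCH_AGENT = AgentIdentity("agent-research-01", "data-team",
                               frozenset({"browse", "read_file"}), "prod", date(2025, 11, 1))
CODE_AGENT = AgentIdentity("agent-code-07", "platform-team",
                           frozenset({"read_file", "exec_code"}), "prod", date(2026, 3, 1))

def run_sample() -> PolicyGate:
    gate = PolicyGate()
    gate.authorize(RESEARCH_AGENT, "browse", "https://example.invalid/report")
    gate.authorize(RESEARCH_AGENT, "read_file", "/data/reports/q1.csv")
    gate.authorize(RESEARCH_AGENT, "trigger_workflow", "payroll-export")  # scope drift
    gate.authorize(CODE_AGENT, "exec_code", "pip install somepkg")        # wrong environment
    return gate

def recert_status(today_iso: str) -> dict:
    today = date.fromisoformat(today_iso)
    return {a.agent_id: needs_recertification(a, today) for a in (RESEARCH_AGENT, CODE_AGENT)}
```

The audit log entries are what an investigator would replay to reconstruct the agent's actions, and the drift events are the signal that a session has moved beyond its provisioned scope.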

Key takeaways

  • Agentic AI changes the identity problem because runtime behaviour, not static provisioning, now determines the effective attack surface.
  • HiddenLayer’s report shows the gap is already measurable, with 1 in 8 reported AI breaches tied to agentic systems and 76% of organisations flagging shadow AI.
  • The immediate priority is to inventory, own, and constrain AI systems as governed non-human identities before their access patterns become invisible and harder to audit.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | | Agentic AI risks here map directly to tool misuse, prompt injection, and runtime abuse.
OWASP Non-Human Identity Top 10 | NHI-03 | The report centres on AI systems as governed non-human identities with access scopes.
NIST CSF 2.0 | PR.AC-4 | Access control and least privilege are central to governing agentic AI workflows.

Inventory agent tools, restrict runtime authority, and test for prompt-injection paths before production rollout.


Key terms

  • Agentic AI: AI that can choose actions, use tools, and carry out multi-step work with limited human intervention. In identity terms, it behaves like a non-human actor whose authority can expand during execution, so governance must cover runtime access, not only initial provisioning.
  • Shadow AI: AI systems or agent workflows that operate without full organisational visibility or formal approval. The risk is not just unknown usage, but unknown access, unknown ownership, and unknown lifecycle state, which makes audit, recertification, and incident scoping materially harder.
  • Runtime authority: The actual permissions and system reach an identity has while it is executing, which can differ from what was assigned on paper. For AI agents, runtime authority is the real control boundary because action choice, tool use, and sequencing can change as the task unfolds.
  • Scope drift: A condition where an identity begins operating beyond its intended task, data boundary, or permission set. For autonomous or agentic systems, scope drift can happen inside a single session, making fixed review cadences insufficient unless they are paired with runtime policy enforcement.

Deepen your knowledge

AI agent governance and runtime containment are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is moving from experimental AI into production access decisions, it is worth exploring.

This post draws on content published by HiddenLayer: HiddenLayer Releases the 2026 AI Threat Landscape Report, Spotting the Rise of Agentic AI and the Expanding Attack Surface of Autonomous Systems. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org