TL;DR: The rise of AI assistants and agents creates a new agentic workspace where human and machine risks overlap across email, collaboration, data, and SaaS applications, according to Proofpoint. The security model now has to govern both people and AI agents, because the attack surface expands faster than legacy workspace controls can absorb, while Q3 2025 results showed double-digit ARR growth and broad enterprise adoption.
At a glance
What this is: Proofpoint’s Q3 update argues that the modern workspace now includes AI agents, making collaboration and data security a shared control problem across human and non-human actors.
Why it matters: For IAM, PAM, and NHI teams, this matters because identity governance now has to cover delegated agent behaviour, data access, and abuse paths that traditional human-centric controls do not fully model.
By the numbers:
- Proofpoint said its Q3 2025 results included double-digit ARR growth year over year, driven by strong adoption of its Data Security portfolio and Proofpoint Prime Threat Protection.
- Gartner named Proofpoint a Leader in its 2025 Magic Quadrant for Digital Communications Governance and Archiving Solutions for the second consecutive year.
👉 Read Proofpoint’s analysis of the agentic workspace and AI agent security
Context
The primary issue here is not a new product feature, but the widening governance gap between human-centric workspace security and AI agent behaviour. In the new agentic workspace, the same collaboration channels, SaaS apps, and data stores are being touched by both people and software entities, which means identity, access, and content controls now have to handle both.
That shift matters to IAM and NHI programmes because agent-driven actions inherit human workflows without inheriting human accountability. When assistants can read, generate, and act on data at machine speed, organisations need policy boundaries, auditability, and least-privilege controls that apply to non-human identities as well as users. The starting assumption that only employees create risk is now out of date.
Key questions
Q: How should security teams govern AI assistants that can access audit data?
A: Treat them as privileged non-human identities with defined scope, logging, and approval boundaries. Access should be limited to the smallest useful data set, and any output that can influence operations should require human authorization before execution. That approach reduces the chance that an AI assistant becomes an unreviewed control point inside security operations.
Q: Why do conversational AI systems create new identity and access risks?
A: Because they can combine data retrieval, decision-making, and execution in a single interaction. That collapses the gap between information access and business action, which traditional IAM and security tools were not built to manage. The result is higher exposure when the system can modify records or disclose sensitive guest data.
Q: What breaks when prompt injection is not governed like an access problem?
A: The organisation may treat malicious text as a harmless message, even though it can steer an agent into exposing data or taking privileged actions. Prompt injection is dangerous because it turns untrusted content into a control plane for behaviour. Teams need policy and authorisation checks around outputs, not just message filtering.
Q: Who is accountable when an AI agent accesses sensitive data it was not meant to use?
A: Accountability sits with the team that approved the agent, its connectors, and its policy boundaries, not with the runtime behaviour alone. Organisations need ownership for intent, permissions, monitoring, and validation so they can prove whether the agent stayed inside its approved purpose. Without that, audit and regulatory response become retrospective guesswork.
Technical breakdown
Agentic workspace security: why identity boundaries are blurring
An agentic workspace is an operating model where AI assistants and agents work alongside people across email, chat, files, and SaaS workflows. The security problem is that these systems can consume content, generate messages, and trigger actions while appearing to be ordinary productivity tooling. That breaks older assumptions in IAM and DLP, where the main question was whether a human user was authorised. In agentic environments, the relevant control question becomes whether the delegated software identity is authorised for the specific data, action, and context. Practical implication: treat AI assistants as governed identities with scoped access and explicit oversight, not as neutral features.
Practical implication: Model each assistant or agent as a governed identity with explicit scope, review, and revocation conditions.
Prompt injection, social engineering, and data exposure in the same workflow
The article aligns two familiar threat classes that now converge inside the same workspace. Humans remain exposed to social engineering, while agents are exposed to prompt injection, where attacker-controlled text changes the model or agent’s behaviour. Both can lead to disclosure of sensitive information or unauthorised actions, but the failure mode differs: humans are persuaded, agents are steered through their inputs and tool permissions. This is why collaboration security and NHI governance are increasingly linked. Practical implication: separate content trust from action trust, and do not let message origin alone determine whether an agent can act.
Practical implication: Separate content trust from action trust so malicious inputs cannot directly trigger privileged agent behaviour.
Data security for AI assistants depends on policy, not just detection
The article emphasises that AI agents interact with data at higher speed and scale than previous workspace tools. That means classic monitoring is necessary but insufficient, because the organisation also needs preventive policy around what data an agent can access, copy, summarise, or forward. This is where DLP and DSPM become governance controls rather than after-the-fact detection tools. For identity teams, the same principle applies: access rights should be bounded by task and purpose, not by broad application ownership. Practical implication: align workspace policy with data sensitivity and agent purpose, then verify continuously.
Practical implication: Tie agent permissions to data sensitivity and task purpose, then verify access continuously.
Threat narrative
Attacker objective: The attacker aims to use trusted workspace automation to extract sensitive data or trigger unauthorised actions at scale without relying on a single compromised human account.
- Entry occurs when an attacker uses social engineering, prompt injection, or malicious content inside collaboration channels that both humans and agents consume.
- Escalation happens when the agent or user workflow trusts the input and passes data, tokens, or actions into connected SaaS applications and email systems.
- Impact follows when sensitive information is exposed, forwarded, or acted on at machine speed across the workspace, amplifying blast radius beyond a single user session.
Breaches seen in the wild
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
- Replit AI Tool Database Deletion — Replit vibe coding AI assistant deletes live production database and creates 4,000 fake user records.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
The agentic workspace is becoming an identity governance problem, not just a productivity story. Once AI assistants can read, summarise, and act on enterprise data, they behave like governed non-human identities whether the organisation labels them that way or not. That shifts the control burden onto IAM, PAM, and data security teams, because access scope and auditability now need to extend to software entities that operate inside human workflows. The practitioner conclusion is simple: if the agent can act, it must be governed like an identity.
Prompt injection turns content into an access path. The article’s framing makes clear that the real boundary is no longer only around the mailbox or collaboration app. It is around the downstream actions an agent can take after interpreting untrusted text. This is a governance gap because many controls still separate message security from authorisation policy. The practitioner conclusion is that content inspection and access control must be joined, not managed as separate silos.
AI governance debt: the longer organisations deploy assistants without explicit identity controls, the larger the remediation burden becomes. The article describes a fast-expanding workspace where agents are already embedded in daily operations. That creates accumulated exposure around permissions, data access, and accountability. In framework terms, the issue aligns with NIST AI RMF GOVERN and MEASURE, plus the OWASP Agentic Applications Top 10 for tool misuse and prompt injection. The practitioner conclusion is to pay down governance debt before agent adoption outpaces control design.
Data loss prevention is no longer only about exfiltration after the fact. In an agentic workspace, the more important question is whether the system can legally and operationally touch the data in the first place. That means policy, classification, and task-level access must be wired into how AI agents are allowed to operate. For identity programmes, this reinforces the need to treat NHI governance and data governance as one operating problem. The practitioner conclusion is to define agent permissions around purpose, not convenience.
The market is converging on human-plus-agent security models. The article suggests that the next security platform boundary is not endpoint, email, or cloud alone, but the workflow layer where humans and AI agents intersect. That validates a broader shift in identity security: NHI and human identity controls increasingly need a shared policy plane. The practitioner conclusion is to re-evaluate whether current architecture separates identity, data, and workflow controls too aggressively.
From our research:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to AI Agents: The New Attack Surface report.
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
- That gap is why practitioners should pair agent governance with the Ultimate Guide to NHIs , 2025 Outlook and Predictions and treat AI assistants as identities, not features.
What this signals
The programme signal here is that workspace security and identity governance are converging around the same operational layer. Once AI assistants can move inside email, collaboration, and SaaS workflows, teams need policy that follows the action path, not just the user session. The control model is shifting from endpoint-centric review to identity-aware workflow governance, with human and non-human actors sharing the same trust boundary.
Workflow trust gap: organisations now need a control layer that decides which content can influence which actions. That concept matters because many existing stacks separate message security, DLP, and identity policy. The next stage is to connect those controls with audit trails and data classification so the agent’s decision path is visible and enforceable.
For identity teams, the forward issue is not whether AI agents will be deployed. The question is whether they will be onboarded with the same lifecycle discipline as service accounts and privileged integrations. That is where the use of the Ultimate Guide to NHIs , 2025 Outlook and Predictions becomes practical, because the control problem is now shared across NHI, IAM, and data governance.
For practitioners
- Map agent permissions to specific tasks Inventory every assistant, copilot, and workflow agent that can access mail, files, chat, or SaaS applications, then limit each one to a named purpose and minimal dataset.
- Extend identity governance to non-human actors Create an approval and review process for AI agents that mirrors service account governance, including ownership, scope, exception handling, and offboarding.
- Join content security to authorisation policy Make prompt injection and malicious content part of the same control discussion as access decisions, so untrusted inputs cannot trigger privileged downstream actions.
- Tune DLP and DSPM for agentic workflows Classify the data AI agents can see, summarise, forward, or store, then test whether policy enforcement still holds when an agent chains multiple workspace actions.
- Review audit trails for agent actions Ensure logs distinguish between human requests, model outputs, and automated actions so investigators can reconstruct who asked for what and which agent executed it.
Key takeaways
- AI assistants are becoming governed identities inside the workspace, which means identity controls now need to cover machine actions, not just human sessions.
- Proofpoint’s Q3 update shows that the market is moving toward human-plus-agent security models, with collaboration and data protection increasingly tied to AI governance.
- The practical response is to bind agent permissions to task scope, data sensitivity, and auditability before adoption expands faster than control design.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | N/A | Prompt injection and agent misuse are central to the agentic workspace risk described here. |
| NIST AI RMF | GOVERN | The post is fundamentally about governance for AI agents and their access boundaries. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access restriction are directly implicated by agentic workspace controls. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0009 , Collection; TA0040 , Impact | The threat pattern includes content-driven credential theft, data collection, and downstream impact. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the clearest control family for governed assistant access. |
Model collaboration attacks across credential access, collection, and impact to improve detection and containment.
Key terms
- Agentic Workspace: An agentic workspace is a digital work environment where AI assistants and autonomous or semi-autonomous agents operate alongside people across email, chat, files, and business applications. The security challenge is that both human and software identities can now move data and trigger actions through the same workflow paths.
- Prompt Injection (Agentic): An attack where malicious instructions are embedded in content that an AI agent reads — causing the agent to execute unintended actions using its own legitimate credentials. A primary vector for agent goal hijacking and identity abuse.
- Non-Human Identity (NHI): A digital identity assigned to a non-human entity such as a software application, service account, API key, bot, machine, or AI agent that enables it to authenticate and interact with systems without direct human involvement. NHIs now outnumber human identities in most enterprises by 25 to 50 times.
- Data Security Posture Management: Data Security Posture Management, or DSPM, is the continuous discovery and monitoring of where sensitive data lives, how it is exposed, and where policy gaps exist. Its value rises when it feeds remediation rather than generating findings alone, especially in environments where AI expands the number of data paths.
What's in the full article
Proofpoint's full post covers the operational detail this post intentionally leaves for the source:
- The specific product and platform changes behind the agentic workspace strategy, including how the controls are positioned across email, collaboration, and data security.
- Q3 performance detail on customer adoption, retention, and partner motion that supports the business case for the direction of the platform.
- Named examples of the first agentic AI capabilities and how Proofpoint describes their intended operational use.
- Gartner citations and market-positioning context that are useful if you are comparing categories or tracking vendor messaging.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, agentic AI identity, and secrets management for practitioners who need a tighter control model. It helps security and identity teams translate identity principles into day-to-day governance for non-human actors and delegated automation.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org