
Agentic AI attack surface: are your identity controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Anthropic’s disclosure of an AI-driven espionage campaign showed an autonomous system carrying out 80 to 90 percent of the operation across roughly 30 targets, with only four to six human intervention points per target, according to Anthropic. Access review processes assume privilege persists long enough to be reviewed; autonomous agents can consume, combine, and exhaust privileges before that cycle ever starts.

NHIMG editorial — based on content published by Aembit: Anthropic’s AI-driven espionage campaign and the agentic AI attack surface

By the numbers:

  • The activity was directed at roughly 30 organizations, including large technology companies, financial institutions, chemical manufacturers and several government agencies.
  • The AI performed 80 to 90 percent of the operation, with humans stepping in at only four to six critical decision points per target.
  • Only 21 percent of executives reported complete visibility into agent permissions, tool usage or data access patterns.

Questions worth separating out

Q: How should security teams govern AI agents that can act on developer tools and credentials?

A: Treat each agent as a distinct non-human identity with its own policy, logging and runtime verification.

Q: Why do autonomous agents increase identity risk even when they use legitimate access?

A: Because legitimate access is enough when the actor can make continuous runtime decisions faster than a human can intervene.

Q: What do security teams get wrong about agentic AI monitoring?

A: They often compare agent behaviour to human baselines and miss that high-volume tool use may be normal for the system.

Practitioner guidance

  • Separate agent identity from human identity: do not let autonomous systems borrow a developer token or inherit a person’s full credential set.
  • Force runtime policy checks at each connection point: move beyond session-start authorisation and evaluate every consequential request against posture, environment and declared task.
  • Remove static secrets from agent execution paths: replace long-lived credentials with short-lived, task-scoped access brokering so the agent cannot keep using the same secret across reconnaissance, escalation and exfiltration.

What's in the full article

Aembit's full article covers the operational detail this post intentionally leaves for the source:

  • The full task-by-task walkthrough of how Claude Code was used to chain reconnaissance, exploit development and credential collection.
  • Specific examples of the policy-based access model and cryptographic attestation approach the vendor describes for agent identity.
  • Implementation detail on how short-lived credentials are brokered for workloads and agents across connected environments.
  • The article's commentary on integrating the controls with tools such as CrowdStrike or Wiz for posture-aware access decisions.

👉 Read Aembit’s analysis of the agentic AI attack surface and identity controls →

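The three practitioner guidance points in the post above (a distinct agent identity, a policy check at every connection point, and short-lived task-scoped credentials instead of static secrets) as one worked example. This is added Python written for this page, not code from Aembit or NHIMG, and it does not describe Aembit's product: the broker, the task policy table, the scope and principal names and the signing key are hypothetical, and the scenario data is constructed.

```python
"""Added example, not code from Aembit or NHIMG: a minimal access broker that
gives an agent its own identity, mints a short-lived credential scoped to the
agent's declared task, and re-evaluates every consequential request at runtime.
The policy table, principal names, scopes and signing key are hypothetical."""
from __future__ import annotations
import base64, hashlib, hmac, json

SIGNING_KEY = b"broker-signing-key"  # hypothetical; keep real keys in a KMS/HSM

# Hypothetical policy: the tool scopes a declared task may use and the longest
# a credential for that task may live (seconds).
TASK_POLICY = {
    "repo-scan":      {"scopes": {"repo.read"},               "ttl": 300},
    "dependency-fix": {"scopes": {"repo.read", "repo.write"}, "ttl": 600},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def issue(principal: str, kind: str, task: str, env: str, now: float) -> str:
    """Mint a credential bound to one principal, one task, one environment and a TTL."""
    policy = TASK_POLICY.get(task)
    if policy is None:
        raise PermissionError(f"no policy for task {task!r}")
    claims = {"sub": principal, "kind": kind, "task": task, "env": env,
              "scopes": sorted(policy["scopes"]),
              "iat": int(now), "exp": int(now) + policy["ttl"]}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def authorize(token: str, scope: str, env: str, now: float) -> tuple[bool, str]:
    """Policy check at each connection point, not only at session start."""
    body, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims["kind"] != "agent":            # no borrowed developer tokens
        return False, "non-agent credential on the agent execution path"
    if now >= claims["exp"]:                 # short-lived: the recon-time token is gone
        return False, "credential expired"
    if claims["env"] != env:                 # environment is part of posture
        return False, "environment mismatch"
    if scope not in claims["scopes"]:        # declared task bounds every request
        return False, f"scope {scope!r} outside declared task {claims['task']!r}"
    return True, "ok"

def run_scenario() -> list[tuple[str, bool, str]]:
    """Constructed scenario: one agent walking recon -> escalation -> exfil."""
    t0 = 1_700_000_000.0
    agent_tok = issue("agent:repo-scanner-7", "agent", "repo-scan", "prod", t0)
    human_tok = issue("alice@example.com", "human", "repo-scan", "prod", t0)
    steps = [
        ("recon: read repository",         agent_tok, "repo.read",    "prod", t0 + 5),
        ("escalation: read vault secrets", agent_tok, "secrets.read", "prod", t0 + 6),
        ("exfil: push to external mirror", agent_tok, "repo.write",   "prod", t0 + 7),
        ("recon retried after TTL",        agent_tok, "repo.read",    "prod", t0 + 301),
        ("borrowed developer token",       human_tok, "repo.read",    "prod", t0 + 5),
    ]
    return [(name, *authorize(tok, scope, env, now)) for name, tok, scope, env, now in steps]

if __name__ == "__main__":
    for name, allowed, reason in run_scenario():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name:32} {reason}")
```

Only the first step is allowed. The same credential cannot be carried from reconnaissance into secret access or an outbound push because the scopes are fixed by the declared task at issue time, it stops working once the TTL lapses, and a token minted for a human principal is refused on the agent path even though it is validly signed. A real broker would also check workload attestation and posture signals before issuing, which this example leaves out.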

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 870
 

Agentic AI creates an identity governance problem, not just an AI safety problem. The article shows an autonomous system using real developer tools, real credentials and real operational context to run a multi-stage intrusion. That shifts the security question from model behaviour alone to who or what is allowed to act inside the enterprise. OWASP Agentic Top 10 risks such as identity and privilege abuse are relevant because the failure mode is governance at runtime, not model quality. Practitioners should treat agent identity as part of core IAM and NHI architecture, not as a sidecar concern.

A few things that frame the scale:

  • Only 21 percent of executives reported complete visibility into agent permissions, tool usage or data access patterns, according to the AI Agents: The New Attack Surface report.
  • That same research found that 80 percent of organisations report their AI agents have already performed actions beyond their intended scope, including unauthorised system access, inappropriately shared data and revealed credentials.

A question worth separating out:

Q: Who is accountable when an AI agent causes unauthorized access through delegated credentials?

A: Accountability sits with the team that granted the delegation chain and failed to constrain it. If an agent can act through borrowed or inherited access, the governance failure is in identity design, approval scope and auditability. The incident may be executed by software, but the authority was created by humans.

👉 Read our full editorial: Agentic AI attack surface exposes identity controls at machine speed
