Agentic AI identity vs behaviour: are trust layers enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Agentic AI attackers can learn trust boundaries through autonomous iteration, session-to-session learning, and identity spoofing, while the Arkose Labs 2026 Agentic AI Security Report says 97% of enterprise leaders expect a material incident within 12 months but only 6% of security budgets target it. Identity verification alone is fragile when the attacker’s behaviour evolves faster than review cycles can respond.

NHIMG editorial — based on content published by Arkose Labs: AI The Agentic AI Security Category Is Converging on the Wrong Answer

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should security teams govern agentic AI when identity checks are not enough?

A: They should treat identity as a starting point, then enforce behaviour controls at the interaction layer.

Q: Why do agentic AI systems break traditional trust-based access models?

A: They break them because the attacker can probe the model repeatedly, learn the decision boundary, and adapt faster than human review cycles can respond.

Q: How do teams know if agentic AI controls are actually working?

A: They should look for reduced successful probing, higher attacker cost per session, and better visibility into what agents do across critical workflows.

Practitioner guidance

  • Separate identity verification from behaviour enforcement: map where your current controls only classify agents and where they actually constrain runtime actions.
  • Measure attacker learning cost, not only detection rate: test whether your controls make repeated probing more expensive over time by increasing friction, requiring stronger proof, or limiting reuse of learned paths.
  • Create a three-tier agent policy model: distinguish good agents, bad agents, and gray-area agents so that security and fraud teams can set policy by behaviour, risk, and endpoint instead of treating all automation the same.

What's in the full article

Arkose Labs' full article covers the architectural detail this post intentionally leaves at the analyst level:

  • The behaviour-based challenge and friction model used to raise attacker cost across sessions
  • The three-tier agent classification approach for good, bad, and gray-area automation
  • How security and fraud teams can set policy by agent type, geography, and risk score
  • Why the interaction layer produces the strongest signal when identity verification is uncertain

👉 Read Arkose Labs' analysis of agentic AI security and interaction-layer controls →




(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

Agent identity frameworks are necessary, but they fail as a complete security model when behaviour is the real target. Identity verification can tell you what the agent claims to be, but it does not govern what the agent actually does once a session begins. That distinction is central to OWASP-AGENTIC and OWASP-NHI thinking, because access control without behavioural enforcement becomes a classification exercise instead of a security boundary. Practitioners should treat identity as an input to policy, not the policy itself.

A few things that frame the scale:

  • 97% of enterprise leaders expect a material AI-agent-driven incident within 12 months, yet only 6% of security budgets are dedicated to tackling it, according to the AI Agents: The New Attack Surface report.
  • Only 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems and revealing access credentials, according to the AI Agents: The New Attack Surface report.

A question worth separating out:

Q: What should organisations do when their agent identity model cannot explain behaviour?

A: They should stop treating the model as a complete answer and add policy at the point of action. That means separating legitimate automation from suspicious automation, defining allowed behaviour by endpoint, and making sure the control plane can challenge or throttle sessions when behaviour drifts. Governance must cover runtime action, not just identity claims.

👉 Read our full editorial: Agentic AI security is converging on the wrong control model
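A sketch of the interaction-layer control that both posts describe: the practitioner guidance in the opening post (separate identity verification from behaviour enforcement, make repeated probing more expensive across sessions, tier agents as good, gray-area and bad) and the reply's point that the control plane should challenge or throttle a session when behaviour drifts. This is an added example and not code from either post or from Arkose Labs; the endpoint names, action names, thresholds and the cost model are constructed assumptions. A valid identity only sets the starting tier; every later decision is driven by what the session does at each endpoint, and refused paths are remembered per identity so that a path learned in one session is not cheap to reuse in the next.

```python
"""Interaction-layer policy sketch: identity is an input, behaviour decides.

Added example (not code from the posts or from Arkose Labs). Endpoint
names, action names and the thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Allowed behaviour per endpoint (constructed allowlist).
ENDPOINT_POLICY = {
    "/api/orders": {"read", "create"},
    "/api/profile": {"read"},
    "/api/secrets": set(),  # no agent may touch credential material
}
CHALLENGE_AT = 2  # denials in one session before a step-up challenge
BLOCK_AT = 4      # denials in one session before the session is cut off


@dataclass
class AgentHistory:
    """Memory that outlives the session, so probing in one session costs more in the next."""
    denied_paths: set = field(default_factory=set)  # (endpoint, action) pairs refused before
    probe_sessions: int = 0                          # sessions that reached CHALLENGE_AT


@dataclass
class Verdict:
    allowed: bool
    tier: str      # "good" | "gray" | "bad"
    friction: str  # "none" | "delay" | "challenge" | "block"
    cost: int      # cumulative per-session attacker cost after this request


class InteractionPolicy:
    def __init__(self):
        self.history = defaultdict(AgentHistory)
        self.denials = defaultdict(int)  # session_id -> denied requests so far
        self.cost = defaultdict(int)     # session_id -> cumulative cost

    def evaluate(self, agent_id, session_id, identity_verified, endpoint, action):
        hist = self.history[agent_id]
        path = (endpoint, action)
        in_scope = action in ENDPOINT_POLICY.get(endpoint, set())

        # Cost model: 1 per request, +2 for re-walking a path this identity was
        # already refused (learned paths are not cheap to reuse), plus an
        # escalating surcharge for each denial inside the current session.
        step = 1
        if path in hist.denied_paths:
            step += 2
        if not in_scope:
            self.denials[session_id] += 1
            hist.denied_paths.add(path)
            step += self.denials[session_id]
            if self.denials[session_id] == CHALLENGE_AT:
                hist.probe_sessions += 1
        self.cost[session_id] += step
        denials = self.denials[session_id]

        # Tiering is driven by behaviour; a valid identity only sets the starting point.
        if endpoint == "/api/secrets" or denials >= BLOCK_AT:
            tier, friction = "bad", "block"
        elif denials >= CHALLENGE_AT:
            tier, friction = "gray", "challenge"
        elif denials > 0 or not identity_verified or hist.probe_sessions > 0:
            tier, friction = "gray", "delay"
        else:
            tier, friction = "good", "none"

        allowed = in_scope and friction in ("none", "delay")
        return Verdict(allowed, tier, friction, self.cost[session_id])


def run_scenario():
    """Constructed traffic: one agent identity whose token verifies in every session."""
    policy = InteractionPolicy()
    requests = [  # (session, endpoint, action)
        ("s1", "/api/orders", "read"),     # ordinary in-scope use
        ("s2", "/api/profile", "read"),    # second session starts benign...
        ("s2", "/api/profile", "delete"),  # ...then probes outside scope
        ("s2", "/api/profile", "create"),
        ("s2", "/api/secrets", "read"),    # credential endpoint: hard stop
        ("s3", "/api/orders", "read"),     # third session: same identity, in scope
        ("s3", "/api/profile", "delete"),  # re-walks a path refused in s2
    ]
    out = defaultdict(list)
    for session, endpoint, action in requests:
        out[session].append(policy.evaluate("agent-42", session, True, endpoint, action))
    return dict(out)


if __name__ == "__main__":
    for session, verdicts in run_scenario().items():
        for v in verdicts:
            print(session, v)
```

Running it shows the two properties the posts ask for: in session s2 the same verified identity moves from "good" to "gray" to "bad" purely on behaviour, and its cumulative cost climbs 1, 3, 6, 10 as each denial adds a larger surcharge; in session s3 the identity starts already in the gray-area tier and pays more for re-walking a path it was refused earlier, so what the attacker learned in s2 is not reusable at the original price.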


