
Agentic AI security risks: are traditional controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Agentic AI systems can call APIs, query databases, and modify production systems without human approval, creating eight risks that traditional tools often miss because the dangerous action happens inside authorized workflows, according to WitnessAI. The control problem is not just visibility but assumption collapse: review-based governance cannot reliably contain actors that decide, act, and chain tools in one session.

NHIMG editorial — based on content published by WitnessAI: Agentic AI systems and the eight cybersecurity risks they introduce

By the numbers:

  • Anthropic's internal red team showed how far an agent can be pushed: a crafted prompt exfiltrated AWS credentials in 24 out of 25 attempts against its own agent, a 96% success rate.
  • Gartner’s 2026 coverage says identity is becoming more operational, distributed, and intertwined with software delivery, agents, infrastructure, and AI governance.

Questions worth separating out

Q: What breaks when AI agents can act inside business systems without human approval?

A: What breaks is the assumption that authorised access is also safe to use.

Q: Why do AI agents complicate IAM and NHI governance?

A: AI agents complicate IAM and NHI governance because they reuse legitimate credentials while making independent choices about when and how to use them.

Q: How do security teams know if agentic AI controls are actually working?

A: They know the controls are working when unsafe tool calls are blocked before execution, the audit trail shows which human initiated each action, and delegated workflows cannot silently expand their own scope.

Practitioner guidance

  • Classify every agentic session before it runs. Separate chat sessions from tool-using agent sessions so policies can reflect whether the system may call APIs, read files, or modify production systems.
  • Separate high-impact actions from ordinary tool calls. Require an approval boundary for irreversible operations such as database deletion, privilege changes, or external data transfer.
  • Trace every agent action back to a human originator. Preserve an audit chain from the initiating user to the specific agent session, tool invocation, and downstream system action.
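The three guidance points above, and the "how do you know the controls are working" answer earlier in this post, describe one enforcement point: a gate that sees every tool call before it executes. The following is an added example written for this post, not code from WitnessAI or from any product. Every name in it (SessionKind, TOOL_CATALOG, SessionContext, ToolCallGate, approval_token, the sample sessions and calls) is a constructed assumption used to illustrate the pattern; the scopes and tool names are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import json


class SessionKind(Enum):
    CHAT = "chat"    # text generation only; no tool access at all
    AGENT = "agent"  # may invoke tools, limited to scopes fixed at session start


# Hypothetical tool catalogue: tool name -> (required scope, irreversible?)
TOOL_CATALOG = {
    "db.query":           ("db:read",        False),
    "fs.read":            ("fs:read",        False),
    "db.delete_rows":     ("db:write",       True),
    "iam.grant_role":     ("iam:admin",      True),
    "http.post_external": ("net:egress",     True),
    "agent.delegate":     ("agent:delegate", False),
}


@dataclass
class SessionContext:
    session_id: str
    initiating_user: str   # the human every downstream action traces back to
    kind: SessionKind
    scopes: frozenset      # classified once, before the session runs; never widened
    approvals: set = field(default_factory=set)  # tokens issued by a human approver


def canonical(args):
    """Stable serialisation so an approval binds to one exact set of arguments."""
    return json.dumps(args, sort_keys=True, separators=(",", ":"))


def approval_token(ctx, tool, args):
    """Token a human approver issues for one specific irreversible call."""
    material = f"{ctx.session_id}|{tool}|{canonical(args)}".encode()
    return hashlib.sha256(material).hexdigest()


class ToolCallGate:
    def __init__(self):
        self.audit_log = []  # one record per evaluated call, allowed or denied

    def evaluate(self, ctx, tool, args, token=None):
        allowed, reason = self._decide(ctx, tool, args, token)
        record = {
            "initiating_user": ctx.initiating_user,
            "session_id": ctx.session_id,
            "session_kind": ctx.kind.value,
            "tool": tool,
            "args": canonical(args),
            "allowed": allowed,
            "reason": reason,
        }
        self.audit_log.append(record)  # attribution chain: user -> session -> tool call
        return record

    def _decide(self, ctx, tool, args, token):
        if ctx.kind is SessionKind.CHAT:
            return False, "chat sessions may not invoke tools"
        entry = TOOL_CATALOG.get(tool)
        if entry is None:
            return False, f"unknown tool {tool!r}"
        required_scope, irreversible = entry
        if required_scope not in ctx.scopes:
            return False, f"scope {required_scope!r} not granted to this session"
        if tool == "agent.delegate":
            # a delegated workflow may only receive a subset of the parent's scopes
            requested = frozenset(args.get("scopes", ()))
            if not requested <= ctx.scopes:
                return False, f"delegation would expand scope by {sorted(requested - ctx.scopes)}"
        if irreversible:
            if token is None or token not in ctx.approvals:
                return False, "irreversible action requires human approval"
            if token != approval_token(ctx, tool, args):
                return False, "approval does not match these exact arguments"
        return True, "ok"


def demo():
    """Constructed sessions and calls; returns the audit records in order."""
    gate = ToolCallGate()
    agent = SessionContext("s-42", "alice@example.com", SessionKind.AGENT,
                           frozenset({"db:read", "db:write", "agent:delegate"}))
    chat = SessionContext("s-43", "bob@example.com", SessionKind.CHAT, frozenset())
    delete = {"table": "orders", "where": "id=7"}
    results = [
        gate.evaluate(chat, "db.query", {"sql": "select 1"}),          # chat: denied
        gate.evaluate(agent, "db.query", {"sql": "select count(*)"}),  # in scope: allowed
        gate.evaluate(agent, "db.delete_rows", delete),                # no approval: denied
    ]
    tok = approval_token(agent, "db.delete_rows", delete)              # human approves this call
    agent.approvals.add(tok)
    results.append(gate.evaluate(agent, "db.delete_rows", delete, tok))                    # allowed
    results.append(gate.evaluate(agent, "db.delete_rows", {**delete, "where": "1=1"}, tok))  # args changed: denied
    results.append(gate.evaluate(agent, "agent.delegate", {"scopes": ["db:read", "iam:admin"]}))  # widening: denied
    results.append(gate.evaluate(agent, "agent.delegate", {"scopes": ["db:read"]}))              # subset: allowed
    return results


if __name__ == "__main__":
    for r in demo():
        print(r["allowed"], r["tool"], r["reason"])
```

Two design choices carry the weight. The approval token is bound to the session, tool and canonical arguments, so an approval for deleting one row cannot be replayed against a widened WHERE clause. The session's scope set is fixed at classification time and delegation is checked as a subset, so a chained agent cannot grant itself more than its originator held; the audit record keeps the initiating user on every decision, including denials.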

What's in the full article

WitnessAI's full research covers the operational detail this post intentionally leaves for the source:

  • Detailed breakdown of the eight agentic AI risk classes and how each one appears in production workflows.
  • Examples of runtime inspection points for prompts, tool calls, and agent responses before execution.
  • The distinction between discoverable agent activity and actions that only appear safe in network logs.
  • Guidance on preserving attribution from the human initiator to the downstream agent action.

👉 Read WitnessAI's analysis of eight cybersecurity risks in agentic AI →
