IdentityMesh in agentic systems: what IAM teams need to know


(@nhi-mgmt-group)

TL;DR: A single innocent request can enable agentic AI to merge multiple authenticated contexts into one operational identity, allowing cross-system lateral movement, data exfiltration, phishing, or malware distribution, according to Lasso Security's IdentityMesh research. The finding makes clear that existing MCP and browser-based controls assume boundaries the agent does not preserve.

NHIMG editorial — based on content published by Lasso Security: IdentityMesh: Exploiting Lateral Movement in Agentic Systems

By the numbers:

Questions worth separating out

Q: How should security teams stop AI agents from moving data between trusted systems without approval?

A: Security teams should treat each system boundary as a separate trust decision, even when one agent handles the workflow.

Q: Why do agentic systems create a bigger lateral movement risk than ordinary automation?

A: Agentic systems create bigger lateral movement risk because they can combine read, reasoning, and write actions inside one runtime context.

Q: What do security teams get wrong about browser-based AI assistants?

A: They often treat browser-based assistants as user interfaces when they are really cross-origin identity mediators.

Practitioner guidance

  • Map cross-system identity fusion paths: Identify where a single agent can read from one system and write to another using the same user or service context.
  • Disable unrestricted agent autonomy for cross-origin actions: Require explicit approval before an agent moves information from one authenticated system into a different system, especially when the destination is public, shared, or externally reachable.
  • Separate read and write privileges by workflow: Limit agents so they can collect context from a source system but cannot write to another system unless the destination action is separately authorised.

What's in the full report

Lasso Security's full research covers the operational detail this post intentionally leaves for the source:

  • Scenario-by-scenario exploit flow across MCP, custom agents, and AI browsers so practitioners can compare attack paths.
  • Step-by-step examples of how read tools, write tools, and injected instructions combine into one cross-system chain.
  • Practical mitigations for disabling unrestricted agent behaviour, including approval prompts and boundary enforcement patterns.
  • Detailed explanation of the 'YOLO mode' browser risk and why cross-origin sessions are especially exposed.

👉 Read Lasso Security's research on IdentityMesh and agentic lateral movement →
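
The three practitioner guidance points above (map read-to-write paths, require approval for cross-system moves, separate read and write privileges), sketched as a per-session gate in front of an agent's tool calls. This is an added example, not part of the original post or of Lasso Security's research; the tool names, system names and the `BoundaryGate` class are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed tool registry: tool name -> (system, action). All names are hypothetical.
TOOLS = {
    "crm.read_contact": ("crm", "read"),
    "wiki.read_page": ("wiki", "read"),
    "wiki.update_page": ("wiki", "write"),
    "tickets.post_comment": ("tickets", "write"),
    "mail.send": ("mail", "write"),
}

@dataclass
class BoundaryGate:
    """Per-session gate that treats each system boundary as its own trust decision."""
    write_grants: set                                  # systems this workflow may write to
    approved_flows: set = field(default_factory=set)   # (source, dest) pairs a human approved
    sources_read: set = field(default_factory=set)     # systems whose data is in agent context
    audit: list = field(default_factory=list)          # (tool, decision, reason) records

    def check(self, tool):
        if tool not in TOOLS:
            return self._log(tool, "deny", "unregistered tool")
        system, action = TOOLS[tool]
        if action == "read":
            self.sources_read.add(system)  # remember what the agent has seen
            return self._log(tool, "allow", "read")
        if system not in self.write_grants:
            return self._log(tool, "deny", f"no write grant for {system}")
        # A write may carry anything read earlier from another system.
        pending = sorted(s for s in self.sources_read
                         if s != system and (s, system) not in self.approved_flows)
        if pending:
            return self._log(tool, "needs_approval", f"unapproved flow from {pending}")
        return self._log(tool, "allow", "write inside approved boundaries")

    def approve(self, source, dest):
        """Record an explicit human approval for one source -> destination flow."""
        self.approved_flows.add((source, dest))

    def _log(self, tool, decision, reason):
        self.audit.append((tool, decision, reason))
        return decision

def demo():
    gate = BoundaryGate(write_grants={"wiki", "tickets"})
    calls = ["wiki.read_page", "wiki.update_page", "crm.read_contact",
             "tickets.post_comment", "mail.send"]
    before = [gate.check(t) for t in calls]
    gate.approve("crm", "tickets")
    gate.approve("wiki", "tickets")
    return before, gate.check("tickets.post_comment"), gate.check("wiki.update_page")
```

Approvals are per source-destination pair, so approving the flows into `tickets` does not unlock a later write to `wiki` once CRM data is in the session; the `audit` list doubles as the map of fusion paths the agent actually attempted.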
