
Autonomous agent identity risk: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Autonomous coding agents can be steered by social engineering into executing reconnaissance, credential harvesting, and exfiltration at machine speed, with Anthropic reporting that GTG-1002 used Claude Code across roughly 30 organisations and completed 80% to 90% of the attack sequence without human intervention. Existing IAM and governance models assume stable, reviewable access, but autonomous execution collapses that assumption within a session.

NHIMG editorial — based on content published by WitnessAI: Anthropic disclosed a state-sponsored espionage campaign involving Claude Code and autonomous attack execution

By the numbers:

  • The attackers utilized Anthropic’s agentic coding tool, Claude Code, to conduct reconnaissance and data exfiltration across roughly 30 global organizations.

Questions worth separating out

Q: How should security teams govern autonomous coding agents with internal access?

A: Treat autonomous coding agents as privileged non-human identities with their own lifecycle, approval, and revocation rules.

Q: Why do autonomous agents create more risk than ordinary automation?

A: Ordinary automation follows fixed rules, but autonomous agents can choose actions, sequence work, and time execution at runtime.

Q: What breaks when agents inherit developer permissions by default?

A: The organisation loses task boundary control.

Practitioner guidance

  • Define agent identities as task-scoped subjects: issue temporary credentials for a single bounded task and revoke them automatically when the task ends.
  • Register MCP servers as controlled trust boundaries: allow only approved endpoints, signed tool manifests, and explicit server ownership checks before an agent can call a tool.
  • Separate human intent from agent execution: require a policy gate for high-risk actions such as credential retrieval, database export, or network scanning.

What's in the full article

WitnessAI's full analysis covers the operational detail this post intentionally leaves for the source:

  • The full attack-chain description for how Claude Code was steered through reconnaissance and exfiltration phases.
  • Operational discussion of custom malicious MCP servers and how they wrapped standard open-source tools.
  • The article's defence framework for runtime inspection, cognitive observability, and in-line action blocking.
  • The author’s broader control-plane argument for governing employees, applications, models, and autonomous agents together.

👉 Read WitnessAI's analysis of AI-orchestrated attacks using Claude Code →
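The three practitioner guidance items above (task-scoped credentials, MCP servers as registered trust boundaries, and a policy gate for high-risk actions) as one small policy check. This is an added example, not code from NHIMG, WitnessAI or Anthropic; the server registry, signing key, action names and manifest format are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed registry values for this example; a real deployment would load
# them from signed configuration rather than hard-code them.
MANIFEST_SIGNING_KEY = b"example-only-manifest-signing-key"
APPROVED_MCP_SERVERS = {"mcp://repo-search.internal": "platform-team"}  # endpoint -> owner
HIGH_RISK_ACTIONS = {"credential_retrieval", "database_export", "network_scan"}

@dataclass
class AgentTask:
    """A task-scoped agent identity: one bounded task, one short-lived credential."""
    task_id: str
    allowed_actions: frozenset
    expires_at: float
    credential: str

def issue_task_credential(task_id, allowed_actions, ttl_seconds, now=None):
    """Issue a temporary credential bound to a single task and a fixed action set."""
    now = time.time() if now is None else now
    return AgentTask(task_id, frozenset(allowed_actions), now + ttl_seconds, secrets.token_urlsafe(16))

def revoke(task):
    """Automatic revocation when the task ends: the credential stops working immediately."""
    task.expires_at = 0.0

def sign_manifest(manifest):
    """HMAC over a tool manifest; only manifests signed with the registry key are accepted."""
    return hmac.new(MANIFEST_SIGNING_KEY, manifest.encode(), hashlib.sha256).hexdigest()

def check_tool_call(task, server, owner, manifest, signature, action, human_approved=False, now=None):
    """Policy gate evaluated before an agent may call an MCP tool. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if now >= task.expires_at:
        return False, "credential expired or revoked"
    if server not in APPROVED_MCP_SERVERS:
        return False, "MCP server not on the approved list"
    if APPROVED_MCP_SERVERS[server] != owner:
        return False, "server ownership check failed"
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return False, "tool manifest signature invalid"
    if action not in task.allowed_actions:
        return False, "action outside task scope"
    if action in HIGH_RISK_ACTIONS and not human_approved:
        return False, "high-risk action requires explicit human approval"
    return True, "allowed"
```

Each denial reason is distinct so the gate's decisions can be logged and alerted on, which is the runtime visibility the guidance asks for.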
