Your AI Agents Hold Credentials. You Don’t Know How Many. Attackers Do.
A year ago, enterprise AI answered questions. Now it acts. AI agents read inboxes, query databases, call APIs, and hold live credentials. Some make decisions that no human signs off on.
That independence is the point of an agent. It is also the problem.
Security teams spent two decades building controls around human users and the apps they run. Agents fit neither. They behave like users but multiply like software. Many teams cannot even count how many agents are running, let alone say what each one can reach.
Researchers have already turned agent‑to‑agent communication into self‑spreading attacks that move from agent to agent with no human in the loop. The autonomy that makes agents useful is now the attack surface.
Five Attack Vectors — All Real, All Ignored
- Prompt injection. Hidden instructions in an email, a web page, or a document get treated as commands. The agent does what the attacker wrote instead of what you asked.
- Tool poisoning. Agents lean on connectors and MCP‑based tools. A poisoned tool can feed false data or quietly pull data out.
- Excessive agency. Agents are often handed more access than the task needs. If an attacker takes over one agent, they reach everything that agent could.
- Memory poisoning. One bad instruction planted once can shape every decision the agent makes later. Memory makes the attack persistent.
- Agent‑to‑agent spread. Agents increasingly call other agents, and trust chains form between them. One compromised agent becomes the way into the next. Self‑spreading attacks already exist.
Every agent needs an account. That account is a machine identity, not a person. These pile up faster than human accounts. They outlast the projects that created them. Most identity tools were built for employees who log in and off, not for software that logs in constantly and has no clear owner.
That gap is where much of the real agent risk lives.
What the Market Is Building — And What’s Still Missing
Vendors are scrambling to close these gaps. The 2026 Cybersecurity Stars Awards recognized companies working on agent security:
- Lasso Security & Trent AI — limit what an agent can reach and do, so a hijacked agent can only go so far.
- Token Security — locks down the machine accounts agents use, tracking sprawl that older identity tools were not built for.
- eSentire — security operations built around agent autonomy: let the system act, but keep monitoring and human oversight.
- Reclaim Security & Akto — hunt for agents that are reachable, over‑permissioned, or exposed through the systems around them.
- Bonfy.AI — data protection for AI systems: what data moved, where it went, and whether it should have moved at all.
- Twine Security — AI digital employees that do security work themselves rather than only assist an analyst.
But here’s what none of these tools replace: a human pentester who thinks like an attacker.
Visibility tools tell you how many agents are running. Monitoring tools tell you what they’re doing. Neither tells you whether the agent is already compromised.
Prompt injection isn’t detected by a scanner. Tool poisoning isn’t caught by a dashboard. Excessive agency isn’t flagged by an alert. These are design failures, not configuration errors.
You need someone who thinks like an attacker — and breaks the agent before it breaks you.
What You Should Do This Week
- ✅ Inventory your agents. Count every active agent that holds credentials. Most teams can’t. Start there.
- ✅ Scope each agent to the least access it needs. If an agent can do more than the job requires, it’s a liability.
- ✅ Treat anything an agent reads as untrusted input. Emails, documents, web pages — all potential attack carriers.
- ✅ Watch agent behavior continuously. Not just at deployment. Agents change over time. So should your monitoring.
- ✅ Run agent‑specific pentests. Prompt injection, tool poisoning, privilege escalation, agent‑to‑agent spread — test them all.
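The first two items on that list (count every agent that holds credentials, then scope each one to least access) can be turned into a repeatable audit. The script below is an added example, not code from the original post: it runs over a constructed inventory of agent records and flags the three conditions the article describes, an agent with no accountable owner, an agent granted more than its task needs, and an agent that has gone quiet but still holds secrets. The record fields and the 30‑day staleness threshold are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class AgentRecord:
    name: str
    owner: str | None         # None: no accountable human (the "no clear owner" case)
    credentials: list[str]    # secrets the agent holds (names only, never values)
    granted: set[str]         # what those credentials actually allow
    needed: set[str]          # what the agent's task requires
    last_active: date | None  # None: registered but never observed acting

def audit_agent(a: AgentRecord, today: date, stale_days: int = 30) -> list[str]:
    """Findings for one agent: ownerless, over-permissioned, or stale but still credentialed."""
    findings: list[str] = []
    if not a.credentials:
        return findings       # nothing to steal; still counted in the inventory
    if a.owner is None:
        findings.append("no owner")
    excess = sorted(a.granted - a.needed)   # excessive agency: granted minus needed
    if excess:
        findings.append("excessive agency: " + ", ".join(excess))
    if a.last_active is None or (today - a.last_active).days > stale_days:
        findings.append("stale but still holds credentials")
    return findings

def audit_inventory(agents: list[AgentRecord], today: date) -> dict[str, list[str]]:
    """Map every agent to its findings; an empty list means it passed."""
    return {a.name: audit_agent(a, today) for a in agents}

def credentialed_agents(agents: list[AgentRecord]) -> list[str]:
    """The number most teams cannot produce: which agents hold live credentials."""
    return [a.name for a in agents if a.credentials]

# Constructed sample inventory (hypothetical agents, not real systems).
TODAY = date(2026, 3, 5)
SAMPLE = [
    AgentRecord("mail-triage", "sec-ops", ["graph-token"],
                {"mail:read", "mail:send", "files:read"}, {"mail:read"}, date(2026, 3, 1)),
    AgentRecord("db-reporter", None, ["pg-readonly"],
                {"db:read"}, {"db:read"}, date(2025, 11, 10)),
    AgentRecord("faq-bot", "support", [], set(), set(), date(2026, 3, 4)),
]

if __name__ == "__main__":
    print("agents holding credentials:", credentialed_agents(SAMPLE))
    for name, findings in audit_inventory(SAMPLE, TODAY).items():
        print(name, findings or ["ok"])
```

Feeding this from your real agent registry is the hard part; the point of the script is that "count them" and "least access" are checks you can run on a schedule rather than a one‑time exercise.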
AI agents hold live credentials. They act autonomously. They multiply like software. And most security teams can’t even count them.
Vendors are building tools for visibility and monitoring. Those tools help. They don’t replace testing.
The first step is counting. The next step is assuming they’re already compromised — and proving otherwise.
You don’t know how many agents are running in your environment. Attackers do.
Full AI Agent Pentest: €3,000. Agent inventory and risk assessment: included. Security retainer: €1,500/month.
📩 DM @StackOfTruths on X. Free 15-min consultation. No hard sell. Just honest answers about your agent exposure.