[{"data":1,"prerenderedAt":169},["ShallowReactive",2],{"blog-article-ai-agent-security-governance-gap":3},{"id":4,"title":5,"body":6,"date":158,"description":159,"extension":160,"image":161,"meta":162,"navigation":163,"path":164,"seo":165,"stem":166,"tags":167,"__hash__":168},"blog/blog/ai-agent-security-governance-gap.md","Your AI Agent Has Admin Access, No Audit Trail, and No Way to Be Stopped",{"type":7,"value":8,"toc":149},"minimark",[9,13,16,19,22,27,30,33,36,39,43,46,49,52,59,65,71,74,78,81,84,87,91,94,97,100,103,106,109,112,116,119,122,125,128,131,134,137],[10,11,12],"p",{},"Something strange is happening in enterprise technology. We're building autonomous software agents, giving them credentials to production databases, API keys to critical systems, and tool belts that let them read, write, and act on real data at machine speed. And then we're securing them like they're a Slack integration.",[10,14,15],{},"Every human employee with privileged access to your production systems goes through onboarding. Background check. Access review. Scoped permissions. A manager who can revoke those permissions. An audit trail that logs what they did, when, and why. Your AI agent, the one running an always-on execution loop against your transaction database at 3am, skipped all of that. It has broader access than most of your engineers, no behavioural baseline for your SOC to monitor against, and in most deployments, no reliable way to be stopped mid-action.",[10,17,18],{},"This is not a theoretical risk. IBM's 2025 Cost of a Data Breach Report found that 13% of organisations had already experienced a security breach involving an AI model or application. Of those that were breached, 97% admitted they lacked proper AI access controls or governance at the time of the incident. And McKinsey's 2025 State of AI survey found that 80% of organisations experimenting with AI agents have already encountered risky behaviours (improper data exposure, unauthorised system access) in their own deployments.",[10,20,21],{},"We are shipping capability faster than we are shipping guardrails. And the gap between those two things is where the next generation of enterprise security incidents lives.",[23,24,26],"h2",{"id":25},"the-attack-surface-nobody-scoped","The attack surface nobody scoped",[10,28,29],{},"The traditional enterprise security model assumes a human in the loop. A person authenticates. A person makes a request. A person's behaviour deviates from a baseline and triggers an alert. The entire detection stack (SIEM, UEBA, PAM, EDR) was engineered around the assumption that privileged activity correlates with human behavioural patterns.",[10,31,32],{},"An autonomous AI agent breaks that assumption at a fundamental level.",[10,34,35],{},"The agent doesn't authenticate like a human. It uses a service account, an API token, or an OAuth flow that was configured during development and never reviewed again. It doesn't generate the kind of telemetry your SOC was trained to read. It makes thousands of API calls per day, each one authorised by the credential it was given, none of them logged in a format your SIEM can ingest. There's no \"unusual login time\" alert because the agent never sleeps. There's no \"anomalous access pattern\" because the agent's entire purpose is to access data at scale.",[10,37,38],{},"Most enterprises don't have an audit schema for agent activity because they didn't think they needed one. Without one, a compromised agent operating with its legitimate credentials, through its authorised API connections, looks identical to an agent operating normally. There is no anomaly to detect because you never defined what normal looks like.",[23,40,42],{"id":41},"prompt-injection-is-not-theoretical-it-has-cves","Prompt injection is not theoretical. It has CVEs.",[10,44,45],{},"There's a persistent narrative in enterprise AI discussions that prompt injection is an academic curiosity, something researchers demonstrate at conferences but that doesn't affect real production systems. That narrative is dangerously wrong.",[10,47,48],{},"OWASP lists prompt injection as the number-one vulnerability in its 2025 Top 10 for Large Language Models. Not a theoretical risk. The top-ranked actual vulnerability.",[10,50,51],{},"EchoLeak: Microsoft 365 Copilot. CVE-2025-32711, severity score 9.3 out of 10. A zero-click indirect prompt injection that enabled data exfiltration from OneDrive, SharePoint, and Teams. No user interaction required. The attacker plants a payload in a document. Copilot processes it. Data leaves the building.",[10,53,54,58],{},[55,56,57],"strong",{},"ForcedLeak - Salesforce Agentforce."," Severity score 9.4. A prompt injection delivered through a standard Web-to-Lead form caused Agentforce to exfiltrate CRM data to an attacker-controlled domain.",[10,60,61,64],{},[55,62,63],{},"Devin AI, Cognition's autonomous coding agent."," Security researcher Johann Rehberger demonstrated full kill-chain exploits: opening internal ports to the public internet, exfiltrating environment variables, and installing malware, all triggered by prompt injection delivered through GitHub issues. Reported in April 2025. Still unpatched after 120 days at the time of publication.",[10,66,67,70],{},[55,68,69],{},"Slack AI."," Indirect prompt injection enabling data exfiltration from private channels the attacker couldn't access. The agent, operating with its legitimate permissions, became the exfiltration mechanism.",[10,72,73],{},"These are CVE-backed vulnerabilities in production enterprise systems. Microsoft 365 Copilot. Salesforce Agentforce. Slack. The tools we're actually deploying. And in every case, the attack vector is the same: the agent processes untrusted input, treats it as instruction, and acts on it with its full set of credentials. The agent doesn't know it's being exploited. It's doing exactly what it was designed to do: follow instructions and use tools. It just can't tell the difference between your instructions and someone else's.",[23,75,77],{"id":76},"the-governance-gap-is-wider-than-you-think","The governance gap is wider than you think",[10,79,80],{},"The security governance frameworks we rely on were not designed for autonomous systems that generate their own API calls and make their own tool-selection decisions. NIST's AI Risk Management Framework makes no explicit mention of AI agents, agent identity, tool-invocation audit trails, or kill-switch mechanisms. The agents are already in production.",[10,82,83],{},"Inside the organisations deploying these agents, the governance picture is worse. A Gartner webinar poll of CIOs found that only 13% strongly agreed they had the right governance structures to manage AI agents. Barely half of deployed agents are actively monitored or secured. Forrester put a number on the consequence: 75% of firms attempting to build agentic AI architectures on their own will fail, with governance cited as the primary reason.",[10,85,86],{},"The gap between \"we know this matters\" and \"we've actually implemented the controls\" is where incidents happen.",[23,88,90],{"id":89},"what-it-actually-looks-like-when-you-build-it-right","What it actually looks like when you build it right",[10,92,93],{},"A mid-market financial services firm engaged a delivery team to productionise an internal AI agent that automated compliance checks: cross-referencing transaction records against sanctions lists, flagging anomalies, routing escalations to human reviewers. The agent had a working prototype. The board was enthusiastic. The ask was straightforward: ship it in six weeks.",[10,95,96],{},"The prototype had broad database credentials granted during development. Read-write access. Fourteen tables. Including the transaction tables used by the live payment processing system.",[10,98,99],{},"The delivery team proposed a two-week discovery engagement first. The discovery finding justified the delay: the agent's credential model meant a single prompt injection attack could trigger erroneous transaction blocks across live accounts, or unlogged data modifications to the payment processing tables. At machine speed. At 2am. With no one watching and no audit trail to reconstruct what happened.",[10,101,102],{},"Discovery scoped the agent's actual access requirements against its defined functional scope. The result: the agent needed read access to three tables, not fourteen, and zero write access to any production table. All state changes routed through a validated, human-confirmed API endpoint.",[10,104,105],{},"The architecture that shipped included a dedicated service account with tool-level permission bindings enforced at the infrastructure layer. An immutable append-only audit log schema capturing every tool invocation, every data read, every external API call, with the prompt context at the time of each action. A sandboxed execution environment for the reasoning loop, isolated from the production data plane. And a kill-switch endpoint integrated into the firm's existing incident response runbook.",[10,107,108],{},"Delivered on a revised eight-week timeline. Zero production credentials exposed during build or post-deployment. The agent's audit trail passed external compliance review on first submission. The auditor noted it was the first AI system they had reviewed with a complete tool-invocation log.",[10,110,111],{},"Six weeks to production. Eight weeks to production done right. The difference is whether you're one malformed input away from an unlogged modification to live financial data.",[23,113,115],{"id":114},"the-problem-isnt-that-we-dont-care-its-that-the-people-building-it-arent-the-people-who-know-what-breaks","The problem isn't that we don't care. It's that the people building it aren't the people who know what breaks.",[10,117,118],{},"This is where the enterprise AI security conversation keeps getting stuck. KPMG says 75% of leaders cite security as a top priority. The CISOs know. The CTOs know. The board has probably seen a slide about it.",[10,120,121],{},"The structural problem is who owns the delivery. In most organisations, the AI agent is built by a product team or an innovation lab. They are measured on capability, speed, and the demo at the all-hands meeting. Security review (if it happens at all) is performed by a separate team, after the architecture is set, often by people who understand traditional application security but have never designed an agentic workflow. They can tell you whether the API gateway has rate limiting. They cannot tell you whether the agent's credential model survives a compromised prompt context.",[10,123,124],{},"Scoped permissions. Audit infrastructure. Containment mechanisms. Input validation pipelines that reject injection patterns before they reach tool execution. Those are not features you bolt on. They are architectural decisions that have to be made before the first line of production code is written. And they have to be made by people who understand both the agentic workflow and the threat model, not by two separate teams who meet in a review gate that happens too late to change anything structural.",[10,126,127],{},"This is why the problem isn't solvable by adding headcount or buying a tool. It requires a delivery model where security architecture and agent architecture are the same discipline, owned by the same team, from the same starting point. Not a security review after the agents are built. A single delivery lifecycle where the threat model, the permission model, the audit schema, the containment mechanisms, and the agentic workflow are designed together, because they are, architecturally, the same system.",[10,129,130],{},"The organisations that will navigate this successfully are not the ones that care most about security. Everyone cares. They are the ones that refused to separate the question of \"does it work?\" from the question of \"what happens when someone tries to make it work wrong?\" and built both answers into the same architecture, from day one.",[10,132,133],{},"The agents are already in production. The regulatory frameworks are still being written. The detection infrastructure is blind. The workforce to fix it doesn't exist at scale. Whether your deployment is a competitive advantage or an unmonitored liability comes down to one decision you either already made or didn't: who architected the system, and did they build it like someone was going to try to break it?",[135,136],"hr",{},[10,138,139],{},[140,141,142,143,148],"em",{},"Vanrho builds agentic systems where security architecture and agent architecture are the same discipline. From day one. If your agents are in production without governance guardrails, ",[144,145,147],"a",{"href":146},"/#contact","let's scope what it takes to fix that",".",{"title":150,"searchDepth":151,"depth":151,"links":152},"",2,[153,154,155,156,157],{"id":25,"depth":151,"text":26},{"id":41,"depth":151,"text":42},{"id":76,"depth":151,"text":77},{"id":89,"depth":151,"text":90},{"id":114,"depth":151,"text":115},"2025-03-15","We're giving autonomous AI agents production credentials and securing them like Slack integrations. Here's why that's an enterprise security crisis waiting to happen.","md","/images/blog/ai-agent-security-governance-gap.webp",{},true,"/blog/ai-agent-security-governance-gap",{"title":5,"description":159},"blog/ai-agent-security-governance-gap","ai, security, enterprise, governance","7XDa6rjYXuBA2FlGvbTqqW_aTd2wba-3pOCWwpqb5cI",1776068107548]