{"slug": "every-ai-agent-is-an-identity-most-organizations-don-t-treat-them-that-way", "title": "Every AI Agent Is an Identity. Most Organizations Don't Treat Them That Way", "summary": "AI agents are increasingly acting as digital identities within enterprises, yet most organizations lack security and governance models for them. A CSA survey commissioned by Token Security found 82% of organizations discovered at least one AI agent created without security or IT knowledge, and 65% experienced an AI-agent-related security incident in the past year.", "body_md": "For years, security teams built their programs around a simple premise of if you control the identities, you can control the risk. Employees authenticate through identity providers. Service accounts connect systems. API keys let workloads talk to cloud services and databases.\n\nThe actors have been very predictable. And as a result, the identity security and governance model have followed that predictability. Now, this premise is breaking.\n\nAI agents entered the enterprise quietly, summarizing meetings, drafting emails, helping employees find information. Most security teams didn't think hard about them at first. They looked like productivity tools, because that is exactly what they were.\n\nThen, organizations started connecting them to critical business services such as Salesforce, Snowflake, GitHub, Jira, production databases, and cloud environments. Now, they retrieve information, trigger workflows, update records, write and deploy code, and take actions across multiple systems.\n\nSometimes on the behalf of a human, sometimes autonomously, and sometimes in ways where it's genuinely unclear which.\n\nThis makes AI agents more than just tools. It makes them identities and most enterprises have no security and governance models for them.\n\nThe pattern is consistent across organizations. A new identity layer gets built on top of existing infrastructure with almost none of the controls that identity teams spent the last decade putting in place. An agent might be created by one team, used by another, connected to five different applications, and running on credentials that were provisioned for a completely different purpose.\n\nIt got broad access early because someone needed it to work and didn't want to slow things down. The result is a sprawl of high-privilege, low-visibility actors that most security teams can't inventory, let alone govern.\n\n[Don't let fear slow you down. AI at scale with Token Security on your side.](https://www.token.security/book-a-demo?utm_source=bleepingcomputer&utm_medium=3rdparty&utm_campaign=bleepingcomputer&utm_content=june-19)\n\nAI agents create, use, and rotate identities at machine speed, outpacing traditional IAM controls.\n\nToken Security helps teams manage the full lifecycle of AI agent identities, reduce risk with remediation, and maintain governance and audit readiness without sacrificing speed.\n\n[Request a Tech Demo](https://www.token.security/book-a-demo?utm_source=bleepingcomputer&utm_medium=3rdparty&utm_campaign=bleepingcomputer&utm_content=june-19)\n\nAccording to a [2026 CSA survey](https://www.token.security/lp/autonomous-but-not-controlled-ai-security-data-report-csa?utm_source=bleepingcomputer&utm_medium=3rdparty&utm_campaign=bleepingcomputer&utm_content=june-19) commissioned by us here at Token Security, 82% of organizations discovered at least one AI agent created without the knowledge of security, IT, or governance teams in the past year, and 41% found this happening multiple times.\n\nHere's where the security conversation has gone sideways. Most of the attention on AI security has landed on model risk, such as prompt injection, jailbreaks, unsafe outputs. While these are all an important part of the agentic AI ecosystem, they don’t paint the complete picture enterprise security teams require. The most important piece they need must answer what can the agent actually access?\n\nAn agent that summarizes public documentation has limited blast radius. An agent connected to customer records, source code, financial systems, and admin-level cloud credentials is a different problem entirely.\n\nA bad prompt, a compromised session, a malicious plugin, or a misconfigured integration can turn an overprivileged agent into a path for data exfiltration, destructive action, or lateral movement through systems that were never meant to be connected.\n\nThis is no longer theoretical, 65% of organizations experienced a security incident involving an AI agent in the past year, with 61% reporting exposure or mishandling of sensitive data as a result ([source](https://www.token.security/lp/autonomous-but-not-controlled-ai-security-data-report-csa?utm_source=bleepingcomputer&utm_medium=3rdparty&utm_campaign=bleepingcomputer&utm_content=june-19)).\n\nGetting control starts with visibility. Security teams need AI agent discovery and inventory that extends beyond just names and platforms to answer questions that actually matter.\n\nWho owns this agent? Who can invoke it? What systems is it connected to? What credentials does it use? What can it read, write, delete, or execute in each target application?\n\nThis is harder than it sounds, because the surface isn't obvious. A security team might know a sales assistant exists in an AI platform without knowing it runs on a Snowflake service account with admin privileges. They might know a coding agent is installed on developer endpoints without knowing which secrets, repositories, and CI/CD pipelines it can reach.\n\nThe agent itself is only part of the picture. Everything the agent's identities can touch is the actual exposure surface.\n\nThe second piece is purpose. Security and governance can't be purely permission-based with AI agents. It has to account for the agent’s intent. A sales prep agent only needs read access to CRM records. It doesn't need to delete database tables.\n\nA finance workflow agent should only read invoices. It shouldn't be able to create new privileged users. When you understand what an agent is supposed to do, you can evaluate whether its permissions match that scope. And, in practice today, they rarely do and that gap is where the real risk lives and it only widens over time through [least privilege policy drift](https://www.token.security/blog/least-privilege-policy-drift-and-runtime-risk?utm_source=bleepingcomputer&utm_medium=3rdparty&utm_campaign=bleepingcomputer&utm_content=june-19).\n\nOnce intent is understood, enforcement becomes possible. Permissions can be trimmed to match the agent’s actual purpose, overprivileged service accounts remediated, unused credentials rotated or removed, and risky connections caught before they turn into incidents.\n\nThe part that trips up most teams is that none of this is a one-time exercise. An access review or an audit may feel like progress, but they just provide a point-in-time checkbox and a false sense of security. The reason is that agents change, instructions update, user bases shift, and integrations expand.\n\nAn agent that started as a narrow internal tool can quietly end up connected to systems it was never designed to touch, not because anyone made a bad decision, but because nobody was watching when the scope crept.\n\nThat's why [governance needs to be continuous](https://www.token.security/enzo?utm_source=bleepingcomputer&utm_medium=3rdparty&utm_campaign=bleepingcomputer&utm_content=june-19) to catch agents that start accessing applications outside their normal pattern, use unexpected credentials, or take actions that don't fit their stated purpose.\n\nThe enterprises that succeed with AI will not be the ones that block agents entirely. They will be the ones that make agents governable and promote secure AI innovation. This means treating them as first-class identities with owners, access, behavior, risk, and lifecycle controls.\n\nAI agents are becoming privileged insiders. Security and identity programs must now catch up before those insiders become invisible attack paths.\n\n**We’d love to show you how we’re tackling this at Token Security, book a demo to chat with our technical team so you can scale without sacrificing safety.**\n\n*Sponsored and written by Token Security.*", "url": "https://wpnews.pro/news/every-ai-agent-is-an-identity-most-organizations-don-t-treat-them-that-way", "canonical_source": "https://www.bleepingcomputer.com/news/security/every-ai-agent-is-an-identity-most-organizations-dont-treat-them-that-way/", "published_at": "2026-06-19 13:23:13+00:00", "updated_at": "2026-06-19 13:37:30.289325+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-policy", "ai-infrastructure", "ai-ethics"], "entities": ["Token Security", "CSA", "Salesforce", "Snowflake", "GitHub", "Jira"], "alternates": {"html": "https://wpnews.pro/news/every-ai-agent-is-an-identity-most-organizations-don-t-treat-them-that-way", "markdown": "https://wpnews.pro/news/every-ai-agent-is-an-identity-most-organizations-don-t-treat-them-that-way.md", "text": "https://wpnews.pro/news/every-ai-agent-is-an-identity-most-organizations-don-t-treat-them-that-way.txt", "jsonld": "https://wpnews.pro/news/every-ai-agent-is-an-identity-most-organizations-don-t-treat-them-that-way.jsonld"}}