Your AI Agents Already Have Identities. Does Your Security Stack Know That?
- Ryan Rowcliffe
- 4 minutes ago
- 7 min read
Ahead of the Breach | Part 3 of 3: The Identity Imperative
Parts 1 and 2 of this series established the threat arc. Frontier AI has crossed a new capability threshold in cyber offense: autonomous zero-day discovery, working exploit development, end-to-end network attacks. That capability will democratize through open-weight models to nation-states, hacktivists, and mid-tier threat actors who won't ask permission and won't sign terms of service. This post is about what you build in response. And the answer starts with a number that should stop any security team in its tracks.
According to Microsoft's February 2026 security report, 80% of Fortune 500 companies now have active AI agents operating within their environments. The average enterprise has approximately 1,200 unofficial AI applications in use. And 86% of organizations report no visibility into their AI data flows.
Read that last number again. 86%. No visibility. Not limited visibility. Not partial visibility. None.
We have spent the better part of a decade arguing that identity is the new perimeter. Attackers don't break in, they log in. The industry has generally accepted that framing. Now we have a new class of actor operating inside enterprise environments, authenticating to systems, accessing resources, generating outputs, and moving data. This actor isn't a human employee. It isn't a traditional service account. It's an AI agent, and in the vast majority of organizations, no one is watching what it does.
The Scope of the Problem
AI agents are non-human identities. Full stop. When an agentic system authenticates to your Salesforce instance, pulls records from SharePoint, writes to a database, or calls an external API, it is performing the same actions that a compromised credential performs when an attacker moves laterally through your environment. The difference is that the AI agent is authorized to do those things. The problem is that nobody is verifying whether what it's doing on any given session reflects the scope of what it was authorized to do.
This distinction matters more now than it did eighteen months ago. The Claude Mythos Preview System Card, published by Anthropic in April 2026, documents something that deserves more attention than its received in the identity security community: a frontier AI model capable of autonomous zero-day discovery, working exploit development, and end-to-end corporate network attacks is already being evaluated and deployed (in restricted form) for defensive purposes. The same capabilities that make such a model valuable for defense make it dangerous in the hands of adversaries. And those adversaries are increasingly targeting the AI agents operating inside enterprise environments as vectors for initial access and lateral movement.
The prompt injection data in the Mythos System Card is instructive. A prompt injection attack hides malicious instructions inside content that an agent processes on the user's behalf: a website it visits, an email it summarizes, a document it reads. When the agent encounters those instructions, it may interpret them as legitimate commands and act accordingly. Against Claude Mythos Preview, the attack success rate in browser environments dropped to 0.68% under red-team testing. That's a genuine improvement. But 0.68% across the millions of agentic interactions happening daily in enterprise environments is not zero. And that number reflects the most safety-trained frontier model available. The average enterprise isn't running the most safety-trained frontier model. Most are running a mix of commercial AI tools, internally built agents, and shadow AI applications that nobody in security has evaluated.
The vulnerability isn't theoretical. It's already present.
The Identity Observability Gap
The fundamental issue is that most identity security programs were built to monitor human-to-application access patterns. The models they use to define normal behavior, the alerting thresholds they've tuned, the investigation workflows they've developed: all of it reflects assumptions about how human users interact with systems. AI agents break those assumptions.
An AI agent accessing ten different systems in a two-minute window isn't anomalous for an AI agent. It may be exactly how the agent is designed to work. But that same access pattern from a human user at 2 AM is a high-priority incident. Threat detection systems without the context layer that distinguishes AI agent behavior from human behavior will produce one of two outcomes: a flood of false positives that burns out the SOC, or a deliberate decision to exclude agent traffic from detection scope entirely. Neither is acceptable.
CyberArk's 2026 analysis of AI agent identity risks notes that AI agents routinely hold 10 times more privileges than required for their designated function, with 90% of agents operating in an over-permissioned state. That's not an architecture problem unique to poorly designed systems. It reflects the way agents are typically deployed: scoped for potential use cases rather than current use cases, provisioned once and rarely reviewed. The same principle that applies to orphaned human accounts: unused, over-permissioned access is a liability. It applies with equal force to AI agents. The difference is that nobody is running quarterly access reviews on AI agents in most organizations.
A growing category of Non-Human Identity (NHI) security platforms has emerged to address part of this. NHI tools help organizations discover service accounts, rotate API credentials, enforce least-privilege scoping, and decommission access when agents are decommissioned. That work matters and organizations should be doing it. But NHI platforms solve an access governance problem. They tell you what an agent is permitted to do. They don't tell you what it's actually doing.
That distinction is where real risk lives. An AI agent operating entirely within its provisioned permissions can still be the vehicle for a breach if those permissions were over-scoped from the start, or if a prompt injection attack redirects the agent's behavior mid-session. The credential doesn't change. The behavior does. Without session-level telemetry that captures what the agent actually touched, in what sequence, from what context, you cannot distinguish a normal agent session from one that has been compromised or manipulated. NHI governance tells you the policy. Identity observability tells you whether the policy held, in real time, at the session level, across every identity in your environment.
Most organizations have invested in the first. Almost none have the second.
Without that visibility, you cannot answer the question that matters most: if a threat actor compromised one of your AI agents through a prompt injection attack right now, how long would it take you to know?
For most organizations, the honest answer is: long after the damage was done.
Building the Foundation
The solution isn't to stop deploying AI agents. The productivity gains are real, and organizations that avoid agents entirely will compete at a disadvantage against those that don't. The solution is to instrument identity infrastructure to treat AI agents as a first-class identity category, with the visibility, governance, and behavioral monitoring that implies.
Start with a complete inventory. You cannot monitor what you haven't identified, and shadow agents (the 1,200 unofficial applications the average enterprise is running) are invisible in most identity governance programs. Most NHI tools only see the agents that were formally provisioned through managed channels. The others, the ones built by a business unit, deployed through a third-party integration, or spun up without a ticket, don't exist in the catalog. Discovering them requires instrumentation at the authentication layer, not just at the provisioning layer. If your visibility starts and ends with what was officially approved, you've already accepted a blind spot that covers the majority of your actual agent population.
This is where I've seen organizations consistently underestimate the scope of the problem. They deploy an NHI governance tool, get a clean dashboard of managed agents, and conclude they have the situation covered. They don't. What they have is governance over the agents they knew about. The rest are operating without oversight, often with permissive credentials that nobody scoped carefully because nobody expected them to persist as long as they have (this was framed as a temporary integration six months ago, and now it's running against your production database every four hours).
NIST SP 800-63's digital identity guidelines and the emerging NIST AI Risk Management Framework both point toward what a complete solution requires: human and non-human identities need consistent lifecycle management, continuous verification, and behavioral monitoring aligned to defined access scopes. Getting there requires a platform built around a different question than traditional IAM or NHI tools ask.
That's the problem AuthMind was built to solve. The core design principle is that identity observability has to cover the full ecosystem: every identity, human or non-human, whether it was provisioned through your official IAM workflow or discovered by instrumenting authentication telemetry directly. Where IAM tools manage the provisioning lifecycle and NHI platforms govern credential hygiene, AuthMind provides the behavioral visibility layer that neither was designed to deliver. It instruments the authentication layer across your full environment, builds behavioral baselines for each identity, and surfaces deviations at session level in real time.
The practical output is the ability to answer questions that most organizations currently can't: which agents accessed sensitive resources in the last 24 hours, what did those sessions look like compared to established baselines, and did any of them include access patterns that fall outside normal operating scope? When the answer deviates, the detection workflow fires. Whether the actor is a human employee, a compromised service account, or an AI agent that was manipulated through a prompt injection attack, the response process is the same. The difference is whether you built the instrumentation to see it in the first place.
The Moment We're In
The Mythos System Card captures something important about where AI capabilities are heading. The models that will be broadly deployed as agents inside enterprise environments over the next two to three years will be substantially more capable than the models enterprises are deploying today. More capable means more access, more autonomy, more complex behaviors, and a correspondingly larger attack surface if those identities aren't being monitored.
Attackers understand this. They were using commercial AI tools to run influence operations and data exfiltration campaigns before frontier models demonstrated autonomous exploit development. The threat actor community adapts quickly. The question is whether enterprise identity security programs adapt at the same pace.
The organizations that will be best positioned in this environment aren't the ones that responded to AI agent proliferation by restricting adoption. They're the ones that instrumented their identity infrastructure to see every agent, govern every access scope, and detect anomalous behavior at session level, before the first incident forced the issue.
Visibility is not the whole answer. But across this three-part series, one principle holds constant: the organizations that navigate this shift successfully are the ones that can see what's happening in their environments in real time, across every identity, human or machine. AI capability is advancing on both sides. The gap between attackers and defenders won't be determined by who has the better model. It will be determined by who has the better instrumentation.
That's the prerequisite for every other answer. Without it, you're not managing risk. You're hoping nothing goes wrong.
Part 1 - When a Lab Withholds Its Best Model: What the Claude Mythos System Card Signals for Cybersecurity