
AI Agent Toxic Combinations: When Risk Stacks Reach Critical Severity

Most AI agents running in enterprise SaaS environments hold more permissions than their workflows require. That single finding rates as medium severity. Add an orphaned creator account and a public-facing deployment, and you no longer have a medium-severity finding. You have a critical incident waiting for a trigger. That is the core problem with how most teams score <a href="https://www.obsidiansecurity.com/blog/ai-agent-security-risks">AI agent risk</a> today: they evaluate each factor in isolation and miss the compound severity that combinations create.

Aman A., SEO Manager · Obsidian Security · May 15, 2026
Key Takeaways
  • Standard CVSS-style scoring evaluates risk factors individually and systematically under-scores agentic AI threats.
  • An AI agent toxic combination occurs when two or more medium-severity factors appear simultaneously on the same agent, compounding to high or critical severity.
  • The five most common toxic combinations share a structural pattern: broad access plus missing accountability plus active exposure.
  • Public accessibility is the single most common risk amplifier. Combined with maker mode credentials, it creates the confused deputy attack pattern at scale.
  • Detection requires a combination scoring layer on top of individual factor detection. Inventory comes first. Scoring comes second. Triage comes third.

Why Single-Factor Risk Scoring Fails for AI Agents

Security teams inherit CVSS-style scoring from vulnerability management. That model works for discrete software flaws. A buffer overflow has a severity score. A misconfigured S3 bucket has a severity score. Each finding is evaluated on its own technical merit.

Agentic AI risk does not work that way.

When a security team asks "how risky is this agent," the answer is never a single number derived from a single property. The agent's risk profile is the product of every factor present simultaneously: its access scope, its credential model, its ownership state, its deployment surface, and its connection topology. Remove any one factor and the severity drops. Add one factor and it can jump two severity levels.

This is the difference between additive risk and compound risk. Traditional scoring adds factors: medium plus medium equals medium-high. Compound risk multiplies them: medium times medium equals critical, because each factor enables the next one to cause harm.

Consider a concrete example. An agent configured as org-wide accessible rates as medium severity. An agent running on maker mode credentials rates as medium severity. But an agent that is both org-wide accessible and running on maker mode admin credentials is not a medium-high finding. It is a critical finding, because any user in the organization can now invoke an agent that executes with administrator-level permissions they were never granted. Your IAM controls were bypassed by design.

The question standard scoring tools never ask is: what is the worst combination of factors present on this agent right now? That is the question an AI agent toxic combination framework is built to answer. You can read more about the foundational patterns in Obsidian's prior analysis of toxic risk combinations. This article goes deeper on the scoring methodology and operationalization.

The Five Most Common AI Agent Toxic Combinations

These five patterns appear consistently across enterprise environments. Each one has been observed in real deployments. None of them would surface as critical in a single-factor scan.

1. Public Access + Sensitive Data Access + Maker Mode Admin Credentials

This is the highest-volume critical combination. The agent is reachable by anyone with the URL, it has access to sensitive records or files, and it runs on the agent creator's admin credentials. Any anonymous or low-privilege user can extract data the creator could access. The blast radius is the creator's entire permission scope.

2. Orphaned Creator Account + Admin Credentials + Active Agent

The agent's creator account has been disabled, typically because the employee left the organization. The agent continues running. It still holds the creator's embedded credentials. No one owns it. No one can modify it. No one is watching it. This is the machine insider equivalent of a zombie service account with admin rights. Orphaned AI agents represent one of the most common gaps in enterprise AI governance programs.

3. Shadow Agent + Unsanctioned MCP Connection + External Domain Access

The agent was deployed without IT or security review. It connects to an MCP server that is not in your approved inventory. That MCP server communicates with an external domain your team has never evaluated. Three factors, each individually medium severity. Together, they describe a data path from your SaaS environment to an unknown external destination, with no owner and no oversight.

4. Cross-Platform Action Chain + Hardcoded Secrets + No Declared Owner

The agent sequences tool calls across multiple SaaS applications. It carries hardcoded credentials embedded in its configuration. No owner is declared. Action chaining compounds the blast radius with every step: the agent's access in application A enables access in application B, which enables access in application C. Hardcoded secrets mean credential rotation does not reach this agent. No owner means no one remediates it when the chain is discovered.

5. High-Privilege Service Account + Shared Across Multiple Agents + No Rotation Policy

A single high-privilege service account is used as the credential base for multiple agents. Compromise of any one agent exposes the credential used by all of them. No rotation policy means the exposure window is indefinite. This pattern is especially common in Salesforce Agentforce and n8n workflow environments where shared connector credentials are a default configuration pattern.

The Risk Scoring Math: How Combinations Compound to Critical

The compounding logic follows a consistent structure. A single factor creates a theoretical risk. A second factor creates a viable attack path. A third factor removes the last control that might have caught it.

Factor A alone: the risk could happen. Factor A plus Factor B: the risk can now be executed. Factor A plus Factor B plus Factor C: the risk can be executed and will not be detected.

That three-stage escalation is why combination scoring matters. The third factor is almost always an accountability gap: no owner, no rotation, no sanctioned status. That gap is what converts a detectable incident into a silent one.

Toxic Combination Scoring Framework

| Combination Name | Factor 1 | Factor 2 | Factor 3 | Individual Severities | Combined Severity | Prevalence |
| --- | --- | --- | --- | --- | --- | --- |
| Public Maker Mode Admin | Public/org-wide access | Maker mode credentials | Sensitive data access | Med / Med / Med | Critical | Very High |
| Zombie Admin Agent | Orphaned creator account | Admin-level credentials | Agent still active | Med / High / Med | Critical | High |
| Shadow MCP Exfil Path | Shadow/unsanctioned agent | Unregistered MCP server | External domain connection | Med / Med / Med | Critical | High |
| Chainsaw Action Agent | Cross-platform action chain | Hardcoded secrets | No declared owner | High / High / Med | Critical | Medium |
| Shared Credential Cluster | High-privilege service account | Shared across agents | No rotation policy | High / Med / Med | Critical | Medium |
| Confused Deputy Escalation | Maker mode connector | Low-privilege invoker access | No invoker permission check | Med / Med / High | Critical | High |
| Public Shadow Agent | Shadow agent (unmanaged) | Org-wide unrestricted access | Sensitive data in scope | Med / Med / Med | Critical | Very High |

Why this math is not speculative: Real-world incidents almost always involve multiple contributing factors. The 2025 Salesloft-Drift compromise affected 700+ Salesforce environments not because of one misconfiguration, but because a bearer token compromise combined with broad OAuth scopes and no runtime anomaly detection created a silent exfiltration path. Single-factor scoring would have rated each element as medium. The combination was catastrophic.

AI Agent with Public Access Risk: The Most Common Critical Combination

Public accessibility is the single most common risk amplifier in enterprise AI agent deployments. An agent configured as org-wide accessible or publicly reachable via URL is not inherently critical. It becomes critical when combined with any one of three co-occurring factors: maker mode credentials, sensitive data access, or an orphaned owner.

Here is why the public-access risk pattern is so dangerous at scale.

When an agent is publicly accessible, the invoker population is unbounded. You cannot predict who will interact with it, what they will ask, or what data they will attempt to extract. Standard IAM assumes a known invoker population. Public agents remove that assumption entirely.

Layer maker mode credentials onto public accessibility and you have the confused deputy attack pattern. The agent executes using its creator's permissions, not the invoker's. A user with no Salesforce access invokes the agent. The agent queries Salesforce using the creator's admin credentials. The user receives data they were never authorized to see. The agent did exactly what it was configured to do. Nothing in your IAM flagged it. This is the agentic confused deputy attack: the agent is a trusted deputy that can be directed by anyone to act with authority it should not be delegating.

Consider a composite scenario. A Microsoft Copilot Studio agent is built by a Salesforce administrator to summarize pipeline reports. The creator configures it in maker mode, using their own admin credentials as the connector authentication. The agent is published org-wide for convenience. Six months later, the creator leaves the company. Their account is disabled. The agent keeps running. A contractor with no Salesforce license asks the agent for a full pipeline summary. The agent returns it, authenticated as the former admin. Three toxic combination factors are present: public access, maker mode admin credentials, and an orphaned creator. The individual severity of each factor is medium. The combined severity is critical.

Securing Microsoft Copilot requires detecting this specific pattern, not just flagging public agents in isolation.
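The confused deputy pattern and its remediation (maker mode replaced by per-user authentication, plus grant revocation at offboarding), as an added example that is not Obsidian's code or either platform's API: the directory, CRM records and token store are constructed stand-ins, and the assumption that a stored connector grant outlives account disablement unless revoked separately is the scenario the composite example above describes, modelled here.

```python
"""Maker mode vs per-user connector authentication for a pipeline-summary agent.
Added example, not Copilot Studio or Salesforce code: a constructed directory, CRM and
token store stand in for the real platforms. It assumes a stored connector grant keeps
working after the issuing account is disabled unless the grant is revoked separately."""
DIRECTORY = {  # constructed identity directory
    "admin@example": {"active": True, "perms": {"crm.pipeline.read"}},
    "rep@example": {"active": True, "perms": {"crm.pipeline.read"}},
    "contractor@example": {"active": True, "perms": set()},
}
PIPELINE = [{"deal": "Acme renewal", "amount": 120000}, {"deal": "Globex expansion", "amount": 80000}]
TOKENS = {}  # token -> permissions frozen at issuance, like a stored OAuth grant
class PermissionDenied(Exception):
    pass
def issue_token(principal):
    """Mint a grant carrying the principal's permissions; refused for disabled accounts."""
    user = DIRECTORY.get(principal)
    if not user or not user["active"]:
        raise PermissionDenied(f"{principal}: no active account")
    TOKENS[f"tok-{principal}"] = set(user["perms"])
    return f"tok-{principal}"
def disable_account(principal, revoke_grants=False):
    """Offboarding. Without revoke_grants the stored token keeps an orphaned agent alive."""
    DIRECTORY[principal]["active"] = False
    if revoke_grants:
        TOKENS.pop(f"tok-{principal}", None)
def crm_query(token):
    """The connected app checks only the credential presented, not who triggered the agent."""
    perms = TOKENS.get(token)
    if perms is None or "crm.pipeline.read" not in perms:
        raise PermissionDenied("credential lacks crm.pipeline.read")
    return PIPELINE

class MakerModeConnector:
    """Vulnerable: the creator's grant is embedded at build time and reused for every invoker."""
    def __init__(self, creator):
        self.token = issue_token(creator)
    def run(self, invoker):
        return crm_query(self.token)  # invoker never consulted: the confused deputy

class PerUserConnector:
    """Hardened: each call uses a grant in the invoker's own name, so the CRM's ACL applies."""
    def run(self, invoker):
        return crm_query(issue_token(invoker))

def summarize_pipeline(connector, invoker):
    """Agent tool call; returns the summary or the reason the request was refused."""
    try:
        rows = connector.run(invoker)
    except PermissionDenied as exc:
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "deals": len(rows), "total": sum(r["amount"] for r in rows)}
```

With the maker mode connector the contractor gets the full pipeline, and still gets it after the admin's account is disabled; only revoking the stored grant, or switching to the per-user connector, closes the path.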

Building a Toxic Combination Detection Program

Most teams do not have a combination scoring layer. They have a list of individual findings. The gap between those two things is where critical risks stay invisible.

Here is a four-step program to close that gap.

Step 1: Build a Complete Agent Inventory

You cannot score what you cannot see. The prerequisite for any combination detection program is a complete, current inventory of every agent in your environment: who built it, what platforms it runs on, what credentials it uses, and what data it can access. Enterprise inventories routinely surface hundreds of Copilot agents that no one had catalogued and thousands of agents created before any inventory existed. Start with AI agent visibility as the foundation. Without it, combination scoring is ghost chasing.

Step 2: Map Risk Factors Per Agent

For each agent in your inventory, identify which risk factors are present. The key factors to track are: public or org-wide accessibility, maker mode credential configuration, orphaned or disabled creator account, shadow or unsanctioned status, hardcoded secrets, cross-platform action chains, unsanctioned MCP connections, shared service account credentials, and sensitive data access scope.

This is where effective authority matters. Theoretical configuration tells you what the agent is set up to do. Effective authority tells you what it can actually execute inside each connected SaaS application. Those two things are often not the same.

Step 3: Apply Combination Scoring

Wire combination rules on top of individual factor detection. The scoring table in the previous section gives you the starting framework. Flag any agent where two or more factors combine to reach critical. Prioritize triage by combination severity, not individual factor severity. A single high-severity finding may be less urgent than three medium-severity findings on the same agent.

Step 4: Triage and Communicate

When you surface a critical combination, the remediation path is usually one of three actions: restrict the deployment surface (remove public access), rotate the credential model (replace maker mode with per-user authentication), or disable the agent pending ownership reassignment.

For non-security stakeholders, frame combination severity in operational terms. "This agent can be used by anyone in the company to access data only your CRM admin should see, and the admin who built it left six months ago" communicates the risk more effectively than a severity score. The AI agent governance framework gives you the policy structure to back those conversations with documented standards.

Where to start this quarter: Run your first combination scan against agents that are already flagged as public or org-wide accessible. That population contains the highest concentration of critical combinations. Resolve maker mode configurations in that group first. That single action reduces your most common critical pattern immediately. Then use the AI agent risk assessment process to extend coverage across your full agent inventory. Runtime guardrail enforcement is generally available on Microsoft Copilot today, with expanded platform coverage on the roadmap.
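The scoring table and the three-stage escalation from the scoring-math section, together with Steps 2 and 3 of the program above, turned into working code as an added example (not Obsidian's code or product logic): each of the seven combinations becomes a factor-set rule, one/two/three matching factors map to theoretical, viable and silent risk, and triage orders agents by combined severity rather than by the loudest single finding. The factor labels, agent names and sample inventory are constructed for the example.

```python
"""Combination scoring over an agent inventory (added example, not Obsidian's code).
Encodes the article's scoring table as factor-set rules, applies its three-stage
escalation (1 factor: theoretical, 2: viable path, 3: silent) and triages by combined severity."""
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
# Factors the table rates High on their own; every other factor rates Medium.
HIGH_FACTORS = {"admin_credentials", "action_chain", "hardcoded_secrets",
                "shared_service_account", "no_invoker_check"}
# The article's seven toxic combinations; the factor labels are this example's own.
COMBINATION_RULES = {
    "Public Maker Mode Admin": {"public_access", "maker_mode_credentials", "sensitive_data_access"},
    "Zombie Admin Agent": {"orphaned_creator", "admin_credentials", "active"},
    "Shadow MCP Exfil Path": {"shadow_agent", "unsanctioned_mcp", "external_domain"},
    "Chainsaw Action Agent": {"action_chain", "hardcoded_secrets", "no_owner"},
    "Shared Credential Cluster": {"shared_service_account", "shared_across_agents", "no_rotation_policy"},
    "Confused Deputy Escalation": {"maker_mode_credentials", "low_privilege_invokers", "no_invoker_check"},
    "Public Shadow Agent": {"shadow_agent", "public_access", "sensitive_data_access"},
}
def factor_severity(factor):
    return "High" if factor in HIGH_FACTORS else "Medium"

def score_agent(factors):
    """Return (combined severity, fully matched rule names, worst single-factor severity)."""
    present = set(factors)
    matched, combined = [], "Low"
    for rule, needed in COMBINATION_RULES.items():
        hits = len(needed & present)
        if hits == 3:            # A + B + C: executable and unwatched -> Critical
            matched.append(rule)
            combined = "Critical"
        elif hits == 2 and SEVERITY_RANK[combined] < SEVERITY_RANK["High"]:
            combined = "High"    # A + B: a viable attack path, even from two mediums
    worst_single = max((factor_severity(f) for f in present), key=SEVERITY_RANK.get, default="Low")
    if SEVERITY_RANK[worst_single] > SEVERITY_RANK[combined]:
        combined = worst_single  # never score an agent below its own individual findings
    return combined, matched, worst_single

def triage(inventory):
    """Agents ordered for triage: combined severity first, then number of matched rules."""
    rows = [(name, *score_agent(f)) for name, f in inventory.items()]
    return sorted(rows, key=lambda r: (SEVERITY_RANK[r[1]], len(r[2])), reverse=True)

# Constructed inventory. Factor lists should reflect effective authority, not config on paper.
SAMPLE_INVENTORY = {
    "pipeline-summary-bot": ["public_access", "maker_mode_credentials", "sensitive_data_access"],
    "invoice-sync": ["hardcoded_secrets"],                   # one High finding on its own
    "intern-helper": ["shadow_agent", "unsanctioned_mcp"],  # two mediums: viable path, not yet silent
}
if __name__ == "__main__":
    for name, combined, matched, worst in triage(SAMPLE_INVENTORY):
        print(f"{combined:8} {name:22} single={worst:6} {matched}")
```

Note that invoice-sync, the only agent with a High individual finding, ranks below pipeline-summary-bot, whose three findings are each Medium.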

The Most Dangerous Risks Are Compound, Not Individual

Single-factor risk scoring is not wrong. It is incomplete. In agentic AI environments, the critical risks are compound events: two or three medium-severity factors appearing simultaneously on the same agent, each one enabling the next to cause real harm. Standard tooling rates each factor in isolation and produces a list of medium findings that no one prioritizes.

The AI agent toxic combination framework changes the question from "how risky is this factor" to "what is the worst combination of factors present on this agent right now." That question produces a fundamentally different triage list, one where the most urgent items are not the loudest individual alerts but the quietest compound configurations.

Runtime truth is what makes combination scoring possible. Theoretical configuration tells you what factors exist on paper. Effective authority tells you what those factors enable in practice. The gap between those two views is where the most dangerous combinations live.

Inventory your agents. Map their factors. Score their combinations. Start with the public-facing population. That is where the critical combinations are most concentrated, and that is where deterministic guardrails for probabilistic agents will have the most immediate impact.

Frequently Asked Questions

What is an AI agent toxic combination?

An AI agent toxic combination is a security condition where two or more individually medium-severity risk factors appear simultaneously on the same agent, compounding to high or critical severity. No single factor triggers a critical alert on its own. The combination of factors creates a viable, often undetected attack path.

Why does standard risk scoring miss toxic combinations?

Standard scoring frameworks like CVSS evaluate each finding in isolation. They are designed for discrete vulnerabilities with self-contained impact. Agentic AI risk is compound: each factor enables the next one. A scoring model that does not evaluate factors in combination will consistently underrate the most dangerous agent configurations.

What is the most common critical combination in enterprise environments?

The most common critical combination is public or org-wide accessibility combined with maker mode admin credentials. This pattern enables the confused deputy attack: any user can invoke the agent and receive data at the creator's permission level, bypassing all IAM controls. It is very common in Microsoft Copilot Studio and ChatGPT Enterprise deployments.

What is a confused deputy attack in the context of AI agents?

A confused deputy attack occurs when an agent with elevated permissions is invoked by a user who does not hold those permissions. The agent acts as a trusted deputy, executing the invoker's request using credentials the invoker was never granted. The agent behaves exactly as configured. No access control was technically violated. But the user extracted data they had no right to see.

How do I start a toxic combination detection program if I have no agent inventory?

Start with inventory. You cannot score combinations you cannot see. Use a platform that provides a single pane of glass across your AI agent builders, including Copilot Studio, Agentforce, Bedrock, Vertex, and n8n. Once you have an inventory, map risk factors per agent. Then apply combination scoring rules. The public-facing agent population is the highest-priority starting point because it contains the highest concentration of critical combinations.