
Security teams spent years getting good at something that's quietly become insufficient: auditing what gets deployed. You review the code, check the config, sign off on the integration, move on. The system is static. The risk is bounded.
AI agents broke that model — and most organizations don't know it yet.
Here's the thing about agents: when a user builds one and connects it to their tools, the agent inherits their permissions. It acts with their badge, and that's how agents get work done. But then the agent gets shared with teammates who have lower privilege levels. Or it gets published with a public URL. Or the person who built it leaves the company, their account gets disabled, and the agent keeps running: unmonitored, high-privileged, owned by no one.
Nobody made a bad decision. The system just evolved faster than anyone was watching.
The numbers from production environments bear this out: agents granted an average of 43 permissions but actively using 4; 38% carrying medium or high risk; data moving through agents at 16 times the rate of human users; over 800 risky agents per organization, most of them built by end users and never reviewed by security. They weren't designed to be threat vectors. They just became ones.
The April breach at Vercel/context.ai made this concrete in a way that's hard to look away from. An infostealer on a developer laptop in February led to compromised AWS access in March, stolen OAuth tokens, and a $2M ransom disclosure in April — with more than eight weeks between initial compromise and detection. One token. Two months of dwell time. The kind of exposure that looks obvious only in retrospect, and only because someone eventually found it.
The problem isn't that agents are risky by nature. It's that the governance frameworks security relies on were built for deterministic systems — same inputs, same outputs, traceable behavior, fixed configurations you audit at deployment and trust until something breaks. Agents aren't deterministic. Their behavior shifts as access changes, as they get shared, as integrations get added. A deployment checklist captures a moment in time. The agent operates indefinitely after that moment.
The starting point is a real-time inventory — not a quarterly audit, but something that captures every agent the moment it appears, with ownership, access scope, and integration context. Most teams don't have this yet. The Vercel breach dragged on for eight weeks partly because nobody had a clear picture of what was running or what it could reach. Inventory is the first of three disciplines that make up an effective AI agent security program: continuous discovery, end-to-end governance, and runtime enforcement.
From there, the work is a configuration review against a living map. Risky agent states tend to cluster around a handful of patterns: org-wide sharing with access to sensitive data, publicly accessible agents with embedded credentials, high-privilege agents still running after their owners have left. None of these are subtle — they're just hard to catch without continuous visibility into the full agent inventory.
Runtime enforcement tends to work best when it starts in observation mode. Watch what agents are doing, understand what normal traffic looks like, and flag exceptions before enforcing anything. Moving straight to block mode on day one usually produces friction without much signal. Starting with a narrow, well-defined policy — unauthorized access to a specific class of system, for example — gives you real data on what's actually happening before you expand scope.
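What the configuration review and the observe-first runtime policy look like in code, as an added example written for this page rather than any vendor's product or API. The inventory schema, the scope names, the over-provisioning threshold and the sample agents and traffic are all constructed assumptions; the point is the shape of the checks, which flag the three risky states named above and count would-be blocks before any policy is switched to enforce.

```python
"""Audit an AI-agent inventory for the risky states named above, then run a
narrow runtime policy in observe mode before switching it to enforce mode.
Illustrative code added for this page. Schema, scope names, thresholds and
sample data are assumptions, not any vendor's real format."""
from dataclasses import dataclass

# Assumed scope names; a real program would take these from the platform that issued the grants.
SENSITIVE_SCOPES = {"files.read", "mail.read", "hr.records", "finance.ledger"}
HIGH_PRIVILEGE_SCOPES = {"users.write", "finance.ledger", "admin.settings"}


@dataclass
class Agent:
    name: str
    owner: str
    owner_active: bool          # False once the owner's account is disabled
    sharing: str                # "private" | "org" | "public"
    granted: set[str]
    used: set[str]              # scopes actually seen in traffic
    embedded_credentials: bool  # secrets stored in the agent's own config


def review_agent(agent: Agent) -> list[str]:
    """Return the risky-state findings for one agent (empty list when clean)."""
    findings = []
    sensitive = agent.granted & SENSITIVE_SCOPES
    if agent.sharing == "org" and sensitive:
        findings.append(f"org-wide sharing with sensitive access: {sorted(sensitive)}")
    if agent.sharing == "public" and agent.embedded_credentials:
        findings.append("publicly reachable agent with embedded credentials")
    if not agent.owner_active and agent.granted & HIGH_PRIVILEGE_SCOPES:
        findings.append("high-privilege agent whose owner account is disabled")
    unused = agent.granted - agent.used
    # Over-provisioning check; the 10-grant floor and 80% ratio are assumed thresholds.
    if len(agent.granted) >= 10 and len(unused) / len(agent.granted) >= 0.8:
        findings.append(f"{len(unused)} of {len(agent.granted)} granted permissions never used")
    return findings


def review_inventory(agents: dict[str, Agent]) -> dict[str, list[str]]:
    """Map agent name -> findings, keeping only agents with at least one finding."""
    return {name: f for name, a in agents.items() if (f := review_agent(a))}


@dataclass
class Policy:
    name: str
    denied_scopes: set[str]   # keep this narrow: one class of system to start
    mode: str = "observe"     # "observe" only logs would-be blocks; "enforce" blocks


def evaluate_call(policy: Policy, agent: Agent, scope: str) -> tuple[str, str]:
    """Decide one tool call. Returns (decision, log line)."""
    if scope not in policy.denied_scopes:
        return "allow", f"{agent.name} {scope} allow"
    if policy.mode == "observe":
        return "allow", f"{agent.name} {scope} WOULD_BLOCK policy={policy.name}"
    return "block", f"{agent.name} {scope} BLOCK policy={policy.name}"


def observe_baseline(policy: Policy, agents: dict[str, Agent],
                     traffic: list[tuple[str, str]]) -> dict[str, int]:
    """Count would-be blocks per agent over a traffic sample: the signal to
    review before flipping the policy from observe to enforce."""
    counts: dict[str, int] = {}
    for agent_name, scope in traffic:
        _, line = evaluate_call(policy, agents[agent_name], scope)
        if "WOULD_BLOCK" in line:
            counts[agent_name] = counts.get(agent_name, 0) + 1
    return counts


# Constructed sample inventory (not real data).
INVENTORY = {
    "expense-helper": Agent("expense-helper", "alice", True, "org",
                            {"files.read", "finance.ledger", "calendar.read"},
                            {"calendar.read"}, False),
    "support-bot": Agent("support-bot", "bob", True, "public",
                         {"crm.read"}, {"crm.read"}, True),
    "onboarding-agent": Agent("onboarding-agent", "carol", False, "private",
                              {"users.write", "hr.records", "mail.read"},
                              {"mail.read"}, False),
    "reporting-agent": Agent("reporting-agent", "dave", True, "private",
                             {f"report.{n}" for n in range(10)} | {"files.read", "mail.read"},
                             {"report.0", "report.1"}, False),
}

# Constructed traffic sample: (agent, scope called).
TRAFFIC = [("expense-helper", "calendar.read"), ("expense-helper", "finance.ledger"),
           ("reporting-agent", "files.read"), ("expense-helper", "finance.ledger")]

# One narrow policy: agents do not touch the finance ledger. Starts in observe mode.
FINANCE_POLICY = Policy("no-agent-ledger-access", {"finance.ledger"})

if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY).items():
        print(name, findings)
    print(observe_baseline(FINANCE_POLICY, INVENTORY, TRAFFIC))
```

Run against the sample, every agent but a clean one trips exactly one rule, and the observe pass shows two would-be blocks, both from `expense-helper` reaching the ledger. That is the data you want before setting `mode="enforce"`: you know which agent the policy will hit and how often, instead of discovering it through broken workflows on day one. The review functions take the inventory as input, so they only mean something if that inventory is refreshed continuously rather than at audit time.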
The teams making the most progress on this aren't the ones that have it all figured out. They're the ones that answered the inventory question first and built from there.