AI agents are entering corporate systems faster than the security frameworks designed to govern them. The result is a gap — not theoretical, but already documented in data breaches and live attack demonstrations — between what autonomous software can do and what enterprises can actually control.
In March 2023, three Samsung engineers uploaded proprietary source code to an external AI service within weeks of its internal approval. None of the company’s existing data loss prevention tools caught it. The traffic looked like routine browsing. The agents, in this case AI-assisted tools operating with broad access and no defined identity boundaries, were invisible to governance. This article draws on a study by KuppingerCole, commissioned by Ping Identity, that examines the problem in detail.
That incident was not an anomaly. It was a preview. As AI agents move from experimental pilots into operational enterprise systems, they are breaking assumptions that identity and access management frameworks have relied on for two decades. The gap between what these agents can do and what security teams can control is real, measurable, and growing.
A New Kind of Actor
Traditional identity management was built around a simple model: a human being requests access, a system grants or denies it, and a log records what happened. AI agents disrupt all three steps simultaneously.
Unlike conventional software, autonomous agents do not follow fixed instruction sets. They pursue goals through adaptive sequences of API calls, delegate subtasks to other agents, and make probabilistic decisions at runtime. An agent tasked with drafting a contract may access legal databases, query internal records, send draft versions for review, and log its own activity — all without a human authorizing each individual step.
This breaks the consent model that underlies OAuth and OpenID Connect, the protocols governing most enterprise authentication. Those standards require an explicit human authorization step. Agents operating at scale routinely bypass it. The access grants they accumulate are technically valid. The accountability attached to them is not.
IBM’s 2025 Cost of a Data Breach report puts numbers to the risk: 13 percent of organizations had experienced breaches involving AI models or applications in the preceding year. Among those, 97 percent lacked adequate access controls. These are not fringe cases. They represent the leading edge of a structural problem.
Incidents That Defined the Problem
The Samsung leak illustrated one failure mode: an AI tool treated as an internal productivity aid rather than an external system with its own identity and data access boundaries. But the vulnerability landscape extends well beyond accidental disclosure.
At Black Hat 2024, security researcher Michael Bargury demonstrated how Microsoft 365 Copilot could be turned into an exfiltration and phishing tool through a technique called prompt injection. By embedding instructions inside a document or email that Copilot was asked to process, an attacker could redirect the agent to forward emails, search for sensitive files, and generate phishing messages — all using the victim’s own credentials and session. The attack required no access to the agent’s configuration. It required only that the agent be asked to read something the attacker had written.
Prompt injection is not a product flaw. It is a structural weakness in the current generation of autonomous agents: the absence of a trust boundary between the agent’s instruction context and the content it processes. Every autonomous agent that reads external content is exposed to it. Patching individual products does not close the underlying gap.
What a Governance Architecture Looks Like
KuppingerCole analyst Martin Kuppinger has proposed a reference architecture organized around four pillars, each addressing a specific failure in current frameworks.
The first pillar is identity registration. Every AI agent should be assigned a unique, stable identifier in a centralized identity store, with documented ownership, authorized scope, and expected operational lifetime. Without this, agents are shadow resources — active in production systems but invisible to governance. The analogy to privileged service accounts in traditional PAM environments is deliberate: the same discipline that applies to those accounts should apply to agents.
The second pillar is authorization. Static role-based access control is too rigid for agents whose effective permission sets shift with each task. Policy-Based Access Control (PBAC) can incorporate contextual signals — data sensitivity, time of day, current threat level, the nature of the operation being performed — into authorization decisions at runtime. Crucially, PBAC can limit an agent's permissions to a subset of what the authorizing human would themselves be permitted to do, preventing the kind of scope inflation that makes agentic deployments difficult to audit.
The third pillar is governance, which operates at two levels. Intra-agent controls define what an agent is authorized to do within its own instruction set — explicit operational boundaries treated as versioned policy artifacts. Extra-agent controls enforce access restrictions at the API and resource level independently of what the agent claims to be authorized to do. The distinction between human-in-the-loop supervision (explicit approval before action) and human-on-the-loop supervision (autonomous operation with monitoring and intervention capability) should be a deliberate governance decision, not a default.
The fourth pillar is auditability. Logs of individual API calls are insufficient for investigating agentic behavior. What is needed are decision traces: records not just of what an agent did, but of what it was instructed to do, under what policy, and how it reasoned to each action. When agents spawn sub-agents, the accountability chain must extend through the entire hierarchy, from the original human authorization to the final system action.
The Roadmap
Not all of this is achievable immediately, and the KuppingerCole paper is clear about the distinction. Some actions can be taken now with existing tooling. Others depend on emerging standards that are still being written.
In the near term, the priority is visibility. Registering agents as distinct identity subjects, enforcing explicit authorization boundaries at the resource level, implementing immutable logging, and establishing kill-switch mechanisms — the ability to suspend an agent immediately when something goes wrong — are achievable without waiting for new standards. So is establishing an approval process for new agent deployments, the absence of which is the primary cause of shadow agent proliferation.
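Three of the near-term controls named above (a deployment approval process, a kill switch, and immutable logging) fit in a short Python example. This is illustrative code written for this article, not part of the paper or any product; the agent names, the approver label and the hash-chained log format are constructed assumptions. The log commits each entry to the hash of the previous one, so a later edit to any record is detectable on verification.

```python
"""Added example of an approval gate, a kill switch and a hash-chained
append-only log. Names and formats are this example's own assumptions."""
import hashlib
import json

class ImmutableLog:
    """Append-only log: each entry commits to the hash of the entry before it."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"prev": prev, "event": event,
                             "hash": self._digest(prev, event)})

    def verify(self):
        """Return the index of the first broken link, or -1 if the chain is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["event"]):
                return i
            prev = e["hash"]
        return -1

class AgentController:
    """Approval gate and kill switch in front of agent actions."""
    def __init__(self, log):
        self.log = log
        self.approved = set()   # agents that passed the deployment approval process
        self.suspended = set()  # agents stopped by the kill switch

    def approve(self, agent_id, approver):
        self.approved.add(agent_id)
        self.log.append({"type": "approve", "agent": agent_id, "by": approver})

    def kill(self, agent_id, reason):
        self.suspended.add(agent_id)
        self.log.append({"type": "kill", "agent": agent_id, "reason": reason})

    def dispatch(self, agent_id, action):
        """Return True only if the agent is approved and not suspended."""
        if agent_id not in self.approved:
            outcome = "denied: not approved for deployment"
        elif agent_id in self.suspended:
            outcome = "denied: suspended"
        else:
            outcome = "executed"
        self.log.append({"type": "action", "agent": agent_id,
                         "action": action, "outcome": outcome})
        return outcome == "executed"

def demo():
    """Constructed scenario; returns dispatch results and log verification."""
    log = ImmutableLog()
    ctl = AgentController(log)
    r1 = ctl.dispatch("shadow-agent", "records:read")   # never went through approval
    ctl.approve("report-bot", "security-review")
    r2 = ctl.dispatch("report-bot", "records:read")
    ctl.kill("report-bot", "unexpected outbound mail volume")
    r3 = ctl.dispatch("report-bot", "email:send")
    intact = log.verify()                               # -1: chain is intact
    log.entries[1]["event"]["by"] = "nobody"            # simulate a later edit
    tampered_at = log.verify()                          # index of the altered record
    return {"results": [r1, r2, r3], "intact": intact, "tampered_at": tampered_at}
```

The kill switch here is deliberately simple: suspension is a state check performed on every dispatch, so it takes effect on the agent's next action rather than depending on the agent cooperating. In a real deployment the log would be written to a store the agent has no write access to; the hash chain only makes tampering visible, it does not prevent it.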
In the medium term, organizations should move from static RBAC to dynamic PBAC for agent authorization, integrate agent identities into existing governance review cycles, and include agent activity in security operations monitoring. Regulatory expectations for AI governance are forming; building audit documentation now is less costly than retrofitting controls later.
Longer-term, the industry is developing identity standards for AI agents analogous to those that govern human users: extensions to Verifiable Credentials for agent attestation, workload identity frameworks such as SPIFFE/SPIRE, and OAuth working group proposals for agent-specific flows. Organizations should design current implementations for interoperability, avoiding proprietary dependencies that would make future standard adoption expensive.

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM.
Contact via Mail: jakob.jung@security-storage-und-channel-germany.de