Key Takeaways
-
AI adoption is no longer the primary challenge. Organizations have largely moved beyond access and awareness issues. AI is already being used in the workplace, shifting the focus from adoption to effective execution and business outcomes.
-
Employee AI usage is widespread and growing. According to the blog, 50% of U.S. employees are already using AI at work, indicating that AI has become a mainstream workplace tool rather than an emerging technology.
-
Many organizations are struggling to realize measurable ROI. Despite significant AI investments, more than half of CEOs report not yet seeing measurable cost benefits, suggesting that successful implementation, governance, and project execution are now the critical factors for achieving value.
|
Security leaders know AI facilitates the evolution of attacker tradecraft, rapidly exposing new and undiscovered vulnerabilities, and repurposing older vulnerabilities. Every attack surface has unrecognized risks in the form of unknown relationships and dependencies. While AI awareness is improving, few fully understand how pervasive AI is in their environment. At Arctiq, our cybersecurity team works alongside our clients to navigate these threats in real time. We help our clients understand where AI lives in their environments and help them define their locus of control and how to include AI in its various forms, in a secure framework that works for them.
The AI Your Security Team Didn't Review
The copilots and summarization tools that most enterprises evaluated over the past few years share one important characteristic: they respond to a prompt and then stop. They are deterministic and the interaction is bounded.
Agentic AI is fundamentally different. When an agentic system is given a task, it works dynamically and autonomously across multiple steps, using tools in and occasionally out of your control, often without a human in the loop. That autonomy changes the risk profile dramatically. When an agent with API access is implemented in production systems without guardrails or a lasso, it has access to your entire estate. And if unrestrained, it will act on that access without a human to approve each step.
ProTip: Ask your IT and dev leads this week whether any of their automation tools use AI with API access to production systems. The answer may surprise you.
Four Ways Agents Get Exploited
There are four major vectors security teams deal with right now when directly handling AI:
- Prompt injection is the most common attack vector. An attacker embeds hidden instructions in content that an agent reads, a vendor webpage, a support ticket, a shared document, and the agent executes them. This bypasses firewall alert fires and avoids DLP triggers because the attack lives at the semantic layer, where your existing stack has no visibility.
- Privilege escalation is a growing problem. Agents are routinely provisioned with broad permissions because it's faster and easier than precisely scoping them. The result is that a manipulated agent has the same blast radius as a compromised admin account. Least-privilege access isn't optional here.
- Data exfiltration through agents can be difficult to detect because the action appears legitimate on the surface. An agent that summarizes documents and routes them is doing exactly what it was built to do. Whether it routed the right document to the right recipient is a question your existing controls weren't designed to answer.
- Multi-agent impersonation is an emerging problem. In architectures where agents communicate with each other, there's currently no reliable standard for agent-to-agent authentication. Rogue agents can impersonate orchestrators, and most organizations are blind to it and don’t know it’s happening. Identity and Access Management is no longer a luxury. It’s now mandatory. Org Charts need to be updated to include non-human identities. This is why behavioral analysis is no longer a nice-to-have in your security apparatus.
This in not conjecture…This already happened, on a Nation-State Scale
In September 2025, Anthropic documented the first confirmed AI-orchestrated espionage campaign. A Chinese state-sponsored group, designated GTG-1002, ran a campaign using Claude Code to run reconnaissance, generate exploit code, harvest credentials, and extract data from roughly 30 organizations across tech, finance, chemicals, and government. The AI handled 80 to 90 percent of the tactical work autonomously. Human operators were needed at only four to six decision points across the entire campaign.
The attackers bypassed safety controls by convincing Claude that it was being used for legitimate defensive security testing, essentially social engineering the AI itself. The breach happened at the semantic layer, so existing DLP and network monitoring completely missed it.
Unfortunately, this wasn’t a one-off. According to Unit 42's 2025 Global Incident Response Report, the median time from initial compromise to data exfiltration is now about two days, and nearly one in five cases, exfiltration happens within the first hour. Their 2026 report shows the fastest quartile of intrusions reaching exfiltration in 72 minutes, down from nearly five hours just a year earlier. Agentic AI is the catalyst of that acceleration.
In response to ongoing change and growing threats, the EU AI Act officially took effect. GDPR already applies to how agents process personal data. SOC 2 auditors are beginning to ask about AI controls, and that scrutiny will only increase. In finance and healthcare, regulators aren't waiting for a major incident before they start asking questions. Every month without an AI governance program is a month of compounding liability, one unreviewed deployment at a time.
The good news is that getting ahead of this doesn't require building a new security program from scratch.
Extending the Controls You Already Have
The right approach isn't to build a new security program for AI, but rather to extend the one you have. At a glance, your IAM team already manages identity, your SOC monitors behavior, and your change management team governs deployments. The question is whether those teams have explicitly added AI agents to their scope. In most organizations, they haven't.
To make extended AI a safe reality, four areas need to be addressed:
- Agents need their own non-human identities with least-privilege scoping, not broad access to reduce friction.
- Input and output filtering needs to be deployed so prompt injection is caught before execution, and data exfiltration attempts can be stopped.
- Reasoning chain logging needs to flow into your SIEM, not just API call logs. Knowing what an agent decided and why matters will help with forensic investigations.
- Human approval gates need to be designed into high-stakes workflows before deployment. Retrofitting authentication/approval workflows after the fact is painful and expensive.
Pro Tip: The first step is cooperation and gaining visibility. Talk to your IT and Dev leads directly to find out which agents are deployed, which systems they can reach, and who owns them. Identify your highest-risk gaps based on access and blast radius. Step 1:The first 90 days are about standing up foundational controls: agent identities, input and output filtering, SIEM integration, and a basic policy framework. Step 2: 90-180 days will focus on hardening, least-privilege enforcement, human-in-the-loop gates for irreversible actions, and a red-team exercise against your own agents.
Taking the Next Step
Agentic AI is already inside your environment. The only question is whether your security program knows it. If you want to talk through where you stand, reach out to us here. The cybersecurity team at Arctiq is ready to support you wherever you are on your AI journey.
