For years, corporate cybersecurity was fundamentally about people. Stop employees from clicking the wrong link. Keep hackers from exploiting software flaws. Make sure sensitive data stayed inside the organisation. The tools built for that job — from network monitoring software to login analysis and malware detection — were designed around human behaviour, whether the threat came from inside the company or outside it.
Now, a different kind of actor is spreading across corporate networks. AI agents are software programmes that can be assigned a goal and left to pursue it autonomously, querying databases, drafting and sending communications, and carrying out multi-step workflows without a human directing every action. Companies across industries are deploying them to automate operations from customer service to financial analysis.
The problem is that the cybersecurity systems overseeing those networks were never built to monitor software that behaves like an employee but is not one. “Today's security tools don't look at [AI] behaviour. But we've gone from malware and running software and patching to one or more AI agents doing all sorts of activities,” Mandy Andress, chief information security officer at Elastic, tells DigitalEdge on the sidelines of the ElasticON conference in Singapore earlier this week.
Frontier AI model companies, she adds, have already observed AI agents attempting to compromise other AI agents and grant themselves elevated access. In simple terms, AI software is trying to hack other AI software to expand what it is allowed to do.
A blind spot by design
The cybersecurity industry has dealt with blind spots before. A decade ago, the concern was shadow software-as-a-service (SaaS). Employees were signing up for unauthorised cloud tools, routing company data through services the IT department did not know existed and could not monitor. The response was a generation of products designed to restore visibility, including systems that routed staff through a single corporate gateway, monitored web traffic and tracked which cloud applications were being used and by whom. By most measures, that problem was eventually brought under control.
Shadow AI is proving harder to contain. The way AI agents communicate — the protocols they use to send and receive instructions, query data sources and report results — differs enough from conventional software that the existing monitoring toolkit offers only a partial picture. With most existing solutions, a security team may be able to see that an employee opened a particular AI development tool. However, they typically cannot see what the tool was built for, what company data it accessed, or where the resulting application is running.
The rise of so-called “vibe coding” compounds the problem. AI-assisted tools now allow people with no programming background to build functional software applications in hours, simply by describing what they want in plain language, often without the IT department’s knowledge.
From a cybersecurity perspective, that leaves companies with a growing inventory of applications that no one is fully tracking. “One of the hardest parts about vibe coding, if you just enable it, is understanding what's being created, where it's running, what applications you have,” says Andress.
The identity problem no one has solved
Beyond visibility lies a more basic question of accountability. When an AI agent takes an action, such as sending a message, approving a transaction or modifying a file, who is responsible for it?
At most companies Andress has spoken with, responsibility still sits with the employee who launched the agent. That raises legal questions that have yet to be fully tested.
A widely cited case is Air Canada, whose automated customer service chatbot provided a passenger with incorrect information about bereavement fares. British Columbia's Civil Resolution Tribunal found the airline liable for its chatbot's misinformation and ordered it to pay C$812 ($759) in damages, rejecting Air Canada's argument that the chatbot was a separate legal entity responsible for its own actions. As AI agents take on more consequential tasks, disputes of this kind will arise more frequently and with considerably higher stakes.
For now, the most common safeguard is a human checkpoint. No automated action is carried out without a person reviewing and approving it first. While that is a sensible precaution for an early-stage technology, it is unlikely to be a lasting answer. “We'll collectively be moving into a world where we're managing populations of AI agents,” states Andress.
The future demands a rethink of identity infrastructure from the ground up. Every agent, she argues, should carry its own credentials, just like a human employee, so that specific actions can be attributed to specific systems. Yet most enterprises have not applied this basic principle of cybersecurity accountability to their AI deployments.
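The principle Andress describes can be illustrated with a minimal sketch: each agent is issued its own identity, tied to the human who deployed it, and every action is logged under the agent's identity rather than the owner's. All names and fields below are hypothetical, not any vendor's implementation.

```python
import uuid
from datetime import datetime, timezone

def issue_agent_credential(owner, purpose):
    """Issue a distinct identity for an AI agent, tied to the human
    owner who deployed it, so its actions can be attributed later.
    (Illustrative only: field names are assumptions.)"""
    return {
        "agent_id": f"agent-{uuid.uuid4().hex[:8]}",
        "owner": owner,
        "purpose": purpose,
    }

def log_action(cred, action, audit_log):
    """Record an action under the agent's own identity, not the owner's."""
    audit_log.append({
        "agent_id": cred["agent_id"],
        "owner": cred["owner"],
        "action": action,
        "at": datetime.now(timezone.utc).isoformat(),
    })

audit_log = []
cred = issue_agent_credential(owner="j.tan", purpose="invoice triage")
log_action(cred, "approved_invoice_1024", audit_log)
# The audit trail now names the agent, while still pointing back to its owner.
```

The design point is that attribution survives scale: once a company runs hundreds of agents, "which system did this?" can only be answered if the identity was separate from the start.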
The attack surface is changing, too
While defenders are still adjusting, attackers are already benefiting from the same shift. Access to AI has lowered the barrier to entry for cybercrime. Tasks that once demanded years of specialist expertise — such as writing persuasive phishing messages in multiple languages, identifying software vulnerabilities and designing attack sequences — can now be done with far less skill.
The impact is changing the tempo of attacks. For much of the past decade, the most sophisticated intrusions were defined by patience. Well-resourced attackers, including those linked to nation-states, could spend weeks or months inside a corporate network, moving carefully to avoid detection while extracting data or setting up a larger strike. That model is giving way to something faster.
“Cyber attackers are coming in very quick, getting what they need and getting out within seconds or minutes. The biggest change from a cybersecurity analyst perspective is, how do we change our approaches to be able to respond much more quickly?” asks Andress.
Security systems that rely on recognising the known fingerprints of previous attacks struggle in that environment. This is why Andress believes behavioural monitoring will be key. Instead of searching for known threats, cybersecurity teams look for activity that deviates from the norm. If a system suddenly starts doing something it has never done before, that is reason to investigate, even if no one yet knows what type of attack it may be.
To help organisations do so, Elastic is developing a capability called entity analytics that would establish a baseline of normal behaviour for every entity in a network — a human employee, a device, an application programming interface (API) key, or an AI agent — and flag deviations.
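Elastic's entity analytics capability is proprietary, but the underlying idea of behavioural baselining can be sketched in a few lines: learn what each entity normally does, then flag anything outside that baseline. This is a toy illustration under assumed names, not Elastic's implementation.

```python
from collections import defaultdict

class BaselineMonitor:
    """Toy behavioural baseline: remembers which actions each entity
    (a user, device, API key or AI agent) has performed before, and
    flags anything that entity has never done."""

    def __init__(self):
        self.seen = defaultdict(set)  # entity -> set of known actions

    def observe(self, entity, action):
        """Record an action as part of the entity's normal behaviour."""
        self.seen[entity].add(action)

    def is_anomalous(self, entity, action):
        """An action is anomalous if this entity has never done it."""
        return action not in self.seen[entity]

monitor = BaselineMonitor()
for action in ["query_crm", "draft_email", "send_email"]:
    monitor.observe("agent-42", action)

print(monitor.is_anomalous("agent-42", "send_email"))  # False: within baseline
print(monitor.is_anomalous("agent-42", "drop_table"))  # True: investigate
```

Real systems baseline far richer signals (timing, volume, destinations) and tolerate gradual drift, but the detection question is the same: has this entity done this before?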
Elastic is also building an attack-discovery capability to address alert overload. In a large enterprise security operations centre, teams can start the day with hundreds or even thousands of alerts waiting for review, far more than they can realistically assess one by one. Attack discovery is designed to automatically group related alerts and reconstruct the likely sequence of an attack, reducing the flood of warnings to a smaller set of genuine incidents.
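The core move behind alert grouping can also be sketched simply: correlate alerts that share an entity and order them in time, so analysts review a handful of incident timelines rather than thousands of individual warnings. The code below is an illustrative reduction with made-up alert data, not Elastic's attack-discovery feature.

```python
from collections import defaultdict

def group_alerts(alerts):
    """Group alerts that mention the same entity into candidate incidents,
    each ordered by time, so related warnings are reviewed together."""
    incidents = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["time"]):
        incidents[alert["entity"]].append(alert)
    return dict(incidents)

alerts = [
    {"time": 3, "entity": "host-7", "rule": "outbound data spike"},
    {"time": 1, "entity": "host-7", "rule": "suspicious login"},
    {"time": 2, "entity": "agent-42", "rule": "privilege escalation"},
]
incidents = group_alerts(alerts)
print(len(incidents))  # 2 incident timelines instead of 3 separate alerts
print([a["rule"] for a in incidents["host-7"]])
```

Production correlation engines link alerts across entities and attack stages as well, but even this single-key grouping shows how the flood of alerts collapses into a smaller set of narratives.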
Despite the number of unresolved issues, Andress believes that AI can ultimately tilt the balance toward cyber defenders, but only for organisations willing to do the underlying work.
“If we implement AI properly within our organisations, we'll have a full contextual picture of our environment, and we'll be able to very quickly react and respond,” she reasons. “Maybe as we start to see an attacker trying something, we can recognise that and have actions automatically taken to close that down.”
That optimism comes with a large condition. Companies need to treat AI security as a strategic issue rather than an IT housekeeping task. That means building the visibility, governance and machine identity infrastructure that most have barely begun to put in place.
