TLDR: A recent survey reveals that AI agents are now considered the most significant internal cybersecurity threat by nearly two-thirds of North American security leaders. The concern stems from employees unknowingly exposing sensitive data to AI tools, with half of organizations already experiencing AI-related cyber incidents. A significant lack of visibility and weak governance policies exacerbate the risks posed by these increasingly autonomous systems.
A new survey of 200 North American security leaders, conducted by OpinionRoute on behalf of 1Password, highlights a critical shift in the cybersecurity landscape: Artificial Intelligence (AI) agents are now perceived as the foremost internal security threat. Nearly two-thirds (63%) of respondents believe the biggest risk comes from employees inadvertently granting AI agents access to sensitive corporate data. This concern is not theoretical, as half (50%) of the surveyed organizations reported experiencing a confirmed or suspected cyber incident caused by AI or AI agents within the last six months.
The findings underscore a significant challenge in managing the proliferation of AI tools within enterprises. Only a mere 21% of security leaders claim to have full visibility into all AI tool utilization across their organizations. Furthermore, nearly one-third (32%) suspect that up to half (50%) of their employees are using unauthorized AI tools, creating substantial shadow IT risks. In total, a stark 2.5% of organizations believe they have complete oversight of AI applications and the level of data they can access.
Dave Lewis, Global Advisory CISO for 1Password, emphasized the growing apprehension within the cybersecurity community. ‘Many cybersecurity professionals now recognize it’s only a matter of time before there is a cataclysmic incident involving AI tools, applications and services,’ Lewis stated. He pointed out a common user behavior contributing to the risk: ‘Many end users are now routinely pasting sensitive data into chat interfaces without reading the fine print of the user licensing agreement.’ This practice, he warned, means ‘much of that data will be used to train the next iteration of an AI model, which makes it likely that sensitive data will show up as AI output in ways no one can predict.’
The survey also revealed significant weaknesses in AI governance. Well over half (54%) of organizations describe their enforcement of AI governance policies as weak. A similar percentage (56%) estimates that the gap between governed AI agents and unmanaged ones in their organization ranges from 26% to 50%.
Beyond internal vulnerabilities, the threat landscape is evolving with cybercriminals becoming more sophisticated. Lewis noted that malicious actors are ‘mastering prompt engineering to access data despite whatever guardrails may have been put in place.’ Moreover, cybercriminals are actively targeting the millions of autonomous AI agents that are emerging, recognizing that compromising these agents could allow them to ‘compromise an entire process.’
Also Read:
- The Rise of AI Agents and Escalating Cybersecurity Risks in Cloud Environments
- Enkrypt AI Unveils Comprehensive Agent Risk Taxonomy to Fortify Enterprise Autonomous AI Systems
Additional insights from an international survey indicate that while 82% of companies are already utilizing AI agents, less than half have robust strategies in place to control them responsibly. This lack of control has led to tangible risks, with 23% of companies reporting instances where AI agents were tricked into exposing credentials, and 80% experiencing AI agents inadvertently taking incorrect actions. Experts highlight key cyber risks associated with AI agents, including ‘context corruption,’ where large language models struggle to differentiate legitimate instructions from malicious interventions; ‘dynamic tool sourcing and supply chain risks,’ arising from agents autonomously selecting and combining tools; and complex ‘authentication and authorization’ challenges unique to AI agent systems.
