Beyond Chatbots: Why Autonomous AI Agents Introduce an Identity-First Security Risk
AI agents aren’t just smarter chatbots; they operate with distinct identities and degrees of autonomy that let them act on infrastructure and data. That combination of identity and autonomy requires enterprises to move security from conversational filters to identity governance, least-privilege controls, and operational checkpoints.
Three agent types and why identity changes the problem
Enterprises now deploy three common agent classes: agentic chatbots embedded in managed platforms (limited autonomy and platform-scoped tools), local agents running on employee devices (they inherit user-level permissions and often use third-party plugins), and production agents—continuous services given dedicated machine identities and API-level access to systems. Surveys in 2023–24 reported adoption of agentic capabilities across a majority of organizations, but risk rises dramatically as you move from embedded chatbots to local and then production agents.
That progression matters because risk shifts from “what a user types” to “what an identity can do.” Production agents with machine identities can trigger workflows, move credentials, or call APIs without human prompts; local agents broaden the perimeter by turning each endpoint user into a potentially privileged access point. Treating these as extensions of chatbot security misses the operational reality: identity and access scope now determine damage potential more than conversational fidelity.
How deployment patterns widen the attack surface
Local agents create a fast-growing, least-governed surface: they inherit the running user’s permissions, install plugins from third parties, and frequently run on laptops and desktops that security teams struggle to inventory. Production agents create a different bottleneck—machine identities with broad scopes that, if compromised, enable cascading automation failures across services.
| Agent type | Identity model | Primary risk | Governance checkpoint |
|---|---|---|---|
| Agentic chatbots | Platform-scoped session | Prompt manipulation | Input sanitization, response filtering |
| Local agents | User-permission inheritance | Privilege proliferation, plugin supply chain | Inventory, plugin whitelists, endpoint controls |
| Production agents | Dedicated machine identities | Broad automated actions, cascading failures | Scoped credentials, just-in-time provisioning, auditable approvals |
Prompt injection now includes silent, data-driven compromises
Prompt injection remains the leading attack vector, but it splits into two operationally different threats. Direct prompt injection is malicious input during an interaction; it’s noisy and often detectable by conversational filters. Indirect prompt injection—poisoned data sources such as emails, documents, or third-party knowledge bases—operates quietly: agents ingest that data and, without human review, execute instructions or alter workflows. Indirect attacks can therefore compromise entire agent environments before defenders notice.
Supply-chain and memory poisoning magnify this risk. An attacker who controls a data feed or a plugin repository can seed instructions that production agents with machine identities follow automatically. Because most language models do not reliably distinguish instruction from factual content, the attack surface is fundamentally semantic: it’s not just about blocking inputs, it’s about validating provenance, context, and intent across pipelines.
Concrete controls: identity-first governance and operational checkpoints
Shift defenses from conversational hygiene to identity and execution controls. Start by scoping tool permissions tightly and enforcing least privilege: give agents only the API scopes they need and rotate those credentials with just-in-time provisioning. Sandboxing and isolated memory contexts reduce the blast radius of poisoned plugins or data; ephemeral runtime environments limit persistent state an attacker can exploit.
Human-in-the-loop controls and auditable approval gates are now regulatory expectations as well as practical safeguards. The EU AI Act, for example, includes requirements for human oversight in high-risk AI applications—healthcare, finance, and other regulated settings should treat agents as digital insiders requiring explicit approval, logging, and continuous monitoring. The next operational checkpoint for security teams is implementing dynamic, context-aware governance: can your identity systems revoke an agent’s privileges automatically when its behavior or data context changes?
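The controls described in the last two sections (scoped tool permissions, just-in-time credentials, and an approval gate for risky actions or actions triggered by untrusted ingested data) can be expressed as a single policy check in front of every tool call. The following is an added example, not code from the article or from any product it mentions; the tool catalogue, scope names, agent identity and the `Provenance` labels are hypothetical, and the clock is passed in explicitly so the expiry logic is testable.

```python
"""Identity-first policy gate for agent tool calls.

Added example, not code from the article. Assumed (hypothetical) model: each
agent identity carries a set of granted API scopes, credentials for a scope are
issued just-in-time with a short TTL, and every tool call records the
provenance of the content that triggered it. A call that changes production
state, or that was triggered by untrusted ingested data (the indirect prompt
injection path), must carry an explicit human approval before it executes.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Provenance(Enum):
    USER = "user"                      # typed by the authenticated operator
    TRUSTED_SYSTEM = "trusted_system"  # internal, integrity-checked source
    UNTRUSTED_DATA = "untrusted_data"  # emails, documents, third-party knowledge bases


# Hypothetical tool catalogue: tool name -> (required scope, changes production state?)
TOOL_CATALOGUE = {
    "read_ticket": ("tickets:read", False),
    "send_email": ("mail:send", True),
    "rotate_secret": ("secrets:write", True),
}


@dataclass(frozen=True)
class AgentIdentity:
    name: str
    granted_scopes: frozenset


@dataclass(frozen=True)
class JitCredential:
    scope: str
    issued_at: float   # seconds; the caller supplies the clock
    ttl_seconds: float

    def valid_at(self, now: float) -> bool:
        return now < self.issued_at + self.ttl_seconds


@dataclass(frozen=True)
class ToolCall:
    tool: str
    provenance: Provenance
    approved_by: Optional[str] = None   # operator who signed off, if any


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def issue_jit_credential(identity: AgentIdentity, scope: str, now: float,
                         ttl_seconds: float = 300.0) -> JitCredential:
    """Mint a short-lived credential for one scope the identity is already granted."""
    if scope not in identity.granted_scopes:
        raise PermissionError(f"{identity.name} is not granted scope {scope!r}")
    return JitCredential(scope=scope, issued_at=now, ttl_seconds=ttl_seconds)


def evaluate(identity: AgentIdentity, call: ToolCall,
             credential: Optional[JitCredential], now: float) -> Decision:
    """Decide whether `identity` may execute `call` at time `now`.

    Checks run in order: the tool is known, the scope is granted (least
    privilege), a live just-in-time credential for exactly that scope is
    present, and a human approval exists where the call is risky (it mutates
    production state or was triggered by untrusted data).
    """
    if call.tool not in TOOL_CATALOGUE:
        return Decision(False, "unknown tool")
    required_scope, mutates_prod = TOOL_CATALOGUE[call.tool]
    if required_scope not in identity.granted_scopes:
        return Decision(False, f"identity lacks scope {required_scope}")
    if credential is None or credential.scope != required_scope:
        return Decision(False, "no just-in-time credential for required scope")
    if not credential.valid_at(now):
        return Decision(False, "just-in-time credential expired")
    if (mutates_prod or call.provenance is Provenance.UNTRUSTED_DATA) and not call.approved_by:
        return Decision(False, "human approval required")
    return Decision(True, "allowed")


if __name__ == "__main__":
    billing_agent = AgentIdentity("svc-agent-billing", frozenset({"tickets:read", "mail:send"}))
    cred = issue_jit_credential(billing_agent, "tickets:read", now=1000.0)
    # Same tool, different provenance: the untrusted-data path is held for approval.
    print(evaluate(billing_agent, ToolCall("read_ticket", Provenance.USER), cred, 1000.0))
    print(evaluate(billing_agent, ToolCall("read_ticket", Provenance.UNTRUSTED_DATA), cred, 1000.0))
```

The design point is that the decision depends on the identity, the credential and the provenance of the triggering content, not on the wording of the request: the same `read_ticket` call is allowed when the operator asked for it and held for approval when an ingested document asked for it, which is the distinction conversational filters cannot make.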
Quick Q&A
When must you apply human oversight? For any agent performing transactions, accessing regulated data, or changing production state—healthcare, finance, admin APIs.
Which agents need the strictest controls? Production agents with machine identities first; local agents come second because of decentralization and plugin risk.
Early warning signals to watch: sudden requests for expanded scopes, unknown third-party plugins installing on endpoints, and unusual outbound API calls from machine identities.
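The three early warning signals above can be turned into detection logic over an audit feed. The following is an added example, not code from the article; the JSON event shape, the baseline (granted scopes, known API destinations per machine identity, approved plugin list) and the sample log lines are all constructed for illustration.

```python
"""Detect the early warning signals for agent compromise in an audit feed.

Added example, not from the article. Assumed (hypothetical) event shape: one
JSON object per line with a `type` of api_call, scope_request or
plugin_install. The baseline below stands in for what an identity system and
endpoint inventory would normally provide.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample events, not real logs. The 203.0.113.0/24 block is the
# documentation range reserved for examples.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:00Z","actor":"svc-agent-billing","type":"api_call","dest":"api.payments.internal","host":"prod-agent-01"}
{"ts":"2024-05-01T10:00:05Z","actor":"svc-agent-billing","type":"api_call","dest":"api.payments.internal","host":"prod-agent-01"}
{"ts":"2024-05-01T10:01:00Z","actor":"svc-agent-billing","type":"scope_request","scope":"secrets:write","host":"prod-agent-01"}
{"ts":"2024-05-01T10:02:00Z","actor":"svc-agent-billing","type":"api_call","dest":"203.0.113.7","host":"prod-agent-01"}
{"ts":"2024-05-01T10:03:00Z","actor":"alice","type":"plugin_install","plugin":"com.example.unknown-helper","host":"laptop-alice"}
{"ts":"2024-05-01T10:04:00Z","actor":"alice","type":"plugin_install","plugin":"com.example.approved-search","host":"laptop-alice"}
{"ts":"2024-05-01T10:05:00Z","actor":"alice","type":"api_call","dest":"203.0.113.9","host":"laptop-alice"}
"""

# Constructed baseline: what the identity system and endpoint inventory already know.
BASELINE = {
    "machine_identities": {"svc-agent-billing"},
    "granted_scopes": {"svc-agent-billing": {"payments:read"}},
    "known_destinations": {"svc-agent-billing": {"api.payments.internal"}},
    "approved_plugins": {"com.example.approved-search"},
}

Alert = Tuple[str, str, str]   # (signal, subject, detail)


def detect(log_text: str, baseline: Dict = BASELINE) -> List[Alert]:
    """Return one alert per event that matches an early warning signal.

    Signals: a request for a scope the identity does not hold, a plugin
    install outside the approved list, and an outbound API call from a
    machine identity to a destination outside its baseline. Human actors'
    API calls are deliberately not flagged here; they are governed by the
    endpoint controls, not by the machine-identity baseline.
    """
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        actor, kind = ev["actor"], ev["type"]
        if kind == "scope_request":
            if ev["scope"] not in baseline["granted_scopes"].get(actor, set()):
                alerts.append(("scope_expansion", actor, ev["scope"]))
        elif kind == "plugin_install":
            if ev["plugin"] not in baseline["approved_plugins"]:
                alerts.append(("unknown_plugin", ev["host"], ev["plugin"]))
        elif kind == "api_call" and actor in baseline["machine_identities"]:
            if ev["dest"] not in baseline["known_destinations"].get(actor, set()):
                alerts.append(("unusual_destination", actor, ev["dest"]))
    return alerts


if __name__ == "__main__":
    for signal, subject, detail in detect(SAMPLE_LOG):
        print(f"{signal:20} {subject:20} {detail}")
```

Each alert names the identity or host it concerns, so it can feed the dynamic governance step the article calls for: a `scope_expansion` or `unusual_destination` alert on a machine identity is the trigger for revoking or narrowing that identity's privileges, and an `unknown_plugin` alert is the trigger for the endpoint inventory and plugin whitelist checkpoint.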