Cybersecurity leaders are getting pretty worried that our next major insider threat may not be some disgruntled employee but rather an overprivileged machine. Jack Cherkas, the CISO at Syntax, has said he thinks that if companies don’t put identity controls, activity tracking, and data provenance safeguards in place, AI agents will end up being the biggest insider threat of all. 

Wendi Whitmore at Palo Alto Networks has gone one step further and just calls AI agents “the new insider threat,” which is a pretty bleak assessment given how quickly companies are rushing to roll out these autonomous tools. 

The Rise of Autonomous Agents and Privileged Identities 

We’ve got way more machine identities floating around in modern IT than we used to. This includes service accounts, bots, LOT devices, AI workflows, and all sorts of other automated process tools, all of which need access to the data and systems. As one security expert has pointed out, a single Kubernetes cluster can create hundreds of service accounts just as a matter of course, while CI/CD pipelines, serverless functions, and RPA tools all come with their own “throwaway” identities with a lot of privileges attached. 

To put it another way, your infrastructure is basically chock full of software “workers” who have way more rights than an average user. And the kicker is that a lot of these identities are basically invisible; they’ve got no real owner, no “use by” date, and no one is really keeping an eye on them. This, over time, creates a whole new attack surface, and any one of these unattended or overly-privileged agents can be a backdoor for attackers just waiting to be exploited. 

For example, Code assistants and copilots that are driven by AI are now showing up in just about every corner of development and ops. Companies are handing out API tokens, cloud keys, and even the keys to the castle to these agents so they can automate all sorts of tasks.

But when trust is broken, if one of these AI agents gets its hands on the wrong credentials, the attacker gets the whole shebang. 

For instance, there was a security incident in July 2025, a supply-chain attack that got into the Amazon Q VS Code extension (which is an AI coding assistant that’s part of Visual Studio Code) via a malicious GitHub pull request. 

The malicious update told the coder to essentially wipe the whole lot of local files on the machine and cloud infrastructure too, deleting all the EC2 instances, S3 buckets, and IAM users that came with it. Thankfully, Amazon was able to sort out the problem pretty quickly, but the incident shows just how big a risk there is to your systems when a computer program is given a lot of trust with powerful controls: a single slip-up or vulnerable token in that system can have far-reaching and disastrous consequences. 

It’s a similar deal with traditional RPA bots (Robotic Process Automation) as well. These bots are often designed to have superuser powers, and that is just the way it has to be if they are going to be able to log in to systems, click through screens, and move data around between different parts of the network. To do this, they often get set up with almost limitless admin rights. One expert has warned that when an RPA bot gets to run around with all its admin rights, if it is compromised, the attacker gets a whole lot of access to your systems. 

In the real world, all it usually takes to open the flood gates to the whole network is for a single bot credential to be nicked, and suddenly, you’ve got malware on the loose, databases being harvested, and the potential for backdoors being planted all over the system. And to make matters worse, a lot of these bot accounts rely on the same old hard-coded passwords or are using shared passwords, so it’s easy for an attacker to use what they’ve stolen from one bot to get into all the rest. 

Real-World Case Studies 

High-Profile Breaches Show How Insiders Can Be Compromised Across Industries: 

• Cloud/SaaS Integration Breach (2025): Hackers managed to hijack a third-party integration to swipe data straight from customer clouds. Here, malicious parties took advantage of OAuth tokens that had been compromised in the Salesloft Drift app to siphon off data from loads of different Salesforce accounts. The Google /Mandiant investigation turned up that by abusing these machine identities, the hacker managed to quietly export huge amounts of data – including AWS access keys and Snowflake credentials from company systems. 
• AI Co-Pilot Vulnerability (2025): Researchers discovered a weakness in Microsoft 365’s AI helper tool called “Copilot”, which they dubbed “EchoLeak“. This glitch allowed a hacker to quietly steal sensitive business data without even needing to get a user to click on anything – just by sending a specially crafted email to the Copilot system. As Forrester analyst Jeff Pollard puts it: “once you give something permission to do things on your behalf, the bad guys are gonna figure out a way to take advantage of it – the amount of information these agents have access to is a treasure trove” In other words, any corporate system that uses generative AI, be it email, documents or basically anything, is a high-value target if those agents get over-privileged.;
• (Predicted) Autonomous Insider Attacks: The experts think things are only gonna get worse. Jack Cherkas notes that when their workflows get misconfigured, it’s only a matter of time before serious close calls happen, and then – he predicts – “one of these AI agents is gonna get used to steal some serious data, and it’s gonna be a high-profile breach that’ll make people lose trust in the system.” According to Palo Alto’s 2026 outlook, in one likely scenario, hackers will get their hands on an ‘autonomous insider,’ a compromised agent that can quietly go about doing things like making trades, deleting backups, or, in one fell swoop, just pull the entire customer database without any human intervention. All of these warnings should be a big wake-up call – it’s clear that hackers are gonna increasingly use compromised machine identities to get what they want. 

The “Superuser” Problem: Excessive Permissions 

The common thread running through all these cases is, unfortunately, a matter of too many privileges being handed out. Wendi Whitmore from Palo Alto talks about the “superuser problem.”

Essentially, giving autonomous agents way too much leeway means they end up as hidden superusers who can sneak into numerous systems without anyone being the wiser. She puts it down to the fact that such an agent can essentially string together access to super-sensitive applications and resources without so much as a whisper to the security teams about it happening & without any approval, of course. Put simply, an over-privileged bot can just wander around the network, doing things its creators never wanted in the first place. 

And with advanced AI, things get even trickier with prompt injection techniques and the rest, it’s possible to trick the bot into doing all sorts of malicious things under the guise of something boring and legitimate.

Whitmore says that with one carefully crafted prompt, you can get an AI to actually do some pretty nasty things on its own accord, making it a kind of non-human insider. 

EVERY single industry expert is screaming the same thing: We really are long overdue in treating AI/Automation identities exactly like we would any other normal user.

According to Whitmore, “depending on how they’ve been set up & what permissions they’ve been given”, these agents can sometimes even get their hands on super-sensitive data & systems, which is just a whole other kettle of fish. The response she advises is to just go about stripping away all the privileges we can from each & every bot or machine account, only give ’em what they absolutely need to get their job done. Just like we would with any old human. 

Mitigation: Governance, Visibility and Least Privilege 

Raising awareness is the first step in all this. Security teams and C-level executives need to wake up to the fact that autonomous systems are a threat that needs to be considered. 

Boardrooms should be taking “AI-agents-security as a governance thing” seriously and demanding some proper controls and accountability. So here are some key best practices to keep in mind: 

• Enforce Least Privilege and Just-In-Time Access: Basically, you only give bots and agents as much permission as they need, and only for as long as they need it. I mean, no point in giving some RPA bot permanent admin credentials, just so it can do its thing, use just-in-time elevation so it only gets extra privileges when it really needs. Modern PAM and identity platforms can sort this out for you and help reduce the impact if a credential does get stolen. As Palo Alto says, “provision your agents with as little access as possible” and stop them from getting sidetracked from their script. 

• Implement Continuous Monitoring: Treat AI-agents as carefully as you do your human users. Keep an eye on their activity at all times and keep a close eye on API usage, inter-service communications, and anything else that looks out of the ordinary. You should have granular audit logs and be able to track back and see exactly what each agent was up to and why. One SC Media report is saying that companies should “enforce super-tight access controls, keep a close eye on what your agents are up to, and get some provenance tracking in there for all your automated processes”. Anytime an agent does something unexpected (like hitting an unexpected database or changing a file) – and I mean unexpected in a bad way it should be sending out some immediate alerts. 

• Secure the Software Supply Chain: Make sure that anyone who codes up your AI tools, scripts, and automations goes through a proper review before they get deployed. Take the Amazon Q extension breach as an example – how weak code governance can basically turn an agent against you. Get some strict code review going on, make sure everyone who updates the code is honest, and make sure only the right people can update the agent workflows. Even the smallest contributions should be checked out; treat every prompt and model as code that needs a review. 

• Inventory and Lifecycle Management: You need to keep track of every non-human identity (service accounts, API keys, tokens, container credentials, etc.) in a centralized way. Check how they’re being used regularly, set automatic expiration dates for them, and then rotate their secrets all the time. Don’t let credentials get shared between multiple bots, and get rid of any unused ones pronto. As one analysis said, “unchecked growth of service identities creates an identity layer that just grows out of control,” and that’s something you really don’t want. 

• Multi-Party Approval and Testing: If something high-impact comes up (like a financial transaction, infrastructure changes, or data exports), you might want to have a human check over it or have some strict approval process – even if it was started by a bot. Do some red-team exercises to get ready for if a bot does go rogue and makes a mess, so you know exactly what to do to stop it before any damage is done. 

Conclusion 

Autonomous systems just doing their thing with way too much power can be a big problem across all sorts of industries like big business, critical infrastructure & government. The same automation & AI that helps things run smoother can quickly turn against us if we don’t keep a close eye on it. Security leaders have a new nightmare on their hands: machines and AIs being considered the brand new insider threat. It’s time to rethink, when dealing with autonomous stuff.

You’ve got to start treating every bot, script, or AI buddy as if it’s a real person with all the rights & responsibilities that come with it. That means applying zero-trust to all your automated helpers, making sure they don’t have too much power, keeping a super close eye on who has access to what, and being ready to pounce if something goes wrong. Execs and tech teams need to wake up to reality. If one of those AIs gets hijacked by some bad actor, it’s potentially just as bad as one of your actual employees going rogue. Stay on top of this stuff now, or you’ll be reading about the aftermath in the headlines tomorrow.