The Genie Is Out of the Bottle: Why the AI Agent Explosion Is Rewriting Enterprise Security Faster Than Anyone Can Patch
The way enterprises work is shifting in a manner that sounds like cliché until the security implications come into focus. A colleague is no longer reliably a human being. Across organisations of every size, autonomous AI agents are being stood up to handle tasks that once required a person, and they are arriving not through a controlled procurement process but through the same back channels that once delivered shadow IT. James Maude, Field CTO at BeyondTrust, captures both the inevitability and the danger of the phenomenon in a single image. “When it comes to agentic AI, the challenge we’re seeing is the genie’s out of the bottle,” he said, adding that “users are using it whether you like it or not, whether they’re using approved systems or not, and most organisations lack that holistic visibility into where these agent identities are and what privileges and access they have.”
That loss of control begins with a question most organisations cannot answer. Meriam ElOuazzani, Vice President for Middle East, Turkey and Africa at Censys, frames the diagnostic plainly. “How many AI agents now operate inside your environment, and how many were there 12 months ago?” she asked, observing that “most customers across this region cannot answer that question, not because they are unprepared, but because nobody gave them a reliable way to count.” The agents, ElOuazzani explained, “appeared through developer tooling, vendor integrations, SaaS platforms, and shadow IT channels, and the inventory never kept pace.” Her conclusion is unsparing. “That’s not an AI problem. It’s a visibility problem that AI made urgent,” she said, noting that the inability to answer the question is itself information.
The shadow AI workforce is multiplying faster than any visibility framework can track
The scale of the problem is no longer theoretical. BeyondTrust’s Phantom Labs research team recorded a 466.7% increase in enterprise AI agents over the past year, a surge the firm characterises as a shadow AI workforce expanding largely outside the line of sight of the teams meant to govern it. Maude described how the sprawl takes hold without anyone noticing. “Many organisations have hundreds if not thousands of AI agentic identities in their infrastructure that they didn’t realise existed,” he said, “because users have gone along, they’ve gone to Copilot Studio, they’ve created a new agent to do something, and this in the back end creates a new identity, a new part of the attack surface that the organisation didn’t even realise, often granting it privileges and access to systems that are available 24/7.”
Maude reaches for an earlier technology to explain why the sprawl cannot be stopped at the perimeter. “AI is the new Wi-Fi,” he said. “When we had the challenge of Wi-Fi coming to market, employees didn’t want to wait for it to deploy, so they could go work from their laptops in the kitchen. They were just going out and buying Wi-Fi routers and plugging them into the network, and IT were then having to catch up afterwards.” Adoption of the agent equivalent is already well past the pilot stage, and ElOuazzani anchors it in production reality.
“80% of Fortune 500 companies now run active AI agents in production,” she said. “The harder conversation is about what sits beneath that: credentials, frameworks, APIs, all now priority targets.” Maude was careful, even so, to puncture the assumption that this is a wholly new category of threat. “Agentic AI hasn’t changed the game in the way many people perceive it has,” he said. “What it has done is it’s sped up the gameplay. The rules of physics haven’t been altered.”
Privileged credentials are being granted to agents nobody in the business authorised
The governance gap beneath the adoption figures is where both spokespeople converge most sharply. ElOuazzani describes a recurring failure of ownership. “Most organisations rush to deploy AI agents, and rarely does anybody own the credential question,” she said. “The agent gets stood up by a developer, inherits service account permissions from a project three years old, and the CISO finds out six months later, if at all.” For ElOuazzani, the authorisation chain is the unresolved issue.
“Credentials were involved in nearly a third of breaches last year,” she noted. “When an agent holds privileged access and no human can name who approved it, that gap is already an incident waiting to happen.” She returns to the same evidence when pressed on accountability, pointing out that “the Verizon 2025 DBIR found that identity compromise was the number one breach vector last year,” before delivering the line that frames the whole risk: “AI agents don’t reduce that risk. They multiply it.”
Maude reaches an identical conclusion from the privilege side, describing how access compounds as agents hand off to one another. “One AI agent will chain now to another AI agent and hand over credentials, secrets, tokens, and access,” he said. “The human identity triggers off a workflow that might inherit the human’s privilege. Was that user over-privileged? And has that now handed it over, and there are now 10 agents running around your infrastructure doing different things, all with a huge level of privileged access.”
Both voices reject the instinct to wait for a public identifier before acting. ElOuazzani is emphatic on the point. “An agent that exfiltrates data through a legitimate API call, or one that interprets a prompt in ways its developers never anticipated, will never get a public identifier,” she said. “The vulnerability is the design, not a discrete flaw someone can patch on a Tuesday. The CVE system was built for a different era. Waiting for it to catch up to agentic AI is not a security strategy.”
Microsoft’s vulnerability data shows exactly where the risk is concentrating
If the agent explosion describes the shape of the new attack surface, BeyondTrust’s 13th annual Microsoft Vulnerabilities Report supplies the hard evidence of where the danger is sharpening. The report, drawn from publicly disclosed bulletins across 2025, opens with a figure that invites complacency: total Microsoft vulnerabilities fell by 6% to 1,273, from 1,360 the previous year. Beneath that reassuring decline sits the finding that matters. “The biggest thing we saw in the report this year was there’s this mirage that if you look at the overall figures, the total number of vulnerabilities went down slightly,” Maude said, “but the critical vulnerabilities pretty much doubled. We went from 78 to 157.”
Maude has watched that trend run the other way for years, which is what makes the reversal alarming. “We’ve had this long-term downward trend in critical vulnerabilities where people have been getting more confidence that the ones that cause phone calls in the middle of the night, and wake IT managers up to do emergency patching, are reducing,” he said, “but suddenly they’ve jumped up.”
Elevation of Privilege vulnerabilities again accounted for 40% of all flaws in the report, roughly 509 in total, and Maude was clear about why that category endures. “Elevation of Privilege made up 40% of all vulnerabilities again this year,” he said, “because that is exactly what attackers need to reach critical systems.” The concentration is most acute in the cloud, where critical vulnerabilities across Azure and Dynamics 365 rose ninefold from four to 37, and in Microsoft Office, where total flaws more than tripled to 157 and critical bugs within the suite climbed roughly tenfold.
A single cloud flaw can expose an entire estate, and the agent era widens that blast radius
The cloud figures matter beyond their arithmetic because of what a single critical flaw in a control plane can unlock. Maude pointed to one disclosure as the warning sign above all others. “There was one CVE, I think it was 55241, and that to me was the canary in the coal mine,” he said, “because that was a case where an attacker was able to impersonate any user in a tenant, including the global administrator, and basically walk straight through that trust boundary.” The consequences cascade from there.
“They impersonate a global admin and now they’ve got the keys to that tenant,” Maude explained. “Every service account, every piece of customer data sitting in that tenant is reachable. That one bug, and the entire cloud estate is exposed.” The deeper failing he identified was cultural rather than technical, the assumption “as people have migrated things into cloud that the cloud is secure by default.”
That cloud control plane is precisely where AI services authenticate and interact with enterprise data, which is what makes the convergence so dangerous, and ElOuazzani’s external-exposure lens sharpens the same point. “Every agent you deploy leaves infrastructure footprints,” she said. “Most security teams have no visibility into those. That’s information too.” Her guidance is to adopt the adversary’s vantage point.
“You need to know what every agent can reach, from the outside, the same way an attacker would see it,” she said, urging security leaders to “monitor what the agent does, not what it’s supposed to do,” through behavioural baselines, access pattern analysis and output auditing. The same legacy exposure runs through Office, where Maude noted attackers have moved beyond macros to quieter vectors. “We’ve seen a lot of attacks via the preview pane,” he said, “so rather than having to load up a document and enable a macro to run, they’re looking for exploits where just a preview that gets generated in Explorer or Outlook can be used to trigger an exploit.”
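ElOuazzani’s advice to “monitor what the agent does, not what it’s supposed to do” is concrete enough to implement. The script below is an added example written for this piece; it is not code from either vendor or from the article. It builds a per-agent behavioural baseline from a constructed activity log (the agent names, log format, three-day learning window and three-sigma volume threshold are all assumptions) and then flags, in the evaluation window, the four things the interview singles out: an agent touching a resource it never touched before, activity outside its usual hours, an outbound volume spike consistent with exfiltration through a legitimate API call, and an agent that appears in the logs but was never in the baseline at all.

```python
"""Behavioural baseline and anomaly checks for AI agent activity.

Added example for this article; not code from BeyondTrust, Censys or the original page.
The log format, agent names, learning window and thresholds are assumptions.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): newline-delimited JSON, one record per API call.
# Days 1-3 are normal invoice-bot behaviour; day 4 contains the events to be flagged.
SAMPLE_LOG = """\
{"ts":"2025-06-01T09:00:00Z","agent":"invoice-bot","action":"GET","resource":"erp/invoices","bytes_out":2048}
{"ts":"2025-06-01T09:05:00Z","agent":"invoice-bot","action":"POST","resource":"erp/approvals","bytes_out":512}
{"ts":"2025-06-02T09:00:00Z","agent":"invoice-bot","action":"GET","resource":"erp/invoices","bytes_out":2304}
{"ts":"2025-06-02T09:05:00Z","agent":"invoice-bot","action":"POST","resource":"erp/approvals","bytes_out":480}
{"ts":"2025-06-03T09:00:00Z","agent":"invoice-bot","action":"GET","resource":"erp/invoices","bytes_out":1980}
{"ts":"2025-06-03T09:05:00Z","agent":"invoice-bot","action":"POST","resource":"erp/approvals","bytes_out":530}
{"ts":"2025-06-04T09:00:00Z","agent":"invoice-bot","action":"GET","resource":"erp/invoices","bytes_out":2100}
{"ts":"2025-06-04T02:13:00Z","agent":"invoice-bot","action":"GET","resource":"hr/employees","bytes_out":48000}
{"ts":"2025-06-04T02:14:00Z","agent":"invoice-bot","action":"POST","resource":"storage/export","bytes_out":2300000}
{"ts":"2025-06-04T10:00:00Z","agent":"copilot-studio-agent-7f3","action":"GET","resource":"sharepoint/finance","bytes_out":9000}
"""

BASELINE_DAYS = 3      # assumption: the first three calendar days train the baseline
VOLUME_SIGMAS = 3.0    # assumption: daily outbound volume above mean + 3 sigma is a spike


def parse_log(text):
    """Parse newline-delimited JSON into event dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def split_windows(events, baseline_days=BASELINE_DAYS):
    """Split events into a learning window (first N calendar days) and an evaluation window."""
    days = sorted({e["ts"].date() for e in events})
    learn_days = set(days[:baseline_days])
    learn = [e for e in events if e["ts"].date() in learn_days]
    evaluate = [e for e in events if e["ts"].date() not in learn_days]
    return learn, evaluate


def build_baseline(learn):
    """Per agent: observed (action, resource) pairs, active hours and daily outbound bytes."""
    baseline = defaultdict(lambda: {"pairs": set(), "hours": set(), "daily_bytes": defaultdict(int)})
    for e in learn:
        b = baseline[e["agent"]]
        b["pairs"].add((e["action"], e["resource"]))
        b["hours"].add(e["ts"].hour)
        b["daily_bytes"][e["ts"].date()] += e["bytes_out"]
    return baseline


def detect(evaluate, baseline, sigmas=VOLUME_SIGMAS):
    """Compare observed behaviour with the baseline; return alerts keyed by kind."""
    alerts = defaultdict(list)
    daily = defaultdict(int)
    for e in evaluate:
        b = baseline.get(e["agent"])          # .get() does not create a default entry
        if b is None:
            alerts["unknown_agent"].append((e["agent"], e["resource"]))
            continue
        pair = (e["action"], e["resource"])
        if pair not in b["pairs"]:
            alerts["novel_access"].append((e["agent"],) + pair)
        if e["ts"].hour not in b["hours"]:
            alerts["off_hours"].append((e["agent"], e["ts"].isoformat()))
        daily[(e["agent"], e["ts"].date())] += e["bytes_out"]
    for (agent, day), total in daily.items():
        history = list(baseline[agent]["daily_bytes"].values())
        if len(history) < 2:
            continue                          # too few days to estimate the spread
        mean, sd = statistics.mean(history), statistics.stdev(history)
        if total > mean + sigmas * sd:
            alerts["volume_spike"].append((agent, str(day), total))
    return dict(alerts)


def run(text=SAMPLE_LOG):
    """Baseline on the learning window, then evaluate the remaining days."""
    learn, evaluate = split_windows(parse_log(text))
    return detect(evaluate, build_baseline(learn))


if __name__ == "__main__":
    for kind, items in run().items():
        for item in items:
            print(kind, *item)
```

The baseline here is purely observational, which is the point ElOuazzani makes: it describes what the agent actually did during the learning window, not what its manifest says it may do. In production the learning window would be longer, the baseline would be refreshed as the agent’s legitimate duties change, and the `unknown_agent` branch doubles as the inventory check she describes, because any identity that shows up in activity logs but not in the baseline is an agent nobody counted.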
AI has collapsed the patching window, making least privilege the only durable control
The most consequential change Maude described is not any single vulnerability class but the collapse of the time defenders have to respond. “With AI tooling, AI-augmented attackers, the window in which you have to patch to get that secured is shrinking,” he said, “and that’s making some of the other traditional controls like least privilege actually become much more load-bearing.” He reasons that no patching cadence can outrun a weaponised exploit indefinitely.
“Whether it’s a zero day or a new patch that’s out, you’ve got a smaller time frame to do it,” Maude said, “and the only durable thing is to limit what the attacker can reach if they successfully exploit that vulnerability. Limit the blast radius.” The industry, in his telling, had drifted away from exactly these foundations. “We got very into the idea that everything’s about detection, and we’ve got to assume breach,” he said, “but there’s a lot of things in that proactive, foundational security that people are starting to come back to very quickly.”
Those foundations are tested most severely by the unpredictability of agents themselves. “We could be relatively sure that a human with a high level of privilege would stay within the lane,” Maude said, “but less so with the AIs coming out there, and to make them useful a lot of the time they need access to a lot of data and a lot of systems.” He recalled how badly that can go. “We’ve seen examples where people have turned on an AI agent, pointed it at a database, and it’s hallucinated something and accidentally wiped the production database,” he said.
The humans behind the tools, Maude stressed, do not get to outsource responsibility. “Those humans who are using the AI agents are still responsible for every pull request they put in, every piece of code that gets shipped,” he said. ElOuazzani extends the accountability question into governance, insisting the work must happen before deployment. “Before you deploy an agent, someone needs to answer three questions,” she said. “Who authorised its access, what it is permitted to do, and how you will reconstruct its actions after the fact.”
The discipline that survives the agent era is mapping paths to privilege, not policing silos
The instinct Maude warned against most firmly is the temptation to treat agentic AI as another silo. “We’re still in the age where we have teams thinking about Active Directory, teams thinking about cloud, teams thinking about IAM and PAM, and now agentic AI is in the mix,” he said. “The danger is, as an industry, we start building out new teams that just look at the AI agents and their identities, and then we’re missing those valuable connections where it can inherit privilege from a human, or a human can inherit privilege from an AI.” That web of inheritance is what makes a user’s true reach so much greater than it appears. “It’s those paths to privilege that make a user’s true privilege, the actual access they have, far greater, and that blast radius far greater,” Maude said.
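Maude’s “paths to privilege” (and his earlier description of agents chaining and handing over tokens, and of limiting the blast radius) are a graph problem, and the example below shows how to compute them. It is an added example written for this piece, not code from BeyondTrust or from the article. The estate it models is constructed: a human (alice) who triggers an agent, which delegates to a second agent, which runs as a three-year-old service account holding a database-owner role; a second human (bob) who can read the second agent’s stored token. Identity names, role names and the relation vocabulary are assumptions. Given those edges it computes each identity’s effective privilege, the privilege that is invisible to a review of direct role assignments, the explicit chain from a human to a given role, and the list of identities that can reach that role at all.

```python
"""Paths to privilege across humans, AI agents and service accounts.

Added example for this article; not code from BeyondTrust or the original page.
Identities, roles and relation names below are constructed for illustration.
"""
from collections import defaultdict

# Relations along which privilege flows from the left node to the right node:
# a human triggers an agent, an agent delegates to another agent (handing over its token),
# an agent runs as a service account, and a human can read an agent's stored token.
INHERIT = {"triggers", "delegates_to", "runs_as", "impersonates", "reads_token_of"}
HAS_ROLE = "has_role"   # attaches a role or permission to an identity

# Constructed estate (assumption): one workflow, two chained agents, one legacy service account.
SAMPLE_EDGES = [
    ("alice", "has_role", "sharepoint:reader"),
    ("alice", "triggers", "report-agent"),
    ("report-agent", "has_role", "sharepoint:reader"),
    ("report-agent", "delegates_to", "db-agent"),
    ("db-agent", "runs_as", "svc-legacy-2022"),
    ("svc-legacy-2022", "has_role", "sql:db_owner"),
    ("svc-legacy-2022", "has_role", "storage:contributor"),
    ("bob", "has_role", "sql:db_reader"),
    ("bob", "reads_token_of", "db-agent"),
]


def build_graph(edges):
    """Return two adjacency maps: identity -> identities it can act as, identity -> direct roles."""
    flows, roles = defaultdict(set), defaultdict(set)
    for src, rel, dst in edges:
        if rel == HAS_ROLE:
            roles[src].add(dst)
        elif rel in INHERIT:
            flows[src].add(dst)
        else:
            raise ValueError(f"unknown relation {rel!r}")
    return flows, roles


def all_identities(flows, roles):
    """Every node that appears as an identity anywhere in the graph."""
    return set(flows) | set(roles) | {d for ds in flows.values() for d in ds}


def reachable_identities(flows, start):
    """Every identity whose privilege `start` can exercise, transitively (BFS)."""
    seen, queue = {start}, [start]
    while queue:
        node = queue.pop(0)
        for nxt in flows.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_roles(flows, roles, identity):
    """Direct roles plus every role reachable through the inheritance graph (the blast radius)."""
    return set().union(*(roles.get(n, set()) for n in reachable_identities(flows, identity)))


def hidden_privilege(flows, roles):
    """Per identity, roles held only through other identities: what a review of
    direct assignments in any single silo (AD, cloud IAM, PAM) would miss."""
    out = {}
    for ident in sorted(all_identities(flows, roles)):
        hidden = effective_roles(flows, roles, ident) - roles.get(ident, set())
        if hidden:
            out[ident] = hidden
    return out


def paths_to_role(flows, roles, start, target, _path=None):
    """All explicit chains from `start` to an identity that directly holds `target` (DFS)."""
    path = (_path or []) + [start]
    found = [path] if target in roles.get(start, set()) else []
    for nxt in sorted(flows.get(start, ())):
        if nxt not in path:                  # guard against cycles
            found += paths_to_role(flows, roles, nxt, target, path)
    return found


def who_can_reach(flows, roles, target):
    """Accountability view: every identity that ends up holding `target`, directly or not."""
    return sorted(i for i in all_identities(flows, roles)
                  if target in effective_roles(flows, roles, i))


if __name__ == "__main__":
    flows, roles = build_graph(SAMPLE_EDGES)
    for ident, hidden in hidden_privilege(flows, roles).items():
        print(f"{ident}: inherits {sorted(hidden)}")
    for path in paths_to_role(flows, roles, "alice", "sql:db_owner"):
        print(" -> ".join(path))
    print("can reach sql:db_owner:", who_can_reach(flows, roles, "sql:db_owner"))
```

Two things fall out of running it on the constructed estate. First, alice’s directly assigned privilege is a SharePoint reader role, but her effective privilege includes database ownership, reached only by following the trigger, delegation and service-account edges across what would normally be three different teams’ inventories. Second, the least-privilege fix Maude argues for is visible as a graph operation: re-scoping the legacy service account’s `sql:db_owner` role to a reader role empties the set of identities that can reach database ownership, which is the blast-radius reduction that no patching cadence can substitute for.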
Both spokespeople land on ownership as the unresolved question. ElOuazzani poses the test that most organisations still cannot pass. “If an agent acted maliciously tomorrow, who in your organisation would be accountable, and could you prove what it did?” she asked, observing that “the governance structures they built were designed for humans making decisions, not autonomous systems acting on their behalf.” Maude’s prescription returns repeatedly to the basics the industry mistook for solved problems. “The more we can think about reducing our identity attack surface alongside patch management, the more secure we’ll be,” he said, “no matter what the vulnerability classification is.” Whether the steep upward line in critical flaws continues through 2026 is the trajectory he will be watching above all others. “If they are struggling to get on top of it in 2026,” Maude said of Microsoft, which he called a transparent bellwether for the wider industry, “that means broader across the industry we’re going to start seeing some significant challenges, and organisations really having to rethink their approach to security.”