
Four ways to defend against Agentic AI attacks


COMMENTARY: Everyone uses AI today.

A recent McKinsey report found that 78% of organizations now use AI in at least one business function—up from 72% in early 2024 and 55% the year before.

But it’s not just enterprises accelerating adoption—adversaries are, too. Malicious operators now use AI to craft convincing phishing emails, fake websites, and deepfake voice or video calls. They use AI to write malicious code faster and uncover defensive gaps more easily.

As enterprise adoption climbs, so does attacker sophistication—and the next wave has already formed: Agentic AI.

Content creation vs. decision making

For those using AI today, it’s probably Generative AI, with ChatGPT being the most recognizable example. Trained on massive text datasets and powered by large language models (LLMs), it produces responses by predicting likely next words based on patterns. It doesn’t reason like a human or “create” in the human sense. Instead, it produces pattern-based suggestions.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Agentic AI, by contrast, acts. Given an objective, it gathers inputs, evaluates options, and takes action autonomously—whether scheduling meetings, executing trades, or driving a vehicle. While Generative AI was optimized for content creation, agentic AI has been optimized for goal completion.

Now, imagine an Agentic AI trained to infiltrate networks, steal credentials, and pivot until it succeeds. This isn’t hypothetical; it’s already happening.

Agentic AI credential theft campaign

Consider a credential-theft campaign. In credential theft, attackers harvest usernames, passwords, and tokens from large numbers of victims to gain unauthorized access to accounts and networks. Once inside, attackers blend in with normal user activity, bypass controls, and move laterally undetected.

An Agentic AI–driven campaign isn’t a one-off scam—it’s a continuous, multichannel influence operation. It autonomously selects targets, crafts personalized messages, times delivery, and adapts follow-ups based on response data. Successes and failures become inputs for optimization.

For example, an agent could impersonate an executive, compose persuasive SMS messages using public social data, and send a link to a realistic login page. When a recipient taps the link, credentials are captured. Within minutes, the agent tests those credentials, escalates access, and expands to new targets—guided by real-time telemetry and adaptive reasoning.

The result: higher fidelity impersonations and a dramatically greater likelihood of successful account takeover or fraud—unless organizations deploy layered defenses that address mobile, identity, and human-layer threats together.

Agentic AI meets the mobile device

Mobile isn’t just another endpoint. It’s the natural habitat for Agentic AI attacks. Always on, always connected, and deeply personal, the mobile device sits at the intersection of human behavior and digital access, the exact conditions agentic AI exploits best.

Malicious agentic apps and services amplify classic social-engineering tactics such as smishing and vishing, turning what were once isolated scams into scalable, adaptive campaigns. These agents can read behavioral cues, time messages for maximum engagement, and modify tone or urgency in real time based on user response. Unlike traditional phishing, which relies on static templates, agentic AI personalizes persuasion by learning how an individual communicates, reacts, and trusts.

Mobile channels—SMS, iMessage, WhatsApp, social DMs, and voice—are inherently human-facing and largely outside traditional security perimeters. A convincing message or deepfake call on a small screen is far harder to scrutinize than an email on a large monitor. Limited telemetry and privacy constraints compound the problem: defenders can’t easily see the interactions where manipulation happens.

The result has been a new breed of human-factor threat—one where Agentic AI weaponizes mobile intimacy. Every buzz, ping, and notification becomes a potential trigger for exploitation. And because these agents learn and iterate autonomously, they don’t just trick users once, they refine and repeat until they win.

Strategies to defend against Agentic AI attacks

The modern kill chain hasn’t changed and Agentic AI hasn’t invented new attack tricks: it’s simply industrializing existing social engineering tactics, techniques, and procedures such as smishing and vishing. Defending against this convergence of autonomy and mobility requires treating the mobile endpoint not as a peripheral risk, but as the front line of modern threats—where human trust meets machine intelligence. This means adopting a layered approach:

  • Start with visibility: When Agentic AI turns malicious on mobile, it does so through an app, the core delivery mechanism of the mobile ecosystem. Discover and monitor apps that exhibit agentic signals so it’s possible to separate harmless helpers from autonomous threats. This involves tracking permissions, API calls, data flows, and data destinations, as well as watching for any unusual automation sequences. By combining these analysis points into an actionable risk score, security teams gain the visibility needed to intervene before agentic behavior evolves into a compromise.
  • Harden systems the team can control: Hardening the endpoint requires securing the physical device, its operating system, and installed apps against technical compromise. Start by deploying mobile endpoint security to detect malware and exploits, monitor network activity, check for jailbreak or root status, and enforce security policies. It’s also essential to deploy vulnerability management, which includes scanning devices for outdated OS versions and unpatched vulnerabilities, tracking CVEs, prioritizing fixes, and implementing updates.
  • Safeguard human-facing channels: By safeguarding the human-facing channels, teams can defend the person behind the phone from the social engineering tactics that exploit trust and urgency to manipulate them into revealing sensitive information or credentials. Important threats include phishing, delivered via email and browsers; smishing, conducted via SMS and messaging platforms; and voice-based scams, such as vishing or deepfake audio, which impersonate trusted individuals. We need to prevent users from being manipulated into granting access, installing malicious apps, or disclosing sensitive information—even when the device itself is technically secure.
  • Automated detection, containment, and remediation: SOC operations increasingly hinge on automation across detection, containment, and remediation—so start by leveraging mobile-capable endpoint detection and response (EDR) to coordinate that workflow. EDR offers crucial forensic data collection for SIEM integration. This rich mobile and agent telemetry then gets fed into SIEM/SOAR platforms for correlation and to initiate automated playbooks. These automated response actions can include isolating devices, revoking tokens, rotating keys, suspending accounts, and automatically opening incidents.
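
The visibility and automated-response bullets above, as an added example that is not from the article or any vendor's product: it combines permission, destination, and automation-sequence signals into a risk score and maps the score to response actions the article names. The weights, thresholds, field names, hosts, and sample app records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Real Android permission names; the weights are assumed for illustration.
SIGNAL_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 30,  # can observe and drive the UI
    "android.permission.READ_SMS": 15,
    "android.permission.SEND_SMS": 15,
    "android.permission.RECORD_AUDIO": 10,
}
ALLOWED_DESTINATIONS = {"api.example-corp.test"}  # hypothetical allow-list

@dataclass
class AppTelemetry:
    name: str
    permissions: set
    destinations: set   # hosts the app sent data to
    events: list        # (timestamp_s, "user_input" or "ui_action")

def automation_bursts(events, window=5.0, min_actions=4):
    """Count runs of UI actions inside `window` seconds with no user input between them."""
    bursts, run = 0, []
    for ts, kind in sorted(events):
        if kind == "user_input":
            run = []          # a human touched the screen: the run is not autonomous
            continue
        run = [t for t in run if ts - t <= window] + [ts]
        if len(run) >= min_actions:
            bursts, run = bursts + 1, []
    return bursts

def risk_score(app):
    """Combine the three signal families into one 0-100 score (assumed weights)."""
    score = sum(w for p, w in SIGNAL_PERMS.items() if p in app.permissions)
    score += 10 * len(app.destinations - ALLOWED_DESTINATIONS)
    score += 20 * automation_bursts(app.events)
    return min(score, 100)

def response_actions(score):
    """Assumed tiers; the action names mirror the responses listed in the article."""
    if score >= 70:
        return ["isolate_device", "revoke_tokens", "open_incident"]
    return ["open_incident"] if score >= 40 else []

# Constructed sample records, not real telemetry.
HELPER = AppTelemetry("calendar-helper", {"android.permission.RECORD_AUDIO"},
                      {"api.example-corp.test"}, [(0, "user_input"), (1, "ui_action")])
SUSPECT = AppTelemetry("sms-assistant", set(SIGNAL_PERMS) - {"android.permission.RECORD_AUDIO"},
                       {"api.example-corp.test", "collector.unknown.test"},
                       [(0, "user_input")] + [(t, "ui_action") for t in (10, 11, 12, 13)])
```

In practice the score and chosen actions would be emitted as events to the SIEM/SOAR platform, which runs the playbook, rather than acted on by the scoring code itself.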

The outcome is a defense-in-depth system tuned for the small screen: faster containment, real-time visibility into agentic activity, more intelligent controls, and better human decisions.

Security and executive teams must stop treating Agentic AI as just another attacker tool and start recognizing it as a living, adaptive force in the modern threat landscape. These agents don’t merely execute commands: they learn, reason, and act autonomously, blending into human-like social and behavioral patterns.

It's now possible to instruct an agent to breach a system and leave it to iterate until it succeeds. The threat isn’t superior intelligence—it’s relentless efficiency and persistence.

The future isn’t coming—it’s here. Time to make sure the team’s defenses can keep up.

Jim Dolce, chief executive officer, Lookout
