COMMENTARY: Microsoft unveiled Copilot Tasks earlier this year to help eliminate busywork and supercharge productivity. There’s some real promise here, and especially for Copilot users, there’s certainly cause for excitement.

But there’s a serious catch that’s eluding headlines: what happens when agentic AI outpaces the security guardrails that businesses have in place.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Look no further than Amazon's Kiro, the company’s new AI‑powered developer environment and coding assistant. At the end of 2025, Kiro triggered AWS service disruptions following a misconfiguration that allowed it to bypass normal approval requirements. Kiro did exactly what it was designed to do. It was AWS that lacked the necessary guardrails.

Another, more recent incident occurred at Meta, where an engineer submitted a technical question to an internal forum. A colleague then sent the question to an internal AI agent, which reviewed the query and posted an autonomous reply that sidestepped human review. It turned out that the AI agent’s advice was wrong. Exacerbating matters, another employee acted on it, triggering a SEV-1 security incident and exposing company and user data for two hours.

These examples are not edge cases. They are a warning about what can happen when AI agents are permitted to act without any human oversight or control.

The core problem: identity frameworks built for humans

AI agents are attractive, and at the same time such a large security concern, because they execute instructions literally, without pausing to interpret intent. The trouble begins when they are given privileged, unmonitored access to sensitive systems.
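To make the contrast between standing, always-on permissions and the scoped alternative the column calls for concrete, here is an added example that is not from the column, from Britive, or from any vendor product: a small Python access broker that issues agents short-lived, task-scoped grants, blocks crossover between environments, requires a named human approver before any production grant, and writes every decision to an audit log with an anomaly alert on repeated denials. Every name in it (AccessBroker, Grant, run_demo, the agent and task identifiers, the approver address) is hypothetical and constructed for the example.

```python
"""Minimal just-in-time (JIT) access broker for AI agents.

Hypothetical example code: it illustrates short-lived scoped grants,
environment segmentation, human approval for production, and audit logging
with anomaly alerts. Not Britive's product or any real vendor's API.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional

ENVIRONMENTS = {"dev", "staging", "prod"}


@dataclass(frozen=True)
class Grant:
    """A single task-scoped, time-boxed credential. There is no standing access."""
    agent: str
    task_id: str
    environment: str
    actions: FrozenSet[str]
    expires_at: float            # epoch seconds
    approved_by: Optional[str]   # human approver; mandatory for prod


@dataclass
class AccessBroker:
    max_ttl_seconds: int = 900                 # policy cap on grant lifetime
    anomaly_threshold: int = 3                 # denials per agent before an alert fires
    clock: Callable[[], float] = time.time     # injectable for deterministic tests
    audit_log: List[dict] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)
    denials: Dict[str, int] = field(default_factory=dict)

    def request_grant(self, agent: str, task_id: str, environment: str,
                      actions: Iterable[str], ttl_seconds: int,
                      approved_by: Optional[str] = None) -> Grant:
        """Issue a short-lived grant; production requires a named human approver."""
        if environment not in ENVIRONMENTS:
            raise ValueError(f"unknown environment {environment!r}")
        if not 0 < ttl_seconds <= self.max_ttl_seconds:
            self._deny(agent, task_id, environment, "grant", "ttl exceeds policy")
            raise PermissionError("ttl exceeds policy")
        if environment == "prod" and not approved_by:
            self._deny(agent, task_id, environment, "grant", "prod requires human approval")
            raise PermissionError("prod requires human approval")
        grant = Grant(agent, task_id, environment, frozenset(actions),
                      self.clock() + ttl_seconds, approved_by)
        self._record(agent, task_id, environment, "grant", "granted", None)
        return grant

    def authorize(self, grant: Grant, environment: str, action: str) -> bool:
        """Runtime check on every action: expiry, environment crossover, task scope."""
        if self.clock() >= grant.expires_at:
            reason = "grant expired"
        elif environment != grant.environment:
            reason = "environment crossover blocked"
        elif action not in grant.actions:
            reason = "action outside task scope"
        else:
            reason = None
        if reason:
            self._deny(grant.agent, grant.task_id, environment, action, reason)
            return False
        self._record(grant.agent, grant.task_id, environment, action, "allowed", None)
        return True

    def _deny(self, agent, task_id, environment, action, reason):
        self._record(agent, task_id, environment, action, "denied", reason)
        count = self.denials.get(agent, 0) + 1
        self.denials[agent] = count
        if count == self.anomaly_threshold:   # fire once, when the threshold is crossed
            self.alerts.append(f"anomaly: {agent} denied {count} times")

    def _record(self, agent, task_id, environment, action, decision, reason):
        self.audit_log.append({"ts": self.clock(), "agent": agent, "task": task_id,
                               "env": environment, "action": action,
                               "decision": decision, "reason": reason})


def run_demo(start: float = 1_700_000_000.0) -> dict:
    """Drive the broker with a fixed, advanceable clock and return its decisions."""
    now = [start]                                      # constructed clock, not wall time
    broker = AccessBroker(clock=lambda: now[0])
    grant = broker.request_grant("release-bot", "TASK-42", "staging",
                                 {"read", "deploy"}, ttl_seconds=300)
    results = {
        "staging_deploy": broker.authorize(grant, "staging", "deploy"),
        "prod_crossover": broker.authorize(grant, "prod", "deploy"),
        "out_of_scope": broker.authorize(grant, "staging", "delete"),
    }
    now[0] += 301                                      # let the grant expire
    results["after_expiry"] = broker.authorize(grant, "staging", "read")
    try:
        broker.request_grant("release-bot", "TASK-43", "prod", {"deploy"}, 300)
        results["prod_without_approval"] = True
    except PermissionError:
        results["prod_without_approval"] = False
    prod = broker.request_grant("release-bot", "TASK-43", "prod", {"deploy"}, 300,
                                approved_by="oncall-human@example.com")
    results["prod_with_approval"] = broker.authorize(prod, "prod", "deploy")
    results["alerts"] = len(broker.alerts)
    results["audit_entries"] = len(broker.audit_log)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of injecting the clock is that expiry, the property that turns a standing credential into a just-in-time one, can be exercised deterministically; the audit log records grants and denials alike, so a reviewer can reconstruct what an agent asked for, not only what it was allowed to do.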
Today, most organizations grant AI agents standing, always-on permissions to keep workflows moving. As they do, they create a massive, highly privileged attack surface that grows with every new deployment.

Thousands of model context protocol (MCP) servers are now publicly available, some of which contain credential-stealing malware. And employees are spinning up agents without IT approval. This creates one of the biggest shadow IT risks since BYOD.

The fundamental issue here: access models built for humans don't map neatly to AI agents. Traditional approaches to zero standing privilege (ZSP) – the principle that no user has “always on” privileged access – assume humans are in the driver's seat and making deliberate decisions. But agents are not like humans. They don't act predictably, which can expose security gaps in the environment or lead to actions with unexpected consequences.

This has prompted the industry to rethink identity and access. For example, Aragon Research introduced the concept of agentic identity and security platforms (AISP). An AISP consists of a set of capabilities that ensures AI agents are held to the same ZSP standard as humans and traditional non-human identities (NHIs).

What zero-trust looks like for AI agents

Agentic AI has delivered on automation. But without runtime identity enforcement and the ability to achieve ZSP, all the efficiency gains of agentic AI are offset by a largely invisible attack surface. Businesses must begin treating human, AI, and machine identities with equal rigor, leaving nothing to exploit.

This requires teams to take four steps:

- Enforce least privilege and just-in-time access: Under no circumstances should a company give an agent broad, persistent permissions across cloud or on-premises systems. Teams need to make access short-lived, tightly scoped, and granted only for a specific task.
- Segment environments automatically: Never give agents a path into the production environment. Instead, isolate development, staging, and production environments, with no crossover permitted unless explicitly approved by a human.
- Sandbox and test behavior before deployment: Commands like "code freeze" work with humans because we recognize the term as a binding rule. Don’t assume AI agents will interpret it the same way, or you will pay the consequences later. Put in place an enforced environment where teams can test constraints before any access to live data is granted.
- Embed identity governance into AI workflows: Businesses maintain governance practices for human employees, including privacy policies, least privilege access, and audit trails. Now apply these to AI agents. That means monitoring and logging all actions and setting up automated alerts when anomalies occur.

The broader lesson

PwC's AI Agent Survey found that 88% of 300 senior executives say their team or business function plans to increase AI-related budgets in the next 12 months because of agentic AI. And there’s little chance of this slowing down any time soon. In fact, Microsoft's Copilot Tasks will likely be one of the factors accelerating adoption further, putting agentic AI in the hands of mainstream enterprise users at scale.

The Replit and Kiro incidents show us that identity is no longer about humans alone: it includes machines, APIs, and AI agents, which cannot be contained by rules designed for people. The organizations that recognize this now and build their governance frameworks accordingly will capture the productivity gains without paying the security price.

The agents are already here. The guardrails need to catch up.

Art Poghosyan, co-founder and CEO, Britive




