Shadow AI agents are already here

·4 min read

You'd never give a new hire direct database access on their first day. You'd make them go through onboarding, prove they understand the system, get approval from three people. Maybe give them read-only access first.

But you'll wire an AI agent to production without a second thought.

We keep talking about the coming AI agent security crisis like it's a future problem. Multi-agent coordination risks, swarm attacks, cascading failures across autonomous systems. The coordination risk is real but the bigger issue is what happens before the swarm. Individual agents are already pulling skills from strangers, installing them without review, and running code they don't understand.

We don't need agent-to-agent coordination to have a security disaster. We're already there.

The friction is gone. It takes two minutes to spin up an agent, give it credentials, and point it at whatever system you want it to touch. No approval process. No access request form. No conversation with IT about whether this is a good idea. Just you, a credit card, and a problem you want solved.

I see this constantly. Someone in finance builds an agent that queries the production database for weekly metrics. Works great. Saves them twenty minutes every Monday. They don't think of it as giving unrestricted access to an autonomous system. They think of it as automation.

Three weeks later, they realize the agent has been exfiltrating data to a third-party analytics service. Or making decisions based on incomplete context. Or quietly failing in ways that nobody noticed because there were no alerts configured.

We give agents more permission than humans specifically because the deployment is frictionless. If it required a meeting, a risk assessment, and sign-off from security, we'd think harder about whether this is a good idea.

Instead, it's just another tool.

At the enterprise level, companies build governance frameworks for their official AI deployments. They audit prompts, sandbox environments, control API access. All the right moves. Then someone in operations wires an unmanaged agent to production because it saves them time. No central oversight. No audit logs.

Security is focused on the official deployments. Meanwhile someone just gave an agent direct access to customer data because it makes their job easier.

Shadow IT was annoying. Shadow AI is dangerous.

Agents don't map to our existing mental models for access control. When you give someone database credentials, you know what that means. They can read data, modify data, might make mistakes but they'll probably notice if something goes catastrophically wrong. An agent doesn't have that context. It does exactly what it's told, even if what it's told is subtly wrong. It doesn't get tired. It doesn't second-guess instructions. It doesn't realize that the query it's running every five minutes is hammering the database.

You wouldn't let an intern run unsupervised queries on production. But the agent is faster to set up than filing the paperwork for an intern.

So it gets access the intern never would.

We treat deployment friction as pure overhead. Something to minimize. But friction is where the thinking happens. The conversation about whether someone should have access. The risk assessment. The question of what could go wrong. When deploying something takes three approvals and two weeks, you think about whether it's worth it. When it takes three minutes, you just do it.

The result is an explosion of autonomous systems that nobody's tracking. No central inventory. No visibility into what's accessing what. Most organizations have no idea how many agents are running, what they're connected to, or what permissions they have.

Banning agents is pointless. That ship sailed.

But if your security model assumes agents only exist where IT approved them, you're missing the entire problem. You need visibility. What's running, where it's connected, what it's accessing. Treat agent deployments like device management. Someone spins up an agent, it registers. It touches production data, you get an alert.

Not because agents are inherently untrustworthy. Because anything with that much access deserves that much scrutiny.

The barrier to deploying an autonomous system dropped from needing a team of engineers to needing a credit card and ten minutes. Most breaches don't start with sophisticated attacks. They start with someone taking a shortcut that seemed harmless at the time.

Right now, in every mid-sized company, someone is giving an agent more access than they'd give a new employee, with less oversight than they'd give an intern.

We're trusting systems more because we're thinking about them less.

That's not a future risk. That's this week's incident report waiting to happen.