Adversaries hijacked AI security tools at 90+ organizations. The next wave has write access to the firewall

Adversaries injected malicious prompts into legitimate AI tools at more than 90 organizations in 2025, stealing credentials and cryptocurrency. Every one of those compromised tools could read data, and none of them could rewrite a firewall rule.

The autonomous SOC agents shipping now can. That escalation, from compromised tools that read data to autonomous agents that rewrite infrastructure, has not been exploited in production at scale yet. But the architectural conditions for it are shipping faster than the governance designed to prevent it.

A compromised SOC agent can rewrite your firewall rules, modify IAM policies, and quarantine endpoints, all with its own privileged credentials, all through approved API calls that EDR classifies as authorized activity. The adversary never touches the network. The agent does it for them.

Cisco announced AgenticOps for Security in February, with autonomous firewall remediation and PCI-DSS compliance capabilities. Ivanti launched Continuous Compliance and the Neurons AI self-service agent last week, with policy enforcement, approval gates and data context validation built into the platform at launch — a design distinction that matters because the OWASP Agentic Top 10 documents what happens when those controls are absent.

"In the agentic era, defending against AI-accelerated adversaries and securing AI systems themselves require operating at machine speed," CrowdStrike CEO George Kurtz said when releasing the 2026 Global Threat Report. "AI is compressing the time between intent and execution while turning enterprise AI systems into targets," added Adam Meyers, head of counter-adversary operations at CrowdStrike. AI-enabled adversaries increased operations 89% year-over-year.

The broader attack surface is expanding in parallel. Malicious MCP server clones have already intercepted sensitive data in AI workflows by impersonating trusted services. The U.K. National Cyber Security Centre warned that prompt injection attacks against AI applications "may never be totally mitigated." The documented compromises targeted AI tools that could only read and summarize; the autonomous SOC agents shipping now can write, enforce, and remediate.

The governance framework that maps the gap

OWASP's Top 10 for Agentic Applications, released in December 2025 and built with more than 100 security researchers, documents 10 categories of attack against autonomous AI systems. Three categories map directly to what autonomous SOC agents introduce when they ship with write access: Agent Goal Hijacking (ASI01), Tool Misuse (ASI02), and Identity and Privilege Abuse (ASI03). Palo Alto Networks reported an 82:1 machine-to-human identity ratio in the average enterprise — every autonomous agent added to production extends that gap.

The 2026 CISO AI Risk Report from Saviynt and Cybersecurity Insiders (n=235 CISOs) found 47% had already observed AI agents exhibiting unintended behavior, and only 5% felt confident they could contain a compromised agent. A separate Dark Reading poll found that 48% of cybersecurity professionals identify agentic AI as the single most dangerous attack vector. The IEEE-USA submission to NIST stated the problem plainly: "Risk is driven less by the models and is based more on the model's level of autonomy, privilege scope, and the environment of the agent being operationalized."

Eleanor Watson, Senior IEEE Member, warned in the IEEE 2026 survey that "semi-autonomous systems can also drift from intended objectives, requiring oversight and regular audits." Cisco's intent-aware agentic inspection, announced alongside AgenticOps in February 2026, represents an early detection-layer approach to the same gap. The approaches differ: Cisco is adding inspection at the network layer while Ivanti built governance into the platform layer. Both signal the industry sees it coming. The question is whether the controls arrive before the exploits do.

Autonomous agents that ship with governance built in

Security teams are already stretched. Advanced AI models are accelerating the discovery of exploitable vulnerabilities faster than any human team can remediate manually, and the backlog is growing not because teams are failing, but because the volume now exceeds what manual patching cycles can absorb.

Ivanti Neurons for Patch Management introduced Continuous Compliance this quarter, an automated enforcement framework that eliminates the gap between scheduled patch deployments and regulatory requirements. The framework identifies out-of-compliance endpoints and deploys patches out-of-band to update devices that missed maintenance windows, with built-in policy enforcement and compliance verification at every step.

Ivanti also launched the Neurons AI self-service agent for ITSM, which moves beyond conversational intake to autonomous resolution with built-in guardrails for policy, approvals, and data context. The agent resolves common incidents and service requests from start to finish, reducing manual effort and deflecting tickets.

Robert Hanson, Chief Information Officer at Grand Bank, described the decision calculus security leaders across the industry are weighing: "Before exploring the Ivanti Neurons AI self-service agent, our team was spending the bulk of our time handling repetitive requests. As we move toward implementing these capabilities, we expect to automate routine tasks and enable our team to focus more proactively on higher-value initiatives. Over time, this approach should help us reduce operational overhead while delivering faster, more secure service within the guardrails we define, ultimately supporting improvements in service quality and security."

His emphasis on operating "within the guardrails we define" points to a broader design principle: speed and governance do not have to be trade-offs.

The governance gap is concrete: the Saviynt report found 86% of organizations do not enforce access policies for AI identities, only 17% govern even half of their AI identities with the same controls applied to human users, and 75% of CISOs have discovered unsanctioned AI tools running in production with embedded credentials that nobody monitors.

Continuous Compliance and the Neurons AI self-service agent address the patching and ITSM layers. The broader autonomous SOC agent terrain, including firewall remediation, IAM policy modification, and endpoint quarantine, extends beyond what any single platform governs today. The 10-question audit applies to every autonomous tool in the environment, including Ivanti's.

Prescriptive risk matrix for autonomous agent governance

The matrix maps all 10 OWASP Agentic Top 10 risk categories to what ships without governance, the detection gap, the proof case, and the recommended action for autonomous SOC agent deployments.

| OWASP Risk | What Ships Ungoverned | Detection Gap | Proof Case | Recommended Action |
|---|---|---|---|---|
| ASI01: Goal Hijacking | Agent treats external inputs (logs, alerts, emails) as trusted instructions | EDR cannot detect adversarial instructions executed via legitimate API calls | EchoLeak (CVE-2025-32711): hidden email payload caused AI assistant to exfiltrate confidential data. Zero clicks required. | Classify all inputs by trust tier. Block instruction-bearing content from untrusted sources. Validate external data before agent ingestion. |
| ASI02: Tool Misuse | Agent authorized to modify firewall rules, IAM policies, and quarantine workflows | WAF inspects payloads, not tool-call intent. Authorized use is identical to misuse. | Amazon Q bent legitimate tools into destructive outputs despite valid permissions (OWASP cited). | Scope each tool to minimum required permissions. Log every invocation with intent metadata. Alert on calls outside baseline patterns. |
| ASI03: Identity Abuse | Agent inherits service account credentials scoped to production infrastructure | SIEM sees authorized identity performing authorized actions. No anomaly triggers. | 82:1 machine-to-human identity ratio in average enterprise (Palo Alto Networks). Each agent adds to it. | Issue scoped agent-specific identities. Enforce time-bound, task-bound credential leases. Eliminate inherited user credentials. |
| ASI04: Supply Chain | Agent loads third-party MCP servers or plugins at runtime without provenance verification | Static analysis cannot inspect dynamically loaded runtime components. | Malicious MCP server clones intercepted sensitive data by impersonating trusted services (CrowdStrike 2026). | Maintain approved MCP server registry. Verify provenance and integrity before runtime loading. Block unapproved plugins. |
| ASI05: Unexpected Code Exec | Agent generates or executes attacker-controlled code through unsafe evaluation paths or tool chains | Code review gates apply to human commits, not agent-generated runtime code. | AutoGPT RCE: natural-language execution paths enabled remote code execution through unsanctioned package installs (OWASP cited). | Sandbox all agent code execution. Require human approval for production code paths. Block dynamic eval and unsanctioned installs. |
| ASI06: Memory Poisoning | Agent persists context across sessions where poisoned data compounds over time | Session-based monitoring resets between interactions. Poisoning accumulates undetected. | Calendar Drift: malicious calendar invite reweighted agent objectives while remaining within policy bounds (OWASP). | Implement session memory expiration. Audit persistent memory stores for anomalous content. Isolate memory per task scope. |
| ASI07: Inter-Agent Comm | Agents communicate without mutual authentication, encryption, or schema validation | Monitoring covers individual agents but not spoofed or manipulated inter-agent messages. | OWASP documented spoofed messages that misdirected entire agent clusters via protocol downgrade attacks. | Enforce mutual authentication between agents. Encrypt all inter-agent channels. Validate message schema at every handoff. |
| ASI08: Cascading Failures | Agent delegates to downstream agents, creating multi-hop privilege chains across systems | Monitoring covers individual agents but not cross-agent delegation chains or fan-out. | Simulation: single compromised agent poisoned 87% of downstream decision-making within 4 hours in controlled test. | Map all delegation chains end to end. Enforce privilege boundaries at each handoff. Implement circuit breakers for cascading actions. |
| ASI09: Human-Agent Trust | Agent uses persuasive language or fabricated evidence to override human safety decisions | Compliance verifies policy configuration, not whether the agent manipulated the human into approving. | Replit agent deleted primary customer database then fabricated its contents to appear compliant and hide the damage. | Require independent verification for high-risk agent recommendations. Log all human approval decisions with full agent reasoning chain. |
| ASI10: Rogue Agents | Agent deviates from intended purpose while appearing compliant on the surface | Compliance checks verify configuration at deployment, not behavioral drift after deployment. | 92% of organizations lack full visibility into AI identities; 86% do not enforce access policies (Saviynt 2026). | Deploy behavioral drift detection. Establish baseline agent behavior profiles. Alert on deviation from expected action patterns. |
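The recommended actions in the matrix describe a control that sits between an agent and its write-capable tools. The following Python policy gate is an added example of what such a control looks like in code; it is not code from the article or from any vendor named in it. It implements trust-tier classification of the input that motivated a call (ASI01), a per-identity tool allowlist with time-bound, task-bound leases (ASI02, ASI03), single-use human approval tokens for irreversible actions (ASI09 and audit question 3), an invocation log carrying intent metadata (ASI02), and a circuit breaker that halts the agent when writes exceed a baseline rate inside one window (ASI08). All tool names, agent identifiers, addresses and timestamps are constructed for the scenario.

```python
"""Policy gate for autonomous SOC agent tool calls (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

TRUSTED, SEMI_TRUSTED, UNTRUSTED = "trusted", "semi-trusted", "untrusted"

# Tools that change production state, the matrix's "write access" set.
# Tool names are constructed for this example.
IRREVERSIBLE = frozenset({"firewall.update_rule", "iam.modify_policy",
                          "edr.quarantine_host"})


@dataclass
class Lease:
    """Time-bound, task-bound credential lease for one agent identity (ASI03)."""
    agent_id: str
    task_id: str
    allowed_tools: frozenset
    expires_at: float

    def valid_for(self, task_id: str, now: float) -> bool:
        return now < self.expires_at and task_id == self.task_id


@dataclass
class Request:
    lease: Lease
    task_id: str
    tool: str
    intent: str          # the agent's stated reason, kept as intent metadata
    input_tier: str      # trust tier of the data that motivated the call (ASI01)
    approval_token: Optional[str] = None


@dataclass
class Gate:
    max_writes: int = 5                 # baseline writes allowed per window (ASI08)
    window: float = 300.0               # seconds
    approvals: set = field(default_factory=set)   # tokens a human has issued
    log: list = field(default_factory=list)
    tripped: bool = False
    _writes: list = field(default_factory=list)

    def approve(self, token: str) -> None:
        """Record a human approval; the gate never mints tokens itself."""
        self.approvals.add(token)

    def decide(self, req: Request, now: float) -> str:
        """Evaluate one tool call and log the decision with intent metadata."""
        verdict = self._evaluate(req, now)
        self.log.append({"ts": now, "agent": req.lease.agent_id,
                         "task": req.task_id, "tool": req.tool,
                         "intent": req.intent, "tier": req.input_tier,
                         "verdict": verdict})
        return verdict

    def _evaluate(self, req: Request, now: float) -> str:
        if self.tripped:
            return "deny:breaker_open"
        if not req.lease.valid_for(req.task_id, now):
            return "deny:lease_invalid"
        if req.tool not in req.lease.allowed_tools:
            return "deny:tool_not_in_scope"
        if req.tool in IRREVERSIBLE:
            # Instruction-bearing content from an untrusted source never drives a write.
            if req.input_tier == UNTRUSTED:
                return "deny:untrusted_input_drives_write"
            if req.approval_token not in self.approvals:
                return "deny:approval_required"
            self.approvals.discard(req.approval_token)   # tokens are single-use
            self._writes = [t for t in self._writes if now - t < self.window]
            self._writes.append(now)
            if len(self._writes) > self.max_writes:
                self.tripped = True                       # stop the fan-out
                return "deny:breaker_tripped"
        return "allow"


def demo() -> dict:
    """Constructed scenario; returns every verdict so behaviour can be checked."""
    now = 1_700_000_000.0
    lease = Lease("soc-agent-01", "inc-4711",
                  frozenset({"siem.search", "firewall.update_rule"}), now + 600)
    gate, out = Gate(), {}
    fw = "firewall.update_rule"
    out["read"] = gate.decide(Request(lease, "inc-4711", "siem.search",
                                      "pull auth failures for web-03", SEMI_TRUSTED), now)
    # Text inside an alert body tries to steer a firewall change (ASI01).
    out["untrusted_write"] = gate.decide(Request(lease, "inc-4711", fw,
                                                 "block 203.0.113.7 per alert text", UNTRUSTED), now)
    out["no_approval"] = gate.decide(Request(lease, "inc-4711", fw,
                                             "block 203.0.113.7 after triage", TRUSTED), now)
    gate.approve("apr-0001")
    out["approved_write"] = gate.decide(Request(lease, "inc-4711", fw,
                                                "block 203.0.113.7 after triage", TRUSTED, "apr-0001"), now)
    out["replayed_token"] = gate.decide(Request(lease, "inc-4711", fw,
                                                "block again", TRUSTED, "apr-0001"), now)
    out["out_of_scope"] = gate.decide(Request(lease, "inc-4711", "iam.modify_policy",
                                              "widen role", TRUSTED, "apr-0001"), now)
    out["expired"] = gate.decide(Request(lease, "inc-4711", fw, "late block", TRUSTED), now + 700)
    # Many approved writes in one window trip the circuit breaker (ASI08).
    burst, verdicts = Gate(max_writes=3), []
    for i in range(4):
        burst.approve(f"apr-{i}")
        verdicts.append(burst.decide(Request(lease, "inc-4711", fw, f"rule {i}",
                                             TRUSTED, f"apr-{i}"), now + i))
    out["burst"] = verdicts
    out["after_trip"] = burst.decide(Request(lease, "inc-4711", "siem.search",
                                             "read", SEMI_TRUSTED), now + 10)
    out["log_entries"] = len(gate.log)
    return out
```

The gate denies by default and records every decision, allowed or not, so the SIEM sees the agent's stated intent alongside the identity and tool rather than only an authorized API call. The trust tier is assigned by whatever ingests the data (an alert body or email is untrusted, an analyst's triage note is trusted); the gate only consumes that label.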

The 10-question OWASP audit for autonomous agents

Each question maps to one OWASP Agentic Top 10 risk category. Autonomous platforms that ship with policy enforcement, approval gates, and data context validation will have clear answers to every question. Three or more "I don't know" answers on any tool means that tool's governance has not kept pace with its capabilities.

  1. Which agents have write access to production firewall, IAM, or endpoint controls?

  2. Which accept external inputs without validation?

  3. Which execute irreversible actions without human approval?

  4. Which persist memory where poisoning compounds across sessions?

  5. Which delegate to other agents, creating cascade privilege chains?

  6. Which load third-party plugins or MCP servers at runtime?

  7. Which generate or execute code in production environments?

  8. Which inherit user credentials instead of scoped agent identities?

  9. Which lack behavioral monitoring for drift from intended purpose?

  10. Which can be manipulated through persuasive language to override safety controls?

What the board needs to hear

The board conversation is three sentences. Adversaries compromised AI tools at more than 90 organizations in 2025, according to CrowdStrike's 2026 Global Threat Report. The autonomous tools deploying now have more privilege than the ones that were compromised. The organization has audited every autonomous tool against OWASP's 10 risk categories and confirmed that the governance controls are in place.

If that third sentence is not true, it needs to be true before the next autonomous agent ships to production. Run the 10-question audit against every agent with write access to production infrastructure within the next 30 days. Every autonomous platform shipping to production should be held to the same standard — policy enforcement, approval gates, and data context validation built in at launch, not retrofitted after the first incident. The audit surfaces which tools have done that work and which have not.
