Security teams unprepared for agentic AI in production

Agentic AI runs in production at many organizations with limited security involvement, leaving teams unable to assess agent access, permissions and attack surfaces.

Agentic systems appear in three main forms inside companies. General-purpose coding and productivity assistants such as GitHub Copilot and Claude Code are embedded in developer workflows. Vendor-built agents connect to external services through integration layers such as the Model Context Protocol and can read calendars, email and ticketing systems. Custom agents are built by nonprogrammers and can be granted direct access to internal systems without any formal review.

Ahmed Abugharbia, a SANS instructor, wrote that many security groups lack the architecture-level fluency required to assess how agents consume inputs, chain tools and obtain privileges. Security practitioners report that when teams cannot explain how an agent operates from an access-control standpoint, they cannot control its permissions or predict likely misuse.

Practitioners have identified concrete attack paths in current deployments. An agent that manages calendars or tickets treats event descriptions and ticket text as input, so instructions embedded in that text by an outside party (indirect prompt injection) can be interpreted and acted on. Agents that hold broad permissions across email, file stores, code repositories and internal APIs create a large blast radius: text injected through one channel can trigger an action in another. An agent with both terminal access and messaging access can be turned into a foothold for lateral movement inside the environment.

Practitioners also describe a supply-chain style problem: the barrier to building functional agents has fallen. Where custom tooling once required programming skills, marketing, finance and operations staff can now assemble agents that automate workflows and act on internal systems. Many such agents reach production without formal security review.

Experts recommend two layers of competency for security teams. The first is practical knowledge of AI application architecture: the components of an AI application, how sessions are established, and how tool chaining and external integrations function. The second is keeping current with vendor controls, open-source frameworks and published threat taxonomies so teams can evaluate new tooling and vendor claims.

Configuration choices can reduce exposure. Limiting an agent's tool set to the functions its task requires, pairing an assistant with a single trusted account rather than a public channel, and withholding write access to code repositories and terminal execution wherever the task does not need them are cited as effective controls. Because the model itself will follow whatever instructions reach it, these limits have to be enforced at the point where tool calls are executed, not in the prompt. Security involvement early in design and deployment is reported as necessary to set those boundaries before broad permissions are granted.

Ahmed Abugharbia will teach SEC545: GenAI and LLM Application Security at SANSFIRE 2026 in July. The course description lists hands-on exercises on how agentic systems operate, the attack surfaces to prioritize and techniques such as model scanning to detect compromised models before production use.

Some organizations have started hands-on training and technical reviews for agentic systems, while others continue to deploy agents without security review. Security practitioners warn that differences in organizational readiness affect how agents are configured and the range of permissions granted before controls are applied.
