Autonomous and credentialed: AI agents are the next cloud risk

In April, Anthropic’s CISO made an eye-opening prediction: within the next year, AI-powered virtual employees with corporate credentials will begin operating across the enterprise. These agents won’t just support workflows — they’ll become part of the workforce.

The business case is obvious: AI agents promise scalable automation, reduced overhead, and tireless productivity. Salesforce is already making this a reality, recently introducing AI “digital teammates.” AI agent deployments are expected to grow 327% during the next two years, but from the vantage point of cybersecurity, this evolution introduces a volatile mix of innovation and risk. We’re not just giving software system access — we’re giving identity, autonomy, and decision-making capabilities. That changes how organizations approach security entirely.

Autonomous, credentialed, and vulnerable

Let’s be clear: These AI agents are not tools in the traditional sense. Unlike conventional automation or service accounts, these agents act as authenticated users operating under corporate credentials, making decisions, interacting with systems and data, and in some cases, executing sensitive tasks. That means they will have the same access and arguably pose the same risks as a human employee.

But unlike humans, AI agents don’t understand context, intent, or consequences the way we do. They can be tricked, manipulated, or coerced through techniques like prompt injection or adversarial inputs. We’ve long accepted that humans are the weakest link in security—phishing and social-engineering schemes prey on our psychology—but AI agents introduce an even softer target: They take things at face value, don’t call the help desk, and operate at machine speed. Once compromised, they could serve as a persistent, high-bandwidth attack surface buried deep inside an organization’s environment.

Rethinking security in the AI age

Traditional security tools have been designed around human behavior: logins, passwords, and access/privilege levels. AI employees break these assumptions. Non-human identities, which already far outnumber human users, are becoming the dominant force in cloud environments.

As cloud investments continue to skyrocket, citing AI as the top driver, and more AI agents are deployed in the cloud, organizations must turn towards a new age of AI security tools that can properly secure all that AI has to offer, specifically questions around:

• What level of autonomy and authority will AI agents have inside the enterprise?
• How do you monitor privilege activity and detect deviations?
• Can these agents be exploited or jailbroken via prompt injection or adversarial inputs?
• What data are these agents being trained on?

The next insider threat

AI introduces new, unproven components to your application stack – infrastructure, models, datasets, tools and plugins. And now, AI innovation is accelerating even faster with the introduction of agents. Unlike LLMs, agents reason, act autonomously, and coordinate with other agents. AI agents will have continuous access, won’t sleep or take vacations, and can be deployed at scale across multiple departments. This is bringing new complexity to organizations’ environments and introduces new security risks. One compromised agent could potentially do more damage in minutes than a malicious insider might accomplish in months.

AI employees may soon rival, or exceed, insiders as the most dangerous threat vector. OWASP recently published its Agentic AI Threats and Mitigation highlighting emerging threats such as prompt injection, tool misuse, identity spoofing and more. Even more so, recent research from Unit 42 found prompt injection remains one of the most potent and versatile attack vectors, capable of leaking data, misusing tools, or subverting agent behavior.

We’ve spent years building defenses around the human element. Now we must turn that same, or even fiercer, rigor toward the machines acting in our name.

Taking action

Palo Alto Networks recently introduced Prisma AI Runtime Security (AIRS) designed to help organizations discover, assess, and protect every AI app, model, dataset, and agent in their environment. With Prisma AIRS, organizations receive a comprehensive platform that provides:

• AI Model Scanning – Safely adopt AI models by scanning them for vulnerabilities. Secure your AI ecosystem against risks, such as model tampering, malicious scripts, and deserialization attacks.
• AI-Security Posture Management – Gain insight into security posture risks associated with your AI ecosystem, such as excessive permissions, sensitive data exposure, platform misconfigurations, access misconfigurations, and more.
• AI Red Teaming – Uncover potential exposure and lurking risks before bad actors do. Perform automated penetration tests on your AI apps and models using our Red Teaming agent that stress tests your AI deployments, learning and adapting like a real attacker.
• Runtime Security – Protect LLM-powered AI apps, models, and data against runtime threats, such as prompt injection, malicious code, toxic content, sensitive data leak, resource overload, hallucination, and more.
• AI Agent Security – Secure agents (including those built on no-code/low-code platforms) against new agentic threats, such as identity impersonation, memory manipulation, and tool misuse.

As AI reshapes how enterprises operate and how attacks unfold, Prisma AIRS moves just as fast. Enterprises can confidently embrace the future of AI with Prisma AIRS.

Read here how Palo Alto Networks Prisma AIRS, the world’s most comprehensive AI security platform is helping organizations secure all AI apps, agents, models and data.