TL;DR: AI agents are the new insider threat: trusted, credentialed workers operating inside the enterprise at machine speed. The four assumptions that made human insider risk manageable (one identity per person, human working speed, personal consequences, and predictable behavior) do not hold for agents. The defense that works is the one that worked for people, rebuilt for a nonhuman workforce: a complete roster of who is inside, a behavioral baseline of what normal looks like, and enforcement that stops a harmful action before it executes.
Companies have always feared the stranger at the gate, but the worst damage has usually come from somewhere else: the person already inside, with a badge, keys, and everyone's trust. Security spent thirty years learning to manage that person. We named the problem, built a discipline around it, and got reasonably good at it. Then enterprises began hiring a new kind of insider that the discipline never anticipated.
None of the old management worked by removing trust, because you cannot run a company without trust. It worked because we understood people. That understanding no longer describes the workforce doing the work.
The Four Assumptions That Made Insider Risk Manageable
An insider threat is an entity with legitimate access that uses this access, deliberately or negligently, in ways that damage the organization. The definition sounds simple. What made the risk manageable in practice were four assumptions so obvious that nobody bothered writing them down.
The first: one person means one identity, a body attached to a badge attached to an account. If something happened, you knew who did it.
The second is speed. People work eight hours a day and type at human pace, so damage took time, and time gave defenders a window to catch it in.
The third assumption did most of the quiet work. People have skin in the game, and careers, reputations, and the fear of getting fired shaped behavior long before any technical control logged a single event.
And the fourth: people behave in patterns, which is what made anomaly detection possible at all. You watched for the one who deviated.
Identity management, least privilege, background checks, and behavioral analytics all rest on those four premises.
A Workforce Nobody Interviewed
Over the past two years, enterprises hired thousands of new insiders without interviewing a single one of them. AI agents now read corporate email, source code, and customer records. They open pull requests, run commands, move files between systems. That was the point of bringing them in: they work like employees.
The numbers are head counts, current or imminent. EY alone runs more than 41,000 Copilot Studio agents today (Microsoft Agent 365 materials, June 2026), and George Kurtz, CrowdStrike's CEO, told this year's RSA keynote audience to expect 90 agents per employee by 2027. The agentic workforce is already on the payroll.
Every Assumption Broke
Identity
Agents routinely run on shared, over-privileged accounts. One of the strongest signals we find in enterprise environments is agents operating on personal accounts, which means the most privileged worker in the building signs in as nobody. Gartner projects that by 2030, 60% of enterprises will assign unique identities to AI agents linked to human supervisors (Workspace Security Hype Cycle, 2026). Read the projection carefully, because it also tells you how far most organizations stand from that baseline today.
Speed
An agent does not work shifts. It works every hour of every day at machine speed, and a mistake that would have taken an employee a week to make now takes about a second. The detection window that human pace used to give defenders has closed.
Consequences
An insider hesitates before crossing a line, because a career and a reputation hang on it. An agent has neither, and no fear of being fired. When one apologizes for a destructive action, the apology is generated output with no remorse behind it.
Scale
One employee never became twenty employees overnight, but one employee now runs three, ten, sometimes twenty agents. In one enterprise we scanned, a single laptop produced thousands of security findings, and the wider environment held tens of thousands of local MCP servers. The workforce multiplied, and nobody signed the paperwork.
Can an AI Agent Be Recruited Like a Human Insider?
Yes, and at far lower cost. Recruiting a human insider takes months of cultivation and considerable risk. Recruiting an agent takes a paragraph of text sitting somewhere the agent will read it: a poisoned web page, a doctored README, a stray comment in an email thread. Indirect prompt injection is the mechanism by which instructions embedded in content an agent reads become actions the agent takes, and it means anyone who can get words in front of your agent can whisper instructions to it. Every attacker on the internet becomes a potential handler.
The agent, for its part, makes the perfect recruit: capable, tireless, holding real credentials, and inclined to believe what it reads.
The failure mode here is stranger than malice. A recruited agent is perfectly obedient, to whoever spoke last.
Human insiders never handed attackers anything like this surface. It is the one genuinely new element of the problem, and the reason controls designed to spot disgruntlement, collusion, or slow exfiltration in people transfer so poorly to agents.
A First-Principles Defense for the Agentic Workforce
You cannot fire an agent, scare it, or send it to training, so the useful question is what does transfer from three decades of human insider programs. The principles do, provided they move at machine speed. The SAIL 2.0 framework (Secure AI Lifecycle), which we developed with feedback from security leaders at JPMorgan Chase, Philip Morris International, Google, ServiceNow, and dozens of other organizations, maps those principles across the full agent lifecycle, from policy through decommissioning. Its structure mirrors the three controls that made human insider risk manageable, plus a fourth the human world taught us late.
Know who is inside
Every company keeps a roster of its people, and almost none keeps a roster of its agents. SAIL's Discovery phase is blunt about why the roster comes first: "you cannot secure what you cannot see, and the gap between known agents and actual agents is where risk concentrates." That inventory has to reach agents on laptops, in CI/CD pipelines, in code repositories, and embedded in SaaS platforms, including the ones business users spun up in no-code builders without ever involving security. Pillar's AI discovery and posture capabilities exist for exactly this gap, so that security can put a name and an owner on every agent in the environment.
Know what normal looks like
Guardrails are the employee handbook of the agent world: necessary, and circumventable. We have watched attackers talk well-instructed, well-guarded agents out of their rules within hours, and in our GuardFall research we defeated the built-in protections of 10 of the 11 coding agents we tested. So rules need something underneath them. Baseline what each agent normally reads and calls, then watch for the deviation: strange data, strange resources, strange hands on the keys. Behavioral analytics, rebuilt for a nonhuman workforce, is the one layer an attacker cannot talk their way past, and it is where Pillar puts much of its weight, with baselines built per agent and a flag raised the moment one drifts from its own history.
Act at the speed of the threat
Firing is not an option mid-incident, but stopping the hand mid-motion is. SAIL's Runtime Controls phase states the requirement plainly: "static allow/deny lists are a starting point, not the finish line," and controls must "validate every action against policy" with the ability to pause, redirect, or terminate an agent mid-execution. Blocking a dangerous action before it executes is a different engineering problem from reading about it in a log afterward, and Pillar built its runtime guardrails and pre-execution enforcement to solve exactly that problem.
Prove what breaks before someone else does
Enterprises ran phishing drills on employees for years without anyone finding it strange. The agentic equivalent is continuous adversarial testing: attack your own agents with goal hijacking and injection across their tool chains, then fix whatever falls over before an adversary finds it first. SAIL dedicates an entire phase to agentic red teaming, and Pillar's RedGraph runs that testing continuously against the agent attack surface.
What Enterprises Should Do Next
Adoption is ahead of control, and measurably so. Roughly half of employees use unsanctioned AI tools, while only 37% of organizations have policies to detect or manage them (OWASP State of Agentic AI Security & Governance v2, 2026). Closing the gap means running the insider playbook, in order, against a new population:
- Build the agent roster. Inventory every agent across endpoints, pipelines, repositories, SaaS platforms, and no-code builders. Shadow agents concentrate the risk.
- Assign identity and ownership. Give each agent a unique identity linked to a human supervisor, and retire the shared and personal accounts they run on today.
- Classify autonomy and access. Decide which agents may take which actions against which systems, and put action-level authorization in front of high-risk tools.
- Baseline behavior. Establish what normal looks like per agent, and alert on deviation rather than on rule violations alone.
- Red-team continuously. Test agents the way attackers will, through the content they read and the tools they hold as well as their front-door prompts.
The SAIL 2.0 framework maps this sequence across seven lifecycle phases and more than 90 named risks, from inadequate agentic policy to untracked decommissioning. It is free, and it ships with a skill that turns the framework into program assessments, vendor RFP questionnaires, and compliance checklists inside the tools your team already uses. Both are available at pillar.security/sail.
FAQs
Why are AI agents considered an insider threat?
An insider threat is an entity with legitimate access that causes harm through that access, deliberately or otherwise. AI agents qualify on every count: they hold real credentials, read sensitive systems, and act inside the trust boundary. What separates them from human insiders is that they often lack a stable identity, operate at machine speed, face no personal consequences, and follow instructions from whatever content they ingest. Controls built for human insiders assume a human; agents require controls built for these failure modes.
Why don't EDR and DLP tools catch malicious agent activity?
Endpoint and data-loss tools watch processes and files, and they assume a threat looks abnormal at the operating-system level. A compromised agent is a trusted process doing permitted things: reading files it may read, calling APIs it may call. The malicious part lives in the intent behind the sequence of actions, one layer above what EDR inspects. Catching it requires agent-level behavioral monitoring: a baseline of what each agent normally does, and detection at the moment it deviates.
Are guardrails and system prompts enough to secure AI agents?
No. Instructions lower risk; they do not bound it. In our GuardFall research, Pillar defeated the built-in protections of 10 of the 11 coding agents we tested. Guardrails function like an employee handbook: necessary for setting expectations, circumventable by a determined adversary. A layered defense adds behavioral baselines and pre-execution enforcement, the layers an attacker cannot talk their way past, because they evaluate what the agent does rather than what its instructions say.
Where should an enterprise start with securing AI agents?
Start with discovery. Every subsequent control, from identity to least privilege to enforcement, depends on a complete roster of agents across endpoints, pipelines, repositories, and SaaS platforms. From there, follow the lifecycle: assign identities and owners, classify autonomy levels, put action-level authorization in front of high-risk tools, and red-team continuously. The SAIL 2.0 framework maps this sequence across seven phases and 90+ named risks, and is freely available.
Trust, and Someone Verifying It
AI entered the enterprise as a workforce, and workforces run on two things: trust, and someone making certain the trust is deserved. For people, enterprises spent thirty years building that second half. For agents, most have not started, and the agents are not waiting. The new insider is already inside. Treat it accordingly.
Subscribe and get the latest security updates
Back to blog
.png)
.png)

%20(1).png)


.webp)
%20(1).png)
%20(1).webp)

