AI agents are all the rage – in fact, a recent study confirmed 96% of European businesses reported using or planning to use AI agents by 2026.
AI agents inherently need a whole host of permissions to be able to act on a user’s behalf; everything from your calendar to payment details, and even potentially sensitive company information.
That leaves the potential for that access to fall into the wrong hands, or even for an AI agent to ‘go rogue’ and carry out tasks you didn’t approve of. There’s a lot of pressure all round to adopt AI agents as companies across the globe bid to become more productive – but many are doing so before putting proper guard rails in place.
What are AI agents?
At the recent Oktane 2025 event, we heard all about the importance of securing AI – but what exactly does this mean, and how can you do it?
We spoke to Okta’s EMEA CISO Stephen McDermid and Auth0 President Shiv Ramji to find out just how important it is to secure these Non-Human Identities (NHIs).
Artificial intelligence agents are pretty self explanatory – they’re software systems which autonomously perform tasks on behalf of a user. They leverage generative AI models, and can simultaneously process information, whether it be voice, text, video, or code.
They’re a shiny new type of technology that a lot of people are using both in their personal and private lives. But, as with all technology, cybersecurity experts warn these agents need to be used with caution.
In order to carry out tasks on your behalf, the AI agent must have access to your systems, like your calendar, email, loyalty schemes, and even credit card information in many cases.
It’s inevitable that people will use the technology, but this needs to be done carefully, McDermid says.
“That’s why it’s so important because the reality is people will go and play with it,” he notes.
“They’ll go and try to be innovative, as you’ve heard, everybody’s under pressure to do more with less – AI is a very quick way of doing that, but it’s also a very quick way of opening up some risks, exposing data, exposing your users potentially as well. I think that’s why it is a growing concern.”
What are the risks?
This, of course, represents significant risks if the agent isn’t properly secured. AI is gullible, and it can easily be manipulated.
Whilst this is great when you want it to prioritize your work, it means cybercriminals are equally able to trick the models into working for them.
If your AI is compromised, that could leave you exposed on a number of levels.
“It’s sensitive data leakage, your private information is exposed and the risk is everything from legal to financial, to even running afoul of regulations in different countries,” Ramji warns.
It’s not just theoretical, either. The risks are well illustrated by the recent issues with the McDonald’s AI recruiting platform that was tasked with recruitment – although the weak link in this case was an incredibly basic password (123456), the AI agent had access to all the data it had harvested, including personal information – and in total, 64 million records were exposed, highlighting the dangers of asking an AI agent to handle information.
How can you secure them?
Unfortunately, securing these NHIs isn’t a simple task; “With AI, there’s a bigger pressure to implement that change. I think it’s probably harder because AI is moving so fast that it doesn’t have the [same level of] governance,” McDermid says.
Okta is on a mission to secure AI by bringing agents into your identity security fabric. Their platform helps identify risky configurations and manage agent permissions to ensure your agent only has access to what’s necessary – not for any longer than it needs.
“Everybody has to start putting the security in place before they start playing with AI because unfortunately, you’ve seen the headlines, there’s already been some examples of [breaches] going on,” McDermid points out.
Okta also helps maintain continuous security for active agents by detecting and responding to anomalous or high-risk behaviour – meaning you’ll be alerted if your agent looks like it might be going rogue.
Least-privilege access is standardized to secure the authentication process for agents, and a clear audit trail helps keep track of each agent to ensure you stay compliant and on top of each agent acting on your behalf.
A gap in the regulations?
Okta has also introduced a new set of standards, Cross App Access (XAA). These look to help the whole industry protect itself, establishing protocols to help security teams stay one step ahead of threat actors.
“It’s not going to be the silver bullet,” McDermid warns. “It’s not going to stop all of these attacks in future, but certainly it gives us the best opportunity to make sure we get technical capabilities there and within the products and within the services we’re offering.”
These standards being adopted across the board are part of a wider effort for security teams to work together to protect themself and their colleagues. As McDermid points out, threat actors are already collaborating, which gives them an upper hand with new practices and attacks;
“Threat actors are actually sharing techniques, they’re sharing platforms. They’re working together as a cohort and customers and organizations don’t. I think that’s where we need to improve.”
Learning from one another is a crucial part of protecting the industry, McDermid argues. It’s easy to get intimidated or overwhelmed by the seemingly constant string of attacks we see in the headlines, but to really address the risks, teams need to learn from these incidents and measure up their own security tools against these attacks.
“You have to keep trying and keeping governance over these controls and maintaining that cyber hygiene because I think if you’re not aware of what the attacks look like then you’re not assessing your own exposure against them.”
He doesn’t warn people away from using the technology – quite the opposite. AI agents will be used whether companies approve or not, so it’s important to put policies in place to ensure that use is safe – sooner, rather than later.
You might also like
The post “Everybody’s under pressure to do more with less” – Why Okta says you need an AI agent governance strategy, and sooner rather than later first appeared on TechToday.
This post originally appeared on TechToday.