
Agentic AI Is Expanding Your Enterprise Attack Surface — And Many Security Teams Can't See It

6 min read · Emerging Tech Nation

AI agents are increasingly being deployed across enterprise workflows, potentially creating a vast and largely invisible attack surface that traditional security frameworks may not be equipped to handle. CISOs and enterprise architects should consider adopting Zero Trust-aligned governance models before autonomous agents become a significant blind spot.

The enterprise AI story has changed rapidly. The chatbot era, where a model sat behind an interface waiting to answer questions, is giving way to a new generation of AI agents that plan, decide, act, and remember, autonomously invoking tools, writing to systems, and calling APIs without waiting for a human to approve each step. That capability is enormously powerful. It is also, according to a growing number of security researchers and CISOs, one of the most under-governed risks in enterprise technology today.

[Image: zero trust network security]
Caption: Zero Trust architecture is increasingly cited as critical as autonomous AI agents multiply across enterprise environments.

The Attack Surface You Didn't Know You Were Building

A core concern raised by security practitioners is this: the attack surface of an AI agent may encompass everything it can touch. Every API endpoint it can call, every database it can query, every downstream system it can write to — all of that could be accessible to adversaries who compromise or manipulate the agent. And unlike a human employee or a static application, an agent can traverse that surface at machine speed, at any hour, with no natural pause for reflection.

Some industry observers, including analysts at firms such as Airia, have suggested that many enterprises struggle to enumerate the agents currently running across their environments. Shadow AI — agents spun up by individual teams or third-party integrations without central oversight — is reported to be compounding the problem. As a widely cited security principle holds: you can't protect what you can't see.

Industry analysts have offered projections that underscore the scale of deployment ahead. Deloitte has projected that roughly one-third of enterprise software applications could include agentic capabilities by 2028, while some market research firms have forecast the global agentic AI market may grow substantially through the early 2030s, though specific figures vary across sources and should be treated as indicative rather than definitive. Separately, Gartner has identified agentic AI as a top strategic technology trend for 2025, reflecting broad industry recognition of its rapid adoption.

The specific threat vectors being discussed by security researchers are not entirely theoretical. Prompt injection attacks, for example, can potentially hijack an agent's goal mid-task, redirecting it to exfiltrate data or escalate privileges. Because agents operate through natural language interfaces as much as through structured code, traditional defenses may prove insufficient — the attack surface is fluid and context-dependent. Lateral movement risks are also a concern: an agent with broad permissions could, if compromised, pivot across systems in ways that might be difficult to detect in time.

Why Traditional Security Frameworks May Be the Wrong Tool

Legacy security architectures were designed around a relatively stable cast of characters: human users, known applications, and defined network perimeters. Agentic AI challenges all three assumptions simultaneously. Agents are non-human identities (NHIs) that act like users, behave like applications, and operate across perimeters that no longer meaningfully exist in many enterprise environments.

Security analysts, including those at Zentera, have framed this as fundamentally an identity, access, and execution problem as much as a purely AI-specific one. Traditional identity governance tools were not designed to manage large numbers of ephemeral, task-specific agent identities, each potentially holding elevated permissions for the duration of a workflow. A key governance question — whether an agent's access is revoked when a task completes — is reportedly not consistently addressed in current enterprise practice.

Analysts at firms such as KuppingerCole have suggested that data access control is becoming a new security perimeter in agentic environments — a significant conceptual shift. The governance question is increasingly not just "who can get into the network?" but "what can each agent read, write, modify, or trigger, and under exactly what conditions?" That may demand a fundamentally different governance posture from most organisations.

Zero Trust as a Governance Foundation — With Extensions Required

A growing number of security leaders argue that Zero Trust principles should be extended explicitly to cover agentic AI, and that this extension may require new frameworks rather than simply retrofitting existing ones. The Cloud Security Alliance's Agentic Trust Framework, developed by CSA Zero Trust Working Group contributors, offers one practical starting point, built around four core requirements for deployed agents:

  • Least-privilege permissions — agents should hold only the access required for their current task, revoked upon completion where technically feasible.
  • Continuous auditability — every action an agent takes should ideally be logged in a tamper-evident, human-readable trail.
  • Lateral movement controls — microsegmentation of agents so a compromised agent cannot freely pivot across the enterprise environment.
  • NHI identity governance — agent identities should be provisioned, monitored, and deprovisioned with rigour comparable to that applied to human accounts.
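The four requirements above can be enforced at a single choke point: a gateway that brokers every tool call an agent makes. The sketch below is an added illustration, not code from the CSA framework or any vendor; the `AgentGateway` class, its grant structure and the `condition_ok` flag (standing in for a policy check such as a human sign-off on a large payment) are assumptions for the example. It issues task-scoped grants limited to named tools and one network segment, revokes them when the task completes, and writes every decision to a hash-chained audit trail that fails verification if any entry is altered.

```python
import hashlib, json, time

class AgentGateway:
    """Brokers every agent tool call; nothing is trusted implicitly (assumed design)."""

    def __init__(self):
        self.grants = {}   # (agent_id, task_id) -> task-scoped grant
        self.audit = []    # hash-chained, human-readable decision trail

    def issue(self, agent_id, task_id, tools, segment, ttl_s):
        """Least privilege: only these tools, only this segment, only until expiry."""
        self.grants[(agent_id, task_id)] = {"tools": frozenset(tools), "segment": segment,
                                            "expires_at": time.time() + ttl_s, "revoked": False}

    def complete_task(self, agent_id, task_id):
        """Access ends with the task, not with the session."""
        g = self.grants.get((agent_id, task_id))
        if g is not None:
            g["revoked"] = True
            self._log("revoke", agent_id, task_id, None, "task-complete")

    def call(self, agent_id, task_id, tool, segment, condition_ok=True):
        g = self.grants.get((agent_id, task_id))
        if g is None or g["revoked"] or time.time() > g["expires_at"]:
            return self._log("deny", agent_id, task_id, tool, "no-valid-grant")
        if tool not in g["tools"]:
            return self._log("deny", agent_id, task_id, tool, "tool-not-in-grant")
        if segment != g["segment"]:   # microsegmentation: no pivot to another segment
            return self._log("deny", agent_id, task_id, tool, "segment-mismatch")
        if not condition_ok:          # e.g. payment over a threshold without human sign-off
            return self._log("deny", agent_id, task_id, tool, "condition-failed")
        return self._log("allow", agent_id, task_id, tool, "ok")

    def _log(self, decision, agent_id, task_id, tool, reason):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"decision": decision, "agent": agent_id, "task": task_id,
                 "tool": tool, "reason": reason, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)
        return decision == "allow"

    def verify_audit(self):
        """Recompute the chain; an edited or deleted entry breaks it (tamper-evident)."""
        prev = "0" * 64
        for e in self.audit:
            body = json.dumps({k: v for k, v in e.items() if k != "hash"}, sort_keys=True)
            if e["prev"] != prev or hashlib.sha256(body.encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In a real deployment the grant store and audit log would live outside the agent's reach, so a manipulated agent cannot widen its own grant or rewrite the trail.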

Microsoft's security team has advocated for end-to-end secure agent pipelines in which trust is not implicitly granted at any stage — from model invocation through tool calls to output handling. The practical implication for enterprise architects, as several security practitioners have noted, is that agent governance is more effective when designed into workflows from the outset rather than added after deployment.

Analysts examining agentic use cases in financial operations have flagged autonomous agents managing invoice processing or treasury operations as a high-stakes example: an agent that is successfully manipulated via prompt injection could potentially authorise erroneous or fraudulent transactions at a speed that human oversight mechanisms might not catch in time. Security teams are encouraged to assess this risk profile carefully and consult qualified security and legal advisors when deploying agents in sensitive financial workflows. This is an active area of concern, not merely a hypothetical future risk.

Agentic AI is not a trend that appears likely to slow down. Industry surveys suggest a significant proportion of automation leaders expect to increase agent investments through 2025 and beyond — this technology is embedding itself into enterprise infrastructure workflow by workflow. Organisations that treat agent governance as a first-class security discipline early in deployment may be better positioned to manage regulatory scrutiny and adversarial exploitation as adoption scales. The window for proactive governance is open now; how long it remains open is uncertain, but the risks associated with delayed action appear to be growing.
