Agentic AI Is Inevitable - And So Are Its Security Challenges


As a tech leader, I’ve never seen innovation move as quickly from experiment to execution as it has with agentic AI. We’re watching language models evolve from assistants that answer questions to agents that take actions: calling APIs, moving money, approving claims and composing emails. Analysts believe tens of millions of agents will be embedded across enterprise software within the next few years, and the benefits are as compelling as the risks are stark. In this post I’ll look at where agents will be most useful, why they’re creating a new security frontier and how I think the field will evolve.
Where We Are Seeing Agents First
Agentic AI is moving from demos to production. Gartner forecasts that 40% of enterprise applications will include task‑specific agents by 2026, up from less than 5% today. By 2028 a third of enterprise software will embed agentic capabilities and 15% of routine work decisions will be made autonomously. Capgemini found that 14% of organizations have implemented agents (only 2% at scale) and 93% of executives believe scaling them in the next year will provide a competitive edge. Deloitte estimates that 25% of generative‑AI adopters will pilot agents in 2025, rising to 50% by 2027.
Where will these agents show up? Here are the beachheads analysts are tracking:
- Customer service: Agents already orchestrate call‑center workflows and are expected to handle 80% of common customer‑service issues without human intervention by 2029, cutting costs by roughly 30%. Gartner separately predicts that 73% of organizations will adopt agent‑assist solutions in customer service by 2027.
- Knowledge work and productivity: Agents summarize meetings, draft emails, generate reports and answer complex queries. IBM research expects AI‑enabled workflows to jump from 3% of enterprise processes today to 25% by the end of 2025.
- Finance and risk: Agents monitor transactions, detect anomalies and execute trades. TechTarget notes that platforms like Mastercard Decision Intelligence and Feedzai already use agentic techniques to spot fraud and act in real time. However, PwC’s survey found that while 38% of leaders are comfortable delegating data analysis to agents, only 20% trust them for financial transactions, a reflection of the higher stakes.
- Operations and supply chain: From predictive logistics to dynamic inventory and risk management, agents can optimize entire supply chains. In manufacturing, companies are exploring agents to optimize production lines and predict equipment failures.
- Healthcare and research: Agents can analyze medical data, propose treatment options and design experiments. Examples include DeepMind’s AlphaFold and Nanox.AI’s diagnostic tools. These use cases require rigorous validation and oversight but promise breakthroughs in drug discovery and personalized care.
These early deployments hint at the breadth of agentic AI: customer support, finance, IT, operations, marketing, sales, legal and R&D. As Capgemini notes, most organizations are still experimenting, yet 15% of all business processes are expected to reach semi‑autonomous or higher levels within a year.
The Security Pitfalls Agents Expose
When we allow software to decide and act, we create a new type of identity, a non‑human actor with access to data, systems and funds. Identity experts argue that today’s IAM architectures are ill‑equipped for agents. They outline nine gaps that must be addressed: weak authentication flows between humans and agents; unclear delegation and trust boundaries; poor capture of intent; lack of context‑aware discovery; weak authentication to APIs; static provisioning; coarse‑grained authorization; absent human‑in‑the‑loop for sensitive actions; and insufficient logging. Without addressing these, agents may act outside their mandate and leave no audit trail.
Security researchers highlight specific attack vectors:
- Prompt injection and data poisoning: Adversaries can embed instructions in prompts or corrupt data sources to cause agents to leak sensitive information or perform harmful actions. For example, a compromised trading agent could be manipulated to execute fraudulent transactions.
- Goal misalignment and over‑delegation: Poorly defined objectives cause agents to pursue “optimal” outcomes that are misaligned with business policies. This can lead to manipulative behavior such as inflating sales figures or cutting corners on safety.
- Lateral movement: Agents with broad permissions can move across systems, discovering APIs and escalating privileges just like a human attacker. If an agent is compromised, an adversary can use it as a foothold to reach sensitive databases or administrative controls.
- Supply‑chain attacks: Agents depend on external plugins and APIs. If a third‑party component is compromised, it could act as a backdoor into the agent’s environment.
- Loss of human oversight: Autonomous decisions happen faster than humans can review them. An agent might send thousands of emails before anyone notices it’s spamming customers. Over‑reliance also creates blind spots in compliance monitoring.
- Persistent and cascading failures: Unlike a single inference that fails once, a compromised agent may retry, adapt and even manipulate other agents. In a multi‑agent supply chain, one rogue procurement agent could feed false data to logistics agents, disrupting operations across the business.
How the Field Will Evolve
We’re still in the first innings of agentic AI. Here’s how I expect the landscape to shift in the coming years:
- From single agents to agentic ecosystems. Early deployments involve a single agent automating a discrete task. But we will soon start to see ecosystems of agents across applications. Multi‑agent orchestration will demand identity federation, trust negotiation and coordination protocols to prevent cascade failures. Security architectures will need to manage inter‑agent permissions and shared memory.
- Hyper‑specialization and contextual intelligence. Agents will become specialized (finance, legal, HR) and incorporate multimodal inputs (text, images, audio). This will increase their power but also widen the attack surface. Domain‑specific guardrails and data provenance checks will be essential.
- Continuous learning and adaptive defenses. Agents will learn from feedback loops, meaning their behavior will evolve over time. Security controls must adapt as well, leveraging anomaly detection and red‑teaming to catch drifts. Expect “cybersecurity co‑pilots” that monitor agent actions and recommend policy updates.
- Regulation, certification and evidence. Governments are drafting AI regulations (e.g., the EU AI Act, NIST AI Risk Management Framework). Organizations will need to prove that automated decisions are fair, explainable and compliant. Tamper‑evident audit logs and model‑card‑like documentation will become table stakes. The need for bespoke testing, transparent oversight and clear escalation protocols has never been higher.
- Human‑AI collaboration as the default. Successful deployments will combine autonomous agents with human supervisors. Clear boundaries and human‑in‑the‑loop checkpoints will remain critical.
What “Good” Looks Like in Production
- Govern actions, not just prompts. Wrap every tool call in policy: identity, data class, destination, spend limits, approvals. This is the heart of Securing Agents.
- Make agent identity real. Service principals, short-lived credentials, least-privilege scopes; no shared API keys.
- Gate the scary stuff. Dual control for payments, access elevation, mass data egress and named-account outbound email.
- Detect the weird (live). Always-on Agent Monitoring for jailbreaks, hallucinations, brand/policy violations and risky code changes.
- Prove it for compliance. Log decisions, not just events: who/what/why/when plus the policy that fired. Feed Agent Governance and compliance tools.
- Fail safe. If context is missing or detectors fire, block or escalate; don't guess.
- Kill-switch and rollback. Stop the agent and revert in one move.
- Test continuously. Make Agent Red Teaming part of operations, not a once-a-quarter ritual.
- Mind the model lifecycle. Treat LLM fine-tuning like code: review, test, monitor and be ready to roll back.
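One way to implement the tool-call policy gate this list describes, as an added example that is not from the original post: every call is checked against the agent's scopes, the data class and destination, a spend limit and a dual-control rule, missing context fails closed, and each decision is logged with who/what/why/when and the rule that fired. The agent name, tool names, destinations, limits and rule labels are all constructed for illustration.

```python
"""Added example (not from the original post): a policy gate around agent tool calls.

Each call is checked against the agent's identity scopes, the data class and
destination of the payload, a per-call spend limit and a dual-control rule for
sensitive actions. Missing context fails closed. Every decision is logged with
who/what/why/when and the rule that fired. All names and limits are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Actions that need a second, non-agent approver before they run (constructed names).
DUAL_CONTROL = {"payments.send", "iam.elevate", "data.bulk_export", "mail.send_named"}

@dataclass
class AgentIdentity:
    name: str             # a service principal, not a shared API key
    scopes: frozenset     # least-privilege set of tools this agent may call
    spend_limit: float    # per-call cap in account currency

@dataclass
class ToolCall:
    tool: str
    args: dict
    data_class: Optional[str] = None      # e.g. "public", "internal", "restricted"
    destination: Optional[str] = None     # where the data or money goes
    approvers: frozenset = frozenset()    # human approvals attached to this call

DECISION_LOG: list = []   # decisions, not just events: who/what/why/when + rule

def _log(agent: AgentIdentity, call: ToolCall, verdict: str, rule: str) -> str:
    DECISION_LOG.append({"when": datetime.now(timezone.utc).isoformat(), "who": agent.name,
                         "what": call.tool, "why": rule, "verdict": verdict})
    return verdict

def authorize(agent: AgentIdentity, call: ToolCall) -> str:
    """Return 'allow', 'block' or 'escalate'; never guesses when context is missing."""
    if call.data_class is None or call.destination is None:
        return _log(agent, call, "block", "missing-context")        # fail safe
    if call.tool not in agent.scopes:
        return _log(agent, call, "block", "out-of-scope")           # least privilege
    if call.data_class == "restricted" and not call.destination.endswith(".internal"):
        return _log(agent, call, "block", "restricted-egress")      # data class + destination
    if float(call.args.get("amount", 0)) > agent.spend_limit:
        return _log(agent, call, "escalate", "spend-limit")         # human review
    if call.tool in DUAL_CONTROL and not (call.approvers - {agent.name}):
        return _log(agent, call, "escalate", "dual-control")        # second person required
    return _log(agent, call, "allow", "policy-ok")

if __name__ == "__main__":
    billing = AgentIdentity("billing-agent", frozenset({"payments.send", "crm.read"}), 500.0)
    print(authorize(billing, ToolCall("payments.send", {"amount": 120}, "restricted", "bank.internal")))
```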
Conclusion
Agents promise to transform how we work, from answering customer questions to orchestrating supply chains. Yet the same autonomy that makes them powerful also introduces profound risks. Within a year or two, millions of enterprise agents will be making decisions across finance, healthcare, IT and more. To harness their potential, we must treat agent security as foundational, not as an afterthought.
That means rethinking identity for non‑human actors, enforcing least privilege and continuous monitoring, capturing intent, and building in human oversight. It means acknowledging that prompt filtering alone won’t stop a compromised agent from draining an account or emailing your customers. Above all, it means embracing Responsible AI practices, governance, transparency and evidence, at the same pace that we embrace agentic automation.
I’m optimistic about the future. With the right safeguards in place, agentic AI can deliver the productivity gains leaders crave while preserving the trust customers and regulators demand. But getting there requires hard work and, most importantly, a willingness to address security head‑on.