A Dark Reading readership poll closing out 2025 asked security professionals to pick the dominant attack vector heading into the new year. Forty-eight percent chose agentic AI, beating advanced deepfakes, board-level cyber recognition, and passwordless adoption — the latter dead last, a quiet vote of no confidence in the industry’s ability to retire passwords any time soon. Nearly half of respondents now believe autonomous AI systems will be the leading source of cybercrime and nation-state activity by year-end.
The number itself is less interesting than what’s driving it. Agents aren’t a single product, a single vendor, or a single technique. They’re a category of software that holds credentials, makes decisions, and chains tool calls at machine speed — and most enterprises deployed them faster than they secured them. The poll captures a recognition that’s been building across CISO desks for twelve months: the attack surface didn’t grow, it changed shape.
What Agentic AI Actually Is — and Why It Breaks Old Models
An agentic AI system is software that uses a large language model to plan multi-step tasks, select tools, and execute actions with limited human oversight. Where a traditional AI assistant generates text, an agent reads an email, queries a database, calls an API, writes a file, and decides what to do next based on the result. The autonomy is the feature. It’s also the problem.
Three architectural shifts make these systems hard to secure with existing controls. First, agents act rather than recommend — every output can be a real-world side effect. Second, agents chain tools dynamically, picking APIs and plugins on the fly, which makes static policy enforcement insufficient. Third, agents retain memory and context, often through retrieval-augmented generation (RAG) stores that an attacker can poison once and influence indefinitely.
Mike Gozzo, Chief Product and Technology Officer at Ada, framed the shift in conversation with Bessemer Venture Partners: AI agents aren’t tools, they’re actors that make decisions and interact with systems on behalf of customers, and securing an actor is a fundamentally different problem than securing a tool. Most of the industry’s stack — endpoint detection, perimeter firewalls, even LLM guardrails — was built for the tool model.
The Numbers Behind the 48%
The Dark Reading finding doesn’t sit alone. Cisco’s State of AI Security 2026 report found that 83% of organizations planned to deploy agentic AI capabilities, but only 29% felt ready to do so securely. Palo Alto Networks estimates that machines and agents now outnumber human employees by 82 to 1 in many enterprises. IBM’s 2025 Cost of a Data Breach Report put the average cost of a shadow AI breach at $4.63 million — roughly $670,000 above a standard breach. And IBM’s 2026 X-Force Threat Intelligence Index documented a 44% surge in attacks exploiting public-facing applications, accelerated by AI-enabled vulnerability scanning.
The pattern across these data points is consistent: adoption is outrunning capability. Gartner projects 40% of enterprise applications will embed task-specific AI agents by year-end, up from less than 5% a year ago, while Palo Alto Networks estimates only 6% of organizations have an advanced AI security strategy in place.
How Agents Get Compromised
Three practical attack classes drive the concern. Each maps to a documented vulnerability category in the OWASP Top 10 for Agentic Applications 2026, released in December 2025 by the OWASP GenAI Security Project after review by more than 100 contributors.
Goal hijacking is the agentic descendant of prompt injection. An attacker plants instructions inside data the agent processes — a calendar invite, a poisoned RAG document, a web page the agent browses — and the agent, unable to cleanly separate instructions from content, follows them. The OWASP project cites EchoLeak as a real-world reference case for this pattern (cataloged as ASI01). The agent still looks like it’s on task. It’s just serving a different task.
Tool misuse and identity abuse follow once the goal is bent. Agents typically inherit credentials with broad scope: database access, email send, cloud APIs, code execution. Legitimate authorization plus manipulated intent equals destructive action through approved channels. CyberArk has summarized the structural problem: every AI agent is an identity that needs credentials to access databases, cloud services, and code repositories, and the more tasks it gets, the more entitlements it accumulates. The OWASP framework tracks this as ASI02 (tool misuse) and ASI03 (identity and privilege abuse), with the Amazon Q incident referenced as an example of legitimate tools being bent into destructive outputs.
Memory and context poisoning is the slowest-burning class. An attacker corrupts an agent’s vector store or long-term context once, and the agent keeps making compromised decisions long after the active intrusion ends. Unlike a phishing email, this attack persists in storage. OWASP catalogs this as ASI06, with the Gemini Memory Attack cited as a documented example.
The connector layer makes all of this worse. Model Context Protocol (MCP) — the standard Anthropic introduced in late 2024 for connecting agents to external tools — has hundreds of servers in production and has become the prevailing way agents reach databases, file systems, and SaaS APIs. Tool poisoning, where malicious instructions are embedded inside the tool descriptions an agent reads before deciding what to invoke, has been documented as the most prevalent client-side MCP vulnerability in peer-reviewed research.
The OWASP Agentic Top 10 — At a Glance
Why the Old Stack Doesn’t Cover This
CrowdStrike’s 2026 Global Threat Report documented the fastest observed eCrime breakout time at 27 seconds, with an average around 29 minutes. A human attacker with stolen credentials still operates inside biological constraints — typing speed, attention, fatigue. An agent with inherited credentials runs at compute speed across every API and downstream agent it can reach until something stops it. The traditional incident response timeline assumes a human on the other end. Agents break that assumption.
Legacy controls fail in specific ways. SIEM rules tuned to user behavior baselines don’t have a baseline for an agent that legitimately calls 400 APIs in a minute. DLP scanners don’t read RAG poisoning. Endpoint detection doesn’t see prompt injection inside a calendar invite. Identity providers issue tokens to agents the same way they issue them to humans, but with broader scope and longer-lived sessions. Non-human identities (NHIs) — service accounts, API keys, OAuth tokens belonging to agents — now dominate enterprise identity surface, and most identity governance platforms weren’t built to enroll, rotate, or scope them at agent speed.
The vendor response is consolidating around runtime governance. Nvidia’s GTC 2026 keynote framed the problem bluntly: agentic systems in the corporate network can access sensitive information, execute code, and communicate externally, and that access can’t go ungoverned. The OpenShell security framework Nvidia announced names CrowdStrike, Palo Alto Networks, Cisco, JFrog, and WWT as collaborators across five governance layers — agent decisions, cloud runtime, supply chain provenance, prompt-layer inspection, and pre-production validation — because no single vendor covers all of them.
What Defenders Are Doing About It
Practical mitigations track the OWASP framework but center on a small number of foundations. Least agency — granting agents the minimum autonomy and tool scope required for the task — is the agentic equivalent of least privilege and the principle most often cited as a baseline. Human-in-the-loop for high-impact actions (payments, data deletion, credential access, production deploys) is showing up as a hard control in early enterprise rollouts, regardless of agent confidence. Behavioral monitoring of agent action patterns, not just output content, is what catches rogue agents and goal drift; static rule sets miss it.
Beyond controls, the labor market is moving. Roles like AI agent security engineer and agentic system threat modeler now appear in postings that didn’t exist eighteen months ago. The skill set — reading tool descriptions, mapping identity scope, threat-modeling MCP-connected agents — is rare enough that any practitioner who can credibly do it is in a small group right now.
The Stance Worth Holding
The 48% figure is a snapshot of professional sentiment, not a prediction. It can be wrong. Surveys overweight what’s loud, and agentic AI has been very loud — vendor briefings, RSAC keynotes, congressional hearings, GitHub blog posts about deliberately vulnerable agent training environments. Some of the concern is signal; some is hype refracting through a poll.
What’s harder to argue with is the structure underneath. Agents hold real credentials. They act faster than humans. They run on a stack — MCP servers, RAG stores, multi-agent orchestration — that wasn’t built with attackers in mind. The OWASP Top 10 for Agentic Applications didn’t invent these risks; it cataloged what was already happening in production. Until enterprises close the gap between deploying agents and securing them — between the 83% planning rollouts and the 29% who feel ready — the 48% answer is going to keep being right for the wrong reason. The work now is making it wrong for the right one.
