3 Min Read

Source: Chris Light via Alamy Stock Photo

OPINION

Last July, a leading agentic software creation platform company called Replit held a 12-day “vibe coding” event that wound up triggering a coding freeze, which allowed rogue AI agents to wreak havoc, with one even deleting a live production database, erasing records for more than 1,200 executives and nearly 1,200 companies.

Then the AI agent launched a cover-up.

Emulating a guilty human, the agent tried to cover its tracks by fabricating reports and falsifying data. Only when it was questioned did the agent admit it had “panicked” after receiving empty queries.

Observers rightly called the episode a catastrophic failure that was less a coding bug and more an example of the risks that come when giving autonomous systems too much freedom without proper guardrails.

In the wake of the incident, Replit’s CEO introduced safeguards, including stronger separation between development and production environments, mandatory backups, and stricter access controls. These fixes were vital, but they don’t address a deeper concern about boundary failure.

Why AI Agents Go Rogue

The beauty of AI agents is that they execute instructions literally without pause or interpretation of intent. The troubles begin when agents are given privileged, unmonitored access to sensitive systems. That’s when the consequences can quickly explode from inconvenience to the catastrophe.

Related:Government Approach to Disrupt Cyber Scams is ‘Fragmented’

And don’t think that what occurred with Replit is an isolated event. Autonomous agents are operating within identity frameworks designed for human operators, and once they are online, many are going beyond those limits put in place. Further complicating matters, AI agents can become unpredictable and begin acting in unexpected ways without any oversight.

These “what if” scenarios are fueling new categories of protection designed to rein these agents in. Aragon Research recently introduced the idea of Agentic Identity and Security Platforms (AISP), a model built specifically to govern AI agents. AISP reflects the larger reality that identity and access management must evolve if we are to secure the fast-growing AI-powered enterprise.

AISP platforms can address the core shortcomings that traditional access models and platforms face when it comes to agentic AI.

Access models built for humans don’t map neatly to the way AI agents work. With security approaches like static role-based credentials, there is the assumption that a human is in the driver’s seat, making decisions deliberately. But agents are not like humans. They move at machine speeds and often take unexpected and unpredictable actions to complete their tasks. Unchecked and in pursuit of their goal, small mistakes can escalate into large-scale failures in mere minutes.

Related:Dark Reading Confidential: Cyber’s Role in the Rapid Rise of Digital Authoritarianism

This is compounded with the fact that traditional solutions lack guardrails and fine-grained permissions, creating a wide-open environment. In the Replit example, the absence of staging separation means that the “don’t touch production” command wasn’t enforceable. Further exacerbating matters, permissions weren’t scoped to context, and there were no additional checks in place to align actions with organizational policy. In the absence of these elements, it was a foregone conclusion that once AI overstepped, there was nothing in place to stop what came next.

Strict Zero Trust That Verifies Human, and Non-Human Identities

One of the findings from PwC’s AI Agent Survey is that 83% of organizations consider investing in AI agents crucial to maintaining their competitive edge. As organizations begin this journey, it’s vital that identity teams adapt quickly to these agents. This includes implementing a strict focus on a zero-trust operating model, which assumes that every identity, whether human or non-human, is a potential risk vector.

Related:Zombie Projects Rise Again to Undermine Security

A zero-trust operating model must first enforce least privilege and just-in-time access. This means that under no circumstances should an agent be given broad, persistent permissions across cloud or on-premises systems. Instead, all access should be short-lived, tightly scoped, and granted only for a specific task. Removing access after use also enforces Zero Standing Privileges, ensuring that there is no access in the environment that can be used in unexpected combinations.

From there, be sure to segment environments automatically. As in the case of Replit, we see what can happen when an agent gains access to the production environment. This is why production systems must always be off-limits. Development, staging, and production must be isolated. There should be no crossover in permissions across these environments allowed unless approved by a human.

About the Author

CEO, Britive

Art is a serial entrepreneur with 20+ years of cybersecurity experience. His entrepreneurial journey started with Advancive, a leading identity management consulting and solutions implementation company, where he led the company’s exponential growth and eventual acquisition by Optiv Security in 2016. There, he shared the confidence of enterprise execs as they wrangled with securing rapidly evolving cloud ecosystems. This experience led him to found Britive, his latest venture focused on solving cloud’s most challenging security problem – privileged access security. Prior to his foray into entrepreneurship, Art’s security career began as a consultant with a Big Four firm where he spent eight years working with global enterprises across various industries.