Skip to main content
Currently onloravaughn.com→ visit Vaughn Cyber Group
Lora Vaughn

// BLOG POST

You Gave the AI Agent the Keys. That's the Breach.

By · Jul 8, 2026 · 5 min read

Agents don’t make people do stupid things. People already do stupid things. Agents just do them faster, at 2am, with nobody watching.

Most AI agent breaches are a letdown once you read the details. No zero-day. No nation-state. Someone stood up an agent, handed it broad access so it could move fast, and the agent did exactly what it was permitted to do. Someone else pointed it in a bad direction, and it followed instructions all the way to the damage.

That’s the incident. The agent worked as designed. The design was the problem.

The numbers are the setup, not the story

Enterprise agent fleets roughly doubled in four months. Only about one in five companies say every agent is governed before it hits production. One in eight AI breaches now trace back to an agent.

Do the math. Four out of five agents are running loose while someone means to get around to the governance piece. The capability shipped Monday. The guardrails are a ticket sitting in someone’s backlog, unassigned.

I’ve watched this exact gap open before, with cloud, with APIs, with every tool that got adopted faster than anyone could ask “wait, should this thing have access to that?” It never closes on its own. Somebody has to close it, usually after the incident that makes closing it non-optional.

Over-permissioned is the default setting

Here’s how it actually happens. You connect an agent to whatever it needs to be useful. A mailbox. An internal API. A code repo. A database. Maybe an MCP server that quietly fans out to a dozen more services nobody in the room could name.

The fast way to make it work is to hand it a broad token and let it run. Scoping access to one narrow job means more tickets, more testing, more waiting. So the agent gets write where it only needed read. Standing access where it needed access for one task, one time. Nobody decided to be reckless. They decided to ship by Friday.

That token is the attack surface. When the agent gets pointed at a poisoned document or a crafted prompt, it doesn’t get hacked in the movie sense. It gets used. It already had the reach. Someone just handed it a new instruction, and it had no reason to say no. Agents don’t have judgment. They have permissions.

The boring failure mode is the one that gets you

I’ve said this about people for years, and it holds for agents: the disasters never come from the sophisticated attacker in the threat briefing. They come from someone routing around a control because the secure path was slower and there wasn’t time to argue about it.

An agent with write access to production because read-only would have meant two more approvals. A service account with a key that never expires because rotating it broke a workflow once. An agent that can email anyone in the company because scoping the recipient list felt like overkill during the build.

Every one of those is a reasonable shortcut on a Tuesday. Stacked together, they’re the blast radius. The agent didn’t fail. A human granted every one of those permissions, and then handed the whole pile to something that never gets tired, never asks “should I,” and executes at machine speed. That’s not a new risk. That’s the same old bad habit, wearing a faster engine.

Treat the agent like the privileged identity it is

An agent with credentials and autonomy is a privileged non-human identity wearing a friendly chat window. Stop treating it like a feature. Manage it like the identity it is.

Scope the token to the one job it exists to do. Nothing adjacent, nothing “just in case.” Log every action somewhere a human actually reads, not a bucket nobody opens until the postmortem. Put an approval gate in front of anything that writes, sends, moves money, or touches customer data. Assume the incoming prompt is hostile, because eventually it will be, and build so a bad instruction can’t reach a dangerous capability by itself. Have a kill switch, and make sure someone actually knows where it is at 2am, not just that it exists.

None of that slows the useful work. It slows the dangerous work. That’s the point of building it at all.

For a regulated shop, there’s a second reason to care. When an examiner asks what your agent could touch the day it went sideways, “it’s AI, it decided on its own” gets you laughed out of the room. You granted the access. You own the blast radius.

Your agent being smart was never the question. The question is what it’s allowed to touch when someone points it the wrong way. Go pull up what each of your agents can actually reach right now. If that list surprises you, that’s your answer, and your problem.

If you want help sorting which access your agents genuinely need from what they were handed by default, book a call: https://cal.com/vaughn-cyber-group

Lora Vaughn, fractional CISO and cybersecurity speaker

About the Author

Lora Vaughn is a fractional CISO and cybersecurity speaker with 20+ years securing banks, digital payments, and financial products at scale. She is a two-time CISO (MoneyGram, Simmons Bank), a former NSA analyst, a CISSP, and a two-time CISOs Connect A100 honoree. She writes practical, no-buzzword security guidance from Birmingham, Alabama.

Work With Lora

Ready to Secure Your Growth?

Whether you need an executive speaker for your next event or a fractional CISO to build your security roadmap, let's talk.

Consulting services are delivered through Vaughn Cyber Group.