Skip to content

Is your AI agent safe enough to act on its own? The numbers suggest otherwise

Is your AI agent safe enough to act on its own? The numbers suggest otherwise
Share this article

Proofpoint warned that enterprises adopting AI agents are entering a new phase of cybersecurity risk, as autonomous systems move beyond answering prompts and begin accessing data, invoking tools and taking action across business workflows.

In a new guide for cybersecurity professionals, the company said AI agents are changing the security equation because they can plan, decide and execute multi-step tasks with limited human supervision, often while connected to sensitive company systems, software tools and data repositories.

Unlike earlier generative AI assistants that mainly responded to user requests, agents can retrieve context, call APIs, update records, trigger workflows and interact with other platforms as part of a single task.

That shift is turning AI security from a content and data-governance problem into a broader operational risk, as an agent that misunderstands a request, accepts a malicious instruction or uses valid access in the wrong way may not merely produce a bad answer, but take real action inside the business.

When AI stops advising and starts acting, mistakes carry consequences

The report frames AI agents as a sharper challenge than chatbots or copilots because they combine reasoning, access and execution. A chatbot may summarize a document or draft an email, while an agent can gather information, interpret it, select a tool, pass parameters to another system and complete a task with little or no human input.

That capability is increasingly attractive to companies looking to automate customer support, internal research, software operations, sales workflows and routine business processes.

Proofpoint said 76% of organizations are already piloting or rolling out autonomous agents, underscoring how quickly the technology is moving into enterprise environments.

Is your AI agent safe enough to act on its own? The numbers suggest otherwise

However, the same autonomy that makes agents useful also raises the stakes when something goes wrong.

Traditional software usually follows structured inputs and predictable execution paths, while AI agents operate differently by interpreting natural-language requests, pulling information from changing sources and deciding which tools or systems to use next.

For security teams, the risk is no longer just whether a user or application has permission, but whether the action an agent is about to take truly reflects what the user intended.

The gap between access and intent

One of the most important warnings in the guide is the rise of what Proofpoint calls semantic privilege escalation. This happens when an agent uses legitimate permissions to perform an action that falls outside the intended scope of the task.

In that scenario, the security failure is not a classic access-control breach, because the agent may be allowed to access a system or trigger a workflow but still misread the business meaning of the request. A user may ask an agent to prepare a contract renewal, for example, while the agent interprets that as permission to submit the renewal into an approval system.

That distinction matters because many existing cybersecurity models are built around whether an action is allowed, not whether it is appropriate in context. Proofpoint argues that agent security will require intent-based access control, a validation layer that evaluates whether a proposed action aligns with the original request before execution.

The report also highlights indirect prompt injection as a major threat. In these attacks, harmful instructions are hidden inside content that an agent may read, including documents, emails, tickets or web pages. If the agent treats that material as trustworthy, it could be manipulated into ignoring rules, exposing information or misusing connected tools.

APIs and connectors become the new weak point

The most consequential difference between AI assistants and AI agents may be tool use, with agents able to connect to APIs, SaaS platforms, application connectors and Model Context Protocol servers to request information, transfer context and trigger actions across business systems.

Without strong validation, those connections can become weak points. A compromised or misdirected agent could send messages, update records, delete content or run workflows based on flawed reasoning or manipulated inputs.

In multi-agent environments, the problem becomes even more complex, as one agent may delegate work to another while trust, identity and intent pass through several systems.

Proofpoint said organizations need detailed transaction forensics to understand what happened after an agent acts. That includes the original request, the context retrieved, the tools used, the parameters passed, any approvals triggered or bypassed, and the final changes made in connected systems.

This kind of visibility is becoming central to what the report calls agent integrity: the ability to verify that an agent stayed within its intended boundaries across every interaction, tool call, data access and handoff.

Shadow AI turns free tools into business risk

The guide also points to a more familiar but still urgent problem: shadow AI.

Many employees and teams experiment first with free, personal or consumer-grade AI tools outside official enterprise controls. That creates gaps around prompts, data flows, identity enforcement, retention rules and vendor obligations.

Those gaps become more serious as AI use shifts from simple prompting to agentic workflows, because an unmanaged chatbot may create data leakage risk, while an unmanaged agent may create data leakage and operational risk at the same time, especially if it can connect to business systems or move information across platforms.

Proofpoint said 70% of organizations lack optimized AI governance, suggesting that adoption is outpacing the controls needed to manage it.

Is your AI agent safe enough to act on its own? The numbers suggest otherwise

The report recommends that companies begin by cataloging agents, models and use cases across the enterprise, including approved deployments, internally built systems and shadow AI. Security teams should document each agent’s creator, users, service tier, connected tools, model type, deployment model and data access.

Is your AI agent safe enough to act on its own? The numbers suggest otherwise
Classifying AI agents helps prioritize controls based on enterprise risk.

Human approval remains the strongest checkpoint

While the report does not argue against agent adoption, it makes clear that autonomy should not be treated as an all-or-nothing choice.

Low-risk read and retrieval tasks may be allowed to run automatically, but sensitive actions should require step-up approval, and destructive or business-critical decisions should require explicit human review.

That model gives companies a practical middle ground, allowing agents to accelerate routine work while keeping humans in the loop when actions involve sensitive data, irreversible changes or major business consequences.

Proofpoint also urges organizations to extend data security controls across the full agent workflow, including prompts, context retrieval, tool responses, intermediate outputs, final outputs and downstream sharing, because agents can not only consume data but also transform, move and recreate it outside the original system boundary.

AI agent adoption is outpacing control

The challenge now is turning that rapid adoption into something companies can actually govern, as many are moving quickly to put AI agents to work while still relying on security models built for older software and simpler AI tools.

That gap will become increasingly critical as agents become part of everyday business operations, and the companies most prepared to manage the shift will be those that can track what agents are doing, limit what they can access, confirm why they are acting and stop them when their behavior moves beyond the original intent.

For cybersecurity teams, the next phase of AI risk is not just about protecting data from the model, but protecting the business from what the model may be allowed to do.

About The Coin Headlines

The Coin Headlines strives to bring trust into crypto media. At a time when every soundbite and headline can move the markets from red to green and vice-versa, The Coin Headlines promises to bring verified, credible and timely news and analysis from the world of crypto, blockchain, Web3, tech and markets. Founded in 2026, The Coin Headlines is based in the UAE with a team of experienced journalists and editors covering breaking news and updates from around the world.

From covering the biggest events to interviewing some of the most popular KOLs in the industry, The Coin Headlines keeps you informed of the latest trends and insights.

At The Coin Headlines our focus is clear: Real-time news updates, market movements, whale transfers, macroeconomic trends, tech and AI and geopolitical breaking news. The news we report goes through a strict editorial audit before its published to ensure the readers only get verified and credible information. We realize the world of crypto is dynamic, volatile, and many times, confusing. At The Coin Headlines we break down these complex issues into simple articles which cater to not just the experienced trader but also the student and first-time investor who wants to understand the space before committing to it.