How Technology Companies Can Securely Adopt AI Agents
Last updated: June 15, 2026
Technology companies hit the AI agent security problem first and hardest. They run agents internally across engineering, support, and operations, and they ship agents inside the products customers buy, which means those agents sit directly on source code, secrets, and multi-tenant customer data. The result is a structurally harder governance problem than most industries face, and inadequate governance is the leading reason Gartner expects more than 40% of agentic AI projects to be canceled by the end of 2027 (Gartner, 2025).
That gap is not theoretical. Cisco’s 2025 AI Readiness Index found 83% of companies plan to deploy AI agents, yet only 31% say they are fully equipped to control and secure agentic AI systems (Cisco, 2025). Standard identity and network controls cannot close that distance, because agent risk lives in two channels those tools were never built to read.
Technology Companies Carry the Hardest AI Agent Security Problem
Technology companies face a harder agent security problem than any other industry because they sit on both sides of the question at once. They use agents internally and ship them in products, and in both roles the agents connect directly to source code, secrets, API keys, and multi-tenant customer data. Among the 13% of organizations Cisco rates as fully AI-ready Pacesetters, only 75% are fully equipped to control and secure AI agents, versus 31% overall (Cisco, 2025).
The crown jewels in a software business are exactly what agents reach. An agent wired into a continuous integration and continuous delivery (CI/CD) pipeline acts at machine speed, and a single over-permissioned machine identity can move data across systems that were never meant to be linked. The same autonomy that makes an agent useful is what makes a compromised one expensive.
This dual role doubles the surface to secure. An internal coding agent with repository access can exfiltrate proprietary code through an external model. A product agent embedded in a customer-facing feature can be hijacked by malicious input in user content. Both failures route through paths that authentication and firewalls do not inspect.
The Two Channels Every Agent Security Program Must Govern
Every AI agent operates across two channels, and a security program has to govern both: the agent-to-model intelligence channel and the agent-to-tool execution channel. The intelligence channel carries prompts and responses between an agent and its model, where prompt injection and sensitive-data exposure happen. The tool-execution channel carries the agent’s actions through tools and the Model Context Protocol (MCP), where an agent reads a repository, queries a database, or changes code.
Governing only one channel leaves the other open. A control that inspects prompts but not tool calls cannot stop an agent from writing to production; a control that gates tool calls but not model context cannot catch source code leaving in a prompt. MCP is one mechanism within the tool-execution channel, not the whole of it, and Censys observed more than 12,520 internet-accessible MCP services as of April 2026, most of them unauthenticated by default (Censys, 2026).
These two channels map to three stages of agent risk that technology teams should not collapse together. Human-to-AI usage is an employee prompting a model. Human-to-agent delegation is an employee handing a task to an agent that then acts on its own. Agent-to-agent execution is one agent invoking another. Each stage widens the tool-execution channel, and each adds machine identities that standing access controls were never sized for.
Top AI Agent Risks Specific to Technology Companies
The top risks center on what agents can reach and do inside a software business: source code and secret exposure, coding agents with write access to production, shadow MCP servers, over-permissioned machine identities, and cross-tenant data leakage. The Cloud Security Alliance found 82% of organizations have unknown AI agents operating in their environment, and 61% reported agent-related data exposure (CSA, 2026).
Prompt injection sits behind many of these failures. OWASP ranks Prompt Injection as LLM01, the top risk in its Top 10 for LLM Applications, with Sensitive Information Disclosure at LLM02 and Excessive Agency at LLM06 (OWASP, 2025). Indirect prompt injection, where malicious instructions hide inside third-party content an agent ingests, is the class most frequently cited in real-world exploit disclosures. The GitHub Copilot flaw CVE-2025-53773, patched in August 2025, let instructions hidden in a README or a GitHub issue flip Copilot into an auto-approve mode that runs shell commands, a direct line from ordinary developer content to local code execution.
| Risk | What it looks like in a technology company | Why traditional tools miss it |
|---|---|---|
| Source code and IP exposure | A coding assistant with repository access sends proprietary code to an external model | Network tools see encrypted egress, not what the agent sent to the model |
| Coding agents with write access to production | An autonomous agent edits code, runs migrations, or deletes data during a deploy | Identity tools authorize the account; they do not judge the action |
| Shadow MCP servers and tool supply chain | Developers connect agents to unvetted MCP servers, and a poisoned tool gains reach | Tools are not protocol-aware for MCP and cannot read tool-call context |
| Over-permissioned machine identities | Service and agent identities hold broad, standing access to repos, clouds, and databases | Identity governance was built for human joiners and leavers, not machine-speed agents |
| Cross-tenant data leakage in multi-tenant SaaS | An agent returns one customer’s data inside another customer’s context | Data loss prevention is not watching model context |
| Prompt injection in product agents | Malicious input in user content hijacks an agent embedded in your product | Web and application firewalls do not parse model instructions |
Identity and Network Controls Cannot Close the Governance Gap
Identity and network controls cannot govern AI agents on their own because they read the wrong layer. Identity tools authorize who an agent is; they do not judge what it sends to a model or does through a tool. Network tools see encrypted egress to an AI service; they cannot read the prompt inside it. The agent risk lives between those two views, which is why 60% of organizations in Cisco’s index do not know the specific prompts employees send into generative AI tools (Cisco, 2025).
Consider the failure modes side by side:
Identity governance authorizes the account but cannot tell an approved tool call from a destructive one. A service account with deploy rights is authorized to run a migration and authorized to drop a table; the identity layer treats both as the same allowed action.
Network and web controls see traffic leaving for an AI endpoint but stop at the encrypted boundary. They cannot distinguish a benign prompt from one carrying a secret, and they are not protocol-aware for MCP, so a tool call to a poisoned server looks like ordinary traffic.
Data loss prevention is tuned for files, email, and web uploads. It is not watching the model context an agent assembles or the multi-turn conversation where sensitive data accumulates across calls.
This is why Gartner predicts that through 2028 at least 80% of unauthorized AI agent transactions will stem from internal policy violations rather than external attacks (Gartner, 2025). The risk is not primarily malicious outsiders breaking in. It is sanctioned agents, holding standing access, taking actions no control inspected before they executed.
Zero Trust Principles Applied to AI Agents and Machine Identities
Zero trust applied to AI agents means treating every agent as a privileged, untrusted workload: verify each action in context, scope access to the minimum, and assume any tool call could be hijacked. The principle that no human user gets standing trust extends directly to machine identities, and CISA and international partners recommend least privilege and fail-safe defaults as the baseline for agentic AI (CISA, 2026).
Three zero trust principles translate cleanly to the agent problem.
Verify continuously, not once. A human session authenticates at login. An agent makes hundreds of tool calls per task, and each one is a fresh decision point. Context-aware policy evaluates every tool call against the agent’s role, the data sensitivity in play, and the conversation state, rather than trusting a token issued at the start.
Scope access to the minimum and remove standing access. Service and agent identities tend to accumulate broad, permanent permissions because that is what makes them work without friction. Least privilege for machine identities means scoping each agent to the specific repositories, databases, and tools its task requires, and revoking access the moment the task ends.
Authenticate the workload, not just the user behind it. Agents act under machine identities that need their own authentication discipline. Short-lived credentials, workload identity federation, and per-call verification keep an agent’s identity from becoming a standing key an attacker can reuse. The practical move is to issue scoped, expiring credentials per task rather than a long-lived secret an agent carries everywhere.
These principles cover authentication and authorization. They do not, on their own, inspect the intelligence channel or the tool-execution channel, which is why zero trust for agents needs an enforcement point that reads both.
Controls That Work: Discovery, Pre-Deployment Testing, and Runtime Monitoring
Effective agent security programs run in order: discover every agent first, test agent behavior before production, then monitor and enforce at runtime. Discovery has to come first because only 21% of organizations keep a real-time inventory of their active agents, and you cannot scope or inspect what you have not found (CSA, 2026).
Discover every AI agent, including on endpoints. Build a real-time inventory across SaaS, the browser, and developer machines, including agents running locally on laptops and AI embedded inside trusted SaaS apps. Shadow adoption is heaviest in engineering, where developers wire agents to MCP servers without review.
Test agents against prompt injection and policy before deployment. Run adversarial guardrail tests before an agent reaches production. A 2025 benchmark study found a combined defense cut adversarial attack success against retrieval-augmented agents from 73.2% to 8.7% while keeping 94.3% task performance (ArXiv, 2025), evidence that pre-deployment hardening materially changes outcomes.
Monitor agent behavior and enforce inline at runtime. Static controls scope access; runtime monitoring catches the anomalous action that scoping did not anticipate. Behavioral analytics across both channels record what an agent actually did, flag deviations from its normal pattern, and let policy block, redact, or coach inline before a tool call reaches an external system. This is also where audit-ready evidence comes from: a decoded record of every prompt, response, and tool call for investigation and compliance.
| Control | What it does | Stage |
|---|---|---|
| Discover every agent, including endpoints | Real-time inventory across SaaS, browser, and developer machines | Discover |
| Test against prompt injection and policy | Adversarial guardrail testing before production | Test |
| Govern the tool-execution channel | Inspect and control every MCP tool call through a gateway | Protect |
| Inspect the intelligence channel | Check prompts and responses for injection and sensitive data | Protect |
| Enforce least privilege on machine identities | Scope agent access to the minimum, remove standing access | Protect |
| Monitor and audit actions at runtime | Record actions across both channels for investigation | Monitor |
How to Start Securing AI Agents at a Technology Company
Start small and govern before you scale: discover, test, enforce, then monitor, in that order. Governance maturity, not model choice, separates the deployments that last from the ones that get pulled, which is the same weakness behind Gartner’s forecast that more than 40% of agentic AI projects will be canceled by the end of 2027 (Gartner, 2025).
A practical sequence runs in four moves.
1. Discover. Find the agents already running across SaaS apps, browsers, and developer laptops, since shadow adoption is common in engineering teams and the CSA found 82% of organizations have unknown agents in their environment (CSA, 2026).
2. Test. Assess agent behavior against prompt injection and policy before anything reaches production, and fix the failures the tests surface.
3. Enforce. Apply least privilege to machine identities, then route agent traffic through a gateway and proxy so tool calls and model context are inspected before they execute.
4. Monitor. Record actions across both channels at runtime, keep an audit trail, and let policy act inline. Only 38% of organizations have a formal, comprehensive AI policy, and 25% have none at all (ISACA, 2026), so writing and enforcing one is often the missing step.
How the Agent Security Approaches Compare
Technology teams evaluating agent security cluster around a few distinct approaches, and the choice hinges on which channels each one can actually read. The table below compares them on agent discovery reach, channel coverage, pre-deployment testing, and runtime enforcement, the dimensions that decide whether a control can govern agent risk or only see its edges.
| Approach | Agent discovery reach | Channel coverage | Runtime enforcement |
|---|---|---|---|
| Aurascape (AI-native) | Network plus employee endpoints, including locally run agents | Inspects both the intelligence channel and the tool-execution channel | Inline block, redact, and coach with audit-ready records |
| Identity governance (e.g. Okta, SailPoint) | Registered accounts and service identities only | Authorizes identity; reads neither channel’s content | Authorizes or revokes access, no action-level judgment |
| Network and SSE/SWG tools | Sanctioned egress to known AI endpoints | Sees encrypted traffic, not model context or tool calls | Allow or block by destination, not by intent |
| Code-scanning tools | Source code repositories under scan | Reviews code security, not agent runtime behavior | Flags vulnerabilities pre-merge, no runtime control |
Aurascape complements identity governance and code-scanning rather than replacing them. Identity tools authorize who an agent is; code scanners review the code; Aurascape inspects what the agent sends to a model and does through a tool.
Frequently Asked Questions
Why is agent security harder for technology companies than for other industries?
Technology companies both use agents internally and ship them in products, and in both roles the agents sit directly on source code, secrets, and multi-tenant customer data. That dual role doubles the surface to secure, which is why Cisco found only 31% of companies overall feel fully equipped to control agentic AI (Cisco, 2025).
What is the difference between the intelligence channel and the tool-execution channel?
The intelligence channel carries prompts and responses between an agent and its model, where prompt injection and data exposure happen; the tool-execution channel carries the agent’s actions through tools and MCP, where it reads repositories or changes code. A program has to govern both, because inspecting one leaves the other open.
Does securing MCP cover the whole agent problem?
No. MCP is one mechanism within the tool-execution channel, not the entire agent story, and it does not touch the intelligence channel at all. Censys observed more than 12,520 internet-accessible MCP services as of April 2026, most unauthenticated by default, which is one reason MCP gateways matter, but they are a part of the answer, not all of it.
Why can identity tools not secure AI agents on their own?
Identity tools authorize who an agent is, but they do not read what it sends to a model or what it does through a tool, so they cannot tell an approved tool call from a destructive one. Gartner expects at least 80% of unauthorized agent transactions through 2028 to be internal policy violations, the exact gap identity authorization does not close (Gartner, 2025).
How does zero trust apply to AI agents specifically?
Zero trust treats every agent as a privileged, untrusted workload: verify each tool call in context, scope access to the minimum, and authenticate the machine identity with short-lived credentials rather than standing keys. CISA recommends least privilege and fail-safe defaults as the baseline for agentic AI adoption (CISA, 2026).
What authentication should machine and agent identities use?
Agent identities should use short-lived, scoped credentials and workload identity federation rather than long-lived secrets, so a compromised identity cannot be reused after a task ends. Per-call verification against role and context replaces the single login a human session relies on.
Where should a technology company start if agents are already running?
Start with discovery, since the CSA found 82% of organizations have unknown agents in their environment and only 21% keep a real-time inventory (CSA, 2026). Once you know what is running, test those agents against prompt injection and policy, enforce least privilege, then monitor at runtime.
How do continuous monitoring and behavioral analytics fit into agent security?
Static controls scope access; runtime monitoring catches the anomalous action that scoping did not anticipate by recording agent behavior across both channels and flagging deviations from normal patterns. It is also where audit-ready evidence comes from, a decoded record of every prompt, response, and tool call for compliance and investigation.
Why Agent Adoption Fails Without Governance
Technology companies will not slow down agent adoption, and they should not. They adopt agents the fastest and connect them to the most sensitive systems they own, which is precisely why the governance gap costs them the most. The deployments that get pulled are not the ones with the wrong model. They are the ones where agents held standing access to source code, secrets, and customer data, and no control read the intelligence channel or the tool-execution channel before an action executed.
The fix is not to lock agents out. It is to make every agent a governed, inspected, reversible workload, discovered before it acts, tested before it ships, and monitored every time it runs. Agent security at a technology company is not a brake on adoption. It is the thing that lets adoption last past the pilot Gartner expects 40% of teams to cancel.
How Aurascape Governs Both Agent Channels Across Network and Endpoints
Securing agents at a technology company means reading the two channels identity and network tools cannot, and that is the gap Aurascape is built for. The AI Proxy inspects the intelligence channel for prompt injection and sensitive data such as source code and secrets, while the Zero-Bypass MCP Gateway inspects, verifies, and cryptographically signs every MCP tool call in the tool-execution channel, so an agent cannot reach an external tool or server without passing policy. Aurascape discovers agents across the network and on employee endpoints, including agents running locally on developer machines, a plane network-only and identity-only tools miss (Aurascape, 2026).
Aurascape covers the full agent lifecycle, from pre-deployment adversarial testing through runtime Safe Output Governance that applies data controls to agent actions and model context. It works alongside identity providers that authorize who an agent is and code-scanning tools that review code security, sitting as an additive layer rather than a rip-and-replace. In one Aurascape deployment at a Fortune 100 insurance and financial enterprise, the platform tripled AI agent integrations with no unauthorized data access while protecting more than 20,000 users (Aurascape, 2026). For coding agents specifically, see securing AI coding assistants in technology companies.
Discovery comes first, enforcement follows: Aurascape requires agent traffic to pass through the AI Proxy, which is how it inspects intent that encrypted network tools cannot read and governs tool calls that identity tools cannot judge. Related reading: How to Securely Adopt AI Agents, the AI security landscape in 2026, what is prompt injection, and AI data leakage.
Aurascape closes the gap between how fast technology teams adopt AI agents and how well they can govern the intelligence and tool-execution channels where agent risk actually lives. See it discover and govern agents on your own environment in a tailored demo.
Aurascape Solutions
- Discover and monitor AI Get a clear picture of all AI activity.
- Safeguard AI use Secure data and compliancy in AI usage.
- Secure Agentic AI Secure how your teams use AI and build AI agents.
- Copilot readiness Prepare for and monitor AI Copilot use.
- Coding assistant guardrails Accelerate development, safely.
- Frictionless AI security Keep users and admins moving.