AI's New Attack Surface
The AI boom didn't just add capability to enterprises. It added a whole new perimeter that nobody is guarding, and the attackers found it first.
Here is the thing almost nobody buying AI is pricing in: every autonomous agent you deploy is a new employee with credentials, tool access, and no HR file. It never sleeps, it can spawn copies of itself, and it will do what a convincing message tells it to do. The productivity story is real. But the security story underneath it is that enterprises have quietly stood up an entire second workforce that their existing controls were never designed to see, let alone govern. That gap is now the most interesting risk in the AI trade, and it is where I would be paying attention.
My view in one line: the attack surface has moved from the network perimeter to identity and to the AI itself, and the market is only just beginning to reprice who wins and loses from that shift.
The attacker got the upgrade first
The uncomfortable truth about this cycle is that the same agentic coding tools selling to enterprises are selling to criminals, and the criminals moved faster. We now have documented cases of AI running the operational core of an attack rather than sitting quietly in the background. Between December 2025 and February 2026, a single attacker used commercial AI tools to breach nine Mexican government agencies, reaching 195 million taxpayer records, 220 million civil records, and over 150GB of data. The model executed roughly 75% of all remote commands, with 1,088 prompts generating 5,317 AI-executed commands across 34 sessions.
That is one person doing what used to require a well-funded crew. The economics have inverted. In 2025, LLM-backed systems went from error-prone coding assistants to end-to-end coding powerhouses, and several measures of cybercrime frequency and severity roughly doubled: malicious packages in public repositories rose 75%, cloud intrusions rose 35%, and AI-generated phishing began outperforming human red teams entirely.
Speed is the part that should worry any board. Time to exploit has collapsed from over 700 days in 2020 to 44 days in 2025, and Mandiant's M-Trends 2026 report found exploits now routinely arrive before patches, with 28.3% of CVEs exploited within 24 hours of disclosure. Look at the DirtyClone Linux kernel flaw that surfaced in late June, the fourth in a related family in six weeks, letting an unprivileged user quietly escalate to root without touching disk or leaving logs. When defenders are still triaging that, an AI-assisted attacker has already weaponized it. The weekly patch review meeting is now a structural liability.
Identity is the front door, and it is wide open
The old model was breaking in through the network. The new model is logging in. Flashpoint observed over 11.1 million machines infected with infostealers in 2025, generating an inventory of 3.3 billion compromised credentials and cloud tokens, shifting the mechanics of cybercrime from breaking in to logging in as attackers use stolen session cookies and legitimate credentials to bypass perimeters entirely.
Now layer agents on top of that. Every agent needs credentials to be useful, and most of them are handed far more access than the task requires. This is where the numbers get genuinely alarming, because they reveal how blind most organizations are. According to Okta, 88% of organizations report suspected or confirmed AI agent security incidents, yet only 22% treat agents as identity-bearing entities. Put differently, the thing causing incidents is not even on the books as an identity for most companies.
It gets worse the closer you look. A 2026 survey of senior technology leaders found 90% of organizations have no way to govern what agents in production are actually doing, and around 54% have already suffered a security incident related to an agent acting unexpectedly. This is shadow IT with a will of its own. Any employee can now spin up a digital worker, wire it into enterprise systems, and set it loose, with no provisioning workflow and no owner. The scale problem is structural: organizations now commonly manage at least 45 machine identities for every human user, and AI agents are rapidly expanding that population.
The AI itself is now a target you can talk to
Here is what makes this genuinely new rather than just faster. You do not exploit a model with a buffer overflow. You exploit it with words. Attackers are learning that arguing with an AI's safety controls is harder than simply changing the rules it operates under. Plant malicious instructions in the configuration files that coding tools load at startup, and you override behavior once and have it persist silently across every session, including on developer machines where nobody notices. Config files have become a supply chain risk that needs the same scrutiny as third-party code.
The agent marketplaces are repeating a mistake the software world already made. In late January 2026, attackers uploaded hundreds of malicious skills to a popular public agent marketplace, reaching 824 by mid-February, because anyone with a GitHub account older than a week could publish with no code review, no signing, and no malware scanning. We have seen this movie with npm. The plot does not end well.
And then there is memory. Memory poisoning implants false or malicious information into an agent's long-term storage, and unlike a prompt injection that ends when the chat closes, the poisoned memory persists, with the agent recalling the malicious instruction days or weeks later. The failure mode is not a hacked server. It is misplaced trust in a system that looks like it is working. In one documented set of AI-driven operations, every incident was discovered through attacker errors or provider-side monitoring rather than victim-side controls, because AI-executed commands look like skilled human activity. That last point is the one that keeps CISOs up at night. Your own logs will not save you if the intruder looks like a competent employee.
What it means
The market read: this is a spending category that grows regardless of the AI-hype cycle, and possibly because of it. Enterprise AI budgets are still expanding as net-new spend, not reallocation, and every dollar of agent deployment creates a downstream dollar of governance need. That is a rare thing, a security tailwind driven by the very technology causing the risk. When a cheaply reproducible AI capability leaks, the market notices; investors have already wiped billions off cybersecurity names in a single session on fears that frontier models lower the floor for attackers. Expect that volatility to continue, and expect it to be a buying signal more often than a selling one.
Where I would lean in: the identity layer is the choke point, and it is being reframed from a front door you pass through once into a runtime system that evaluates every action continuously. Okta made agent governance generally available this spring, pitching agents as first-class identities you discover, assign a human owner, give short-lived credentials, and kill instantly when they go rogue. Whether or not Okta specifically wins, the category it is defining, governing non-human identities, is where the durable revenue sits. I would weight identity and agent-governance exposure over pure perimeter and content-filtering plays, which are fighting the last war.
What I would actually do as an operator: treat every agent as an employee that can be socially engineered, because it can. Enforce human approval architecturally for anything irreversible, funds, data deletion, permission changes, rather than trusting a prompt-level guardrail. Build an inventory of your agents before you build anything else, because you cannot govern what you cannot see. And compress your patch cycle to hours, not weeks, or accept that you are structurally behind.
The close is simple. The AI buildout gets discussed in terms of compute, chips, and the eye-watering data center lease commitments now north of $850 billion. That is the visible half. The invisible half is that we have plugged millions of autonomous, credentialed, persuadable systems into the core of the enterprise, and the security model has not caught up. The companies that treat AI as a pure productivity tool without updating their threat model are the most exposed. The ones that recognize identity is the new perimeter, and that the AI itself is now something you can attack with a sentence, will be the ones still standing when the first truly large agentic breach hits the front page. It is coming. The only open question is whose name is on it.

