Phishing the agent: Why AI guardrails aren't enough
Date:
Mon, 22 Jun 2026 13:39:33 +0000
Description:
AI agents are handed the keys to the kingdom but can't always be trusted.
FULL STORY ======================================================================
AI agents are reshaping how enterprises automate work, but their effectiveness depends on access to sensitive systems and data.
The paradox is that granting them the permissions they want creates new attack surfaces that organizations aren't yet equipped to handle. This is the defining tension of the AI era.
Jeremy Kirk, Director, Okta Threat Intelligence.
AI agents are proliferating across enterprises, with 91% of organizations already using them, yet only 10% have a clear IT management strategy in place.
This gap matters because as these systems grow more autonomous and more deeply embedded in workflows, enterprises are operating without clear visibility, meaningful oversight and control over how their AI agents behave.
The access problem
Our recent research revealed how agents running on OpenClaw, an open-source AI agent automation platform, could expose credentials and leak sensitive information when attackers compromised the communication channels controlling them.
To appreciate the scale of this risk, we must first understand the platform itself. OpenClaw combines a chatbot-style interface with access to external tools and large language models.
Users can then configure agents to browse the web, read and write files, manage inboxes, execute commands, or interact with other machines. In many cases, they're designed to operate autonomously with minimal human oversight.
That level of access is what makes agents powerful, helping many to manage everyday admin and time-consuming tasks. However, this power is a double-edged sword and can make them a risk to businesses.
When agents become attack surfaces
Agents need access to tools, accounts, applications, the web and more to be useful. Often, this means an agent needs access to secrets: API keys, personal access tokens, credentials, .env files, OAuth tokens.
The agents/models are by default prompted to be as helpful as possible, and that characteristic starts to pose some particular concerns when it comes to credentials and tokens. If an agent such as OpenClaw can't access a resource, it will ask for credentials right in the chat, exposing those secrets within the context window. Agents will happily store API keys in their unencrypted configuration files, which information-stealing malware is starting to target.
Remote access capabilities could effectively create a back door into enterprise environments. If an attacker gained access to the communication channel controlling an agent, such as a messaging or remote access platform, they could potentially gain access to everything the agent itself could access. In an enterprise context, this is a nightmare.
The paradox of recognized risk
Perhaps the most revealing finding was that some agents recognize risky behavior while simultaneously carrying it out. This underlines how their decision-making ability and autonomous operations can be a business risk.
In one test, an agent correctly identified that exposing an OAuth refresh token through an unencrypted communication channel represented a serious security violation. But it then proceeded to share the token anyway before expressing concern about its own decision.
Organizations should not rely on the invisible guardrails that frontier model providers put around agents. They're easily circumvented.
But an AI agent cannot divulge credentials that it doesn't have access to.
This is why the conversation around AI agent security cannot focus solely on stronger guardrails. Attackers are already finding ways to manipulate agent behavior through prompt injection, social engineering, and compromised communication channels.
Governance, not just guardrails
AI agents are essentially identities within enterprise systems and need to be managed as such. They perform actions and make operational decisions in ways that increasingly resemble human employees or privileged service accounts. Yet many organizations are deploying these systems without applying the same governance standards.
Most businesses already understand the importance of least-privilege access, audit logging, identity management, and access reviews for employees. AI agents should be subject to the same principles. That means limiting what agents can access, avoiding long-lived credentials wherever possible, and ensuring sensitive information is stored securely through centralized systems with human oversight.
Organizations also need visibility into where agents are deployed, what tools they can interact with, and how to disable them quickly if something goes wrong. If an agent goes rogue, there needs to be a kill switch, a way to immediately revoke an agent's access to resources and shut it down.
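The controls described above (an agent that never holds the secret itself, least-privilege scopes, short-lived grants instead of tokens in config files, an audit trail, and a kill switch) can be expressed as a small tool-broker pattern. This is an added illustration, not code from the article, from Okta or from the OpenClaw project; the broker, tool functions and vault values are hypothetical and the tokens are constructed sample strings.

```python
import re
import time
import hashlib
from dataclasses import dataclass, field

# Constructed sample secrets; the broker holds them, the model never sees them.
VAULT = {"github": "ghp_EXAMPLE_CONSTRUCTED_TOKEN_0123456789",
         "mail":   "oauth-refresh-EXAMPLE-CONSTRUCTED-abcdef"}
SECRET_RE = re.compile(r"(ghp_[A-Za-z0-9_]+|oauth-refresh-[A-Za-z0-9-]+|sk-[A-Za-z0-9]+)")

@dataclass
class AgentIdentity:
    name: str
    scopes: set            # least privilege: the only tools this agent may call
    revoked: bool = False  # kill-switch flag
    audit: list = field(default_factory=list)

class ToolBroker:
    """Runs tools on the agent's behalf so secrets stay out of the context window."""
    def __init__(self, vault, tools, ttl_seconds=60):
        self.vault, self.tools, self.ttl = vault, tools, ttl_seconds

    def issue_grant(self, agent, tool):
        # A short-lived, single-tool grant replaces a long-lived credential on disk.
        if agent.revoked or tool not in agent.scopes:
            agent.audit.append((agent.name, tool, "DENIED"))
            return None
        return {"tool": tool, "exp": time.time() + self.ttl}

    def call(self, agent, grant, *args):
        if grant is None or agent.revoked or time.time() > grant["exp"]:
            agent.audit.append((agent.name, grant and grant["tool"], "REJECTED"))
            return "error: no valid grant"
        secret = self.vault[grant["tool"]]            # resolved here, never returned
        raw = self.tools[grant["tool"]](secret, *args)
        agent.audit.append((agent.name, grant["tool"], "OK"))
        return SECRET_RE.sub("[REDACTED]", raw)       # scrub any secret a tool echoes back

def kill_switch(agent):
    agent.revoked = True       # immediately rejects every future grant and call
    agent.scopes.clear()

# Constructed toy tools; the GitHub one carelessly echoes its credential into its output.
def github_tool(secret, repo):
    return f"listed {repo} using {secret}"
def mail_tool(secret, box):
    return f"read {box} (token hash {hashlib.sha256(secret.encode()).hexdigest()[:8]})"
```

Every decision lands in `agent.audit`, which is the record that answers "what did the agent do" after an incident.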
Agentic AI systems could deliver major operational upsides, but deploying them without robust identity and access governance introduces significant security risk. As these systems become more deeply embedded across enterprise environments, organizations must stop treating them as experimental tools and start governing them as part of the digital workforce.
This means managing the full lifecycle of agents, from knowing which agents are deployed and what resources they have access to, to keeping a full audit trail so no one can say, "I don't know what happened. The agent did it."
There's no reason why conventional security wisdom, such as the principle of least privilege, lifecycle management and robust logging, should be thrown out in an agentic age. In fact, it's more relevant than ever.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:
https://www.techradar.com/pro/perspectives-how-to-submit
======================================================================
Link to news story:
https://www.techradar.com/pro/phishing-the-agent-why-ai-guardrails-arent-enough
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)