Over-Privileged AI Agents Are the Next Enterprise Blind Spot

The AI permission gap is becoming a significant blind spot for CISOs, especially as enterprises move from simple chatbots to autonomous agents capable of executing code.

Security teams are starting to realize that they are repeating, with artificial intelligence (AI) agents, the mistakes organizations made during the cloud and SaaS land rush: granting excessive Identity and Access Management (IAM) roles with no way to enforce least privilege.

Over-permissioning matters because agents reach internal systems directly, using whatever credentials they were given. If those credentials are overly broad, a single hijacked or rogue agent can exfiltrate or alter sensitive data at machine speed.

Token Security recently released AI Privilege Guardian, an open-source tool designed to help security teams close the AI permission gap before it becomes entrenched.

Itamar Apelblat, co-founder and CEO of Token Security, argues that we keep treating AI as a new interface rather than a new identity class. With cloud and SaaS, organizations moved fast, over-permissioned everything, and assumed they would clean it up later, which rarely happened.

"With AI agents, the risk is amplified because the 'user' isn't a human making a few deliberate actions a day. It's a goal-driven system that can operate continuously across systems at machine speed with access to business-critical data and processes," he told LinuxInsider.

Open Source, Not a Gated Feature

Apelblat explained that his company released the new security tool as open source because the industry needs a shared baseline for how to think about agent permissions before AI access sprawl becomes entrenched. Permission models for agents are still emerging, and they benefit from real-world input.

"We want the community to contribute new intent templates, better mappings to cloud and SaaS controls, and feedback on what ‘right-sized’ access actually looks like in practice," he noted.

Token also offers an enterprise platform that provides these capabilities and much more to manage AI agents and non-human identities at scale.

Shrinks the Attack Blast Radius

When an AI agent is compromised, the damage can spread far faster than with a stolen human credential. Token Security's AI Privilege Guardian is meant to limit what a hijacked agent can do in the window before defenders are able to react.

A stolen human credential usually limits an attacker to what one person can do in a session. A compromised agent inherits the full authority of an automated workflow, often spanning APIs, cloud control planes, and sensitive data, Apelblat explained.

"In a machine-speed attack, an attacker can hijack an over-privileged agent and trigger destructive or exfiltrating actions, deleting resources, modifying configurations, or pulling data, faster than a human team can detect or respond," he said.

One core feature of the tool is defining what an agent is supposed to do. It translates a high-level intent, such as "cost-optimizer," into granular technical permissions that are tight enough to limit damage but not so restrictive that the agent stops being useful.

"We start with intent and then narrow it to the specific services, resources, environments, and APIs the agent actually needs," Apelblat noted.

From there, the tool generates a least-privilege policy aligned to that purpose and validates it against real usage patterns. The objective isn’t to lock the agent down arbitrarily, but to give it the exact access required to do its job, and nothing more.

Separates Legit Tasks From Privilege Drift

Apelblat further explained that the declared intent becomes the contract. Token's software compares what the agent actually does, based on execution logs and the permissions it exercises, against what it was defined to do.

If new actions appear that aren't justified by the original purpose, they are flagged as drift. Legitimate evolution should come with an updated intent and a review; silent expansion of access is the risk signal.

"Identify agents, understand what they can access, and surface risky or unmanaged permission sets so security teams can bring them under governance instead of shutting them down blindly," he said.

Apelblat explained that least privilege constrains what an AI agent can do, not how it thinks. The model can still reason through complex workflows.

"We’re simply limiting the tools and resources it can act upon. We test and iterate based on observed behavior until the agent can complete its tasks successfully, without carrying unnecessary authority," he said.

The Control Layer IAM Doesn’t Provide

According to Apelblat, traditional IAM and identity governance and administration (IGA) tools are built around humans, logins, sessions, and static roles.

"AI agents don’t behave like that. They’re non-deterministic, autonomous, and act through toolchains and APIs, where the real question is what actions are allowed, not who logged in," he clarified.

What is missing, he added, is an intent-based control layer that can generate, validate, and continuously right-size permissions around an agent’s purpose.

Apelblat identified the biggest red flags in uploaded execution logs as overly broad permissions, wildcards, unused access, and combinations such as full read/write/delete when only read access is required.

"We also see AI agents with unnecessary cross-environment access that lets them move into sensitive systems that they don’t need to be accessing. The tool highlights permissions that were never used, actions outside the stated mission, and access that creates an unnecessary blast radius," he added.
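The three checks described above, turning an intent into a least-privilege policy (the "cost-optimizer" passage), comparing execution logs against the declared intent to flag drift, and surfacing red flags such as wildcards, unused access and destructive rights outside the mission, can be sketched as one audit over an IAM-style policy. The following is an added example written for this page, not Token Security's code and not how AI Privilege Guardian is implemented. The intent template, the action catalog, the granted policy, the resource scope and the CloudTrail-style log events are all constructed, and the event-name-to-IAM-action mapping is a simplification that holds for most but not all AWS APIs.

```python
"""Audit an AI agent's IAM-style policy against its declared intent and execution log.

Added example, not Token Security's code. Every input below is constructed.
"""
import fnmatch
from dataclasses import dataclass

# Hypothetical intent template: what a "cost-optimizer" agent is supposed to do.
INTENT_TEMPLATES = {
    "cost-optimizer": {
        "ce:GetCostAndUsage", "cloudwatch:GetMetricData",
        "ec2:DescribeInstances", "ec2:StopInstances",
    },
}

# Constructed catalog of known actions, used to expand wildcards such as "ec2:*".
ACTION_CATALOG = {
    "ce:GetCostAndUsage", "cloudwatch:GetMetricData",
    "ec2:DescribeInstances", "ec2:StopInstances", "ec2:TerminateInstances",
    "ec2:RunInstances", "ec2:ModifyInstanceAttribute",
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "iam:PassRole",
}

# Verb prefixes that create, change or destroy state (a heuristic, not an IAM property).
MUTATING_VERBS = ("Create", "Delete", "Modify", "Pass", "Put", "Run", "Terminate", "Stop")

# CloudTrail eventSource host and IAM service prefix differ for some services.
SERVICE_PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}


@dataclass
class AuditResult:
    wildcards: list               # wildcard Action/Resource entries in the granted policy
    overbroad: set                # granted but not justified by the intent
    unused: set                   # granted but never attempted in the log
    drift: set                    # attempted in the log but not justified by the intent
    mutating_outside_intent: set  # the drift subset that changes or destroys state
    missing: set                  # needed by the intent but not granted (too restrictive)
    intent_unused: set            # in the intent but never attempted: review candidates
    suggested_policy: dict


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def expand_actions(patterns, catalog=ACTION_CATALOG):
    """Expand IAM-style action wildcards ("ec2:*", "s3:Get*") against the catalog."""
    expanded = set()
    for pattern in _as_list(patterns):
        expanded.update(a for a in catalog if fnmatch.fnmatchcase(a, pattern))
    return expanded


def granted_actions(policy):
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            granted |= expand_actions(stmt["Action"])
    return granted


def find_wildcards(policy):
    """Report every Action or Resource entry containing '*'."""
    flags = []
    for stmt in policy["Statement"]:
        for key in ("Action", "Resource"):
            flags.extend(f"{key}={v}" for v in _as_list(stmt.get(key, [])) if "*" in v)
    return flags


def actions_from_log(events):
    """Map CloudTrail-style events to service:EventName. Denied calls are kept on
    purpose: an agent that keeps attempting an action is a signal either way."""
    used = set()
    for ev in events:
        service = ev["eventSource"].split(".")[0]
        service = SERVICE_PREFIX_OVERRIDES.get(service, service)
        used.add(f"{service}:{ev['eventName']}")
    return used


def suggest_policy(intent, resource_scope):
    """Least-privilege policy: exactly the intent's actions, on the reviewed resources."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": sorted(INTENT_TEMPLATES[intent]),
        "Resource": list(resource_scope),
    }]}


def audit(intent, policy, events, resource_scope):
    intended = INTENT_TEMPLATES[intent]
    granted = granted_actions(policy)
    used = actions_from_log(events)
    drift = used - intended
    return AuditResult(
        wildcards=find_wildcards(policy),
        overbroad=granted - intended,
        unused=granted - used,
        drift=drift,
        mutating_outside_intent={a for a in drift if a.split(":", 1)[1].startswith(MUTATING_VERBS)},
        missing=intended - granted,
        intent_unused=intended - used,
        suggested_policy=suggest_policy(intent, resource_scope),
    )


# Constructed inputs: an over-permissioned policy and a handful of execution-log events.
GRANTED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:*", "ce:GetCostAndUsage", "s3:GetObject", "s3:DeleteObject", "iam:PassRole"],
    "Resource": "*",
}]}
SAMPLE_RESOURCE_SCOPE = ["arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"]
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "ce.amazonaws.com", "eventName": "GetCostAndUsage"},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "GetMetricData", "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},            # outside the intent
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances"},  # destructive drift
]

if __name__ == "__main__":
    result = audit("cost-optimizer", GRANTED_POLICY, SAMPLE_EVENTS, SAMPLE_RESOURCE_SCOPE)
    for name in ("wildcards", "overbroad", "unused", "drift",
                 "mutating_outside_intent", "missing", "intent_unused"):
        print(f"{name:24} {sorted(getattr(result, name))}")
```

On the constructed inputs the audit flags `ec2:*` and `Resource=*` as wildcards, lists `iam:PassRole`, `s3:DeleteObject` and the unused EC2 mutation rights as granted-but-never-used, reports `s3:GetObject` and `ec2:TerminateInstances` as drift (the latter also as destructive), and, in the other direction, shows that `cloudwatch:GetMetricData` is needed by the intent but denied, so the "right-sized" policy is not simply the smallest one. The denied-call handling is deliberate: whether the log records successes only or every attempt changes what "usage" means, and a real drift detector should decide that explicitly.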

Shadow AI Agents Are Spreading Fast

Apelblat agreed that shadow AI agents are appearing in departments without security oversight, and said AI Privilege Guardian also addresses that problem.

"We’re seeing teams spin up agents quickly, often outside formal security review, just like shadow IT in the SaaS era. Discovery is the first challenge," he said.

Token's enterprise platform extends that discovery with centralized governance for agents and other non-human identities, so security teams can manage them without shutting them down reflexively.

"With a tool like the AI Privilege Guardian, agent builders can properly scope access permissions for AI agents from the start to help promote a more formal deployment of enterprise AI," he added.

What Comes Next

Beyond IAM and least privilege, Apelblat sees trustworthy autonomy as the next major unsolved security challenge for the industry. This involves verifying in real time that an agent’s actions are legitimate, traceable, and enforceable.

That calls for stronger runtime controls: high-fidelity auditing of tool use, rapid containment when behavior goes off-script, and instant revocation when something goes wrong.

"Governance has to operate at the same speed as the agents themselves," he concluded.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
