We have quietly stepped past the AI hype and are now watching our way of working change, thanks to AI agents and Claude in particular. The shift was subtle: from chatbots answering questions to agents taking action, actually doing the boring, repetitive parts of our work. That is why organizations are rolling Claude out to their workforces, ushering in the age of the agent workforce, where employees manage agents.
Suddenly it's not just your engineering team using agents. Your finance lead, your marketing manager, and your HR partner are all using agents to execute real work. And almost none of that usage shows up in your security tools.
The forward-looking security teams we work with at Evoke aren't panicked, but they are anxious. They see the security issues coming our way.
Here are three distinct threats with a single root cause: your security stack can't see or control what your agents are doing.
Rogue Agents
A rogue agent is an agent that makes an oopsie. Its intention isn't malicious, but the outcome isn't in your favor. We're seeing this play out loudest with coding agents that delete production resources. The pattern is almost always the same: credentials get left lying around (in environment variables, config files, or a shared shell), the agent picks them up, and now everything those credentials unlock is a tool the agent can use. The more access an agent has, the larger the blast radius of a single mistake.
The agent doesn't intend to cause harm. It's just focused on accomplishing a task. But agents lack common sense. They can't tell right from wrong, and they often lack the specialized context to recognize an edge case or to notice that they are heading down a bad path.
As much as we like to personify them, agents are just predicting the next token. I'm not arguing whether LLMs can actually reason or are providing a basic form of intelligence. What I am saying is that we've handed this technology the ability to plan and execute, and accidents will happen.
The next rogue agent incident looks like this:
An agent connected to a user's email exfiltrates sensitive data because it thought it was being helpful.
An over-permissioned agent troubleshooting a production issue deletes data or modifies infrastructure, taking the business offline.
Neither requires an external attacker or a human-issued command. Just an agent doing its job a little too enthusiastically.
Compromised Credentials
This is the most near-term path to catastrophe that no one is talking about. The industry likes to push prompt injection as the main issue with agents, but that's not the case. The real risk is what happens when an attacker takes control of your Anthropic account and inherits access to everything your agent can reach, which is probably everything.
Credential theft is the most common attacker playbook today. Remember the MGM Resorts cyber incident? The one that had an approximately $100 million negative impact on its Q3 2023 earnings? An attacker socially engineered the help desk, obtained an IT admin's credentials, and got access to every application granted to that user, including Azure. Credentials that lead to the crown jewels can have a nine-figure impact.
Now run that same play in 2026. The attacker compromises an employee's account. That account has access to Claude. Claude is connected to internal apps, internal data, all of it. The attacker doesn't need to pivot or escalate. They have an information superhighway and an agent to drive it.
The easier it is for your employees to do their jobs, the easier it is for an attacker to do theirs.
Supply Chain Attacks
Supply chain attacks have been hitting open-source software all year. The pattern: an attacker compromises a maintainer's account, pushes malicious code, and anyone who pulls the new version gets popped.
That used to be a developer-centric problem. Yet again, agents change the calculus.
Agents write code constantly. They pull packages on the fly. They install dependencies without anyone reviewing them. So now it's not just your developers and your production app pulling that compromised package. It's your sales lead's agent doing data analysis. It's your finance lead's agent grabbing a Python library to wrangle a CSV. Everyone, all at once. How fun.
When an agent downloads a compromised package, the impact is the same as when a developer does. That malicious code executes with whatever permissions the agent runs under, which is usually the employee's own. The most common outcome is a credential stealer that ships every token, key and session cookie it can find off to the attacker.
All because an agent was trying to execute a basic task for one of your employees.
The Forward Looking Security Team’s Playbook
All good security starts with visibility. The dirty secret that your existing big security vendors won't tell you is that they don't have good visibility here. EDR can approximate shadow-AI discovery from process and network telemetry, but it can't see what the agents are doing. CASB can see outbound access, but it doesn't know why an agent is doing something. Your SIEM is getting logs from systems that have no idea an agent is the one acting inside them.
Here's the winning playbook that security teams are bringing in Evoke to deliver:
1. Get visibility. Turn on the lights. Find every agent operating in your environment, what tooling it's using, and what it's connected to. You can't protect what you can't see.
2. Understand the blast radius. Cloud security taught us this, and the same logic applies to agents. Where are those agents over-permissioned? What tools can each agent use? Which toxic tool combinations (read sensitive data plus send email, or read credentials plus run shell commands, for instance) increase the risk? Pare these down to the minimum access needed to do the job. Least privilege isn't new. It's just a principle we haven't applied to agents yet.
3. Enforce secure policies. A policy on a wiki page no one visits isn't a security control. You have to enforce permissions at every tool call and every agent action, scoped to the org, the department, the employee, and the specific agent. Agent security isn't about equality; it's about tailored risk reduction.
4. Monitor runtime activity. This is the EDR concept, tailored for agents. Start with deterministic signals (destructive commands, package installs, data leaving the tenant, deletes in production). Then build a baseline of normal tool use for each agent and alert on deviations. Agents are already going rogue. Attackers will start targeting them next. Now is the time to get the visibility you need.
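What steps 2 through 4 look like as one enforcement point, and how the same gate catches the supply-chain case above (an agent running a package install for a non-engineer): the added example below is not Evoke's product code or anything from the original post. Every name in it is constructed (the "acme" org, the departments, users and agents, the vetted-package list, the tool names and the policy itself) to show the mechanics: permissions are unioned from org down to agent so a narrower scope can grant or revoke a single tool, a few deterministic signals need no history at all, and a per-agent baseline flags a tool the agent has never used before.

```python
"""Gate for agent tool calls: least-privilege policy scoped org -> department ->
user -> agent, deterministic risk signals, and a per-agent baseline.
Added example with constructed names and policy; not Evoke's product code."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ToolCall:
    org: str
    department: str
    user: str
    agent: str
    tool: str    # e.g. "shell", "email.send", "cloud.delete_resource"
    args: dict


# Constructed policy. Scopes are applied broad to narrow, so a narrower
# scope can grant (break-glass) or revoke a tool for one user or one agent.
POLICY = {
    ("org", "acme"): {"allow": {"files.read", "email.read", "calendar.read"}},
    ("department", "engineering"): {"allow": {"shell", "git", "cloud.read"}},
    ("department", "finance"): {"allow": {"spreadsheet.read", "spreadsheet.write"}},
    ("department", "sales"): {"allow": {"email.send"}},
    ("user", "dana"): {"allow": {"cloud.delete_resource"}},   # explicit break-glass grant
    ("agent", "finance-csv-bot"): {"deny": {"email.send"}},
}

DESTRUCTIVE_SHELL = re.compile(r"\b(rm\s+-rf|terraform\s+destroy|kubectl\s+delete|DROP\s+TABLE)\b", re.I)
PACKAGE_INSTALL = re.compile(r"\b(pip3?|npm|yarn|pnpm)\s+(install|add|i)\b")
VETTED_PACKAGES = {"pandas", "numpy", "requests"}   # constructed internal allowlist
INTERNAL_DOMAIN = "@acme.example"
HARD_DENY = ("destructive_command", "unvetted_package:")   # everything else goes to review


def effective_permissions(call):
    """Union the allow sets from org down to agent, applying denies as we go."""
    allowed = set()
    for scope in (("org", call.org), ("department", call.department),
                  ("user", call.user), ("agent", call.agent)):
        rule = POLICY.get(scope, {})
        allowed |= rule.get("allow", set())
        allowed -= rule.get("deny", set())
    return allowed


def deterministic_signals(call):
    """Signals that need no baseline: destructive commands, package installs
    outside the vetted list, mail leaving the tenant, deletes in prod."""
    signals = []
    if call.tool == "shell":
        cmd = call.args.get("cmd", "")
        if DESTRUCTIVE_SHELL.search(cmd):
            signals.append("destructive_command")
        m = PACKAGE_INSTALL.search(cmd)
        if m:
            pkgs = [p.split("==")[0] for p in cmd[m.end():].split() if not p.startswith("-")]
            unknown = sorted(p for p in pkgs if p not in VETTED_PACKAGES)
            if unknown:
                signals.append("unvetted_package:" + ",".join(unknown))
    elif call.tool == "email.send" and not call.args.get("to", "").endswith(INTERNAL_DOMAIN):
        signals.append("external_recipient")
    elif call.tool.startswith("cloud.delete") and call.args.get("env") == "prod":
        signals.append("prod_delete")
    return signals


class AgentBaseline:
    """Remembers which tools each agent normally calls and flags deviations."""

    def __init__(self, min_samples=5, window=50, burst_limit=10):
        self.min_samples, self.window, self.burst_limit = min_samples, window, burst_limit
        self.recent = defaultdict(list)   # agent -> most recent tool names

    def deviations(self, call):
        recent = self.recent[call.agent]
        flags = []
        if len(recent) >= self.min_samples and call.tool not in recent:
            flags.append("novel_tool")           # never seen from this agent before
        if recent.count(call.tool) >= self.burst_limit:
            flags.append("burst")                # same tool hammered inside the window
        return flags

    def observe(self, call):
        recent = self.recent[call.agent]
        recent.append(call.tool)
        del recent[:-self.window]                # keep only the trailing window


def gate(call, baseline):
    """Return ("allow"|"review"|"deny", signals). Only allowed calls feed the
    baseline, so a held or denied action never becomes 'normal'."""
    if call.tool not in effective_permissions(call):
        return "deny", ["not_permitted"]
    signals = deterministic_signals(call) + baseline.deviations(call)
    if any(s.startswith(HARD_DENY) for s in signals):
        return "deny", signals
    if signals:
        return "review", signals                 # hold for a human approver
    baseline.observe(call)
    return "allow", signals


if __name__ == "__main__":
    b = AgentBaseline()
    print(gate(ToolCall("acme", "engineering", "dana", "dev-bot", "shell",
                        {"cmd": "pip install pandas evilpkg==1.0"}), b))
```

Two design choices are worth calling out. The finance agent's `pip install` is refused before any package name is inspected, because `shell` simply isn't in that department's allow set; the engineering agent gets the same command through only when every package is on the vetted list. And held or denied calls are never fed into the baseline, otherwise an attacker driving a compromised account could teach the baseline that the new behaviour is normal by repeating it.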
The Cost of Guessing
This is why we built Evoke. If you don't have visibility, controls, and runtime monitoring in place, you'll be left guessing what happened. And that's the worst position you can be in. It's a state I spent a decade of incident response trying to avoid. If you're guessing at root cause, you can't fix it. You can't properly contain it. You can't tell your leadership team what happened with any confidence.
The next breach will involve an agent. It doesn't have to be yours.
If you’re a forward-looking security team that wants to get ahead of the risk, let’s chat.