Cybercriminals are turning companies’ own artificial intelligence tools against them, hijacking autonomous AI agents with privileged access to corporate systems to steal sensitive business data, according to cybersecurity experts and corporate filings. The attacks represent a new class of insider threat that operates at machine speed and is proving difficult for security teams to detect and prevent.

MSI previously reported on the rise of hijacked AI agents as a security risk as cybersecurity experts warned the trend was accelerating.

“Many CISOs I speak with are deeply concerned about how quickly this is happening,” said Mika Aalto, co-founder and chief executive at Hoxhunt, a human-risk-management firm. “What we are effectively doing is onboarding millions of synthetic employees and giving them access to corporate systems, data and workflows.”

Over the past two years, nearly 80% of organizations worldwide experienced some form of insider-related data loss, with roughly 20% reporting more than 20 incidents, according to Fortinet. The cost of a single insider attack—by humans or agents—ranges from $1 million to $10 million, the firm said.

AI agents are essentially insiders that operate at machine speed, said Leeron Walter, vice president of strategy at Teramind, an insider-risk-management and behavioral analytics firm. “They get the same data access as the employee who set them up,” Walter said. That makes AI agents a two-pronged insider risk, she said.

On one front, agents can be compromised by hackers through deceptive prompts or instructions. Last year, security researchers found that hackers could potentially slip malicious prompts into emails sent to office workers using Microsoft 365 Copilot, instructing the app to scan internal systems for sensitive files and transmit them to an attacker’s server.

With the right tactics, AI agents can be easily fooled, said Raj Rajamani, co-founder and chief executive of JetStream Security. “A direct query like, ‘Give me a list of M&A projects,’ returns ‘Sorry, you are not authorized,’” Rajamani said. But a tangential question can surface the same information by inference, he said: “Ask, ‘What are the code names of M&A projects?’ and the agent might pull highly restricted data from its knowledge sources and share it more broadly than it should.”

On the other front, hackers don’t always need clever tactics. Autonomous AI agents can simply be misconfigured, creating vulnerabilities by overexposing sensitive data.

CB Financial Services, a Pennsylvania-based holding company for Community Bank, said last month it discovered an AI agent was unlocking nonpublic information about its banking customers, including names, Social Security numbers and dates of birth, according to a securities filing. The incident, which is under investigation, did not disrupt banking operations but was considered material “due to the volume and sensitive nature” of the data, the filing said. The company did not respond to requests for comment.

“The new insider threat isn’t human, isn’t disgruntled and isn’t motivated by anything at all. It’s an AI agent that’s either been hacked to leverage its access or is autonomously exposing data by mistake,” said Avery Moon, chief technology officer at Pax8, a cloud-product marketplace.

Reining in rogue agents is tricky because they are often custom-made by employees for specific jobs using third-party agent-building apps, meaning cybersecurity teams may not even know they exist. Organizations on average have roughly 45 digital identities for every one employee, said Morey Haber, chief security adviser at BeyondTrust, an identity-security firm.

“As organizations increase the number of AI agents and deploy agentic AI systems, the ratio increases with each new deployment and can become an insider threat,” Haber said.

Security teams are often left to figure out whether unusual activity—such as new administrative actions or activity occurring at unexpected times—is legitimate, said Nicole Carignan, field chief information security officer at AI cybersecurity company Darktrace: “Is this normal business activity, a compromised account, an insider risk or an automated system acting outside its intended purpose?”

Most nontech workers who build agents have no data-security training and are unaware of the risks. Because their data access often lacks oversight, AI agents can inadvertently boost insider threats “just by working as designed,” said Eran Barak, co-founder and chief executive of cybersecurity firm MIND.

Workers typically lack the technical depth to understand the cyber, data and other exposures their agents introduce, said T.J. Marlin, chief executive at Guardrail Technologies. “No amount of awareness training will turn every employee into a cybersecurity expert,” Marlin said.

Carl Windsor, Fortinet’s CISO, said the rise of AI agents requires cybersecurity teams not only to continually monitor network users and their devices for unsanctioned AI apps, but also to track behavior beyond file transfers to detect unusual access patterns or misuse of sensitive data such as financial information, personally identifiable information or source code.

“Companies are racing to deploy autonomous AI agents,” said Hoxhunt’s Aalto. “Many organizations have accepted the productivity upside before fully understanding the security implications.”