Jack Cherkas, CISO at Syntax, says AI agents will be the biggest insider threat if companies do not put identity controls in place. Wendi Whitmore at Palo Alto Networks calls AI agents "the new insider threat" without qualification. And Security Boulevard just published a piece documenting how a single compromised AI coding assistant nearly wiped an organization's entire AWS infrastructure — EC2 instances, S3 buckets, IAM users — all because the agent had inherited its human's permissions.
The Amazon Q VS Code incident from July 2025 is the one that should keep you up at night. A malicious pull request got into the extension. The AI assistant — trusted, embedded, operating with the developer's full credentials — was told to delete everything. And it tried.
The Permission Inheritance Problem
Here is what every enterprise deploying AI agents is doing right now: giving agents the same credentials their human operators have.
An RPA bot that processes invoices gets admin rights because it needs to log into multiple systems. An AI coding assistant gets the developer's cloud keys because it needs to deploy. A customer service agent gets database access because it needs to look up records.
None of these agents have their own identity. They are ghosts operating through borrowed credentials. When one gets compromised, the blast radius is whatever its human could do — which is usually everything.
Token Security's Itamar Apelblat put it precisely: "AI agents should not inherit the full permissions of the humans who create them. When they do, organizations lose visibility and control over what those systems can access and execute."
Intent Is Not Identity
Token Security just launched intent-based AI agent security — understanding what an agent is designed to do and constraining it to that purpose. This is a real step forward. But intent without identity is half the solution.
Intent-based security answers: "Is this agent doing what it should?"
It does not answer: "Is this agent who it claims to be?"
A compromised agent has the same declared intent as the legitimate one. The Amazon Q attack worked precisely because the malicious code operated through a trusted identity — the extension itself. Intent inspection would not have caught it because the channel was trusted.
What Cryptographic Identity Adds
When every agent has its own Ed25519 keypair and a verifiable identity chain:
The agent is distinguishable from its human. A compromised agent's actions are traceable to the agent, not the developer. Credential rotation happens at the agent level, not the human level.
Behavioral trust scoring detects drift. An agent that suddenly starts deleting infrastructure when it normally reads logs triggers an alert — not based on permission boundaries, but on behavioral deviation from its established pattern.
Delegation chains enforce scope narrowing. A human delegates "read" and "deploy" to their agent. The agent cannot subdelegate "delete" because it was never granted. This is enforced cryptographically, not by policy configuration.
Cross-system identity is portable. The same agent identity works across cloud providers, CI/CD pipelines, and SaaS tools. No more per-system service accounts with no owner.
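The scope-narrowing rule for delegation chains described above, as an added Go example that is not AIP's own code. The `Link` layout and the `payload`, `Delegate` and `VerifyChain` names are assumptions made for illustration; only the standard library's Ed25519 is used.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Link is one hop: Issuer grants Scopes to Subject (constructed layout, not AIP's format).
type Link struct {
	Issuer, Subject ed25519.PublicKey
	Scopes          []string
	Sig             []byte
}

// payload is the byte string the issuer signs; %q keeps scope names unambiguous.
func payload(l Link) []byte { return []byte(fmt.Sprintf("%x|%x|%q", l.Issuer, l.Subject, l.Scopes)) }

// Delegate returns a link signed with the issuer's private key.
func Delegate(priv ed25519.PrivateKey, subject ed25519.PublicKey, scopes ...string) Link {
	l := Link{Issuer: priv.Public().(ed25519.PublicKey), Subject: subject, Scopes: scopes}
	l.Sig = ed25519.Sign(priv, payload(l))
	return l
}

// VerifyChain walks from the trusted root key and returns the final subject's scopes.
func VerifyChain(root ed25519.PublicKey, chain []Link) (map[string]bool, error) {
	holder, held := root, map[string]bool(nil)
	for i, l := range chain {
		if len(l.Issuer) != ed25519.PublicKeySize || !holder.Equal(l.Issuer) ||
			!ed25519.Verify(l.Issuer, payload(l), l.Sig) {
			return nil, fmt.Errorf("link %d: not signed by the current holder", i)
		}
		next := map[string]bool{}
		for _, s := range l.Scopes {
			if i > 0 && !held[s] { // only the root may introduce a scope
				return nil, fmt.Errorf("link %d: scope %q was never granted", i, s)
			}
			next[s] = true
		}
		holder, held = l.Subject, next
	}
	return held, nil
}

func main() {
	root, human, _ := ed25519.GenerateKey(nil)
	agentPub, agent, _ := ed25519.GenerateKey(nil)
	chain := []Link{Delegate(human, agentPub, "read", "deploy"), Delegate(agent, agentPub, "delete")}
	fmt.Println(VerifyChain(root, chain)) // rejected: the agent never held "delete"
}
```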
The Insider Threat That Proves Itself Safe
The traditional insider threat model assumes you cannot trust insiders. The agent insider threat is worse: you cannot even identify insiders. Every agent looks the same — an API call with a bearer token.
Cryptographic identity flips this. Every action is signed. Every delegation is scoped and auditable. Every trust relationship is earned through verified behavior over time.
Three CISOs are telling us AI agents are the next insider threat. They are right. The question is whether we solve it with better guardrails around borrowed human identities — or give agents their own identity and make them accountable.
We are building AIP — open-source cryptographic identity for AI agents. Ed25519 signatures, delegation chains, behavioral trust scoring, cross-protocol interop. and your agent gets its own provable identity in one command.