AI agents are talking to each other, and your security team is blind to it

4 May 2026 | Brett Alegre-Wood | 7 min read
Tags: Agentic AI Security, AI Governance, AI Agent Trust Chains, Shadow AI Risk, Gartner 2026 AI Predictions, Cybersecurity

TL;DR

AI agents are no longer just generating text on demand. They are executing actions, building transient trust chains with other agents, and sharing data completely outside your security team's line of sight. Gartner predicts 40% of enterprise applications will include task-specific AI agents by end of 2026, up from less than 5% just twelve months ago. The governance frameworks most businesses have built were designed for human-directed AI, not for autonomous agent networks forming and dissolving connections at runtime. If you cannot see the full interaction graph of every agent operating in your environment, you cannot secure your business.

What exactly is an AI agent, and why does it matter more than a chatbot?

The era of the generative AI chatbot was about productivity. You type a prompt. You get an answer. A human being is in the loop at every step.

An AI agent is fundamentally different. It does not wait for instructions. It executes actions.

A single agent can read your emails, draft a response, log into your CRM, update a client record, ping your accounting software to generate an invoice, and send a Slack message to your sales team to confirm the deal is closed, all without a single human ever clicking a button.

This is the threshold we have already crossed. The era of agentic AI is not coming. It is here.

How fast is agentic AI spreading across enterprise?

According to Gartner, 40% of all enterprise applications will include task-specific AI agents by the end of 2026. That number was less than 5% just twelve months ago.

That is not a trend. That is an explosion.

The fastest-growing category of data sharing in your entire business is also the one with the absolute least visibility.

What is the agent-to-agent trust chain problem?

In the old world of software, trust was explicit. An IT administrator manually approved every connection between systems. A human being clicked a consent screen, generated an API key, and established a persistent, auditable link. If something went wrong, your security team could pull the logs, find the API key, and revoke access.

Agent-to-agent interactions do not work like this.

When one AI agent decides it needs information from another to complete a task, the trust relationship is formed dynamically, at runtime. It exists only for the milliseconds it takes to transfer the data, and then it disappears entirely.

  • No consent screen
  • No persistent token
  • No human oversight
  • No log entry capturing what data was shared

The Cloud Security Alliance has identified these invisible chains of trust as the core security problem of the agentic era. Your identity access management tools were built to monitor human beings logging into cloud services from laptops. They were not built to observe transient, runtime interactions between autonomous algorithms operating across multiple SaaS platforms simultaneously.

What happens when one of those agents is compromised?

In a traditional cyberattack, a hacker steals a password, logs in, and then has to actively escalate privileges to reach sensitive data. That lateral movement usually triggers alarms: a marketing intern trying to download the payroll database at 3:00 AM on a Sunday looks suspicious to your security software.

When an AI agent is compromised, through a malicious prompt injection, a poisoned data source, or a compromised server connection, the attack looks entirely different.

The compromised agent does not need to hack anything. It simply continues doing exactly what you programmed it to do: passing context, calling other tools, handing off data to the next agent in the chain. Except now the context it is passing is controlled by the attacker.

Because the agent is operating within its normal behavioural parameters, it generates absolutely no detectable anomaly. To your security software, it looks like business as usual.

The blast radius of that single compromised agent instantly extends to every other agent, tool, and database it touches. And because you have no visibility into those transient trust chains, you have no way of knowing how far the infection has spread until the data is already gone.

Is this a theoretical risk, or is it happening right now?

It is happening right now, at scale.

Cybersecurity firm RPost has detected over 11,500 businesses currently under active surveillance by cybercriminals using AI-driven reconnaissance tools. These attackers are using artificial intelligence to map corporate networks, identify vulnerable agents, and prepare for highly targeted, automated strikes. They are actively targeting over $5.5 billion in financial transactions.

SailPoint, the identity security firm, is blunt: AI agents are "the next foundation of identities we need to manage." Their research found that 40% of weekly security incidents flagged by enterprise systems are already false positives, meaning your security team is drowning in noise. Now layer on an entirely new category of non-human identities that your existing tools were never designed to track.

Shadow AI compounds the risk further. Your marketing team might be using a free agent they found online to scrape competitor pricing data. That agent might be perfectly safe. But if it connects to another agent with read-only access to your customer database, and that second agent connects to a third with permission to post publicly to your company's Twitter account, you have just created a catastrophic data exposure vector out of three individually harmless permissions.

Security experts call this a "toxic combination."

Where do Australian and Singaporean businesses actually stand?

The KPMG AI Pulse survey found a critical paradox in Australia. Australian businesses are global leaders in AI governance and risk management frameworks: they have the policies, committees, and compliance documentation. But only 8% of Australian organisations have progressed to the orchestration stage, where multiple AI agents work together autonomously.

That means 92% of Australian businesses have not yet confronted the agent-to-agent security challenge at scale. The governance frameworks they have built are designed for a world of human-directed AI, not for autonomous agents forming and dissolving trust relationships faster than any human can monitor.

In Singapore, the Monetary Authority's Phase 2 MindForge toolkit, developed by 24 financial institutions, is one of the most advanced agentic AI risk frameworks in the world. But even Singapore's responsible AI maturity score sits at just 2.5 out of 4.0. The governance infrastructure is being built, but it is not keeping pace with the speed of agent deployment.

Does governance mean banning AI agents?

No. And attempting to ban them would be catastrophic for your competitiveness.

A Deloitte report found that 66% of early adopters are already seeing significant efficiency and productivity gains from agentic AI. Over half are achieving enhanced decision-making capabilities, and 20% are directly growing their revenue through autonomous AI initiatives.

The businesses that deploy agents safely will obliterate the competition. The businesses that try to ban them will be out-innovated and out-priced into irrelevance. The businesses that deploy them recklessly will be destroyed by a data breach they never even saw coming.

"Governance and trust must precede orchestration and scale." (Bain & Company)

Governance is no longer an administrative checkbox. It is the most critical security function in your entire organisation.

How urgently does this need to be addressed?

The UK government's emergency open letter to business leaders was not a suggestion. It was a warning.

Frontier AI model capabilities are now doubling every four months. The agents you deploy today will be exponentially more powerful, and exponentially more dangerous if ungoverned, by Christmas. The window to build your governance architecture before the agents outpace your ability to control them is closing rapidly.

What to do this week

Ask your IT and security leaders these three questions today. If the answer to any of them is no, you are operating blind in the most dangerous cybersecurity environment in history.

1. Do we have a complete, real-time inventory of every AI agent operating in our network, including shadow AI tools our staff have deployed themselves?

Most businesses do not. Start with a full audit of every SaaS tool, browser extension, and automation workflow in use across your organisation.

2. Can we see the full interaction graph of what those agents are connecting to, what data they are sharing, and what the composite permissions of those trust chains look like?

If your identity access management tools cannot show you non-human identity flows, they are not fit for purpose in 2026.

3. If an autonomous agent begins behaving maliciously, do we have the technical capability to instantly sever its connections to every other tool in our stack before the data leaves the building?

This is not a theoretical fail-safe. It is table stakes for any organisation deploying agentic AI at scale.
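The composite-permission check that question 2 asks for, applied to the three-agent "toxic combination" scenario described earlier, as an added example (not code from the original article). The agent names, permission labels, observed hand-offs and the toxic-combination policy are all constructed assumptions; a real inventory would come from your own agent and SaaS audit.

```python
from collections import deque

# Constructed sample inventory (hypothetical names): agent -> own permissions.
AGENT_PERMS = {
    "pricing-scraper": {"web:read"},
    "crm-helper": {"customer_db:read"},
    "social-poster": {"public:post"},
    "invoice-bot": {"accounting:write"},
}
# Constructed sample of observed agent-to-agent hand-offs (caller, callee).
EDGES = [("pricing-scraper", "crm-helper"), ("crm-helper", "social-poster")]
# Assumed policy: permission sets that must never be reachable in one chain.
TOXIC = [frozenset({"customer_db:read", "public:post"})]


def reachable(start, edges):
    """Agents reachable from `start`, itself included (breadth-first)."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def composite_perms(start, edges=EDGES, perms=AGENT_PERMS):
    """Union of permissions held anywhere along chains starting at `start`."""
    return set().union(*(perms.get(a, set()) for a in reachable(start, edges)))


def toxic_findings(edges=EDGES, perms=AGENT_PERMS, toxic=TOXIC):
    """Entry agent -> toxic combos exposed only through chaining."""
    findings = {}
    for agent, own in perms.items():
        total = composite_perms(agent, edges, perms)
        hits = [c for c in toxic if c <= total and not c <= own]
        if hits:
            findings[agent] = hits
    return findings


if __name__ == "__main__":
    for agent, combos in toxic_findings().items():
        print(agent, "->", [sorted(c) for c in combos])
```

`reachable()` doubles as the blast radius of a compromised agent, and re-running `toxic_findings()` with an edge removed shows whether severing that one connection clears the finding.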

Follow the Bain & Company principle: governance and trust before orchestration and scale. Map your agents. Define their permissions explicitly. Build the kill-switch architecture before you need it.

The question is not whether AI agents will transform your industry. The question is whether you will govern that transformation, or whether that transformation will govern you.

Live with passion & AI,

Brett

Frequently asked questions

What is an agentic AI system?

An agentic AI system executes actions autonomously, reading emails, updating databases, triggering software integrations, without a human clicking a button. Unlike chatbots that respond to prompts, agents operate continuously across your technology stack without human intervention at each step.

Why can't existing security tools detect agent-to-agent data sharing?

Traditional identity and access management tools were built to monitor human beings logging into systems from laptops. Agent-to-agent trust relationships form dynamically at runtime, exist for milliseconds, and leave no persistent token or log entry, making them invisible to conventional security software.

What is a 'toxic combination' in AI agent security?

A toxic combination occurs when individually harmless agent permissions create a catastrophic composite risk when chained together. An agent with read access to your customer database connected to another with permission to post publicly creates a major data exposure vector, even though neither permission seems dangerous in isolation.

How many Australian businesses are running multiple AI agents autonomously?

According to the KPMG AI Pulse survey, only 8% of Australian organisations have reached the orchestration stage where multiple AI agents work together autonomously. The remaining 92% have not yet confronted the agent-to-agent security challenge at scale.

What does Gartner predict for AI agent adoption by end of 2026?

Gartner predicts that 40% of all enterprise applications will include task-specific AI agents by the end of 2026, up from less than 5% just twelve months earlier.

What is shadow AI and why is it a security risk?

Shadow AI refers to unsanctioned AI tools deployed by employees without IT approval. When these tools connect to other agents that have access to sensitive company data or external channels, they create unmonitored data exposure vectors that security teams cannot see or control.

What were RPost's findings on AI-driven cyberattacks?

Cybersecurity firm RPost detected over 11,500 businesses currently under active surveillance by cybercriminals using AI-driven reconnaissance tools, with those attackers targeting over $5.5 billion in financial transactions.

About the author
Brett Alegre-Wood

Brett is a four-time founder (Darra Tyres, Gladfish, EzyTrac, Anaboo) and the operator behind AIOS, Anaboo's AI Operating System. He writes from inside the build, installing AI in his own businesses first and reporting back what actually moves the numbers. Based between Singapore, the UK and Australia.
