There is a new employee in your organisation that has access to your customer database, your financial records, your contracts, and your email. It works around the clock, never takes holidays, and costs almost nothing to deploy. Most concerning of all, nobody in your security team knows it exists. This phantom worker is an AI agent, and according to Microsoft's Cyber Pulse report, more than 80% of Fortune 500 companies now deploy such agents using low-code or no-code platforms.
AI agents are autonomous software systems designed to perform complex tasks by accessing and processing data across multiple enterprise systems. According to reporting from Kiteworks, these digital workers can connect to everything from CRM platforms to financial databases, often requiring broad system permissions to function effectively.
Key Facts:
- Over 80% of Fortune 500 companies deploy AI agents through low-code platforms
- Business teams regularly bypass IT governance when implementing AI solutions
- AI agents typically require extensive data access permissions to perform their functions
- Most organisations lack visibility into their shadow AI deployment landscape
How Shadow AI Bypasses Traditional Access Controls
The appeal of low-code AI platforms lies in their accessibility to non-technical teams. Marketing departments deploy chatbots that access customer databases. Finance teams create automated reporting agents that pull from accounting systems. HR departments build screening tools that process employee records. Each deployment follows the path of least resistance, sidestepping established IT governance processes that would normally scrutinise such broad data access requirements. These platforms often present themselves as simple productivity tools, masking the extensive system permissions they actually require.
Why Traditional Security Measures Miss AI Agent Risks
Traditional access management assumes human users with predictable behaviour patterns. AI agents operate differently, making thousands of data queries per day across multiple systems in patterns that don't match normal user behaviour. They often require service account privileges that persist indefinitely, creating permanent pathways into sensitive systems. Security teams accustomed to monitoring human access patterns may not recognise the data flows these agents generate, particularly when they're deployed through platforms that abstract away the underlying database connections and API calls.
What Boards Should Demand From Their AI Governance
Executive teams must recognise that AI agents represent a fundamental shift in how data flows through their organisations. The recent AI agent security breach at McKinsey demonstrates how quickly these systems can become attack vectors when improperly secured. Directors should demand comprehensive AI asset inventories that include all automated systems, regardless of how they were deployed. This inventory must map exactly what data each agent can access and why such access is necessary. Additionally, boards should ensure that AI governance frameworks specifically address the unique risks posed by autonomous systems that don't follow traditional user access patterns.
Related Reading
Grammarly Sued for Stealing Journalist Identities Without Consent โ Julia Angwin's class-action lawsuit against Grammarly reveals how AI companies are appropriating professional identities
China Bans OpenClaw AI at Banks and Government Agencies โ Chinese authorities ban OpenClaw AI citing security risks, whilst UK organisations eagerly adopt similar autonomous agen
Zero-Click Excel Bug Turns Copilot Into Corporate Data Thief โ CVE-2026-26144 allows attackers to exploit Microsoft 365 Copilot through malicious Excel files, turning AI assistance in
Strengthen your organisation's security posture