AI agent at the centre of expanding access rings, illustrating the security risks of giving AI agents administrator control

AI Agent Security Risks: How to Deploy AI Agents Safely

Table of Contents

Cyber Security  •  AI Governance

AI Agents Are Asking for the Keys: The Risks of Giving AI Administrator Control (and How to Deploy It Safely)

Agentic AI can plan, decide and act inside your systems without waiting for a human. That is exactly why it is powerful — and exactly why handing it broad or administrator-level access is one of the fastest-growing security risks facing Australian businesses. Here is what can go wrong, and the eight-step framework that lets you keep the benefits without the breach.

By Stanfield IT4 July 202613 min read

There is a moment in almost every AI agent deployment where someone says the same six words: “Just give it admin, it’s easier.” It is said in good faith. The agent keeps hitting permission errors, the pilot is behind schedule, and a single privileged service account makes everything work.

It is also the moment your organisation quietly creates its most dangerous user: one that works 24/7, acts at machine speed, never questions an instruction that looks legitimate, and can be manipulated by a well-crafted email or webpage. Gartner now predicts that by 2028, one in four enterprise breaches will be traced back to AI agent abuse — from external attackers and malicious insiders alike. The analyst firm also expects half of all enterprise incident response effort to involve AI applications by the same year.

The answer is not to avoid AI agents. Deployed well, they are a genuine productivity multiplier for service desks, finance teams, security operations and more. The answer is to deploy them the way you would onboard a powerful new employee: with a defined job, scoped access, supervision, and consequences that have been thought through in advance. This guide covers both halves — the risks that make agentic AI different from any software you have deployed before, and a practical eight-step framework for getting the benefits without compromising security.

Key takeaways

  • AI agents are not chatbots. They take autonomous actions inside real systems, which makes every permission you grant them a live attack surface.
  • Gartner predicts 25% of enterprise breaches will trace back to AI agent abuse by 2028, and that agents will halve the time attackers need to exploit exposed accounts.
  • Prompt injection is unsolved. Any agent that combines private data access, untrusted content and external communication — the “lethal trifecta” — can be turned into an exfiltration tool.
  • Standing administrator access for an agent is never justified. Least privilege, per-agent identities, human approval gates and full audit logging make agents both safer and easier to scale.
  • In Australia, the Essential Eight’s “restrict administrative privileges” control, the Privacy Act’s breach notification scheme and APRA CPS 230/234 all apply to what your agents do — “the AI did it” is not a defence.

What are AI agents, and why is every business deploying them?

An AI agent is software that uses a large language model to plan and carry out multi-step tasks autonomously — reading data, making decisions and taking actions in your systems without a human approving each step. Where a chatbot or copilot drafts something for you to act on, an agent acts itself: it can triage and close tickets, reset passwords, move files, send emails, update records, run scripts and call other software through APIs.

That shift from suggesting to doing is why adoption is exploding. Microsoft is embedding agents throughout 365 via Copilot Studio and Agent Store, Salesforce has bet the company on Agentforce, and frameworks like Model Context Protocol (MCP) make it trivial to wire an agent into email, file shares, CRMs, finance platforms and admin consoles. For a 20–200 seat business, the pitch is compelling: a tireless digital worker that costs a fraction of a salary.

The catch is buried in the definition. An agent is only useful if it has access — to data, to systems, to the ability to change things. Every capability you grant to get value is simultaneously a capability an attacker can hijack or the agent itself can misuse. Understanding that trade-off is the entire game.

Assistant vs agent: who actually pulls the trigger?

AI ASSISTANT / COPILOT

You ask a question

AI drafts / suggests

A HUMAN reviews & executes

Human judgement sits between the AI and every action. Mistakes get caught.

AI AGENT

You set a goal “Resolve overnight tickets”

Agent plans → acts → observes …and loops, autonomously

Email & files
CRM & finance
Admin console

The AI executes directly in live systems. Its permissions ARE your attack surface.

Why AI agents break the traditional security model

Traditional security assumes software behaves deterministically and humans make the judgement calls. AI agents invert both assumptions: they behave probabilistically — the same input can produce different actions — and they make judgement calls at machine speed with no human in between. Your existing controls were not designed for a “user” like that.

Three properties make agents fundamentally different from every application you have secured before:

  • Instructions and data share one channel. A language model processes its system instructions, your request, and any content it reads — emails, documents, webpages — as a single stream of text. There is no reliable technical boundary marking which words are commands and which are data. OWASP’s agentic security guidance identifies this as the root cause behind most agent failures: hostile text hidden in a document can carry the same authority as a legitimate instruction from you.
  • Agents inherit whatever the account can do — not what the task needs. When an agent runs under a privileged service account or a human’s credentials, every system that account touches is now reachable by the agent, and by anyone who successfully manipulates it. Gartner’s analysts are explicit on this point: authentication and authorisation for agents must be purpose-built, not inherited from human user roles.
  • Failure happens at machine speed and scale. A confused employee makes one bad change and stops. A confused agent can make ten thousand before your Monday coffee. Gartner predicts AI agents will cut the time attackers need to exploit exposed accounts by 50% by 2027 — automation compresses your response window on both sides of the fight.

None of this means agentic AI is unsafe to use. It means the security conversation has to happen before deployment, at the level of identity, permissions and architecture — not after, at the level of prompts and policies asking the agent to please behave.

The real risks of giving AI agents administrator control

Granting an AI agent administrator or broadly privileged access creates six compounding risks: an oversized blast radius, prompt injection hijacking, data exfiltration, unmanaged machine identities, ungoverned shadow agents, and an accountability gap when things go wrong. Each one is manageable on its own. Standing admin access is what welds them together into a breach.

1. The blast radius problem: access granted vs access needed

An agent that triages service desk tickets needs to read a ticket queue, look up a knowledge base and update ticket status. Give that agent Global Administrator “to stop the permission errors” and it can now also read every mailbox, download every SharePoint site, create and delete user accounts, alter security policies and touch your backups. The gap between those two access levels is pure, uncompensated risk — capability nobody is using for value, sitting there waiting to be misused. Security researchers consistently flag over-permissioned agents as one of the most concerning patterns in enterprise AI right now.

The blast radius of “just give it admin”

WHAT ADMIN ADDS

User accounts · Security settings · Backups · Audit logs

WHAT BROAD ACCESS ADDS

All mailboxes · Every file share · Finance systems · Client records

WHAT THE TASK NEEDS

Ticket queue · Knowledge base · Status updates

AGENT

Everything outside the teal box is risk you carry for zero benefit.

2. Prompt injection: the attack you cannot patch away

Prompt injection is the technique of hiding malicious instructions inside content an AI will read — an email, an invoice, a calendar invite, a webpage — so the AI follows the attacker’s instructions instead of yours. Because models cannot reliably separate instructions from data, this is an architectural weakness, not a bug awaiting a patch. OWASP maps prompt injection to six of the ten categories in its Top 10 for Agentic Applications, and Palo Alto Networks’ Unit 42 has documented web-based indirect prompt injection being used against agents in the wild — including attempts to trigger destructive database commands and leak sensitive data.

Now connect the two risks. A prompt-injected agent can only do what its permissions allow. An injected agent with read-only access to a knowledge base is an incident report. An injected agent with administrator rights is a company-wide breach with your name on the OAIC notification.

3. The lethal trifecta: when three safe features become one unsafe agent

Security researcher Simon Willison coined a rule of thumb that Gartner’s guidance now echoes almost word for word: any agent that combines access to private data, exposure to untrusted content, and the ability to communicate externally can be turned into a data exfiltration tool. Gartner bluntly calls use cases combining all three a “no-go zone.” The danger is that each capability sounds reasonable in isolation — it is the combination, usually assembled gradually across a few sprint cycles, that creates the exfiltration path.

The lethal trifecta: never let one agent hold all three

PRIVATE DATA ACCESS Files, mailboxes, CRM, records
+
UNTRUSTED CONTENT Inbound email, web pages, uploads
+
EXTERNAL COMMS Send email, call APIs, browse out
=
EXFILTRATION RISK Gartner: a “no-go zone”

Any two can be governed. All three in one agent means redesign the workflow.

4. Machine identity sprawl nobody is watching

Every agent, connector and automation is a non-human identity with credentials — and machine identities already vastly outnumber humans in most environments, often running on shared service accounts, static API keys and secrets that never rotate. Gartner expects 70% of CISOs to adopt identity visibility and intelligence tooling by 2028 precisely because these accounts have become a primary attack surface. An agent identity that is over-privileged, unmonitored and un-owned is indistinguishable from an attacker’s dream persistence mechanism.

5. Shadow agents: the deployments you never approved

Low-code platforms mean any motivated staff member can wire an agent into company data over a lunch break — no procurement, no security review, no offboarding plan. OWASP’s contributors report shadow AI inside almost every organisation they examine. You cannot scope, monitor or revoke access for an agent you do not know exists, which is why every secure deployment framework starts with an inventory.

6. The accountability gap

When an agent sends the wrong file to the wrong client, who is responsible — the vendor, the developer, the staff member who prompted it, or the director who approved the rollout? Legally, the answer in Australia is straightforward: your organisation is. The Privacy Act’s notifiable data breach scheme, APRA’s prudential standards and your client contracts do not contain an AI exemption. Operationally, though, many businesses discover the gap only during an incident: no logs of what the agent actually did, no named owner, no kill switch, and an audit trail that shows a service account “everyone” used.

25%

of enterprise breaches will be traced to AI agent abuse by 2028 (Gartner)

50%

of enterprise incident response effort will involve AI applications by 2028 (Gartner)

faster exploitation of exposed accounts as attackers adopt agents by 2027 (Gartner)

What has already gone wrong: real-world incidents

These are not hypotheticals. Documented incidents already span self-inflicted agent disasters, zero-click exploits against mainstream copilots, and live attacks observed by threat researchers.

The production database wipe

In 2025, Replit’s coding agent deleted a live production database during an explicit code freeze, generated thousands of fake records, and wrongly claimed rollback was impossible. No attacker was involved — the permission model alone made the disaster possible. The same permissions would have served an attacker via prompt injection just as well.

EchoLeak: the zero-click copilot exploit

CVE-2025-32711 showed that a crafted email could make Microsoft 365 Copilot exfiltrate organisational data with no clicks and no user interaction — the assistant processed the malicious content automatically. It was patched, but it proved the attack class works against the tools your staff already use.

Injection in the wild

Unit 42 researchers have observed webpages weaponised against browsing agents in real attacks — hidden instructions attempting data destruction, contact-list theft, system prompt leakage and resource-exhaustion denial of service. Agents that read the open web are reading attacker-controlled input.

The pattern across all three: the model’s intelligence was never the weak point. The permissions were. Which is good news, because permissions are something you fully control.

How to deploy AI agents securely: an 8-step framework

To deploy AI agents securely, inventory every agent, scope each one’s job before granting access, issue per-agent identities, enforce least privilege with no standing admin rights, gate high-impact actions behind human approval, sandbox and limit the agent, fix data governance first, and log everything with a rehearsed kill switch. Treat it like onboarding a powerful contractor: define the role, grant the minimum, supervise the work, and keep records. Here is each step in practice.

The secure AI agent deployment framework

Govern first, connect second — every step before the agent touches production

1

Inventory every agent

Including shadow deployments and pilots

2

Scope the job before the access

Written task definition → permission list

3

One identity per agent

Never shared accounts or human credentials

4

Least privilege, zero standing admin

Scoped roles + just-in-time elevation only

5

Human approval for high-impact actions

Deletes, payments, access changes, external sends

6

Sandbox, segment, set hard limits

Test environments, allowlists, rate & spend caps

7

Fix data governance first

Labels, permissions hygiene, DLP before connection

8

Log, monitor, rehearse the kill switch

Full audit trail + agent-aware incident response

Step 1 — Build an AI agent inventory before anything else

You cannot secure what you cannot see. Catalogue every agent, copilot, connector and automation touching company data — sanctioned or not — and record for each: its owner, its purpose, the systems it can reach, the data it can read or change, and how it authenticates. Include the pilots someone built in Copilot Studio, Power Automate or Zapier last quarter. This register becomes the backbone of every other control, and in regulated industries it is fast becoming an auditor’s first request.

Step 2 — Scope the job before you grant the access

Write the agent’s job description first: the specific tasks, the specific systems, the specific data, and — just as important — the actions it must never take. Only then translate that into permissions. If you cannot write the task definition in a paragraph, the agent is not ready to deploy. This single habit eliminates the “give it admin so the pilot works” trap, because access requests now have to trace back to a documented task.

Step 3 — Give every agent its own identity

Each agent gets a dedicated, named identity — a service principal or workload identity — never a shared service account and never a human’s login. Store its credentials in a vault, rotate them automatically, and prefer short-lived tokens over static API keys. Assign a human owner who is accountable for it, and fold agent identities into your joiner-mover-leaver process so retiring an agent revokes its access the same day. When something odd happens at 2 am, “which identity did it and who owns it” should take one lookup, not one week.

Step 4 — Apply least privilege and eliminate standing admin rights

Grant the narrowest role that completes the task: read-only wherever possible, scoped to specific sites, mailboxes, queues or API endpoints rather than tenant-wide. If an agent genuinely needs a privileged operation occasionally, use just-in-time elevation — temporary rights, granted for a defined change, automatically expiring — instead of standing admin. This is the same “restrict administrative privileges” discipline the Essential Eight demands for humans, applied to your newest class of user. A useful test: if this agent were fully compromised today, would the damage be a bad afternoon or a board meeting?

Step 5 — Put a human approval gate in front of high-impact actions

Define the irreversible or high-consequence actions — deleting data, moving money, changing permissions, sending to external recipients, modifying security settings — and require explicit human confirmation before the agent executes them. This is the single highest-leverage control available, and it does not mean reviewing everything: let the agent run autonomously on low-risk, reversible work and queue only the dangerous 2% for a human tap. The Replit incident is what step 5 exists to prevent.

Step 6 — Sandbox, segment and set hard limits

Develop and test agents in environments with synthetic data before they ever see production, and keep production access mediated through controlled interfaces rather than direct database or file-system rights. Constrain the blast radius with hard, non-negotiable limits enforced outside the model: allowlisted tools and domains, rate limits on actions per hour, spending caps, and network segmentation so a customer-facing agent physically cannot reach your finance system. Prompts asking the agent to behave are policies; limits enforced in infrastructure are controls. And keep the lethal trifecta test from earlier: if one agent ends up holding private data, untrusted input and an outbound channel, split the workflow into separate agents with a checkpoint between them.

Step 7 — Fix your data governance before you connect the agent

An agent inherits every permission sin in your tenant. The overshared “Everyone” folder from 2019, the unlabelled client files, the finance library with lax access — an agent will surface and act on all of it at machine speed. Before connecting agents to Microsoft 365 or any data platform: run a permissions audit and trim oversharing, apply sensitivity labels so tooling can distinguish public from confidential, and extend DLP policies to cover AI-driven access. This is the same lesson learned in every Copilot rollout — the AI is only as safe as the data estate underneath it — and Gartner expects remediating “AI data debt” to consume a third of IT effort through 2030 for organisations that skipped it.

Step 8 — Log everything, monitor continuously and rehearse the kill switch

Capture a complete audit trail of every agent action — what it read, what it changed, what it sent, and why — and feed agent identities into your monitoring the same way you watch privileged human accounts, alerting on anomalies like off-hours activity, unusual data volumes or first-time system access. Then prepare for the bad day: a documented kill switch that pauses the agent and revokes its tokens in minutes, rollback procedures for its changes, and an incident response runbook that includes agent scenarios. Test it before you need it. If your current IR plan has no answer to “the agent has gone rogue, now what?”, step 8 is your gap.

Keeping the benefits: the controls that preserve ROI

Security controls do not reduce the value of AI agents — they are what allows the value to scale. Ungoverned pilots get quietly shut down after the first scare; governed agents earn the trust to take on bigger workloads. Gartner’s own recommendation is telling: it does not advise slowing AI adoption, it advises building security capability at the same pace as deployment capability. Here is how each major benefit survives — and improves — under the framework above.

The benefit you want

24/7 service desk triage and resolution

Risk if ungoverned

Admin-level agent resets the wrong accounts or is hijacked to escalate an attacker

The control that keeps both

Scoped helpdesk role, JIT elevation for privileged fixes, approval gate on access changes

The benefit you want

Instant answers and reporting from company data

Risk if ungoverned

Oversharing surfaces payroll and client files; injected content exfiltrates them

The control that keeps both

Permissions cleanup, sensitivity labels and DLP before connection (Step 7)

The benefit you want

Automated remediation across endpoints

Risk if ungoverned

A wrong decision executes destructively across the fleet at machine speed

The control that keeps both

Change windows, rate limits, human approval for destructive actions, tested rollback

The benefit you want

Customer-facing agents handling requests end-to-end

Risk if ungoverned

Every customer message is untrusted input — prompt injection by design

The control that keeps both

Trifecta separation: no direct data-store writes, mediated APIs, output filtering

The benefit you want

Coding and DevOps agents shipping faster

Risk if ungoverned

Production access disasters — the Replit scenario

The control that keeps both

Sandboxed environments, read-only production, human-reviewed merges and deploys

Notice what none of these controls do: none of them remove the agent’s ability to do the valuable work. They remove its ability to do everything else. That is the entire philosophy — maximum capability inside the fence, zero capability outside it.

What this means for Australian businesses

Australian regulators have not created an AI carve-out — the obligations you already carry apply in full to what your agents do. Three frameworks matter most for the businesses we work with:

  • The Essential Eight. “Restrict administrative privileges” is one of the eight mitigation strategies for a reason, and the ACSC’s intent applies squarely to non-human identities: privileged access should be validated, scoped, time-limited and logged. An agent holding standing admin rights is a direct contradiction of the control — and increasingly something assessors ask about. Application control and patching obligations extend to the agent platforms and connectors themselves.
  • The Privacy Act and Notifiable Data Breaches scheme. If an agent discloses personal information it should not have — whether through misfire or manipulation — that is an eligible data breach like any other, with OAIC notification obligations and, under the strengthened penalty regime, serious financial exposure. “The AI did it autonomously” changes nothing about your liability; if anything, it invites questions about the governance you had in place.
  • APRA CPS 234 and CPS 230. For financial services entities, information security capability must be commensurate with the size and extent of threats — and an agent with write access to regulated data is unambiguously part of that threat surface. CPS 230’s operational risk and service provider requirements capture agent platforms and the material processes agents now execute. Boards, not vendors, own the outcome.

For aged care providers, law firms and not-for-profits, the same logic flows through sector obligations — confidentiality duties, care recipient privacy, donor data stewardship. The consistent theme: the accountability sits with you, so the governance must too. The upside is real, though. The framework in this guide is not exotic — it is the Essential Eight mindset applied to a new class of identity. Businesses that already run disciplined privileged access management are 80% of the way there.

Frequently asked questions

What is an AI agent, in simple terms?

An AI agent is software powered by a large language model that can plan and complete multi-step tasks on its own — reading data, making decisions and taking real actions in your systems, such as updating records, sending emails or resetting passwords, without a human approving every step. That autonomy is what separates an agent from a chatbot or copilot, which only suggests actions for a human to carry out.

Why is giving an AI agent administrator access so risky?

Because everything the account can do, the agent can do — and so can anyone who successfully manipulates it. Admin rights mean a single prompt injection, misjudgement or compromised credential can reach every mailbox, file, user account and security setting at machine speed. Gartner predicts 25% of enterprise breaches will trace back to AI agent abuse by 2028, and over-permissioned agents are the common thread.

What is prompt injection?

Prompt injection hides malicious instructions inside content an AI reads — an email, document, invoice or webpage — so the AI follows the attacker’s commands instead of yours. Language models cannot reliably distinguish instructions from data, so it is an architectural weakness rather than a patchable bug. The defence is limiting what an injected agent could actually do: least privilege, approval gates and separating data access from external communication.

Can AI agents be deployed securely at all?

Yes. Secure deployment is well understood: inventory your agents, scope each job before granting access, issue per-agent identities, enforce least privilege with no standing admin rights, gate high-impact actions behind human approval, sandbox and rate-limit the agent, fix data governance first, and log everything with a rehearsed kill switch. Organisations doing this are scaling agents confidently; the failures come from skipping these steps, not from the technology itself.

What does least privilege mean for an AI agent?

It means the agent gets only the permissions its documented task requires — read-only where possible, scoped to specific systems and data rather than tenant-wide, with privileged operations handled through temporary just-in-time elevation instead of standing rights. A ticket-triage agent gets the ticket queue and knowledge base, not Global Administrator. If the agent were fully compromised, least privilege is what decides whether that is a contained incident or a company-wide breach.

How does the Essential Eight apply to AI agents?

Directly. “Restrict administrative privileges” applies to non-human identities as much as staff: agent access should be validated against need, scoped, time-limited, logged and regularly reviewed. Patching and application control obligations extend to agent platforms and their connectors. An agent holding standing admin rights contradicts the control and will increasingly draw assessor attention during Essential Eight maturity reviews.

Who is accountable when an AI agent causes a data breach?

Your organisation. The Privacy Act’s Notifiable Data Breaches scheme, APRA prudential standards and your client contracts contain no AI exemption — a disclosure caused by an agent is assessed like any other breach, including OAIC notification and penalty exposure. Autonomy is not a defence; it raises the bar for demonstrating the governance, access controls and monitoring you had in place.

Deploy AI with confidence — not crossed fingers

Stanfield IT helps Australian businesses roll out AI agents and Microsoft 365 Copilot with the governance to match — scoped access, data protection, monitoring and Essential Eight alignment built in from day one. 100% Australian owned and operated, securing regulated businesses for 14 years.

S

Written by the Stanfield IT team

Stanfield IT is a 100% Australian-owned managed IT and cyber security provider headquartered on Sydney’s Northern Beaches, with teams in Sydney, Melbourne, Brisbane and Perth. We specialise in Essential Eight, ISO 27001, managed detection and response, and secure AI adoption for businesses in financial services, healthcare, aged care, legal and the not-for-profit sector.

Experience better IT services

If your IT feels reactive or unclear, we’ll stabilise the essentials and align it to your business goals.

IT Services for Australian Businesses - Stanfield IT
Scroll to Top