Stolen Credentials and the Escalation of Agentic AI Attacks
Overview of the Autonomous Threat Landscape
The integration of artificial intelligence into cyber operations has shifted from basic automation to the deployment of ‘agentic AI’—autonomous systems capable of planning, utilizing external tools, and executing complex sequences of actions to achieve a specific objective. This transition has significantly expanded the potential ‘blast radius’ of security incidents. According to SecurityWeek, recent data from IBM X-Force indicates a dangerous synergy between identity-based weaknesses and AI-driven exploitation.
As organizations grant AI agents more autonomy to interact with internal APIs, databases, and communication channels, the security of the credentials governing those agents becomes the primary point of failure. If an adversary gains control of these credentials, they do not just compromise a static account; they hijack an active, automated workflow capable of lateral movement and data exfiltration at machine speed.
Technical Analysis: The Authentication Gap
One of the most concerning findings from IBM X-Force research is the current state of vulnerability management. In 2025, of the approximately 400,000 vulnerabilities tracked by the group, 56% required no authentication for exploitation. This represents a massive surface area for initial access: attackers can get past traditional perimeter defenses without first cracking complex passwords or defeating multi-factor authentication (MFA).
Weaponizing Agentic AI
Agentic AI differs from standard LLMs (Large Language Models) in its ability to execute code and interact with the environment. When these agents are configured with ‘over-privileged’ access—a common occurrence in DevOps and cloud environments—they become ideal vehicles for automated attacks.
Threat actors are increasingly focusing on ‘identity-based’ attacks rather than traditional software exploits. By utilizing stolen session cookies, OAuth tokens, or API keys, an attacker can assume the identity of a trusted AI agent. Because these agents are expected to perform high volumes of automated tasks, their malicious activities often blend in with legitimate traffic, making detection via traditional anomaly-based systems difficult.
The Blast Radius Problem
The ‘blast radius’ refers to the maximum potential damage a single compromised credential can cause. In an environment utilizing agentic AI, this radius is widened by:
- Tool Use Integration: AI agents often have permission to call external scripts or third-party integrations.
- Context Injection: Attackers can use prompt injection to trick an agent into using its legitimate credentials to perform unauthorized actions, such as dumping a database or changing system configurations.
- Speed of Execution: Manual incident response is frequently too slow to counter an agent that can cycle through thousands of lateral movement attempts per second.
Actionable Recommendations for Defenders
To mitigate the risks associated with weaponized agentic AI and the proliferation of unauthenticated vulnerabilities, security teams should prioritize the following technical controls:
1. Identity Threat Detection and Response (ITDR)
Organizations must move beyond simple MFA and implement ITDR solutions that monitor for session hijacking and token theft. Specifically, defenders should look for ‘impossible travel’ patterns in API usage and sudden changes in the complexity or volume of tasks performed by service accounts and AI agents.
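The two checks named above, run over a constructed API log (an added example, not code from the article or from IBM X-Force). The event format, token names and thresholds (1000 km/h, 5x the token's own median rate) are assumptions; source coordinates would normally come from a geo-IP lookup on the caller's address.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def by_token(events):
    groups = defaultdict(list)
    for ev in sorted(events):          # tuples sort by timestamp first
        groups[ev[1]].append(ev)
    return groups

def impossible_travel(events, max_kmh=1000.0, min_km=100.0):
    """Flag consecutive uses of one token that imply faster-than-airliner travel."""
    alerts = []
    for token, evs in by_token(events).items():
        for (t1, _, la1, lo1), (t2, _, la2, lo2) in zip(evs, evs[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            kmh = dist / hours if hours > 0 else math.inf
            # min_km ignores geo-IP jitter inside one region
            if dist >= min_km and kmh > max_kmh:
                alerts.append((token, t2, round(dist)))
    return alerts

def volume_spikes(events, factor=5):
    """Flag one-minute windows where a token exceeds factor x its own median rate."""
    alerts = []
    for token, evs in by_token(events).items():
        counts = defaultdict(int)
        for t, *_ in evs:
            counts[t.replace(second=0, microsecond=0)] += 1
        baseline = median(counts.values())   # median over active windows only
        alerts += [(token, w, n) for w, n in sorted(counts.items()) if n > factor * baseline]
    return alerts

# Constructed sample API log: (time, token id, source latitude, source longitude)
T0 = datetime(2025, 1, 10, 9, 0)
NYC, SIN, FRA = (40.71, -74.01), (1.35, 103.82), (50.11, 8.68)
EVENTS = [(T0 + timedelta(minutes=m), "agent-reporting", *loc) for m, loc in ((0, NYC), (1, NYC), (20, SIN))]
# agent-etl: steady 2 calls per minute for 10 minutes, then 40 calls in one minute
EVENTS += [(T0 + timedelta(minutes=m, seconds=30 * i), "agent-etl", *FRA) for m in range(10) for i in (0, 1)]
EVENTS += [(T0 + timedelta(minutes=10, seconds=i), "agent-etl", *FRA) for i in range(40)]
```

On the sample data, `impossible_travel(EVENTS)` flags the `agent-reporting` token appearing in Singapore 19 minutes after New York, and `volume_spikes(EVENTS)` flags the 40-call minute for `agent-etl`.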
2. Micro-Segmentation and Least Privilege
AI agents should never have broad access to the corporate network. Apply strict micro-segmentation so that an agent’s credentials only function within a highly restricted environment. Implement ‘Just-in-Time’ (JIT) access for AI agents, ensuring that credentials are only valid during the specific window of time an automated task is scheduled to run.
3. Hardening the Vulnerability Management Lifecycle
Given that 56% of vulnerabilities require no authentication, patching schedules must be prioritized based on ‘exploitability in the wild’ rather than raw CVSS scores alone. Systems that are exposed to the public internet and require no authentication must be isolated behind a Web Application Firewall (WAF) or a Zero Trust Network Access (ZTNA) gateway to force an authentication layer where one is natively missing.