In September 2025, Anthropic publicly disclosed a cyber‑espionage campaign in which a state‑sponsored threat actor used an AI agent to autonomously conduct operations against 30 global targets. According to Anthropic’s assessment, the system performed 80–90% of the tactical workload on its own: reconnaissance, exploit development, and lateral movement across networks at machine speed. This incident signaled a turning point: attackers are moving from experimental use of AI to fully automated, agent‑driven attacks.
How AI agents disrupt the traditional cyber kill chain
The classic cyber kill chain model, introduced by Lockheed Martin in 2011, assumes a step‑by‑step intrusion: initial access, execution, persistence, privilege escalation, lateral movement, and finally data theft or disruption. At each phase, defenders can look for signals: antivirus or EDR detecting malware, network monitoring flagging unusual connections, IAM tools catching privilege escalation, and SIEM systems correlating scattered events into an incident.
Even advanced APT groups such as APT29 typically leave artifacts: anomalous login locations, unusual activity patterns, or deviations from users’ behavioral baselines. Modern detection strategies and frameworks like MITRE ATT&CK are built around recognizing these deviations and mapping them to known techniques.
Autonomous AI agents break this linear logic. They are designed to operate across multiple applications, continuously exchange data, and orchestrate workflows end‑to‑end. Once such an agent is compromised, the attacker does not need to “climb” the kill chain. The agent itself becomes a persistent, legitimate‑looking attack chain that already spans systems, identities, and data.
AI agents in SaaS: legitimate access as perfect cover
Enterprise AI agents in SaaS typically have broad, often excessive permissions. To automate business processes, they are granted access to CRM systems (e.g., Salesforce), corporate messengers (Slack), cloud storage (Google Drive), ITSM platforms (ServiceNow), and other SaaS applications. The agent’s logs effectively form a detailed map of where sensitive data resides and how it is used.
When such an agent is compromised, an attacker instantly inherits its entire security posture: tokens, roles, integrations, and trusted communication channels. Data access and movement appear indistinguishable from normal business automation rather than an intrusion. Every stage that security teams expect to see in a standard kill chain is skipped by design, replaced by actions that look like routine workflow execution.
The OpenClaw crisis: first large‑scale AI agent security failure
The OpenClaw incident illustrated the scale of this emerging risk. Post‑incident analysis showed that around 12% of “skills” on the platform’s public marketplace were malicious. A critical remote code execution (RCE) vulnerability allowed a single‑click compromise of an agent instance, and over 21,000 agent deployments were directly exposed to the internet.
The most damaging aspect was not the initial breach, but the scope of legitimate access obtained when attackers took over agents already wired into Slack and Google Workspace. These agents could see messages, files, emails, and documents and maintained persistent memory across sessions. What is traditionally considered the final stage of a successful attack—access to sensitive data—was in this case the attacker’s starting point.
Why traditional security tools are blind to AI‑driven attacks
Most cybersecurity controls still focus on anomaly detection. However, when a threat actor “rides” on top of an existing AI agent, almost everything looks normal: the same SaaS APIs, the same time windows of activity, and similar volumes of data transfers. This creates a significant visibility gap: from a business‑logic perspective, the agent is behaving as intended, so its activity rarely triggers classic signatures, UEBA (User and Entity Behavior Analytics) thresholds, or SIEM correlation rules.
Shadow AI and fragmented accountability
An additional challenge is shadow AI—AI agents and integrations deployed directly by business users without IT or security oversight. These tools connect corporate data to external AI platforms via APIs, OAuth, or protocols like MCP (Model Context Protocol), creating “toxic combinations” of systems that appear safe in isolation but are high‑risk in aggregate. This mirrors the shadow IT problem, but with far more powerful automation and broader data reach.
Reco’s approach: identity‑centric security for AI agents in SaaS
The first defensive step is comprehensive AI agent inventory across the SaaS environment, including embedded AI features and third‑party integrations deployed without formal approval. Reco Agentic AI Security automatically discovers these entities and maps which SaaS applications they connect to, what permissions they hold, and which data sets they effectively touch.
Reco’s SaaS‑to‑SaaS visualization highlights how AI agents link systems via MCP, OAuth, or direct API integrations. This makes it possible to identify dangerous privilege combinations where no single application owner granted excessive access, yet the chain of integrations results in critical over‑privilege and an expanded blast radius.
Each agent is then scored based on criteria such as permission breadth, cross‑system reach, and data sensitivity. High‑risk agents are automatically flagged so that identity and access governance processes can enforce least privilege, substantially limiting potential damage in case of compromise.
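As an added illustration of the inventory-and-scoring step described above (example code, not Reco's own): a small Python script takes a constructed inventory of agents and their SaaS scopes, scores each on permission breadth, cross-system reach and data sensitivity, and flags read-plus-egress scope pairs across two apps as toxic combinations. The agent names, scope strings, sensitivity values and weights are all assumptions.

```python
# Added example, not Reco's code: rank AI agents by permission breadth,
# cross-system reach and data sensitivity, and flag "toxic combinations".
# Constructed inventory: each agent's SaaS integrations and the OAuth-style
# scopes it holds there (scope names are illustrative, not vendor-exact).
AGENTS = {
    "sales-assistant": {
        "salesforce": {"read:accounts", "read:opportunities"},
        "slack": {"chat:write"},
    },
    "docs-summarizer": {
        "google_drive": {"drive.readonly"},
        "gmail": {"gmail.readonly", "gmail.send"},
        "external_llm_api": {"submit:prompt"},
    },
    "ticket-triage": {
        "servicenow": {"read:incident", "write:incident"},
        "slack": {"chat:write", "channels:history"},
        "google_drive": {"drive", "drive.readonly"},
    },
}
# Assumed sensitivity of each SaaS data source (1 = low, 3 = high).
SENSITIVITY = {"salesforce": 3, "google_drive": 3, "gmail": 3,
               "servicenow": 2, "slack": 2, "external_llm_api": 1}
# Scopes that read a data store, and scopes that can push data out of the
# tenant. One of each across two apps is a cross-system exposure path that
# no single application owner approved.
READ_SCOPES = {"drive.readonly", "drive", "gmail.readonly", "read:accounts",
               "read:opportunities", "channels:history", "read:incident"}
EGRESS_SCOPES = {"gmail.send", "submit:prompt"}

def score_agent(name, integrations):
    """Return {"name", "score", "toxic"}; weights are assumed, not Reco's."""
    apps = list(integrations)
    breadth = sum(len(s) for s in integrations.values())    # permission breadth
    reach = len(apps)                                       # cross-system reach
    sensitivity = sum(SENSITIVITY.get(a, 1) for a in apps)  # data sensitivity
    toxic = [(a, b) for a in apps for b in apps if a != b
             and integrations[a] & READ_SCOPES and integrations[b] & EGRESS_SCOPES]
    # Each toxic pair adds a fixed penalty so chains outrank merely broad agents.
    score = breadth + 2 * reach + sensitivity + 5 * len(toxic)
    return {"name": name, "score": score, "toxic": toxic}

def rank_agents(agents, threshold=15):
    """Risks sorted high to low, plus the names at or above the threshold."""
    risks = sorted((score_agent(n, i) for n, i in agents.items()),
                   key=lambda r: r["score"], reverse=True)
    return risks, [r["name"] for r in risks if r["score"] >= threshold]
```

Running `rank_agents(AGENTS)` ranks the summarizer highest because its Drive and Gmail read scopes combine with a send scope and an external API, even though the triage agent holds more scopes in total.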
In parallel, Reco’s behavioral threat analytics engine applies an identity‑centric model not only to human users but also to AI agents. By learning what “normal automation” looks like, it can detect subtle deviations in real time—even when an attacker carefully mimics routine workflows.
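An added example, not Reco's engine, of what an identity-centric baseline for an agent can catch that volume and time-window thresholds cannot: it learns the (app, action, target) tuples one agent normally performs from constructed audit events, then flags a send to an unseen destination and a never-exercised action even though both arrive at a normal hour and volume. Agent name, app and action strings are assumptions.

```python
# Added example, not Reco's engine: an identity-centric baseline for one AI
# agent's SaaS activity. It learns which (app, action, target) tuples the agent
# normally performs, so an action outside that set is flagged even when its
# hour and volume match the baseline. All events are constructed.
from collections import Counter, defaultdict

# Constructed audit events: (hour, agent identity, app, action, target).
BASELINE = [
    (9, "docs-summarizer", "google_drive", "files.get", "shared/finance"),
    (9, "docs-summarizer", "gmail", "messages.send", "internal:finance-team"),
    (10, "docs-summarizer", "google_drive", "files.get", "shared/finance"),
    (10, "docs-summarizer", "gmail", "messages.send", "internal:finance-team"),
    (14, "docs-summarizer", "google_drive", "files.get", "shared/legal"),
    (14, "docs-summarizer", "gmail", "messages.send", "internal:legal-team"),
]
NEW_EVENTS = [
    (10, "docs-summarizer", "google_drive", "files.get", "shared/finance"),
    # Same app, action, hour and volume as usual, but a destination this
    # identity has never used: a threshold-based rule sees nothing here.
    (10, "docs-summarizer", "gmail", "messages.send", "external:unknown-domain"),
    # A scope the agent holds but never exercised during the baseline window.
    (10, "docs-summarizer", "google_drive", "files.export", "shared/finance"),
]

def learn_baseline(events):
    """Per agent identity: (app, action) pairs, targets and active hours seen."""
    profile = defaultdict(lambda: {"actions": set(), "targets": set(),
                                   "hours": Counter()})
    for hour, agent, app, action, target in events:
        p = profile[agent]
        p["actions"].add((app, action))
        p["targets"].add(target)
        p["hours"][hour] += 1
    return profile

def detect_deviations(profile, events):
    """Return (event, reason) for events outside the agent's learned envelope."""
    findings = []
    for ev in events:
        hour, agent, app, action, target = ev
        p = profile.get(agent)
        if p is None:
            findings.append((ev, "unknown agent identity"))
        elif (app, action) not in p["actions"]:
            findings.append((ev, f"never-before-seen action {app}:{action}"))
        elif target not in p["targets"]:
            findings.append((ev, f"new target {target}"))
        elif hour not in p["hours"]:
            findings.append((ev, f"activity outside baseline hours ({hour}:00)"))
    return findings
```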
The classic kill chain assumes an attacker must “earn” every new level of access. In the era of agentic AI, a single compromised AI agent can provide full, formally legitimate access to critical SaaS data without a single step that resembles a traditional breach. Organizations that monitor only human user behavior risk missing this new class of attacks entirely. Building end‑to‑end visibility into AI agents, their entitlements, and their real behavior in SaaS environments—and enforcing least‑privilege access through tools such as Reco—has become a necessary foundation for any modern AI security strategy.