For as long as we've had insider threat programs, "insider" meant intent. The malicious employee. The exfiltrator on their way out the door. We built the whole discipline—DLP, UEBA, access reviews, user behavior analytics—around catching people who meant to do harm, or who got phished into it.
Your most dangerous insider right now has no intent. It isn't even human.
It's an agent. You issued it credentials. Someone on your team pointed it at production and moved on. It's doing exactly what it was told, at machine speed, with access you approved. Your stack won't flag it, because your stack was built to catch outsiders getting in, not the things you already trust doing something you didn't expect.
This isn't a malicious-insider problem. It's not a phishing problem. It's a structural one: the population of insiders quietly expanded to everyone, plus every agent they spun up. And most of them don't know they're insiders at all.
The new insiders don't know they're insiders
We've spent a decade learning to manage the citizen developer: employees of all technical levels wiring up apps and automations outside security's line of sight. That problem was annoying but bounded. Low-code could only reach so far.
The agent era blew the ceiling off.
Two new insiders showed up, and neither fits the old model.
The first is the citizen hacker. Same well-meaning employee, vastly more capable. They're the human in the loop, and the loop now includes an agent with access to production data, internal APIs, and SaaS tooling. Services are stood up in an afternoon and reviewed by no one. Verizon's latest Data Breach Investigations Report puts regular AI users at 45%, up from 15% a year ago, expanding both your attack surface and your pool of potential insiders.
The second insider is the agent itself. The agent is sanctioned but over-permissioned, or unapproved shadow AI, connected by someone who never filed a ticket. It doesn't matter which. Once it holds credentials and can act on its own, it's a non-human identity with insider access and no operator behind the wheel. It does what it was allowed to do. That varies team to team, user to user, and nobody's keeping the map.
From sanctioned to SEV1
The reason insider risk is outrunning governance is that it looks like compliance. When a tool is corporate-blessed, installing it doesn't feel like risk—it feels like keeping up. Market pressure and AI mandates push teams to adopt faster than they can scope permissions or think about blast radius.
The receipts are already public. In every one of these, the damage came from capability and access, not intent:
- Feb 2026: OpenClaw deleted a user's entire email inbox, even when told to confirm before acting. It's a clean illustration of what "deploy straight to prod" does with untested tooling. It's now sponsored by OpenAI and packaged for the enterprise by Microsoft, so better guardrails may be coming.
- March 2026: an internal AI agent at Meta exposed company and user data to unauthorized employees for about two hours. Meta called it a SEV1.
- April 2026: a coding agent at PocketOS deleted the entire production database and its backups in seconds, no confirmation prompt. ~30 hours of downtime.
- June 2026: Anthropic disclosed that its newest model had rare (<0.01%) instances of working around sandboxes and blocked commands to satisfy a user's goal.
None of these were attackers. They were trusted tools doing trusted-looking things with access someone signed off on.
You can't find weird if you don't know normal
This is where it gets hard for defenders. Agents don't look like the threats our tooling was built to catch.
From a defender's seat, agent activity reads as the user. The process tree says the user spawned it. The calls carry the user's token. The data it touches is data the user could already reach. An AI client spawning node, npx, or python3 is normal. An outbound connection to some API is normal. Credential access on a developer box is normal, right up until you look at the parent process and realize a subprocess, not the human, is the one reaching into the keychain.
That's the tell. Not the indicator, but the behavior, and the context around it.
But you only catch the tell if you've done the unglamorous work first: an inventory of what's running, and a baseline of what normal looks like for it. Most teams have neither. We don't reliably know what MCP servers are installed, what scopes our agents hold, or what a normal day of agent activity even looks like. Without that, drift is invisible, and "shadow AI" stops being a buzzword and becomes your actual environment.
And don't wait for the alert. Every reactive control in the stack is waiting for an event: a signature, a known-bad indicator, a risk score tipping over a line. A credentialed agent doing what it was permitted to do trips none of them. The most dangerous activity here is, by design, the activity that looks the most normal. If detection only starts when something fires, this entire class of insider never reaches the queue. It just accrues, quietly, until it's an incident.
What to do before it's a SEV1
You don't need a new platform to start. You need to treat agents like what they are and go hunt them.
- Treat agents as shadow IT with autonomous capability. An agent isn't a chat window. It's infrastructure: a persistent service with API keys, credential stores, and memory. Inventory each one the way you'd inventory a server: what runs, what it holds, what it can reach, who owns it.
- Baseline normal. You can't find weird if you don't know normal. Profile agent and non-human behavior: what it calls, what it touches, and when. Deviation is the signal.
- Go looking. Don't wait for the alert that was never going to fire. Hunt the agent and NHI activity your controls can't see, and turn what you find into durable detections.
- Hunt behavior, not names. OpenClaw today, something else next quarter. A python3 child of Cursor calling security find-generic-password is the same tell whether the package is mcp-server-acme or whatever it rebrands to next month. So hunt the lineage, not the label.
- Failure is a feature if you log it. Meta and PocketOS are only lessons if you capture them with structure. Utilize durable memory like the Agentic Threat Hunting Framework, an open-source harness that saves hunts so every failure, near-miss, and finding feeds the next hunt instead of dying in a Slack thread.
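The parent-process tell and the "hunt the lineage, not the label" advice above, as a small hunt over process-creation events. This is an added example, not code from the article or from any framework it names; the event schema, the PIDs, the `renamed_pkg` module and the `AI_CLIENTS` inventory set are assumptions, and the sample events are constructed.

```python
import re

# Constructed process-creation events; the schema (pid/ppid/image/cmd) is an
# assumption for this example, not any specific EDR's format.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "Cursor",  "cmd": "Cursor"},
    {"pid": 210, "ppid": 100, "image": "npx",     "cmd": "npx mcp-server-acme"},
    {"pid": 211, "ppid": 210, "image": "python3", "cmd": "python3 server.py"},
    {"pid": 212, "ppid": 211, "image": "security",
     "cmd": "security find-generic-password -s example-service"},
    # Same behavior after a hypothetical rename of the package.
    {"pid": 220, "ppid": 100, "image": "python3", "cmd": "python3 -m renamed_pkg"},
    {"pid": 221, "ppid": 220, "image": "security",
     "cmd": "security find-generic-password -s example-service"},
    # The human running the same command from a shell: no agent in the lineage.
    {"pid": 300, "ppid": 1,   "image": "zsh",     "cmd": "-zsh"},
    {"pid": 301, "ppid": 300, "image": "security",
     "cmd": "security find-generic-password -s example-service"},
    # Ordinary agent child with no credential access.
    {"pid": 400, "ppid": 100, "image": "node",    "cmd": "node lint.js"},
]

AI_CLIENTS = {"Cursor"}  # assumption: populated from your agent inventory
CRED_ACCESS = re.compile(r"\bsecurity\s+find-generic-password\b")

def lineage(pid, by_pid):
    """Return the process chain from `pid` up to the root, leaf first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against ppid loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def hunt(events, ai_clients=AI_CLIENTS):
    """Flag keychain reads whose ancestry includes an AI client."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not CRED_ACCESS.search(e["cmd"]):
            continue
        chain = lineage(e["pid"], by_pid)
        client = next((a["image"] for a in chain[1:] if a["image"] in ai_clients), None)
        if client:
            path = " > ".join(a["image"] for a in reversed(chain))
            findings.append({"pid": e["pid"], "client": client, "path": path})
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Both agent-descended keychain reads are flagged regardless of the package name in between, while the identical command typed by the user in a shell is not. On real telemetry, key the lookup on host and process start time as well, since PIDs are reused.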
The insider you authorized
Prevention isn't wrong. It's just not the whole job, and it never was. What changed in the agentic era is that the threat stopped arriving from outside and started coming from the things we trust, and at a scale and speed no perimeter was designed for.
That's not an argument to slow AI adoption. It's an argument to see what you're adopting. Inventory the agents. Baseline normal. Hunt the behavior. Give your hunts memory so the program gets sharper every time something goes sideways, instead of starting over.
The insider you need to worry about is one you authorized. But that isn't a reason to trust your people, or your agents, any less. It's a reason to build the visibility to trust them well, and then go find what you've been missing.