In September 2025, Anthropic revealed that state-sponsored threat actors used AI-coding agents to conduct autonomous cyber espionage against 30 targets around the world. The AI handled 80-90% of tactical operations on its own, performing reconnaissance, writing exploit code, and attempting lateral movement at machine speeds.
While this incident is alarming, there are scenarios that should be even more concerning for security teams. It’s an attacker who doesn’t need to perform any kill chain to compromise an AI agent that’s already in the environment. Something you already have access to, privileges for, and a legitimate reason to move between systems every day.
A framework built for human threats
Traditional cyber kill chains assume that an attacker needs to gain all access. It’s a model developed by Lockheed Martin in 2011 to explain how attackers move from an initial breach to a final objective, and it’s been shaping how security teams think about detection ever since.
The logic is simple. The attacker must complete a series of steps, and the defender can interrupt the chain at any time. Every stage an attacker has to go through is another opportunity to catch him.
A typical infestation progresses through different stages:
Initial access (e.g. vulnerability exploitation) Persistence without triggering alerts Reconnaissance to understand the environment Lateral movement to get to valuable data Privilege escalation if access is insufficient Extraction while circumventing DLP controls
Each stage creates an opportunity for detection. Endpoint security captures the initial payload, network monitoring detects unusual lateral movement, identity systems flag privilege escalation, and SIEM correlation can tie together anomalous behavior across systems. The more steps the attacker takes, the more likely he is to trip over the wire.
This is why advanced threat actors like LUCR-3 and APT29 invest heavily in stealth, spending weeks away from land and blending into normal traffic. Still, artifacts remain, such as unusual login locations, strange access patterns, and slight deviations from baseline behavior. These artifacts are exactly what modern detection systems are designed to detect.
However, the problem here is that the AI agent doesn’t actually follow this strategy.
What AI agents already have
AI agents behave fundamentally differently than human users. They operate between systems, move data between applications, and run continuously. If compromised, the attacker bypasses the entire kill chain and the agent itself becomes the kill chain.
Consider what an AI agent typically has access to. That activity history is the perfect map of what data exists and where. Perhaps you pull from Salesforce, push to Slack, sync with Google Drive, and update ServiceNow as part of your normal workflow. They are granted broad privileges upon deployment, often granting administrator-level access across multiple applications, and are already moving data between systems as part of their job.
If an attacker compromises that agent, everything in that agent is immediately inherited. They get maps, access, permissions, and a legitimate reason to move data. Is it each step in the kill chain that security teams have spent years learning to detect? Agents skip them all by default.
The threat is already underway
The OpenClaw crisis showed us what this looks like in practice.
Approximately 12% of skills in the public marketplace were malicious. A critical vulnerability in RCE could allow security to be compromised with a single click. More than 21,000 cases were published. But more frighteningly, connecting to Slack or Google Workspace allows a compromised agent to access messages, files, emails, and documents that have persistent memory between sessions.
The main problem is that security tools are designed to detect anomalous behavior. When an attacker gets on board with an AI agent’s existing workflow, everything seems normal. Agents access systems that are always on the go, move data that is always on the move, and operate at the same times that they are always on the go.
This is the detection gap facing security teams.
How Reco closes the visibility gap
Defending against compromised AI agents starts with knowing which agents are operating in your environment, what they are connected to, and what privileges they hold. Most organizations do not have an inventory of AI agents to impact their SaaS ecosystem. This is exactly the kind of problem Reco was created to solve.
Discover all AI agents in play
Reco’s Agentic AI Security detects all AI agents, built-in AI capabilities, and third-party AI integrations across SaaS environments, including shadow AI tools connected without IT approval.
Figure 1: Reco’s AI agent inventory. Shows discovered agents and their connections to GitHub.
Map access range and explosion radius
Reco maps each agent to which SaaS apps they connect to, what permissions they have, and what data they can access. Reco’s SaaS vs. SaaS visualization shows exactly how agents are integrated across the application ecosystem, exposing the toxic combination of AI agents bridging systems through MCP, OAuth, or API integration, creating a breakdown of privileges that no single application owner would allow.
Figure 2: Reco’s knowledge graph reveals a toxic combination between Slack and Cursor via MCP.
Flag targets and enforce least privilege
Reco identifies which agents are at greatest risk by assessing scope of privilege, cross-system access, and data sensitivity. Agents associated with new risks are automatically labeled. From there, Reco right-sizes access through identity and access governance, directly limiting what an attacker can do if an agent is compromised.
Figure 3: Reco’s AI posture check with security score and IAM compliance results.
Detecting anomalous agent activity
Reco’s threat detection engine applies the same identity-centric behavioral analysis to AI agents as it does to human identities, distinguishing between normal automation and suspicious deviations in real time.
Figure 4: Reco alert flags unauthorized ChatGPT connections to SharePoint.
What this means for your team
Traditional kill chains assume that attackers must fight to gain any access. AI agents completely overturn that assumption.
A single compromised agent can give an attacker legitimate access, a complete map of the environment, extensive privileges, and built-in cover for data movement without performing a single step that appears to be a compromise.
Security teams focused solely on detecting human attacker behavior will miss this. Attackers are riding on the AI agent’s existing workflow and are invisible to the noise of normal operations.
Sooner or later, the AI agents in your environment will become targets. Visibility is the difference between discovering it early and during incident response. Reco provides visibility across your SaaS ecosystem in minutes.
Learn more here: Request a demo: Get started with Reco
Source link
