
92% of Security Professionals Now Worried About AI Agent Over-Permissions Across Enterprise Systems

The Cloud Security Alliance's 2026 survey finds 92 percent of security professionals concerned about AI agents holding excessive permissions across enterprise systems — with only 37 percent of organizations having formal governance policies in place.


By Hector Herrera | June 2, 2026 | Security

Ninety-two percent of security professionals are now concerned about AI agents being granted excessive permissions across enterprise software systems — and for the first time, agentic AI has displaced phishing and ransomware as the category security teams are most worried about.

The finding comes from the Cloud Security Alliance's State of AI Cybersecurity 2026 report, which surveyed security professionals across industries. The report finds that the deployment of autonomous AI agents — software that can take actions, read files, make API calls, and execute tasks without human approval at each step — has outpaced the security frameworks designed to govern them. Companies have adopted agents faster than they've asked whether those agents have more access than they need.

What "Over-Permissions" Actually Means

An AI agent designed to help employees submit expense reports might legitimately need access to a finance platform. In practice, that same agent is frequently granted access to email, calendar, file storage, and communication platforms — because it's more convenient to provision broad access once than to enumerate the specific permissions each workflow actually requires.

This is the over-permission problem. It mirrors a pattern that made service accounts and shared credentials a persistent enterprise security vulnerability for twenty years, with a new dimension: the agent makes autonomous decisions about when and how to use its access, without a human reviewing each action.

The CSA report identifies three specific attack scenarios driven by over-permissioned agents:

1. Credential spanning. An AI agent granted access to a SaaS platform for legitimate workflow automation uses those credentials to access adjacent systems within the platform's permission scope — systems the operator never intended to expose. The agent operates within the rules; the rules were drawn too broadly.

2. Prompt injection attacks. Malicious content embedded in documents, emails, or external data that the agent processes can instruct the agent to take actions using its existing permissions — exfiltrating data, sending messages, or modifying records — without the user's knowledge. A customer service agent that reads incoming emails is a prompt injection surface if those emails can contain hidden instructions.

3. Privilege escalation through agentic chains. Multi-agent systems — where one AI orchestrates others to complete complex tasks — can accumulate permissions across the chain that no single agent was authorized to hold independently. The orchestrator delegates to sub-agents; each sub-agent carries its own credentials; the combined access exceeds what any administrator explicitly approved.
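The third scenario can be checked from an agent inventory. The following is an added example, not code from the CSA report: it walks a delegation graph and lists the scopes an orchestrator chain can exercise beyond what was approved for it. The agent names, scope strings and the shape of the inventory are all hypothetical.

```python
# Constructed inventory: scopes granted to each agent's own credential,
# and which sub-agents each agent can delegate to. All names are hypothetical.
GRANTS = {
    "orchestrator": {"tickets:read"},
    "mail-agent": {"mail:read", "mail:send"},
    "files-agent": {"files:read"},
    "finance-agent": {"finance:read", "finance:write"},
}
DELEGATES = {
    "orchestrator": ["mail-agent", "files-agent"],
    "files-agent": ["finance-agent"],
    "finance-agent": ["files-agent"],  # cycle: traversal must not loop forever
}
# What an administrator explicitly approved for the entry-point agent.
APPROVED = {"orchestrator": {"tickets:read", "mail:read", "files:read"}}


def reachable_agents(root, delegates):
    """Return every agent reachable from root through delegation, root included."""
    seen, stack = set(), [root]
    while stack:
        agent = stack.pop()
        if agent in seen:
            continue
        seen.add(agent)
        stack.extend(delegates.get(agent, []))
    return seen


def effective_scopes(root, grants, delegates):
    """Union of scopes held anywhere in the chain that root can drive."""
    scopes = set()
    for agent in reachable_agents(root, delegates):
        scopes |= grants.get(agent, set())
    return scopes


def unapproved_scopes(root, grants, delegates, approved):
    """Scopes the chain can exercise that nobody approved for root."""
    return sorted(effective_scopes(root, grants, delegates) - approved.get(root, set()))


if __name__ == "__main__":
    for scope in unapproved_scopes("orchestrator", GRANTS, DELEGATES, APPROVED):
        print("not approved for orchestrator chain:", scope)
```

No single agent in this inventory holds more than two scopes, yet the chain reachable from the orchestrator holds six, three of which were never approved.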

The CVE Exploitation Acceleration

The CSA findings coincide with Mandiant's M-Trends 2026 data, which found that 28.3 percent of CVEs — entries in the Common Vulnerabilities and Exposures catalog, the standard inventory of known software flaws — are now exploited within 24 hours of public disclosure. That rate was roughly 12 percent in 2023.

AI is accelerating attacker timelines at both ends: AI tools help security researchers discover and document vulnerabilities faster, but the same capabilities help attackers develop working exploits before most organizations apply patches. When AI agents operating inside enterprise systems carry broad permissions and run autonomously, a 24-hour exploitation window becomes especially dangerous — there may be no human in the loop to recognize and block anomalous agent behavior before data is exfiltrated.

The Implementation Gap

Despite near-universal concern, only 37 percent of organizations have implemented formal AI agent access governance policies, according to the CSA report. The majority have deployed agents through off-the-shelf tools without examining the underlying permission structures those tools request during onboarding.

Organizations with mature postures are applying consistent practices:

  • Least-privilege enforcement — agents receive only the specific permissions required for their defined workflow, reviewed and reauthorized on a defined schedule
  • Agent identity management — AI agents are treated as identities in the organization's existing Identity and Access Management (IAM) infrastructure, with the same credential hygiene that is applied to service accounts
  • Behavioral monitoring — anomaly detection deployed on agent activity patterns flags actions that deviate from the agent's stated purpose
  • Input sanitization — external data is validated before entering an agent's context window, reducing the prompt injection attack surface
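A periodic review covering the least-privilege and behavioral-monitoring practices can be driven from three inputs: the scopes a workflow is defined to need, the scopes actually granted, and a log of agent actions. This is an added example, not taken from the CSA report; the agent name, scope strings, targets and log format are hypothetical, built around the expense-report agent described earlier.

```python
# Constructed example data; agent, scope and target names are hypothetical.
DECLARED = {"expense-agent": {"finance:submit_report", "finance:read_policy"}}
GRANTED = {"expense-agent": {"finance:submit_report", "finance:read_policy",
                             "mail:read", "mail:send", "files:read"}}
ACTION_LOG = [  # (agent, scope used, target) for one review window
    ("expense-agent", "finance:submit_report", "report-1041"),
    ("expense-agent", "finance:read_policy", "travel-policy"),
    ("expense-agent", "mail:read", "inbox"),
    ("expense-agent", "mail:send", "external-address"),
    ("expense-agent", "finance:submit_report", "report-1042"),
]


def review_agent(agent, declared, granted, log):
    """Compare what an agent needs, what it holds, and what it actually did."""
    need = declared.get(agent, set())
    have = granted.get(agent, set())
    used = {scope for a, scope, _ in log if a == agent}
    return {
        # Held but not part of the defined workflow: revoke or justify.
        "excess_grants": sorted(have - need),
        # Held but never exercised in the window: candidates to drop.
        "unused_grants": sorted(have - used),
        # Exercised outside the stated purpose: route to an analyst.
        "off_purpose_actions": [(s, t) for a, s, t in log
                                if a == agent and s not in need],
        # Used with no recorded grant: the inventory or the logging is wrong.
        "ungranted_use": sorted(used - have),
    }


if __name__ == "__main__":
    report = review_agent("expense-agent", DECLARED, GRANTED, ACTION_LOG)
    for finding, items in report.items():
        print(finding, items)
```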

The organizations furthest behind are mid-market companies that accepted default permissions during SaaS AI tool onboarding without security review.

The Vendor Responsibility Problem

The CSA report is partly an indictment of how AI agent products are designed. Many AI productivity tools request broad permissions upfront during onboarding — partially because scoped permission requests create friction in sales and implementation, and partially because engineers building agents find it faster to develop against broad access than to enumerate specific requirements for each use case.

NSA and CISA joint guidance published in May 2026 explicitly addresses this, calling on AI vendors to implement permission scoping by default and provide customers with auditable logs of agent actions. The guidance is advisory, not regulatory — vendors can acknowledge it and continue requesting broad permissions without consequence until liability cases or regulation create harder pressure.

What to Watch

The regulatory response to AI agent security is still forming. The EU AI Act's high-risk AI provisions touch agentic AI in some contexts, but enterprise agents used for internal business processes are largely outside its current scope. US regulators — including the SEC for financial services and HHS for healthcare — are examining whether existing security frameworks (SOX, HIPAA) implicitly require AI agent access governance as a standard of care.

Litigation will likely move faster than regulation. The first major breach attributable to AI agent over-permissions — and the subsequent liability questions about whether the deploying organization exercised reasonable security practices — will establish a standard of care more concretely than any guidance document. Based on the CSA data, 63 percent of organizations are building exposure toward exactly that case.


Hector Herrera is the founder of Hex AI Systems, where he builds AI-powered operations for mid-market businesses across 16 industries. He writes daily about how AI is reshaping business, government, and everyday life. 20+ years in technology. Houston, TX.
