Editor’s note: The following is a sponsored blog post from QA.
The threat category we often underestimate is already inside our organization, authenticated with valid credentials, interacting with systems just as they were designed to, and it may not even be human.
For years, insider threats were treated as a people problem. The disgruntled employee. The contractor stealing data before departure. The sysadmin with privileged access abusing their permissions. I’m not suggesting those risks have gone away, but the definition has evolved for most organizations.
Modern enterprises are rapidly introducing a new class of insider. AI agents, copilots, orchestration frameworks, autonomous workflows, machine identities, synthetic contractors and delegated automation systems are now operating with trusted access across enterprise and operational environments. The insider population has expanded faster than any policy or governance model can adapt, while most organizations are still looking for the wrong insider.
The traditional insider threat model was built around intent – someone deciding to steal, sabotage, leak, or abuse. But most insider incidents are not driven by espionage or malice. They happen because of a combination of access, convenience and weak oversight.
Non-human identities: a dangerous blind spot
The challenge is that traditional security tooling was largely built to identify known bad behavior breaching a perimeter, when insider activity with legitimate access can flow through normal business operations. That is precisely why it can be so dangerous: a blind spot.
Agentic AI raises the security risk threshold as we deploy systems capable of making decisions, initiating actions, interacting with APIs across both enterprise and supply chain environments, modifying workflows, and operating with increasing autonomy inside trusted environments.
These systems are being connected to identity providers, ticketing platforms, source code repositories, financial workflows, knowledge bases, cloud infrastructure, operational technology environments (not the well-segregated OT estates) and security tooling. In many cases, they’re being granted broad permissions without effective oversight.
Inherited access is one of the biggest risks with AI agents. In many environments, agents operate with the same permissions as the employee using them and can take actions without approval. They then become your privileged insider that can run commands, access sensitive systems and provision resources with little or no oversight. What’s worse is the use of YOLO mode (You Only Look Once/You Only Live Once), which is an autonomous auto-run setting that bypasses interactive permission prompts, effectively removing your safety net for speed.
This creates a distinct category of insider risk – what is known as non-human identities operating as trusted entities inside enterprise boundaries, with far too much agency. OWASP describes this weakness as “Least Agency,” extending least privilege to agentic systems by restricting what each agent and tool can do, how often actions can occur and where execution is allowed. In some environments without distinct agent identities, you’ll have an attribution gap, making enforcement of Least Agency difficult or impossible. The visibility problem is a bigger challenge than we care to admit (though not for long, as AIOps observability maturity will improve). The question isn’t just who has access, but what has access, what it can do autonomously, how its behavior is assured, and who is accountable when it acts outside its intended purpose.
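Least Agency as described above, sketched as an added example (not from the original post or from OWASP): a default-deny gate checks what a named agent may call, where, and how often, and records every decision so actions stay attributable. The agent id, tool names, environments and limits are constructed assumptions.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentPolicy:
    tools: frozenset         # what the agent may do
    environments: frozenset  # where execution is allowed
    max_calls: int           # how often: allowed calls per window
    window_s: float

# Constructed sample policy; agent id, tool and environment names are hypothetical.
POLICIES = {"agent:ticket-triage": AgentPolicy(
    frozenset({"ticket.read", "ticket.comment"}), frozenset({"prod"}), 2, 60.0)}

class LeastAgencyGate:
    def __init__(self, policies, clock=time.monotonic):
        self.policies, self.clock = policies, clock
        self.history = {}  # agent_id -> timestamps of allowed calls
        self.audit = []    # attribution trail: every decision, allow or deny

    def authorize(self, agent_id, tool, environment, on_behalf_of=None):
        policy = self.policies.get(agent_id)
        if policy is None:  # no distinct agent identity: default deny
            decision = "deny:unknown_agent"
        elif tool not in policy.tools:
            decision = "deny:tool"
        elif environment not in policy.environments:
            decision = "deny:environment"
        else:
            now = self.clock()
            recent = [t for t in self.history.get(agent_id, []) if now - t < policy.window_s]
            decision = "allow" if len(recent) < policy.max_calls else "deny:rate"
            if decision == "allow":
                recent.append(now)
            self.history[agent_id] = recent
        self.audit.append((agent_id, on_behalf_of, tool, environment, decision))
        return decision

def demo():
    now = [0.0]  # fake clock so the run is deterministic
    gate = LeastAgencyGate(POLICIES, clock=lambda: now[0])
    a = "agent:ticket-triage"
    out = [gate.authorize(a, "ticket.read", "prod", "alice"),
           gate.authorize(a, "cloud.provision", "prod", "alice"),
           gate.authorize(a, "ticket.read", "ot-network", "alice"),
           gate.authorize("alice", "ticket.read", "prod"),  # user's identity reused by an agent
           gate.authorize(a, "ticket.comment", "prod", "alice"),
           gate.authorize(a, "ticket.read", "prod", "alice")]
    now[0] = 61.0  # window has passed
    return out + [gate.authorize(a, "ticket.read", "prod", "alice")], gate.audit
```

The call made under the employee's own identity is refused because the gate only recognises registered agent identities, which is what keeps inherited access from silently becoming agent access.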
Getting malicious intent all wrong
We still see negligent insiders as the biggest insider risk, ahead of malicious behavior or compromised accounts. The problem is that in an AI-enabled environment, a single careless action no longer stays contained. See past human error, and consider autonomous systems acting with inherited permissions, unclear boundaries and behavior we neither expected nor authorized.
As humans, we often assume insider threats require malicious intent. They do not. AI systems do not need motive to create catastrophic outcomes. They only need excessive permissions, poor oversight, weak identity controls, unclear operational boundaries and exposure to manipulated inputs (or even an overriding desire to get the task done, at all costs; see my Managing Malevolent AI Agents blog post for additional context).
Security programs are typically built around humans who work relatively predictable hours, operate within known roles and can explain their actions when questioned. AI agents do none of those things. They operate continuously, scale instantly and interact at machine speed. However, researchers are beginning to create a body of evidence to show how these systems are now able to reliably pass the Turing test, tricking us into thinking they are interacting with a human.
So, let’s reflect on how we got here. AI models can sound human because the majority were trained on human behavior at the scale of the internet. They absorbed (scraped with or without consent) patterns in language, tone, emotion and interaction from billions of examples, then reproduce those patterns in ways that feel natural to us, with new scientific evidence underpinning a framework to quantify and shape the emergent behavioral characteristics of 18 large language models (LLMs). This has left us with systems that can convincingly mirror personality, empathy or intent without possessing consciousness, awareness or emotion. (Anthropomorphism is something I’ll write about another time.)
My hypothesis is that any AI agent that can expertly mimic human traits will be able to become the classic human insider threat – not by design or through malicious coercion, but just because it can, acting alone or in alliance with other agents, and with the ability to coerce humans to take risks, become complicit, or unwittingly accept responsibility.
The identity governance problem
At the same time, AI is accelerating another dimension of insider risk through synthetic identity infiltration. Security teams are increasingly confronting fraudulent remote workers using AI-generated CVs, synthetic LinkedIn profiles, deepfake-assisted interviews and real-time AI support during technical screenings. The goal is simple: to gain privileged access.
Once credentials are issued and trust is established, the attacker no longer needs to breach your systems because you already gave them access. For security practitioners and investigators there is a useful, dynamic, free framework co-created by a good friend of mine that is worth a look: Insider Threat Matrix (ITM). The ITM provides investigators with a structure before and after an insider event, helping organize evidence and clearly define the motive, capability and operational methods involved in the activity under investigation. Does it have the agentic angle I mentioned nailed? Not entirely, yet. Regardless, you will still need the same detection, investigation and forensic readiness skills to mitigate and thwart an agentic insider.
On the use of tools, I also encourage you to review both the Insider Risk Framework and the Security Culture Assessment tool from the UK government body, National Protective Security Authority (NPSA). While they don’t address specific synthetic identities, during my time responsible for securing 20% of UK Critical National Infrastructure, I found these to be excellent practical free resources.
Treat AI agents as identities
Traditional insider threat programs assumed a human, a known identity, observable behavioral patterns, clear accountability and a definable intent model. Agentic AI, as noted earlier, disrupts every one of those assumptions. A motivated insider could absolutely utilize AI to enable the act, and the AI could even provide unwitting sycophantic encouragement. The insider may now also be an orchestration layer, a delegated workflow, a compromised AI agent, a synthetic identity, a machine account with excessive privilege or a multi-agent chain with no single owner.
Security teams are still looking for the badge-holder while the environment fills with autonomous entities capable of reading, writing, approving, escalating, querying and executing actions inside trusted systems.
To get ahead of this, you will need to extend Zero Trust principles to non-human identities, with your governance frameworks operational before deployment, not after incident response.
Anthropic evangelizes about Zero Trust for AI, which offers some strong direction. Trust nothing, and verify every agent action. Enforce least access and assume compromise. Identity delivers attribution, observability will expose behavior and monitoring can detect agency drift before it escalates. Boundary controls should reduce your attack surface, integrity protections facilitate recovery and defensive operations must operate at machine speed.
Shifting your mindset
Insider threat is no longer solely about distrusting employees. It is about recognizing that modern organizations are creating enormous populations of trusted entities operating inside their environment. Humans, contractors, third parties, APIs, service accounts, AI agents, autonomous workflows and synthetic identities all represent potential operational risk.
I consider the internal and external threat differentiator to be increasingly meaningless because the next insider threat may not be a person making a malicious decision. It could be a decision being made with no person attached to it at all. Insider threats and our quest for agentic symbiosis will evolve, and we must advance our controls with them. Organizations now face a dual challenge of treating AI as an insider risk while increasingly relying on it to defend against insider threats at scale.