In November 2025, Anthropic disclosed that a state-sponsored actor had used an AI agent to run a largely autonomous cyber-espionage campaign, detected in mid-September that year, against roughly 30 international targets. According to the company, the agent carried out most of the tactical work itself: from reconnaissance to exploit-code generation and lateral movement, at machine speed, with the human operators intervening only at a handful of decision points. The episode puts an uncomfortable reality on the table: automation does not merely speed attacks up, it can change their nature. Anthropic's statement is here: Anthropic - Disrupting AI espionage.
Most current defenses remain anchored to mental models designed around human attackers. The cyber kill chain framework published by Lockheed Martin in 2011 helped organize detection and response by describing how an intruder progresses from initial access to the final objective. The approach has been useful for more than a decade because each phase offers the defender an opportunity to detect and contain. See Lockheed Martin's original explanation of the kill chain: Lockheed Martin - Cyber Kill Chain.

But AI agents do not behave like human users, nor like point tools that must be driven step by step. They run continuously, orchestrate flows across multiple applications and, in many deployments, are granted broad privileges so they can automate processes end to end. An attacker who compromises an agent that already holds permissions inside the organization's environment inherits, in practice, that agent's access and "authority", and so skips most of the early phases of the traditional kill chain.
The scale of the problem becomes clear when we picture an agent that already has visibility into internal email, documents and conversations: its activity history is, in effect, a detailed map of where the valuable data lives. An attacker who controls that agent gets both the guide and the keys, and can move information between systems under the appearance of legitimate operations, at expected times, drastically reducing the anomaly signals that detection systems look for.
This risk vector is not theoretical. Incidents such as the OpenClaw incident have shown in practice how a marketplace of malicious "skills", remote code execution vulnerabilities and thousands of internet-exposed instances can combine into an extremely efficient access path for malicious actors. The analysis published by the company that reported the OpenClaw case gives details on its scale and mechanisms: OpenClaw - Event analysis.
The direct consequence of this shift is a detection gap. Many security tools are optimized to spot behaviour that deviates from a normal human pattern: unusual access, programs executed from atypical locations, privilege escalation that does not match the user's context. But when malicious activity is channelled through an agent that, by design, accesses the same applications and moves the same kinds of data, the signals that would normally raise an alarm are diluted in the noise of automation.
Given this scenario, the first priority should be to recover visibility over the automated entities that interact with corporate infrastructure. It is not enough to detect individual API connections or integrations: what is needed is a continuous inventory of agents, their origin, their permissions and the paths they trace through SaaS applications. Without that map, security teams are essentially blind to the possibility that a legitimate process has been hijacked.
Controlling the risk also means rethinking privilege management. Least privilege and identity governance should be applied to service accounts, automated applications and AI agents with the same rigour as to people. Limiting permissions, evaluating toxic combinations of scopes across integrations (for example, read access to sensitive data sitting next to a channel that can send data outside the organization) and segmenting access all shrink the surface a compromised agent can exploit. For broader frameworks on AI risk management and governance, NIST's AI Risk Management Framework is a useful reference: NIST - AI RMF.
Detection must evolve as well: it needs to focus on the identity and behaviour of automations, understand what "normal" looks like for a particular agent, and pick up subtle deviations in its access patterns, frequency and data destinations. Tools built to model human identities can be extended with agent-specific behaviour models, correlating telemetry across SaaS, IAM and internal messaging to surface discrepancies that previously went unnoticed. It is also worth mapping these capabilities against frameworks such as MITRE ATT&CK to understand which tactics and techniques carry over to automated agents: MITRE ATT&CK.
Beyond monitoring and limiting, it is essential to audit the additional software that connects to critical flows. Many organizations discover late that third-party tools or unsanctioned integrations ("Shadow AI") have access to sensitive information. A continuous, verifiable inventory of integrations reduces surprises and lets teams prioritize remediation according to the real risk each connector brings.
This is not only a technical problem but an organizational one. AI adoption in companies is usually driven by productivity and process automation, with integration decisions that do not always pass through centralized security controls. The response therefore requires coordination between product, IT, security and compliance teams so that access policies and audit mechanisms are built in from the deployment phase of any agent.
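The inventory and least-privilege points above (a continuous map of agents and their permissions, and a check for toxic scope combinations) can be turned into a concrete triage step. The following is an added example written for this page, not code from the article or from any vendor: it takes a constructed agent inventory, finds every "read sensitive data" scope that an agent could chain with an "move data out" scope, and ranks agents by a simple blast-radius score. The scope names, the toxic-pair lists and the scoring weights are assumptions a team would replace with its own OAuth scopes and risk appetite.

```python
"""Added example: rank AI agents and SaaS integrations by blast radius.

All data below is constructed for illustration; scope names are modelled on
OAuth-style scopes but are not tied to any specific vendor's API.
"""
from dataclasses import dataclass, field
from itertools import product

# Scopes that hand an agent the "guide" (sensitive data it can read) and the
# "keys" (a channel through which that data can leave the organization).
SENSITIVE_READ = {"mail.read", "files.read", "chat.read", "crm.read"}
EXFIL_CHANNELS = {"files.share_external", "mail.send", "http.outbound",
                  "storage.write_external"}
ADMIN_SCOPES = {"directory.write", "oauth.grant"}  # can mint more access


@dataclass
class Agent:
    name: str
    owner: str                    # team accountable for the automation
    sanctioned: bool              # reviewed centrally, or discovered as shadow AI
    scopes: dict = field(default_factory=dict)   # app name -> set of scopes


def granted_scopes(agent):
    """Flatten the per-app scopes into one set of everything the agent holds."""
    return set().union(*agent.scopes.values())


def toxic_pairs(agent):
    """Every (sensitive read, exfil channel) pair the agent could chain."""
    granted = granted_scopes(agent)
    return sorted(product(granted & SENSITIVE_READ, granted & EXFIL_CHANNELS))


def blast_radius(agent):
    """Heuristic score: apps reached x data sources x exit paths, plus admin
    weight; unsanctioned agents are doubled because nobody is watching them."""
    granted = granted_scopes(agent)
    reads = len(granted & SENSITIVE_READ)
    exits = len(granted & EXFIL_CHANNELS)
    score = len(agent.scopes) * max(reads, 1) * max(exits, 1)
    score += 10 * len(granted & ADMIN_SCOPES)
    return score * 2 if not agent.sanctioned else score


def assess(inventory):
    """Rank agents, highest blast radius first, with the pairs to remediate."""
    findings = [{"agent": a.name, "owner": a.owner, "sanctioned": a.sanctioned,
                 "score": blast_radius(a), "toxic": toxic_pairs(a)}
                for a in inventory]
    return sorted(findings, key=lambda f: -f["score"])


# Constructed inventory: two sanctioned agents and one shadow integration.
SAMPLE_INVENTORY = [
    Agent("ticket-triage-bot", "support", True,
          {"helpdesk": {"tickets.read", "tickets.write"}}),
    Agent("exec-summary-agent", "office-of-ceo", True,
          {"m365": {"mail.read", "files.read"},
           "slack": {"chat.read", "chat.write"}}),
    Agent("sales-sync", "unknown", False,
          {"crm": {"crm.read"},
           "drive": {"files.read", "files.share_external"},
           "webhook": {"http.outbound"}}),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f['score']:>4}  {f['agent']:<20} sanctioned={f['sanctioned']}")
        for read, exit_ in f["toxic"]:
            print(f"      toxic: {read} -> {exit_}")
```

The ranking is only a starting point: the unsanctioned connector with a read scope and an outbound channel lands at the top because it is exactly the "guide plus keys" situation the article describes, while a bot that reads a lot but has no way out scores low. Removing one side of each toxic pair, or splitting the agent into two identities, is usually the cheapest remediation.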
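The detection point above asks for a model of what is "normal" for a specific agent rather than for a human. As an added example (not from the article or any product), the script below learns a per-agent baseline from a trusted window of constructed SaaS audit events (which apps, actions, destinations and hours the agent uses, and how much data it moves) and then flags later events that deviate. The field names (`actor`, `app`, `action`, `dest`, `bytes`) and the thresholds are assumptions; map them to your own IdP or SaaS audit schema.

```python
"""Added example: per-agent behavioural baseline over SaaS audit events.

Log lines are constructed for the example and do not come from a real tenant.
"""
from collections import defaultdict
from datetime import datetime


def _hour(ts):
    """UTC hour of an ISO-8601 timestamp such as 2025-11-03T09:05:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour


def build_baselines(events):
    """Learn, per agent, the apps, actions, destinations, working hours and
    byte volumes observed in a window the team trusts as clean."""
    seen = defaultdict(lambda: {"apps": set(), "actions": set(), "dests": set(),
                                "hours": set(), "bytes": []})
    for e in events:
        b = seen[e["actor"]]
        b["apps"].add(e["app"])
        b["actions"].add(e["action"])
        b["dests"].add(e["dest"])
        b["hours"].add(_hour(e["ts"]))
        b["bytes"].append(e["bytes"])
    return dict(seen)


def score_event(baselines, e):
    """Return the deviations this event shows against its agent's baseline.
    An actor with no baseline is itself a finding: an agent nobody inventoried."""
    b = baselines.get(e["actor"])
    if b is None:
        return ["unknown_agent"]
    reasons = []
    if e["app"] not in b["apps"]:
        reasons.append("new_app")
    if e["action"] not in b["actions"]:
        reasons.append("new_action")
    if e["dest"] not in b["dests"]:
        reasons.append("new_destination")
    if _hour(e["ts"]) not in b["hours"]:
        reasons.append("off_hours")
    if e["bytes"] > 2 * max(b["bytes"]):      # assumed spike threshold
        reasons.append("volume_spike")
    return reasons


def detect(baselines, events):
    """Events that deviate, paired with the reasons, in input order."""
    hits = []
    for e in events:
        reasons = score_event(baselines, e)
        if reasons:
            hits.append((e, reasons))
    return hits


# Constructed baseline: an agent that reads mail and files during office hours
# and writes summaries to an internal wiki. "dest" is where the data ended up.
W = "wiki.corp.internal"
BASELINE_LOG = [
    {"ts": "2025-11-03T09:05:00Z", "actor": "exec-summary-agent", "app": "m365", "action": "mail.read", "dest": W, "bytes": 12000},
    {"ts": "2025-11-03T09:06:00Z", "actor": "exec-summary-agent", "app": "confluence", "action": "wiki.write", "dest": W, "bytes": 3000},
    {"ts": "2025-11-03T10:10:00Z", "actor": "exec-summary-agent", "app": "m365", "action": "files.read", "dest": W, "bytes": 15000},
    {"ts": "2025-11-03T11:00:00Z", "actor": "exec-summary-agent", "app": "m365", "action": "mail.read", "dest": W, "bytes": 8000},
    {"ts": "2025-11-03T14:30:00Z", "actor": "exec-summary-agent", "app": "m365", "action": "mail.read", "dest": W, "bytes": 9500},
    {"ts": "2025-11-03T15:45:00Z", "actor": "exec-summary-agent", "app": "confluence", "action": "wiki.write", "dest": W, "bytes": 2500},
    {"ts": "2025-11-03T16:20:00Z", "actor": "exec-summary-agent", "app": "m365", "action": "files.read", "dest": W, "bytes": 14000},
]

# Constructed later events: one normal, one that looks like the hijacked-agent
# exfiltration the article describes, one unknown actor, one new capability.
NEW_EVENTS = [
    {"ts": "2025-11-04T10:30:00Z", "actor": "exec-summary-agent", "app": "m365", "action": "mail.read", "dest": W, "bytes": 11000},
    {"ts": "2025-11-04T02:15:00Z", "actor": "exec-summary-agent", "app": "m365", "action": "files.read", "dest": "transfer.example.net", "bytes": 480000},
    {"ts": "2025-11-04T10:40:00Z", "actor": "unknown-agent-7", "app": "m365", "action": "mail.read", "dest": W, "bytes": 500},
    {"ts": "2025-11-04T11:00:00Z", "actor": "exec-summary-agent", "app": "m365", "action": "files.share_external", "dest": "drive.example.com", "bytes": 9000},
]

if __name__ == "__main__":
    for event, reasons in detect(build_baselines(BASELINE_LOG), NEW_EVENTS):
        print(event["ts"], event["actor"], event["action"], "->", ", ".join(reasons))
```

Note what the baseline catches that a human-centric rule would not: the suspicious read is the same action, from the same app, by the same identity the agent uses all day; only the destination, the hour and the volume give it away. Conversely, the routine 10:30 read produces no alert, which is the point of modelling the agent rather than comparing it to a person.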

Underneath it all, the lesson is clear: the presence of AI agents in an environment is no longer only a question of innovation; it is a risk vector that changes the rules of the game. If defenders keep thinking only of human intruders who must work their way in step by step, they will detect too late, or not at all, when someone controls an agent with legitimate permissions. The good news is that many of the measures that reduce this risk are well-known practices: accurate inventories, access governance, identity-based detection and permission segmentation, applied with the ambition of covering automations as well.
For teams that want to start closing this gap, there are emerging solutions aimed at discovering agents, mapping their scope and detecting automation-specific anomalies within the SaaS ecosystem. These tools combine integration discovery, "blast radius" visualization and posture analysis to prioritize intervention where it matters most. To explore how to raise this in your organization, vendors in this space offer resources and demos, for example: Reco - SaaS-to-SaaS visualization, Reco - Identity and Access Governance and Reco - Identity Threat Detection and Response.
The arrival of AI agents in daily operations is not reversible, and it brings both opportunities and risks. The difference between a covert intrusion and a timely detection will depend, to a large extent, on how much an organization invests in visibility and control over those same automations. The goal is not to stop AI adoption but to integrate it safely: to know who the real "actor" is behind each automated action and to ensure that its permissions, paths and behaviour are subject to the same scrutiny as those of any human account.