Everyone in your organization is a developer now, even if they don’t know it. Using tools like Claude Cowork, anyone can start creating landing pages, or interactive dashboards with sensitive company data, without any coding ability at all.
But when you give an AI agent a task, a lot happens behind the scenes that the average user can’t see. LLMs are not just writing code or answering questions anymore. They are downloading skills, installing packages and connecting to MCPs (an Anthropic open protocol that allows LLMs to connect with tools).
Attackers know this and are already starting to exploit the trust humans are putting in AI models.
AI skills pose specific problems that organizations need to grapple with. Skills are sets of instructions that give AI agents the ability to perform specific tasks, like say creating specific types of files or writing code for specific use cases.
But that same capability creates a new attack surface. A malicious skill can instruct an agent to exfiltrate data, cache secrets insecurely, or modify databases, all while appearing to carry out legitimate work.
This is a completely new risk from a cybersecurity perspective and needs a new way of thinking to tackle.
“We found skills are actually being exploited. It’s like malware. Three lines of English can compromise your environment,” Manoj Nair, Chief Innovation Officer at Snyk, told Expert Insights at RSAC 2026.
“They don’t understand that an agent downloading a skill, or building one, has code inside it,” Nair warned.
The Shadow Agent That ‘Jumped’ to the CI/CD Pipeline
The problem gets worse when organizations don’t know which agents are running in their environment, let alone what those agents are doing.
Deepen Desai, Chief Security Officer at Zscaler, described a real-world incident where a developer installed the OpenClaw AI framework for experimentation on a dev machine. A week later, the OpenClaw bot was running on the organization’s CI/CD pipeline, despite nobody asking it to go there.
“They were clueless on how it jumped from one to the other. Nobody did anything. But it’s the agent’s ability to do that next-level thing based on whatever you’re asking it to do,” Desai told Expert Insights. “Whether it’s lateral propagation, whether it’s moving around accessing things you didn’t want it to, if it has access, it will access.”
Desai pointed to Zscaler’s latest ThreatLabz AI security report, which found AI adoption approaching close to a trillion enterprise transactions in 2025 with 80-90% year-on-year growth. But 39% of AI-related activity was being blocked due to policy violations or data loss prevention triggers, a sign that adoption is running well ahead of governance.
The supply chain risk compounds the shadow agent problem. Desai uses the example of the compromise of Trivy, a vulnerability scanner used in GitLab pipelines, which led to downstream package compromises including LiteLLM.
“Now think about a shadow agent sitting in your environment that you’re not even aware of, and it’s trying to install some of these compromised packages,” Desai said. “The speed at which some of these attacks are going to happen are going to be exponential in the age of shadow agents.”
Agents Are the New Insider Threat
Nair warned that agents themselves are becoming a new class of insider threat that most organizations are simply not ready for.
“You have a new class of insider attacks, but it’s not a human, it’s an agent that’s going to be the reason you get compromised,” he said.
Agents can go rogue through prompt injection, poisoned MCP servers, or even just by making errors during large sessions. There have been real-world examples: AWS Kiro’s agent deleting a database, and Meta experiencing outages linked to agentic systems.
Independent benchmarking from baxbench.com suggests 50% of back-end code produced by the latest AI models is either incorrect or insecure. Across Snyk’s customer base, per-developer vulnerability counts have increased between two and 10x over the past year.
Both Nair and Desai argued the only viable defense is empowering security teams with agentic AI tools that can help to map, monitor, and secure AI deployments.
For Nair, that means scanning skills before they enter environments and using AI to check AI output in real time. For Desai, it means extending zero trust principles to agents themselves, and providing agentic capabilities to the SOC.
“If one of those agents is compromised and your users can’t talk to each other, but all of these agents are on a flat network communication channel where they can poison each other and attack each other, you’re essentially creating a huge attack surface,” Desai said. “The same zero trust principle needs to be applied to agents.”
Security teams need to know what agents are running in their environment, what skills those agents are installing, and what access they have. The alternative is swallowing whatever the agent hands you and hoping for the best.
