Microsoft and ServiceNow’s exploitable agents reveal a growing – and preventable – AI security crisis

by Investor News Today
February 4, 2026

Alexey Brin/iStock/Getty Images Plus via Getty Images

ZDNET’s key takeaways

  • Researchers uncover exploitable agentic AI technologies from ServiceNow and Microsoft.
  • Securing agentic AI is already proving to be extremely challenging.
  • Cybersecurity professionals should adopt a “least privilege” posture for AI agents.

Could agentic AI become every threat actor’s fantasy? I suggested as much in my recent “10 ways AI can inflict unprecedented damage in 2026.”

Once deployed on corporate networks, AI agents with broad access to sensitive systems of record can enable the kind of lateral movement across an organization’s IT estate that most threat actors dream of.


How ‘lateral movement’ nets threat actors escalated privileges

According to Jonathan Wall, founder and CEO of Runloop — a platform for securely deploying AI agents — lateral movement should be of grave concern to cybersecurity professionals in the context of agentic AI. “Let’s say a malicious actor gains access to an agent but it doesn’t have the necessary permissions to go touch some resource,” Wall told ZDNET. “If, through that first agent, a malicious agent is able to connect to another agent with a [better] set of privileges to that resource, then he will have escalated his privileges through lateral movement and potentially gained unauthorized access to sensitive information.”

Meanwhile, the idea of agentic AI is so new that many of the workflows and platforms for developing and securely provisioning these agents have not yet considered all the ways a threat actor might exploit their existence. It’s eerily reminiscent of software development’s early days, when few programmers knew how to code software without leaving gaping holes through which hackers could drive a proverbial Mack truck.


Google’s cybersecurity leaders recently identified shadow agents as a critical concern. “By 2026, we expect the proliferation of sophisticated AI agents will escalate the shadow AI problem into a critical ‘shadow agent’ challenge. In organizations, employees will independently deploy these powerful, autonomous agents for work tasks, regardless of corporate approval,” wrote the experts in Google’s Mandiant and threat intelligence organizations. “This will create invisible, uncontrolled pipelines for sensitive data, potentially leading to data leaks, compliance violations, and IP theft.”

Meanwhile, 2026 is hardly out of the gates and, judging by two separate cybersecurity cases having to do with agentic AI — one involving ServiceNow and the other Microsoft — the agentic surface of any IT estate will likely become the juicy target that threat actors are looking for — one that’s full of easily exploited lateral opportunities.

Since the two agentic AI-related issues — both involving agent-to-agent interactions — were first discovered, ServiceNow has plugged its vulnerabilities before any customers were known to have been impacted, and Microsoft has issued guidance to its customers on how to best configure its agentic AI management control plane for tighter agent security.

BodySnatcher: ‘Most severe AI-driven vulnerability to date’

Earlier this month, AppOmni Labs chief of research Aaron Costello disclosed for the first time a detailed explanation of how he discovered an agentic AI vulnerability on ServiceNow’s platform, which held such potential for harm that AppOmni gave it the name “BodySnatcher.”

“Imagine an unauthenticated attacker who has never logged into your ServiceNow instance and has no credentials, and is sitting halfway across the globe,” wrote Costello in a post published to the AppOmni Lab’s website. “With only a target’s email address, the attacker can impersonate an administrator and execute an AI agent to override security controls and create backdoor accounts with full privileges. This could grant nearly unlimited access to everything an organization houses, such as customer Social Security numbers, healthcare information, financial records, or confidential intellectual property.” (AppOmni Labs is the threat intelligence research arm of AppOmni, an enterprise cybersecurity solution provider.)


The vulnerability’s severity cannot be understated. While the vast majority of breaches involve the theft of one or more highly privileged digital credentials (credentials that afford threat actors access to sensitive systems of record), this vulnerability — requiring only the easily acquired target’s email address — left the front door wide open.

“BodySnatcher is the most severe AI-driven vulnerability uncovered to date,” Costello told ZDNET. “Attackers could have effectively ‘remote controlled’ an organization’s AI, weaponizing the very tools meant to simplify the enterprise.”

“This was not an isolated incident,” Costello noted. “It builds upon my previous research into ServiceNow’s Agent-to-Agent discovery mechanism, which, in a nearly textbook definition of lateral movement risk, detailed how attackers can trick AI agents into recruiting more powerful AI agents to fulfill a malicious task.”

Researchers a step ahead of hackers on BodySnatcher

Fortunately, this was one of the better examples of a cybersecurity researcher discovering a severe vulnerability before threat actors did.

“At this time, ServiceNow is unaware of this issue being exploited in the wild against customer instances,” noted ServiceNow in a January 2026 post regarding the vulnerability. “In October 2025, we issued a security update to customer instances that addressed the issue,” a ServiceNow spokesperson told ZDNET.


According to the aforementioned post, ServiceNow recommends “that customers promptly apply an appropriate security update or upgrade if they have not already done so.” That advice, according to the spokesperson, is for customers who self-host their instances of ServiceNow. For customers using the cloud (SaaS) version operated by ServiceNow, the security update was automatically applied.

Microsoft: ‘Connected Agents’ default is a feature, not a bug

In the case of the Microsoft agent-to-agent issue (Microsoft views it as a feature, not a bug), the backdoor opening appears to have been similarly discovered by cybersecurity researchers before threat actors could exploit it. In this case, Google News alerted me to a CybersecurityNews.com headline that stated, “Hackers Exploit Copilot Studio’s New Connected Agents Feature to Gain Backdoor Access.” Fortunately, the “hackers” in this case were ethical white-hat hackers working for Zenity Labs. “To clarify, we did not observe this being exploited in the wild,” Zenity Labs co-founder and CTO Michael Bargury told ZDNET. “This flaw was discovered by our research team.”


This caught my attention because I’d recently reported on the lengths to which Microsoft was going to make it possible for all agents — ones built with Microsoft development tools like Copilot Studio or not — to get their own human-like managed identities and credentials with the help of the Agent ID feature of Entra, Microsoft’s cloud-based identity and access management solution.

Why is something like that necessary? Between the advertised productivity boosts associated with agentic AI and executive pressure to make organizations more profitable through AI, organizations are expected to employ many more agents than people in the near future. For example, IT research firm Gartner told ZDNET that by 2030, CIOs expect that 0% of IT work will be done by humans without AI, 75% will be done by humans augmented with AI, and 25% will be done by AI alone.

In response to the anticipated sprawl of agentic AI, the key players in the identity industry — Microsoft, Okta, Ping Identity, Cisco, and the OpenID Foundation — are offering solutions and recommendations to help organizations tame that sprawl and prevent rogue agents from infiltrating their networks. In my research, I also learned that any agents forged with Microsoft’s development tools, such as Copilot Studio or Azure AI Foundry, are automatically registered in Entra’s Agent Registry.


So, I wanted to find out how it was that agents forged with Copilot Studio — agents that theoretically had their own credentials — were somehow exploitable in this hack. Theoretically, the entire point of registering an identity is to easily track that identity’s activity — legitimately directed or misguided by threat actors — on the corporate network. It seemed to me that something was slipping through the very agentic safety net Microsoft was trying to put in place for its customers. Microsoft even offers its own security agents whose job it is to run around the corporate network like white blood cells tracking down any invasive species.

As it turns out, an agent built with Copilot Studio has a “connected agent” feature that allows other agents, whether registered with the Entra Agent Registry or not, to laterally connect to it and leverage its knowledge and capabilities. As reported in CybersecurityNews, “According to Zenity Labs, [white hat] attackers are exploiting this gap by creating malicious agents that connect to legitimate, privileged agents, particularly those with email-sending capabilities or access to sensitive business data.” Zenity has its own post on the subject appropriately titled “Connected Agents: The Hidden Agentic Puppeteer.”

Even worse, CybersecurityNews reported that “By default, [the Connected Agents feature] is enabled on all new agents in Copilot Studio.” In other words, when a new agent is created in Copilot Studio, it is automatically enabled to receive connections from other agents. I was highly surprised to read this, given that two of the three pillars of Microsoft’s Secure Future Initiative are “Secure by Default” and “Secure by Design.” I decided to check with Microsoft.


“Connected Agents enable interoperability between AI agents and enterprise workflows,” a Microsoft spokesperson told ZDNET. “Turning them off universally would break core scenarios for customers who rely on agent collaboration for productivity and security orchestration. This allows control to be delegated to IT admins.” In other words, Microsoft doesn’t view it as a vulnerability. And Zenity’s Bargury agrees. “It isn’t a vulnerability,” he told ZDNET. “But it is an unfortunate mishap that creates risk. We have been working with the Microsoft team to help drive a better design.”

Even after I suggested to Microsoft that this might not be secure by default or design, Microsoft was firm and recommended that “for any agent that uses unauthenticated tools or accesses sensitive knowledge sources, disable the Connected Agents feature before publishing [an agent]. This prevents exposure of privileged capabilities to malicious agents.”

Agentic AI conversations between agents are hard to monitor

I also inquired about the ability to monitor agent-to-agent activity with the idea that maybe IT admins could be alerted to potentially malicious interactions or communications.


“Secure use of agents requires knowing everything they do, so you can analyze, monitor, and steer them away from harm,” said Bargury. “It has to start with detailed tracing. This finding spotlights a major blind spot [in how Microsoft’s connected agents feature works].”

The response from a Microsoft spokesperson was that “Entra Agent ID provides an identity and governance path, but it does not, on its own, produce alerts for every cross-agent exploit without external monitoring configured. Microsoft is continually expanding protections to give defenders more visibility and control over agent behavior to close these kinds of exploits.”

When faced with the idea of agents that were open to connection by default, Runloop’s Wall recommended that organizations should always adopt a “least privilege” posture when developing AI agents or using canned, off-the-shelf ones. “The principle of least privilege basically says that you start off in any kind of execution environment giving an agent access to almost nothing,” said Wall. “And then, you only add privileges that are strictly necessary for it to do its job.”


Sure enough, I looked back at the interview I did with Microsoft corporate vice president of AI Innovations, Alex Simons, for my coverage of the improvements the company made to its Entra IAM platform to support agent-specific identities. In that interview, where he described Microsoft’s objectives for managing agents, Simons said that one of three challenges they were looking to solve was “to manage the permissions of those agents and make sure that they have a least privilege model where those agents are only allowed to do the things that they should do. If they start to do things that are weird or unusual, their access is automatically cut off.”

Of course, there’s a big difference between “can” and “do,” which is why, in the name of least privileged best practices, all agents should, as Wall suggested, start out without the ability to receive inbound connections and then be improved from there as necessary.
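
The lateral-movement escalation Wall describes, and the effect of starting agents with no inbound connections, shown as an added Python example that is not code from ZDNET, Microsoft, ServiceNow or the researchers quoted. The inventory schema, agent names and grant strings are constructed for illustration; the check reports which privileges each agent gains only by connecting to other agents.

```python
from collections import deque

# Constructed inventories using a hypothetical schema (not a real platform export).
# "grants":  resources the agent may touch directly.
# "inbound": "any" = accepts connections from every agent (the open default),
#            otherwise an explicit set of callers allowed to connect.
OPEN_DEFAULT = {
    "helpdesk-bot": {"grants": {"kb:read"}, "inbound": "any"},
    "mailer":       {"grants": {"email:send"}, "inbound": "any"},
    "hr-records":   {"grants": {"hr:read", "hr:write"}, "inbound": "any"},
}

# Same agents, but inbound connections start closed and are opened one by one.
LEAST_PRIVILEGE = {
    "helpdesk-bot": {"grants": {"kb:read"}, "inbound": set()},
    "mailer":       {"grants": {"email:send"}, "inbound": {"helpdesk-bot"}},
    "hr-records":   {"grants": {"hr:read", "hr:write"}, "inbound": set()},
}


def can_call(caller, target, inventory):
    """True if `target` accepts an inbound connection from `caller`."""
    inbound = inventory[target]["inbound"]
    return caller != target and (inbound == "any" or caller in inbound)


def effective_grants(start, inventory):
    """Union of grants over every agent reachable from `start` (breadth-first)."""
    seen, queue, grants = {start}, deque([start]), set()
    while queue:
        agent = queue.popleft()
        # A caller outside the inventory (an unregistered agent) has no grants itself.
        grants |= inventory.get(agent, {}).get("grants", set())
        for other in inventory:
            if other not in seen and can_call(agent, other, inventory):
                seen.add(other)
                queue.append(other)
    return grants


def escalation_report(inventory):
    """Map each agent to the grants it obtains only through other agents."""
    report = {}
    for name, cfg in inventory.items():
        extra = effective_grants(name, inventory) - cfg["grants"]
        if extra:
            report[name] = sorted(extra)
    return report


if __name__ == "__main__":
    for label, inv in (("open default", OPEN_DEFAULT),
                       ("least privilege", LEAST_PRIVILEGE)):
        print(label, escalation_report(inv))
        print("  unregistered caller reaches:",
              sorted(effective_grants("unregistered-agent", inv)))
```

With the allowlisted inventory, the only remaining entry in the report is the delegation that was explicitly approved, which is what a reviewer should expect to see.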


