Agents, Leaks & Regulations

There's a strange thing happening in enterprise tech right now.

Companies are deploying AI agents that can read emails, execute code, query databases, and make financial decisions. These agents have access to internal tools, customer data, and production systems. They run 24/7. They operate with real credentials and real permissions.

And most of these companies have no idea what their AI security posture actually looks like.

Not "we haven't gotten around to it yet." More like — they haven't even mapped what their agents can do, what data flows through them, or where the trust boundaries are.

This isn't a future problem. It's happening right now, at companies that otherwise take security seriously.

The incidents that should have been the wake-up call

Samsung was the first big one. In April 2023, engineers at the semiconductor division pasted proprietary source code and internal meeting notes into ChatGPT within three weeks of getting access. The company banned all external AI tools. But by then, the data was already sitting on OpenAI's servers, potentially being used for model training.

That should have been enough. It wasn't.

Since then, the incidents have gotten worse — and more structurally interesting. Microsoft 365 Copilot has been hit by multiple prompt injection vulnerabilities, including a zero-click attack called EchoLeak where a crafted email — just arriving in a user's inbox — was enough to trigger Copilot's search tools and exfiltrate corporate data to an attacker's server. No click required. The user didn't have to do anything.

Slack AI had a similar problem. Researchers showed that a malicious message posted in a public channel could manipulate Slack's AI search into extracting API keys from private channels. Slack's initial response was that public channel access was "intended behavior."

And then there's the GitHub MCP attack from May 2025 — malicious commands hidden in public repository Issues were executed by developers' AI agents, resulting in private source code and cryptographic keys being exfiltrated.

The blind spots most companies don't know they have

Here's what makes this different from the usual "security is important" conversation: most organizations genuinely don't know what they're exposed to.

IBM's 2025 Cost of a Data Breach report found that 97% of organizations that experienced an AI-related breach didn't have proper access controls on their AI systems. Not that their controls were weak — they didn't have them at all.

Kiteworks reported that 86% of organizations have no visibility into how data flows through their AI systems. They don't know what data their agents access, where it goes, or who else can see it.

And about half of European organizations haven't completed a basic AI system inventory. They literally don't know how many AI systems they're running.

This is the thing that gets overlooked in every "state of AI security" report: the problem isn't that companies have bad security for their AI. The problem is they haven't even done the foundational work of figuring out what they have, where data goes, and what the blast radius looks like if something goes wrong.

You can't secure what you can't see. And right now, most companies can't see.

The shadow AI problem compounds everything

On top of the AI systems companies know about, there's a whole layer they don't.

About 72% of enterprise GenAI usage runs through personal accounts and unapproved tools, according to Netskope. Employees are pasting customer data, source code, financial projections, and M&A documents into ChatGPT, Claude, and dozens of other tools — often through personal accounts that bypass every security control the company has.

IBM found that breaches involving shadow AI cost about $670,000 more than standard breaches and take 247 days to detect on average. By the time you find the problem, the damage is months old.

The frustrating part is that blanket bans don't work. Samsung banned ChatGPT. So did Apple, JPMorgan, Goldman Sachs, and a dozen others. But employees keep using AI tools because they're productive. Organizations that provided approved, secure alternatives saw 89% reductions in unauthorized use. The answer isn't "stop using AI" — it's "use AI in a way that doesn't leave your data scattered across a dozen third-party servers."

This is exactly where secure local LLM deployments come in. Running models locally — whether it's Llama, Mistral, or another open-weight model — means your data never leaves your infrastructure. No vendor training on your prompts, no retention policies you don't control, no jurisdictional complications. Over half of organizations have started moving in this direction already, but most are doing it ad-hoc, without proper security architecture around it.

The compliance clock is already ticking

If the security argument alone doesn't move the needle, the regulatory one might.

The EU AI Act's high-risk system obligations take full effect on August 2, 2026. That's about four months from now. Companies deploying AI agents in areas like finance, HR, healthcare, or legal — or any system that makes decisions affecting people — will need to demonstrate:

• Continuous risk management
• Technical documentation
• Automatic event logging retained for at least six months
• Human oversight proportional to the system's autonomy
• Cybersecurity measures

And yet, a Deloitte survey of 500 German managers found that nearly half hadn't seriously engaged with AI Act compliance at all. Only 18% of European executives felt prepared for AI risk governance.

The gap between what the regulation requires and what companies have actually done is enormous. Many of them haven't even completed step one: a comprehensive inventory of their AI systems. Without knowing what AI you're running, you can't classify it by risk level. Without risk classification, you can't build the documentation, logging, or oversight required. Without those, you're looking at fines that could dwarf anything GDPR has produced.

For companies operating in the EU or serving EU customers, compliance readiness isn't something you can put off until Q3. The groundwork — inventorying AI systems, mapping data flows, establishing documentation and logging — takes months even when you know what you're doing.

Why agents are different from everything that came before

There's a reason OWASP published a separate top 10 risk list specifically for agentic AI in December 2025, distinct from their LLM risks list. Agents aren't just chatbots with more features. They're a fundamentally different security problem.

A chatbot takes input and returns text. An agent takes input, reasons about it, and then acts — calling APIs, writing files, sending messages, executing code. The attack surface isn't the model itself. It's everything the model is connected to.

These aren't theoretical. Galileo AI ran a simulation where a single compromised agent poisoned 87% of downstream decision-making within four hours.

What makes this particularly hard to defend against is that agents are non-deterministic. The same input can produce different behavior depending on context, memory state, and the content of whatever documents the agent retrieved. Traditional security tools, designed for deterministic software with predictable control flows, weren't built for this.

You can't just scan the code and call it secure. You need to map every path the agent can take — every tool it can call, every data source it can access, every action it can trigger — and then assess the security implications of each path. That's a different discipline from code scanning or penetration testing. It's closer to threat modeling, but adapted for systems that don't have a fixed execution path.

What "taking action" actually looks like

The companies that are getting this right aren't buying a single product and calling it done. They're approaching AI security as a multi-layered problem that starts with visibility and works outward.

Know what you have. Before you can secure your AI systems, you need an inventory. How many agents, models, and AI-powered tools are running in your environment? What data do they access? What permissions do they have? What's sanctioned versus shadow? Most companies skip this step and regret it.

Map the data flows and trust boundaries. Once you know what you have, you need to understand how data moves through these systems. Where does sensitive data enter an agent's context? Where can it exit? Which trust boundaries does it cross? An agent that reads customer emails and can make API calls to external services is crossing a trust boundary that most security architectures weren't designed to handle.

Assess the actual threats. Not generic "AI is risky" assessments — specific, path-by-path analysis of what could go wrong. What happens if an agent is given a malicious prompt through a document it retrieves? What happens if its memory is poisoned? What's the blast radius if a single tool integration is compromised? This is the kind of threat modeling that catches the real vulnerabilities.

Get your compliance house in order. If you're operating in the EU, you need documentation, logging, risk management processes, and human oversight mechanisms that meet the AI Act's requirements. Starting this now, not in July, is the difference between readiness and scrambling.

Secure your data pipeline. If you're sending sensitive data to third-party LLM providers, understand exactly what happens to that data. Consider whether a local LLM deployment makes more sense for sensitive workloads — particularly for processing customer data, financial information, or anything covered by GDPR.

The window is closing

Here's the uncomfortable math: AI adoption is moving at the fastest rate of any technology in history.

ChatGPT reached 100 million users in two months. About 78% of companies now use AI in at least one business function. Gartner expects 40% of enterprise applications to have embedded AI agents by the end of this year, up from under 5% at the start of 2025.

Meanwhile, security readiness is barely moving. Only 4% of organizations have mature AI security postures. Only 6% have an advanced AI security strategy. The gap between adoption and security isn't narrowing — it's getting wider, month by month.

Every week that passes without a proper security assessment is another week of accumulated, unquantified risk. Another week of agents running with unchecked permissions, data flowing through unmapped channels, and compliance deadlines getting closer.

The companies that will be in the strongest position a year from now are the ones starting this work today. Not because they're paranoid, but because they understand that security debt compounds just like technical debt — except the interest payments come in the form of breaches, fines, and lost customer trust.

---

At RiskVoid.com, we help companies close the gap between AI adoption and AI security. Our services — from AI agent security audits and data flow analysis to compliance readiness assessments and secure local LLM deployments — are designed specifically for the security challenges that come with autonomous AI systems. If you're deploying agents and haven't assessed your security posture, let's talk.