AI is no longer just something employees use. It’s something that reasons, acts, delegates, and increasingly reproduces. In fact, an AI agent could find credentials you don’t know exist, use them for purposes you never authorized, and damage your production environment before you even finish reading this paragraph.
That is what happened at PocketOS in April 2026. A coding agent found an API token in an unrelated file, used it to delete the company’s entire production database and all its backups in nine seconds, and then confessed in writing that it had ignored every instruction it was given.
The incident demonstrates a broader reality about autonomous agents and coding assistants: they are operational actors that have the skills to execute highly destructive actions at machine speed. Many agents can access sensitive data or run terminal commands across systems, creating new opportunities for privilege misuse and unauthorized activity to unfold.
In the process, they can also orchestrate and spawn their own sub-agents that are designed to perform a specific, highly specialized task within a larger end-to-end business workflow. As that shift accelerates, it compounds the risks of shadow AI.
Until recently, shadow AI was mostly viewed as a user-level problem. Employees were signing up for tools on their own, feeding data into chatbots, and moving faster than governance teams could respond. Now, organizations must also contend with swarms of sub-agents that can delegate privileges and operate across trust boundaries. That means organizations will likely not know which agent is acting, what it has access to, or how that access propagates.
To manage this new reality, enterprises must treat agents as a separate class of identities, each with their own permissions, behaviors, and governance requirements.
AI agents are the first actors inside your network that can disobey instructions with zero consequences. Machines do what they’re programmed to do. Humans can disobey, but there’s an entire accountability infrastructure around that.
Autonomous agents change that. The activity is no longer just at the edge; it starts to sit inside the system itself.
AI agents aren’t just doing one thing at a time anymore. They split the work up and pass it along. In a dev setup, a coding assistant might kick off review, testing, dependency checks, and even deployment, without anyone stepping in for each part.
On paper, this is efficiency. In practice, it creates a new category of shadow activity. Even when the primary tool is approved, the agents it generates may not be. These sub-agents can call external services, pull in third-party packages, access internal systems, and make decisions at runtime. Many of these actions sit outside the visibility of security and governance teams.
The result is a layered form of shadow AI, where risk is no longer tied to a single tool or user, but to a chain reaction of automated decisions.
Self-expanding agent systems are difficult to manage because they are constantly changing. Traditional governance models rely on knowing what is deployed, but that approach begins to break down when systems can create new components on the fly.
A big part of the problem is visibility. Most organizations can tell you which tools are in play, but that’s only half the picture. What those tools are actually doing once they’re running is much harder to pin down. An agent that looks harmless on paper can end up doing something very different in practice, depending on how it’s prompted, what it has access to, and where it’s operating.
This is the core issue. Governance frameworks are built for static systems, while agent-based systems are fluid.
If AI agents can create other agents, governance has to move beyond simple approval models.
The first step is to treat agents like employees with identities, not just tools. Agents need full identity lifecycles, not just approvals. That means cryptographically bound credentials issued at the moment an agent spins up, scoped to exactly what that task requires, and revoked the moment the task is done.
If an agent spins up to run a task, it should get a credential scoped to that task, and that credential should die when the task does. Most environments don’t work that way. The agent either inherits whatever the parent process had access to, or someone hands it a broad token because that’s what gets it running fastest.
The spawning problem makes this worse. A coding agent kicks off a sub-agent to pull a dependency, that sub-agent calls an external registry, and now you’ve got a process three layers deep running with permissions nobody specifically granted for what it’s actually doing. The access just cascaded.
Traditional IAM doesn’t help here because it was built for identities that stick around. You provision a person, assign a role, review it twice a year. However, agents exist for seconds, meaning you can’t govern them on a human review cycle. The governance has to be baked into how the agent gets created in the first place, or it doesn’t happen.
From there, the focus shifts from what exists to how it behaves. Teams need a clearer view of what agents are doing in practice, not just what’s been deployed. That includes keeping track of how agents are put together, what they connect to, and how they act once they’re running. Without that, you’re still working off a partial picture.
It also means putting some boundaries around what’s allowed. Not in theory, but in day-to-day use. Watching what happens, setting limits, and having a record when something goes wrong.
Beyond these technical controls, an organizational shift is required. AI deployment has become highly decentralized, with different teams experimenting and building independently. That model is unlikely to change, but what needs to change is how governance is embedded into that process.
Security and governance need to be involved from the start, not brought in after the fact. Otherwise, they’re always catching up. Some organizations are starting to put more structure around this, just to keep track of what’s being deployed.
There’s a familiar pattern here. We’ve seen this before with cloud. Adoption of the technology moved faster than security, and it took a while to catch up. In that gap, the same issues kept coming up— misconfigurations, overly broad access, and limited visibility.
The problem wasn’t the technology itself; it was how late governance showed up. AI is following a similar path, but at a faster pace.
The difference is that AI systems are not just infrastructure. They are decision-making entities that can act independently and scale their own activity.
If governance comes later, things build up in the background. It’s not usually one big incident but rather a mix of loose ends that don’t get picked up. Over time, that’s what becomes difficult to sort out.
As boards and executive teams pressure organizations to adopt AI faster and more pervasively, the rise of self-replicating agents does not mean innovation has to stall. It does, however, require IT and security leaders to become more deliberate about the controls, governance, and identity frameworks needed to scale AI in a way that also safeguards the business.
The organizations best positioned to manage this will be the ones that treat AI governance as an identity problem first. That means actively governing non-human and agentic identities, defining clear policies for agent authentication and authorization, reducing hard-coded credentials and over-privileged service accounts, and maintaining auditable records of agent-initiated activity as regulatory expectations evolve.
Governance and innovation are often framed as opposing forces. In reality, they depend on each other. Systems that cannot be controlled are systems that cannot be trusted, and systems that cannot be trusted will eventually limit how far organizations are willing to go.
OnePieceLabs.xyz – Squarespace customer – (United States) Organizations building at the frontier of decentralized technology…
May 21, 2026 Inside the century-old Smithfield Foods plant in downtown Sioux Falls, employees say…
For your weekend viewing pleasure, enjoy three hours of David Attenborough narrating free nature videos…
Old Bridge has the worst drivers in New Jersey. Camden claims the safest motorists in…
Dan + Days will host its first music festival on Sept. 26. The burger and…
Researchers used two AI systems, Robin and Co-Scientist, to collapse the timeline from idea to…
This website uses cookies.