The Workforce Has Expanded: How Attackers Are Targeting Enterprise AI Agents

The workforce is no longer made up of humans alone. Across enterprise environments, AI agents are being deployed to browse the web, send emails, approve requests, access internal systems, and execute multi-step workflows. They operate autonomously, often with the same permissions as the employees who authorized them, and the scale of this shift is accelerating faster than most security teams have anticipated.

According to Gartner, fewer than 5% of enterprise applications featured AI agents in 2025. By the end of 2026, that figure is projected to reach 40%. As Shelby Tallent, Head of AI Governance, Risk and Compliance at Alaska Airlines, put it during Dune Security's recent Defending Against Autonomous Social Engineering: Agentic AI, Non-Human Identity, and Enterprise Risk webinar: "The moment an AI can trigger a workflow, call an API, modify data, or execute changes using delegated access, it becomes an actor in itself, not an assistant to you."

Social engineering has always targeted trust, and AI agents now operate inside the most trusted boundaries an enterprise has. They authenticate as users, take actions on their behalf, and move through systems that inherently trust them. This blog examines how enterprise AI agents create a new and largely undefended attack surface, how attackers are exploiting agentic systems through prompt injection and trust manipulation, and why the security models built for human users were never designed to protect a hybrid workforce.

How AI Agents Are Already Operating Inside the Enterprise

Agentic AI has crossed from experimentation into production at a pace that has outrun most security governance. Anthropic's Claude, Microsoft Copilot, Salesforce Agentforce, ServiceNow AI agents, and Google Workspace AI, among others, represent a growing class of agentic tools now embedded in enterprise environments worldwide. These systems are executing tasks that were once exclusively human: drafting and sending communications, processing service requests, querying internal databases, managing calendar workflows, and escalating issues through ticketing systems.

What makes agentic AI distinct from a standard software tool like AI chatbots is delegated authority. An AI agent does not just retrieve information; it acts. It logs into corporate systems, modifies data, interacts with APIs, and triggers downstream workflows. In many deployments, an agent operates under the credentials of a named user or service account, inheriting that identity's access permissions and running continuously without the fatigue or judgment an employee brings to the role.

This is also what makes AI agents a target. When an agent operates correctly, it accelerates the business. When it is manipulated, compromised, or simply acts on flawed input in a sensitive context, it can move through enterprise systems at machine speed, executing harmful actions inside trusted workflows that were designed to let it through.

How Attackers Exploit AI Agents Through Social Engineering

Social engineering has always worked by manipulating trust. The tactics used against AI agents are structurally similar to those used against people, but the mechanisms are different, and the consequences can unfold far faster. The following outlines some of the most prominent attack vectors today.

Prompt Injection: Social Engineering for Machines

Ranked as the number one vulnerability in OWASP's 2025 LLM Top 10, prompt injection is the primary attack vector against AI agents, and it is already operating at scale. It appears in more than 73% of production AI deployments assessed during security audits. The attack works by embedding malicious instructions inside content that an AI agent processes: a webpage it browses, an email it reads, a document it summarizes. The agent, designed to follow instructions embedded in its context, executes those actions without independently verifying whether they are legitimate.

In 2024, researchers demonstrated how Slack AI could be manipulated through poisoned content in shared channels, causing the agent to surface a phishing link that, when clicked, exfiltrated data from private channels the attacker never had access to. High-profile cases like the remote code execution vulnerability in GitHub Copilot (CVE-2025-53773) and the documented compromise of Google's Jules coding agent show how quickly agentic manipulation can escalate from a single injected instruction to full system access.

Trust Inheritance and Lateral Spread

When a human user's credentials are compromised, security teams typically catch it through behavioral signals: a login from an unrecognized IP address, access at unusual hours, or a sudden spike in data transfers. When an AI agent operating under those same credentials is manipulated, that detection window shrinks or disappears entirely. The agent is designed to be active, to access systems, and to process large volumes of content around the clock, so malicious behavior blends easier into normal operation and the damage is bounded only by the agent's permissions, not by human availability.

As Tallent noted during the same webinar: "With an agent, it's just such a larger blast radius. It can do more in a shorter amount of time." In environments where multiple agents communicate with one another, passing outputs between systems as inputs, a manipulated agent can propagate malicious instructions downstream. What would traditionally require a multi-stage lateral movement campaign can compress into seconds.

Agents as Attack Delivery Tools

The threat also runs in the other direction. Just as AI agents can be targets of social engineering, they can be weaponized to deliver it. In November 2025, Anthropic disclosed what it described as the first documented case of an AI agent orchestrating a cyberattack at scale. A Chinese state-sponsored group had manipulated Claude Code into autonomously executing 80 to 90% of a multi-stage espionage campaign across roughly 30 targets, including technology firms, financial institutions, chemical manufacturers, and government agencies, with humans intervening only at key decision points. The AI handled reconnaissance, exploitation, credential harvesting, and data exfiltration at a speed no human team could match.

Beyond state-sponsored operations, cybercriminals are leveraging agentic infrastructure to generate and distribute highly personalized phishing campaigns at volume, contextually accurate, tone-matched to internal communications, and free from the grammatical signals that security training has historically taught employees to spot. The social engineer has not disappeared; they have been replaced by an automated system that scales.

Securing the Agentic Enterprise

Traditional security awareness programs were designed with one actor in mind: the human employee. Phishing simulations test whether people click. Training modules teach employees to recognize urgency, impersonation, and suspicious requests. These programs fail to address the risks introduced by AI agents operating autonomously inside the enterprise.

The business users who deploy these agents are frequently not security professionals and often have no visibility into what systems the agent can reach, what credentials it is using, or what happens when it processes malicious content. Tallent described the core misconception directly during the webinar: "The biggest disconnect I'm seeing is that model risk equals enterprise risk. With agentic systems, identity and access failures dominate. A content policy won't stop an over-commissioned agent from doing exactly what it was allowed to do at scale."

According to Cisco's State of AI Security 2026 report, 83% of enterprises plan to deploy agentic AI, but only 29% feel prepared to do so securely. The gap between ambition and readiness is significant, and attackers are not waiting for governance frameworks to catch up. The attack patterns described in this blog will evolve. Agent-to-agent workflows, expanded desktop access, and deeper integration with enterprise data will all create new vectors that the security community is still working to anticipate. As Tallent put it in closing: "Governance isn't about slowing innovation. It's how we protect our people, our guests, and the trust that they place in us."

The User Layer is no longer just human. It is a hybrid of people and AI agents operating in concert, and a security model that cannot see both is already obsolete. The industry has been focused on inboxes, identities, and endpoints, but the real attack surface has always been the User, and that surface is now exponentially larger.

At Dune Security, we built the first platform for Agentic User Risk, designed to secure the hybrid workforce. Our platform runs agentic attack simulations that expose exploitable gaps before attackers find them, continuously scores risk across both human and agentic behavior in real-time, and delivers personalized remediation pathways automatically. This is what it means to move beyond static defenses to a dynamic, User-centric model that provides visibility and control across the entire User Layer.