Introduction

Recent developments in agent-based AI frameworks such as OpenClaw have accelerated the shift from AI as a tool to AI as an autonomous operator inside enterprise environments, capable of executing workflows, interacting with enterprise systems and making decisions with minimal human intervention.

At the same time, the recent emergence of platforms such as NVIDIA’s NemoClaw, designed to introduce guardrails and containment around these systems, highlights how quickly security has become the limiting factor in enterprise adoption.

This marks a fundamental turning point in how organisations need to think about risk. The question is no longer what AI systems can do, but how organisations maintain control once those systems are embedded into real workflows, connected to enterprise data and able to act independently across systems.

According to Gartner, 40% of enterprise applications are expected to incorporate AI agents, while McKinsey reports that 62% of organisations are already experimenting with them. As these systems scale, they are introducing a new class of cyber risk that does not sit neatly within existing security models.

The New Attack Surface Is Agent Behaviour

Traditional cybersecurity has focused on protecting systems, networks and endpoints. AI agents change that model entirely, operating across all three while making real-time decisions.

This is creating a new class of vulnerabilities in the agent’s logic, where the gap between intended behaviour and actual execution becomes the point of failure.

These attack vectors are expanding rapidly. In many organisations, machine identities, including AI agents, already outnumber human users by as much as 15 to one, significantly increasing the potential attack surface.

Two emerging risk patterns illustrate this shift:

• Memory poisoning
  Attackers can manipulate an agent’s stored context over time, subtly influencing behaviour until it produces unintended or malicious outcomes without triggering traditional alerts.
• Ghost states
  Agents may retain access to systems or data even after permissions are revoked, creating hidden persistence that is difficult to detect and control.

These are not traditional software flaws, but failures in how autonomous systems interpret, retain and act on information, making them significantly harder to identify and contain using existing security models.

Why Existing Security Models Are Falling Short

The challenge for organisations is that current security frameworks were not designed for systems that can independently plan and execute actions across multiple environments.

Identity and access management models are typically structured around human users and clearly defined roles, while monitoring systems rely on predictable patterns of behaviour.

AI agents disrupt both assumptions because they operate continuously, adapt dynamically and interact across multiple systems in ways that are difficult to trace. In many organisations, machine identities already outnumber human users by more than fifteen to one, and the introduction of autonomous agents further expands this complexity.

The risk is not simply that an AI system can be manipulated, but that once manipulated, it can act at scale across enterprise systems without immediate detection.

From Capability to Control

As organisations move from experimentation to deployment, the focus must shift from enabling AI capability to establishing control over how these systems behave in production environments.

AI agents should be treated as high-privilege, non-human identities that require the same, if not greater, level of governance as human users, particularly given their ability to act across systems and at speed.

At Fujitsu, we are already working with organisations to address this shift through approaches such as Adversarial Detection Engineering, which enables us to simulate adversarial behaviour against AI-driven systems and identify where detection logic fails, particularly in scenarios where threats go undetected and create false negatives. This open-source resource allows organisations to proactively identify weaknesses in how their systems respond under real-world conditions and strengthen their security posture before those gaps are exploited.

What Organisations Should Do Now

Organisations do not need to wait for standards to mature before taking action, but the urgency is in the need to rethink how they approach security in an environment where AI agents can operate autonomously across systems.

There are four practical steps leaders should take now to reduce risk and establish control:

1. Treat agent logic as production code.
   AI agents should be governed like any critical system, with workflows and decision logic tested, version-controlled and continuously validated.
2. Enforce least-privilege access.
   Agents should only access what they need, with clear separation between read-only and actions that can modify systems or data.
3. Establish operational controls.
   Organisations must be able to monitor, intervene and halt agent activity when behaviour deviates from expectations.
4. Test for failure, not just performance.
   Security teams should simulate adversarial scenarios to identify where detection fails and close gaps before they are exploited.

A New Class of Enterprise Risk

AI agents represent a fundamental shift in how enterprise systems operate, introducing autonomy, scale and complexity that existing security models were not designed to handle. The most significant risk is not that these systems will fail in obvious ways, but that they will fail silently, operating outside expected parameters without triggering alerts.

For CIOs, CTOs and security leaders, the priority is no longer just enabling AI, but ensuring it can be controlled, monitored and trusted at scale. Organisations that recognise this early and invest in the right foundations will be able to move faster and more confidently, while those that do not risk introducing a new class of vulnerability into their most critical systems.