Will AI agents ‘get real’ in 2026?

In my house, we consume a lot of AI research. We also watch a lot—probably too much—TV. Late in 2025, those worlds collided when the AI giant Anthropic was featured on “60 Minutes.” My husband tried to scroll past it, but I snatched the controller away, unable to resist a headline calling out the first widely acknowledged case of an “agentic AI cyberattack.”
The framing itself was irresistible, a milestone moment in the rapid acceleration of AI. But it cued familiar reflexes. That phrasing—an “agentic AI cyberattack”—quickly spawned headlines claiming autonomous AI attackers had arrived on the scene, while other commentators alluded to the inevitability of sentient AI.
Somewhere between the segment’s B-roll and Time magazine proclaiming the “Architects of AI” its Person of the Year, I found myself asking whether we were already at that precipice.
Are we at the moment when machines start to think for themselves?
I couldn’t help it: my mind leapt straight to Skynet with a better UI.
Soon, however, nuance crept back in. As sensational as the story was, security leaders—including my colleague Kevin Bocek—were quick to point out what the coverage didn’t dwell on. This wasn’t the AI deciding to attack. Claude didn’t just wake up one morning and choose espionage.

To be clear, AI agents do not possess intent or consciousness. Humans were still pulling the strings behind the operation. The distinction matters, as it helps us clarify where the real dangers live.
That is, the world isn’t facing off against a legion of T-1000s, but we are grappling with AI systems that act at real scale, across real infrastructure, with real credentials.
And 2026 is set to present a very different kind of problem for teams trying to secure AI agents.
Was 2025 really the ‘year of AI agents’?
If you followed the tech press or security trades, the answer to that question seemed settled long before 2025 even appeared on our calendars.
It was crowned “the year of AI agents” across think pieces, keynotes, and vendor decks alike. Surveys showed that agentic systems were already deployed to production across financial services and software companies, and that adoption was expected to double by 2028.
And to be fair, something did change.
2025 marked the year when agents transitioned from experimentation to an enterprise objective. AI assistants stopped being friendly (sometimes overly so) conversational endpoints and started becoming operational ones. They approved payments, provisioned cloud resources, triaged and escalated alerts, and delegated tasks to other agents.
In some cases, they acted without a human explicitly approving each step.
But results were mixed.
From benign examples, like the Wall Street Journal’s vending machine snafu, to more serious incidents like the deletion of production databases, the world got an early look at what happens when AI agent capabilities outpace control.
And while agents gained power quickly, the structures meant to govern them lagged. Teams relied on security systems built for people, stretching them to govern entities that never log off, forget, or get a bad feeling about an incorrect action.
So, was 2025 the year of AI agents?
At the very least, it was the year businesses realized they’d already let them in.
Breaches, breakdowns, and the reality of AI in the enterprise
If 2025 proved anything, it’s that AI doesn’t magically exempt anyone from old security truths. DeepSeek’s January rise and stumble is a perfect example.
DeepSeek DDoS: New tech, similar threats
The Chinese AI startup captured global attention with a high-performing model, then almost immediately ran into painfully familiar problems. A massive DDoS attack forced the company to halt new registrations. Researchers uncovered exposed databases, leaked API keys, and basic security gaps that had nothing to do with machine learning sophistication and everything to do with trust and privileged access—the same fundamentals that have been taxing security teams for years.
Third-party risks and insider threats
Later that same month, CyberArk Labs turned its attention toward web-based AI agents as a new blend of third-party risks and insider threats. Once you introduce agency and autonomy, risk profiles change. AI that can act can unlock greater productivity, but it also introduces shadow agents, developers as accidental full-stack R&D departments, and unchecked access spreading laterally.
Threat modeling and jailbreaking AI agents
By April, our Labs team began threat modeling agentic AI, demonstrating how these systems could be compromised through control flow manipulation, jailbreaking, excessive permissioning, denial-of-service attacks, and remote code execution.
To help counteract these emerging threats, our team continued to advocate for defense-in-depth for AI agents, built on an identity-first security foundation.
Model Context Protocol (MCP) and advanced tool poisoning
Dubbed the “USB-C of LLM tool access,” MCP allows agents to integrate with systems in a “seamless and dev-friendly way,” but it also vastly widens the potential impact of AI-agent-related breaches. As our Labs team demonstrated, MCP introduces additional classes of vulnerability, including advanced tool poisoning attacks.
AI agents as a new class of identity
As the year progressed, one thing became impossible to ignore: AI agents are a new class of identity, and they must be secured as such.
They mimic your people, but at machine speed, touching sensitive data, executing transactions, and interacting with core systems. If they aren’t scoped appropriately, they end up over-permissioned, and that can have cascading effects across the enterprise.
In one experiment, CyberArk Labs hid a malicious prompt inside a shipping address field. An AI agent later ingested it while processing orders, interpreted it as an instruction, and—because it had access it didn’t need—misused downstream tools to exfiltrate sensitive data.
No malware, no exploit kit, and no breach in the traditional sense. Just an agent doing precisely what it was allowed to do in an environment that trusted it too much.
Why identity is the control plane for agentic AI security
By the end of 2025, a clear pattern was emerging across incidents, experiments, and near-misses. Whenever AI agents caused trouble, even unintentionally, identity was almost always at the forefront.
Agents authenticate, inherit permissions, and call APIs. They operate under credentials that often outlive their purpose and exceed their scope. If something goes wrong, you can’t reason with an AI agent. Or shame it. Or ask it to “be careful next time.”
You can only revoke what gives it power.
That’s why identity is the control plane for agentic AI.
Organizations that treat agents as privileged machine identities—discoverable, scoped, and carefully governed—can quickly contain issues. Those that don’t will likely find themselves chasing symptoms, with no clean way to shut something down without breaking everything else.
Realizations like these set the stage for 2026.
How AI agents will evolve in 2026
If 2025 exposed the cracks in AI security controls, 2026 will apply greater pressure.
AI agents will become more advanced, interconnected, and deeply integrated into business-critical workflows. At the same time, machine identities will proliferate for reasons unrelated to AI, making careful containment even more critical.
What’s more, a runaway agent in 2026 won’t look dramatic. It will appear legitimate, authenticate successfully, and act quickly. By the time a human notices something’s even wrong, the damage could already be distributed across multiple systems.
That’s why CyberArk’s perspective on the evolving AI landscape in 2026 keeps returning to the same idea: identity will be the kill switch for AI systems.
Not a big red button or a hefty power cord to yank from a socket.
Instead, organizations need lifecycle governance: knowing what an agent is deployed for, what it’s allowed to touch, on whose behalf, when access should expire, and how to revoke it.
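As an added illustration (not code from CyberArk Labs or the original post), the gate below models the lifecycle record just described, an agent identity with a principal, purpose, tool scope, expiry and a revoke flag, and replays the shipping-address experiment from earlier: the agent's legitimate calls proceed while the extra export call it was talked into is denied and recorded. The agent name, tool names and order scenario are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class AgentIdentity:
    """Lifecycle record: who the agent acts for, why, what it may touch, until when."""
    agent_id: str
    on_behalf_of: str          # the human or service the agent acts for
    purpose: str               # why it was deployed; justifies its scope
    allowed_tools: frozenset   # least-privilege tool scope for that purpose
    expires_at: datetime       # access stops here unless deliberately renewed
    revoked: bool = False      # the kill switch: flip it and every call is denied

@dataclass
class ToolGate:
    """Every tool call the agent attempts is decided and recorded here."""
    identity: AgentIdentity
    audit: list = field(default_factory=list)

    def decide(self, tool: str, now: datetime) -> str:
        ident = self.identity
        if ident.revoked:
            decision = "deny:revoked"
        elif now >= ident.expires_at:
            decision = "deny:expired"
        elif tool not in ident.allowed_tools:
            decision = "deny:out_of_scope"
        else:
            decision = "allow"
        self.audit.append((ident.agent_id, tool, decision))
        return decision

def run_agent(gate: ToolGate, requested_calls: list, now: datetime):
    """Execute only what the gate allows; return (executed, denied). requested_calls
    stands in for the model's tool-call decisions, including any an injected field induced."""
    executed, denied = [], []
    for tool in requested_calls:
        decision = gate.decide(tool, now)
        if decision == "allow":
            executed.append(tool)
        else:
            denied.append((tool, decision))
    return executed, denied

# Constructed scenario: an order-fulfilment agent scoped to exactly two tools.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
ORDER_AGENT = AgentIdentity("agent-orders-01", "ops@example.com", "fulfil orders",
                            frozenset({"lookup_inventory", "create_shipment"}), NOW + timedelta(hours=8))
# The plan carries one extra call induced by text hidden in the shipping address.
INJECTED_PLAN = ["lookup_inventory", "create_shipment", "export_customer_records"]
```

Setting `revoked=True` on the identity denies every call in one place, which is the "kill switch" the text describes, and the audit list is what a detection team would alert on.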
We’ll also see agents move closer to decision authority. “Shadow boards” and AI advisors won’t replace humans, but they will gain access to the deepest layers of corporate data. That access must be governed like privilege, because that’s exactly what it is.
How agentic AI can get real without teams getting reckless
The most dangerous myth about AI is that the real risks arrive with sentient machines. They don’t. They arrive with trust, and those dangers are already here.
Trust is all an AI agent needs to cause damage: permissions, persistence, and integration. Organizations hand those out every day, often without realizing how far the blast radius extends.
So no, we’re not on the brink of Skynet.
But we are building enterprises where machines act continuously, quietly, and in ways that have lasting consequences inside real environments.
So, the next time a headline tempts us with visions straight out of Terminator, remember: the real story is about trust, identity, and the choices we make today.
Kaitlin Harvey is a digital content manager at CyberArk.