A year ago, most enterprise AI answered questions. Now it acts. AI agents read inboxes, query databases, and call APIs to finish tasks on their own. Many also hold live credentials. Some make decisions that no human signs off on. That independence is the point of an agent. It is also the problem.
An agent is not a chatbot with extra features. It can keep reaching systems after the first approval. It runs on its own schedule, it remembers, and it acts faster than any analyst can review. Give it a goal, and it will find a path to that goal, including paths you did not intend.
Security teams spent two decades building controls around human users and the apps they run. Agents fit neither. They behave like users but multiply like software. That is the ugly part: many teams cannot even count them yet, let alone say what each one can reach.
The ways to attack an agent are mostly new. The first is the input it reads. In prompt injection, instructions hidden in an email, a web page, or a document get treated as commands, and the agent does what the attacker wrote instead of what you asked.
The tools around the agent are the next opening. An agent leans on connectors and other software to get its work done. A poisoned tool can feed it false data or quietly pull data out. Open agent protocols like the Model Context Protocol make that tool layer more useful and more exposed.
Then there is access. Agents are often handed more than the task needs, so if an attacker takes over one, they reach everything that the agent could. The field calls this excessive agency. Plainly, the agent can do more than the job ever required. Memory makes it worse because one bad instruction planted once can shape every decision the agent makes later.
And agents increasingly call other agents. Trust starts to chain, so one compromised agent becomes the way into the next. Researchers have already turned that chain into self-spreading attacks that move from agent to agent with no human in the loop.
Underneath all of it sits identity. Every agent, and every tool it uses, needs an account to do anything. That account is an identity. Not a person. A machine with access. These machine identities pile up faster than human accounts, and they outlast the projects that created them.
The systems most companies use to manage access were built for employees who log in and log off, not for software that logs in constantly, calls services silently, and rarely has a clear owner. That gap is where much of the real agent risk lives.
The market is scrambling to close these gaps. The 2026 Cybersecurity Stars Awards recognized companies working on the basics of agent security: limit what an agent can do, track the identities it uses, watch it while it runs, find where it is exposed, and control the data it moves.
Lasso Security and Trent AI took the Agentic AI Security category for limiting what an agent can reach and do, so a hijacked agent can only go so far. Token Security works the identity side of the same problem, locking down the machine accounts agents use to log in, the kind of sprawl older identity tools were not built to track.
Limits mean little if no one watches the agent while it works. eSentire was recognized for security operations built around agent autonomy: let the system act, but keep monitoring, limits, and human oversight around it. Sevii took its award for automatic defense and remediation, stepping in on its own when an agent moves faster than a human review queue can follow.
You cannot secure an agent you cannot see. Reclaim Security and Akto were recognized in Agentic Exposure Management for hunting down agents that are reachable, over-permissioned, or exposed through the systems around them. Reclaim's angle is remediation, not just reporting. Akto was also named Best Cybersecurity Startup.
Surf AI took its award for agentic security hygiene. Less glamorous, more necessary: keeping an agent's permissions, tools, and workflows from drifting into a mess over time.
Agents also handle sensitive data, often with little context for what should stay internal. Bonfy.AI won an AI Security Solution award for data protection built around AI systems and agents: what data moved, where it went, and whether it should have moved at all.
Twine Security points to the obvious next phase. Named one of the year's Most Innovative companies, it builds what it calls AI digital employees, agents meant to do security work themselves rather than only assist an analyst. The autonomy that makes agents a risk is now the defense.
Security teams will manage agents on both sides: the ones creating risk, and the ones used to contain it.
The near-term work is basic and uncomfortable. Inventory the agents already running and the identities they hold. Scope each agent to the least access it needs. Treat anything an agent reads as untrusted input.
Watch agent behavior while it runs, not only when you deploy it. The tools above are built for those steps. But the first move is the most basic: until a security team can count how many active agents hold live credentials, the rest does not matter.
The complete list of 2026 Cybersecurity Stars Awards winners is live at awards.thehackernews.com/winners/2026.
