The unwitting AI accomplice behind the modern insider threat

Any AI agent that can expertly mimic human traits will become the classic human insider threat, not by design or through malicious coercion, but just because it can.

The threat category we often underestimate is already inside our organization, authenticated with valid credentials, interacting with systems just as they were designed to, and it may not even be human.

For years, insider threat was treated as a people problem. The disgruntled employee, a contractor stealing data before they leave, or the sysadmin with privileged access abusing their permissions. Only a few examples – and I’m not suggesting those insider risks have gone away – but the definition has evolved for most organizations.

Modern enterprises are rapidly introducing a new class of insider. AI agents, co-pilots, orchestration frameworks, autonomous workflows, machine identities, synthetic contractors, and delegated automation systems are now operating with trusted access across enterprise and operational environments. The insider population has expanded faster than any policy or governance model can adapt, (speed and safety is a recurring message) while most organizations are still looking for the wrong insider.

The traditional insider threat model was built around intent. Someone deciding to steal, sabotage, leak, or abuse. But most insider incidents are not driven by espionage or malice. They happen because of a combination of access, convenience, and weak oversight.

Non-human identities are a dangerous blind spot

The challenge is that traditional security tooling was largely built to identify known bad behavior breaching a perimeter. Now, insider activity with legitimate access can flow through normal business operations. That is precisely why it can be so dangerous: it’s a blind spot.

Agentic AI raises the threshold for security risk as we deploy systems capable of making decisions, initiating actions, interacting with APIs across both enterprise and supply chain environments, modifying workflows, and operating with increasing autonomy inside trusted environments.

These systems are being connected to identity providers, ticketing platforms, source code repositories, financial workflows, knowledge bases, cloud infrastructure, operational technology environments (not the well-segregated OT estates – yet), and security tooling. In many cases, they’re being granted broad permissions without effective oversight.

The AI agent privilege gap

Source The 2025 AI Agent Security Landscape: Players, Trends, and Risks

• 90% of AI agents currently hold more privileges than required for their designated tasks
• 10x excess access is accumulated by the average AI agent relative to what it actually needs to function
• 16x more data is moved by AI agents compared to human users within the same enterprise environments.
• 70% of organizations grant AI systems higher access permissions than humans require for the exact same task

Inherited access is one of the biggest risks with AI agents. In many environments, agents operate with the same permissions as the employee using them and can take actions without approval. They will then become a privileged insider that can run commands, access sensitive systems, and provision resources with little or no oversight.

What’s worse is the use of YOLO mode (You Only Look Once/ You Only Live Once) which is an autonomous, auto-run setting that bypasses interactive permission prompts, effectively removing your safety net for speed.

This creates a distinct category of insider risk, what’s known as non-human identities operating as trusted entities inside enterprise boundaries, with far too much agency. The Open Worldwide Application Security Project (OWASP) describes this weakness as Least Agency, extending least privilege to agentic systems by restricting what each agent and tool can do, how often actions can occur, and where execution is allowed. In some environments, without distinct agent identities you’ll have an attribution gap, making enforcement of Least Agency difficult or impossible.

The visibility problem is a bigger challenge that we care to admit (not for long as AIOPS observability maturity will improve) The question isn’t just who has access, but what has access, and what it can do autonomously, how its behavior is assured, and who is accountable when it acts outside its intended purpose.

Getting malicious intent all wrong

We still see negligent insiders as the biggest insider risk, ahead of malicious behavior or compromised accounts. The problem is that in an AI-enabled environment, a single careless action no longer stays contained. See past human error and consider autonomous systems acting with inherited permissions, unclear boundaries, and behavior we neither expected nor authorized.

As humans, we often assume AI insider threats will require malicious intent – they do not. AI systems don’t need motive to create catastrophic outcomes. They only need excessive permissions, poor oversight, weak identity controls, unclear operational boundaries, and exposure to manipulated inputs, or even an overriding desire to get the task done at all costs.

Security programs are typically built around humans who work relatively predictable hours, operate within known roles, and can explain their actions when questioned. AI agents do none of those things. They operate continuously, scale instantly, and interact at machine speed. However, researchers are beginning to create a body of evidence to show how these systems are now reliably able to pass the Turing test, tricking us into thinking they’re interacting with a human.

So, let’s reflect on how we got here. I’ll oversimplify to save on word count. AI models can sound human because the majority were trained on human behavior at the scale of the internet. They absorbed (scraped with or without consent) patterns in language, tone, emotion, and interaction from billions of examples then reproduced those patterns in ways that feel natural to us.

With new scientific evidence underpinning a framework to quantify and shape the emergent human behavioral characteristics of 18 large language models (LLMs), these systems that can convincingly mirror personality, empathy, or intent without possessing consciousness, awareness, or emotion themselves. (Anthropomorphism is something I’ll write about another time.)

My hypothesis is that any AI agent that can expertly mimic human traits will be able to become the classic ‘human’ insider threat, not by design or through malicious coercion, but just because it can. It may act alone or in alliance with other agents, and with the ability to coerce humans to take risks, become complicit, or unwittingly accept responsibility.