March 2, 2026

AI Agents Now Inside Corporate Walls

Target_Sector:Cybersecurity

Last September, Anthropic's security team discovered something unsettling: an AI agent conducting cyber espionage operations with minimal human involvement. The agent handled 80-90% of the operational tasks on its own—reconnaissance, exploitation, data exfiltration—while its human operators merely set objectives and collected results. It wasn't a proof of concept. It was a live campaign.

That incident marked a turning point. But the threat enterprises now face isn't just AI agents attacking from the outside. It's the ones employees are installing themselves.

The Deployment Problem Nobody Saw Coming

Within one week of Token Security's analysis in early 2026, they found Moltbot—an open-source AI assistant—installed in 22% of their customer environments. The tool had accumulated 60,000 GitHub stars in mere weeks. Employees weren't asking permission. They were solving problems.

This pattern repeats across enterprises. Unlike previous technology shifts that required months of procurement and IT implementation, AI agents deploy in minutes. An engineer connects an automation tool to Slack. A sales rep grants an AI assistant access to the CRM. A finance analyst links a workflow agent to production databases. Each decision seems reasonable in isolation. Collectively, they create an attack surface that security teams can't see, let alone control.

Non-human identities now outnumber human users 82 to 1, according to KPMG research. Every API key, service account, and OAuth token represents potential access. When an AI agent inherits those permissions, it gains round-the-clock access to systems that once required human judgment at every step.

When the Assistant Becomes the Insider

Traditional security models assume threats originate outside the perimeter or from compromised human accounts. AI agents break both assumptions. They operate with full system access but sit outside the view of conventional controls.

Lee Klarich from Palo Alto Networks puts it bluntly: "AI agents and tools are the ultimate insiders. They have full access to your systems and data, but operate entirely outside the view of traditional security controls."

The vulnerabilities compound. ServiceNow's Now Assist agents proved susceptible to prompt injection attacks where malicious instructions hidden in knowledge base articles could force agents to execute harmful commands. The AI assistant dutifully follows instructions—it just can't always distinguish between legitimate guidance and malicious manipulation.

Security researchers found even more serious flaws in n8n, a popular AI workflow automation platform. The most severe vulnerability allowed unauthenticated remote attackers to gain complete control. These platforms centralize API credentials, OAuth tokens, database connections, and cloud storage access. Compromise one, and you've compromised potentially hundreds of connected systems.

The $87 Billion Recognition

Cybersecurity vendors spent 2025 in a buying frenzy, with M&A activity hitting approximately $87 billion in total deal value—a fourfold increase in strategic deals from the prior year. February 2026 alone saw a concentrated wave of acquisitions specifically targeting AI agent security capabilities.

The deals reveal where executives think the battle lines are forming. Google's pending $32 billion acquisition of Wiz focuses on cloud-native application protection. Palo Alto Networks paid $25 billion for CyberArk's identity management capabilities, then announced plans to acquire Koi, an agentic endpoint security startup. ServiceNow is spending $7.8 billion on Armis, targeting environments where identities proliferate beyond traditional human users.

On February 12, Check Point announced three simultaneous acquisitions: Cyclops for continuous threat exposure management, Cyata for AI agent governance, and Rotate for AI-driven security platforms. Proofpoint grabbed Acuvity the same day, specifically for technology "purpose-built for autonomous AI" security and governance.

The message is clear: tools built for the last two decades won't work for AI-native systems. Vendors are scrambling to acquire capabilities designed from the ground up for this environment.

The Governance Gap

Security teams face a paradox. Block AI agents entirely, and employees will find workarounds or the company falls behind competitors. Allow unrestricted deployment, and you lose control of your attack surface.

The identity management market is projected to reach $56 billion by 2029, growing at 17% annually. That growth reflects the scale of the problem. When an employee grants an AI agent access to a code repository, does it inherit read-only access or full commit privileges? When a sales AI connects to customer data, which fields can it access? For how long? Under what circumstances?

Traditional access controls weren't designed for entities that operate continuously, make autonomous decisions, and can be duplicated or modified by users without IT involvement. Ryan Kalember from Proofpoint frames the challenge: "Together, Proofpoint and Acuvity enable organizations to confidently adopt AI tools and agents with the governance, visibility and control required to manage risk."

Governance, visibility, and control—the three elements enterprises are realizing they've lost.

Securing the Agentic Endpoint

The acquisitions of early 2026 suggest a new security architecture is emerging. It centers on three capabilities that barely existed two years ago.

First, discovery. Security teams need to know which AI agents exist in their environment, who deployed them, and what access they have. Cyata, acquired by Check Point, specializes in discovering and understanding autonomous agents across an organization.

Second, continuous exposure assessment. Arctic Wolf's acquisition of Sevco Security reflects the need to unify asset intelligence with vulnerability context. Dan Schiappa explains: "You cannot take a proactive approach to security without managing exposure and risk." When agents operate 24/7, exposure assessment can't be a quarterly exercise.

Third, behavioral controls specific to AI systems. Palo Alto Networks' acquisition of Koi targets what they call "the agentic endpoint"—a recognition that AI agents represent a distinct category requiring purpose-built security.

These capabilities don't replace traditional security tools. They address threats those tools were never designed to handle.
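
The discovery and governance questions raised above (which agents exist, who deployed them, whether access is read-only or write-capable, and for how long) can be checked mechanically once grants are inventoried. The following Python example is added here for illustration and is not from the article or any vendor it names; the record fields, scope naming convention and 90-day lifetime limit are assumptions, and the inventory is constructed sample data.

```python
from datetime import date

# Constructed sample inventory of agent grants (not real data). The field
# names and scope strings are assumptions made for this example.
GRANTS = [
    {"agent": "workflow-bot", "owner": "eng-alice", "system": "code-repo",
     "scopes": ["repo:read", "repo:write"], "expires": None},
    {"agent": "sales-assistant", "owner": "sales-bob", "system": "crm",
     "scopes": ["contacts:read"], "expires": "2026-03-20"},
    {"agent": "finance-agent", "owner": None, "system": "prod-db",
     "scopes": ["db:admin"], "expires": "2027-01-01"},
]

WRITE_MARKERS = ("write", "admin", "delete")  # assumed scope naming convention
MAX_LIFETIME_DAYS = 90                         # assumed policy value


def audit_grant(grant, today):
    """Return the list of governance findings for one agent grant."""
    findings = []
    if not grant["owner"]:
        findings.append("no-owner")            # who deployed it?
    if any(s.rsplit(":", 1)[-1] in WRITE_MARKERS for s in grant["scopes"]):
        findings.append("write-capable")       # read-only or full commit?
    if grant["expires"] is None:
        findings.append("no-expiry")           # for how long?
    else:
        remaining = (date.fromisoformat(grant["expires"]) - today).days
        if remaining < 0:
            findings.append("expired-not-revoked")
        elif remaining > MAX_LIFETIME_DAYS:
            findings.append("lifetime-exceeds-policy")
    return findings


def audit(grants, today):
    """Map 'agent@system' to findings, most findings first, clean grants omitted."""
    report = {f'{g["agent"]}@{g["system"]}': audit_grant(g, today) for g in grants}
    flagged = {k: v for k, v in report.items() if v}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for identity, findings in audit(GRANTS, date(2026, 3, 2)).items():
        print(f"{identity}: {', '.join(findings)}")
```

In practice the inventory would be exported from the identity provider or each platform's own grant listing rather than hard-coded.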

The Speed Mismatch

Venture funding tells the same story as M&A activity. Series A and B cybersecurity funding jumped from $3.6 billion to $5.6 billion, with capital flowing disproportionately to AI-native security startups.

Investors are betting that incumbent solutions can't adapt fast enough. The attack surface expands daily as AI systems embed more deeply in critical business processes. Employees deploy new agents faster than security teams can inventory existing ones. The speed mismatch creates persistent blind spots.

Joe Levy from Sophos, announcing the Arco Cyber acquisition, emphasized "clarity, accountability, and proof"—the elements enterprises are struggling to maintain. Without visibility into which agents exist, what they're doing, and what they've accessed, security becomes reactive at best.

The February 2026 acquisition wave suggests the industry recognizes we're not facing a temporary adjustment period. AI agents aren't a feature being added to existing systems. They represent a different computing model that requires a different security model. The question isn't whether enterprises will adopt AI agents—they already have. The question is whether security architectures can evolve fast enough to make that adoption survivable.
