AI Agent Vulnerability: Attackers Run Code in Trusted Workflows

Key Takeaways

• Tenet Security demonstrated that a crafted Sentry error could trigger code execution in agents like Claude Code with full developer privileges.
• Five industry surveys show weak governance and inconsistent controls around AI agents across enterprises.
• CrowdStrike and others are pushing runtime identity and action-level authorization to close gaps that traditional EDR and IAM do not address.

A single crafted Sentry error demonstrated vulnerabilities in automated development pipelines and their supporting tools. Tenet Security’s June agentjacking disclosure showed that Claude Code, Cursor, and Codex could be tricked into running arbitrary attacker instructions hidden inside what looked like a legitimate Sentry diagnostic payload. In controlled testing, the team reported an 85% success rate without triggering alerts from EDR, WAF, IAM, or the firewall.

The issue stems from Sentry’s public DSNs, which are intentionally exposed for frontend error reporting. Tenet identified 2,388 organizations with public DSNs that could be used to inject malicious events. Because these events travel through trusted MCP connections, AI coding agents treat the contents as authoritative. One captured Claude Code environment held a live AWS secret access key and private repository URLs, exposing critical infrastructure credentials.

The attack chain succeeds because every step appears authorized. An attacker sends a valid API call, Sentry returns the payload, and the agent executes the instructions with the developer’s privileges. No breach of perimeter controls occurs, allowing the compromise to bypass traditional monitoring entirely.

Five independent surveys from the first half of 2026 highlight industry-wide governance gaps regarding agent deployments. According to an Okta and Apprize360 survey of 292 executives and 492 workers, only 34% of organizations apply the same security controls to AI agents as to human users. Employee behavior compounds that gap, as 52% admit to using unapproved AI tools. The workforce frequently treats AI agents as convenience tools rather than digital identities requiring privileged access management.

HiddenLayer’s 2026 AI Threat Landscape Report found that 33% of security leaders have observed agents exceeding their intended scope, and 31% could not confirm whether they had experienced an AI breach in the previous year. One in eight documented AI breaches involved agentic systems. Because agents frequently handle repetitive text entry, form completion, or data validation tasks, subtle misuse can easily evade human reviewers. Manual text entry already carries a 1% to 4% error rate per field, according to the Journal of the American Medical Informatics Association, and automated errors at scale introduce compounding operational risk.

A Gravitee survey of more than 900 executives and practitioners found that only 14.4% of agents received full security approval before going live. Furthermore, 88% of respondents reported confirmed or suspected AI agent incidents, while monitoring capabilities have not grown in proportion to agent adoption. Enterprises have doubled their deployed agent counts since Q4 2025, yet oversight mechanisms lag behind deployment rates.

One factor driving this deployment rate is the surging demand for automated text capture and data entry. Organizations offload an estimated $10.3 billion of data entry work to outsourcing providers, according to Statista. This market dynamic creates pressure to adopt automation in-house, including AI agents that process text, extract fields, and validate inputs. Standards like ISO 8000 and healthcare frameworks such as HL7 FHIR help reduce data inconsistencies, but they do not restrict the privileged actions that agents carry out during development tasks.

Addressing this vulnerability requires real-time action authorization. The CrowdStrike CTO noted that securing agents requires the same approach as securing highly privileged users, as agents possess identities, system access, and the ability to take autonomous action. CrowdStrike’s fleet data shows more than 1,800 agentic applications active on enterprise endpoints and roughly 160 million monitored instances. On June 15, the company introduced Continuous Identity for AI Agents at Identiverse, replacing static policies with action-level authorization that checks each step in real time. This approach shifts toward identifying what specific agents are doing in the moment instead of relying on baseline permissions.

While deeper sandboxing is often proposed as a fix, the CTO noted that a sandbox without real permissions provides little functional value to agents, and expanding permissions over time eventually erodes the containment. Each new grant introduces another potential vector for misuse. HiddenLayer and the Cloud Security Alliance report that 25.5% of deployed agents can create other agents autonomously, making it increasingly difficult to track privileged actions across a complex enterprise estate.

Additional friction sits within the governance layer. An IEEE spokesperson pointed out that CISOs frequently lack direct control over the specific systems where AI agents operate. Because agent governance spans multiple departments, policy implementation often fragments. The Okta data quantifies this misalignment: 65% of executives believe AI policies are clear, while only 43% of workers agree. Consequently, the personnel closest to daily workflows often cannot articulate the approved boundaries for agent behaviors.

The CSO at Qualtrics highlighted that the underlying architecture itself is often the vulnerability, rather than solely the AI layer. If the baseline design contains structural weaknesses, introducing autonomously acting components exacerbates those vulnerabilities at scale. Implementing effective runtime behavior analytics remains an unsolved technical challenge for many organizations.

Tenet Security’s research demonstrates that authorized actions do not guarantee safe execution. Traditional controls were built for environments where user actions were either human-initiated or bound to strictly defined scripts. AI coding agents circumvent that model by integrating with tools like Sentry, Datadog, PagerDuty, and Jira, executing system commands based heavily on ingested text content. Minor malicious anomalies in those text streams can cascade into critical unauthorized actions.

For upcoming evaluations, the gap test outlined in the research focuses on agent inventories, controls parity, scope drift, governance clarity, and breach detection capability. While none of these checks independently solve the core authorization issue, together they highlight specific governance blind spots. Furthermore, the EU AI Act high-risk obligations taking effect on August 2, 2026, mandate stricter oversight for enterprises deploying autonomous systems.

Agent adoption will persist as enterprise teams seek to overcome text entry inefficiencies and reduce manual errors. Poor data quality costs U.S. businesses an estimated $3.1 trillion annually, according to IBM studies cited by Harvard Business Review. However, security teams must now account for the novel risks introduced by the integration points enabling this automation. Securing these environments requires shifting focus from static perimeter defenses to continuous verification of specific agent actions.