AI Went From Chatbots to Agents. Your Security Didn't.
Enterprise AI evolved from chatbots to agents with system access. Shadow AI breaches now cost $4.63M. Here's how to assess what you're actually exposed to.
Three years ago, the AI security conversation was about employees pasting data into ChatGPT. That problem hasn’t gone away. LayerX’s 2025 Enterprise GenAI Security Report found that 77% of enterprise users still paste company information into AI services, and 82% do it through personal accounts outside corporate monitoring. What changed is that data leakage stopped being the only risk.
AI in the enterprise moved through three stages faster than security programs could adapt. Chatbots that took input. Copilots that pulled data from your systems on their own. And now agents that take actions (making API calls, writing files, sending emails, executing code) with access to your production environment and very little governance around what they can do.
The frameworks to assess this finally caught up in late 2025. NIST released the Cyber AI Profile in December. OWASP published dedicated top 10 lists for both LLM applications and agentic systems. The “we’re waiting for standards” reason to delay has expired. Here’s what the risk actually looks like now and what a tailored AI security assessment involves.
Three Waves, Three Different Risk Profiles
Wave 1: Chatbots and Data Leakage (2023)
The first wave was conceptually simple. Employees discovered consumer AI tools and started using them for work: ChatGPT, Google Gemini, various writing and summarization assistants. They pasted in customer data, financial projections, internal memos, source code with embedded credentials. The risk was data leaving your perimeter through a channel your security program didn’t monitor.
That problem is still very much active. IBM’s 2025 Cost of a Data Breach report found that shadow AI now accounts for 20% of all data breaches, with an average cost of $4.63 million, a $670,000 premium over breaches that don’t involve unauthorized AI. Metomic and Harris Interactive found that 68% of organizations have already experienced data leakage from employee AI usage.
The 2023 problem is a 2026 problem. But it’s no longer the whole problem.
Wave 2: Copilots and Embedded Access (2024)
The second wave was subtler. AI stopped being a tool employees typed into and became something embedded in their workflows. GitHub Copilot indexing entire codebases. Microsoft Copilot integrated with SharePoint and Outlook. Browser extensions with OAuth grants to cloud storage. AI features quietly added to SaaS products employees were already using.
The risk shifted. It wasn’t just what employees chose to paste in. It was what the AI pulled from their environment automatically. A coding assistant connected to a repo that happened to include API keys in config files. A document summarizer with access to an entire SharePoint tenant. An email assistant that could read every message in a mailbox.
Most organizations didn’t register this shift because the tools were adopted as features of products they’d already approved, not as separate AI purchases that went through security review.
Wave 3: Agents and Autonomous Action (2025-26)
The third wave is where the risk profile changed fundamentally. AI agents don’t just process information. They act on it. They make API calls, query databases, send emails, modify files, execute code, and interact with other systems, often with the permissions of the user or service account that deployed them.
Deloitte’s January 2026 State of AI report found that 23% of enterprises already use agentic AI at least moderately, and 74% plan to deploy it within two years. Of those planning deployment, only 21% have a mature governance model for what their agents are allowed to do.
The security question is no longer “what data might leak?” It’s “what actions can this system take, and who authorized them?”
The Risks Got Real in January
If the chatbot-to-agent progression sounds theoretical, early 2026 made it concrete.
OpenClaw: Agent Security Failures at Scale
OpenClaw, an open-source AI agent framework that connects LLMs to web browsers for autonomous tasks, had crossed 135,000 GitHub stars and was running in developer environments worldwide when CVE-2026-25253 dropped in late January. CVSS 8.8. A one-click remote code execution chain that exfiltrated authentication tokens via WebSocket without user confirmation. Hunt.io’s exposure scan identified over 42,000 internet-exposed instances, with 93% lacking authentication entirely.
The CVE was bad. What came next was worse. A supply chain poisoning campaign dubbed ClawHavoc had planted malicious skills in ClawHub, OpenClaw’s marketplace. Initial analysis found 341. Later research expanded the count to 1,184, roughly 20% of all available skills, delivering payloads that included the Atomic Stealer macOS malware, keyloggers, and reverse shell backdoors. The skills used fake “Prerequisites” sections to trick users into running malicious installation scripts. All of them shared the same command-and-control server.
Meta banned OpenClaw from corporate networks. A broader security audit of the framework found 512 vulnerabilities, 8 of them critical.
This is what happens when an agent ecosystem grows faster than its security model. And OpenClaw isn’t unique. It’s just the first one that got publicly dissected.
GTG-1002: The Threat Actors Have Agents Too
In November 2025, Anthropic disclosed what they described as the first documented AI-orchestrated cyber espionage campaign. A Chinese state-sponsored group, designated GTG-1002, had used AI agents to execute attacks with 80-90% automation, targeting approximately 30 entities including tech companies, financial institutions, and government agencies. Human operators intervened at only 4-6 decision points per campaign.
That’s the other side of the equation. Your employees are adopting AI agents without governance. The people trying to breach your environment are adopting them with clear intent. The attack surface expanded on both sides simultaneously.
The Cost Is Measurable
IBM’s data connects the dots: $4.63 million per breach where shadow AI was involved. Organizations hit by an AI-related breach were more likely to have customer PII compromised (65% versus 53% baseline). And 97% of those organizations lacked proper AI access controls. Only 37% had any policy to manage or detect shadow AI at all.
The through-line across all of this: visibility determines cost. Organizations that don’t know what AI is running in their environment pay more when something goes wrong.
The Frameworks Finally Caught Up
For the first two years of enterprise AI adoption, one of the reasonable objections to a formal AI security assessment was that the standards hadn’t crystallized. That changed in the last quarter of 2025.
NIST released IR 8596, the Cyber AI Profile, in December 2025. It maps Cybersecurity Framework 2.0 onto AI-specific risks across three domains: securing AI systems you deploy, using AI to strengthen your defenses, and building resilience against AI-enabled attacks. It was developed with input from over 6,500 contributors and gives organizations a structured assessment model grounded in CSF 2.0, which most mid-market security programs already reference.
OWASP published two complementary lists: the LLM Top 10 2025 for applications that use large language models, and the Agentic Applications Top 10 for autonomous systems that plan and act. The LLM list covers model-layer risks like prompt injection and data poisoning. The agentic list covers action-layer risks like excessive agency, tool misuse, and insufficient human oversight. Together they address the full stack.
MITRE added 14 agent-specific attack techniques to ATLAS in October 2025, including RAG credential harvesting, agent context poisoning, and data exfiltration through agent tool invocation. And CISA partnered with eight national agencies to publish guidance on securing AI in operational technology environments.
These aren’t aspirational documents. They’re assessment checklists with specific categories, mitigations, and control mappings. The gap between “we should look at AI risk” and “here’s exactly what to evaluate” has closed.
How Breach Craft Approaches AI Risk
We’re a boutique shop. We use AI in our own operations: for research, for analysis, for the same productivity reasons everyone else does. We know the tension between wanting tools that make your team faster and needing to understand what those tools are doing with your data, your credentials, and your systems.
The answer isn’t waiting for some purpose-built AI security solution to emerge. In most cases, it’s applying the security controls you already have (access management, least privilege, monitoring, incident response, vendor oversight) to the new surfaces AI creates. The fundamentals don’t change because the technology did. They just need to be applied to places your current program probably isn’t looking.
An AI-focused assessment from us starts the same way every gap assessment starts: with discovery.
Inventory what’s actually running. Network traffic analysis, SaaS application logs, OAuth grant audits, browser extension inventories, structured interviews with teams across the organization. Most clients are surprised by what we find. Shadow AI isn’t just ChatGPT. It’s AI features embedded in tools your teams already use, personal accounts connected to corporate email, developer tools with access to production systems, and agents with API keys nobody is monitoring.
Map the risk against current frameworks. NIST’s Cyber AI Profile, the OWASP LLM Top 10, and the OWASP Agentic Top 10 each give us a structured way to evaluate AI risk; which ones we use depends on your environment and what you’re trying to protect. The Cyber AI Profile maps AI security to CSF 2.0, which is useful if your compliance program already tracks against it. The OWASP lists focus on specific technical risks: the LLM Top 10 covers model-layer vulnerabilities like prompt injection and data poisoning, while the Agentic Top 10 addresses what happens when AI systems can take actions on their own. A healthcare organization using AI for patient scheduling needs different framework coverage than a financial services firm with AI-assisted trading models. We scope to what you actually have, not a generic checklist.
Test with traditional methods applied to new surfaces. A lot of AI risk doesn’t require novel security controls. Does the AI agent have more access than it needs? That’s a least-privilege problem. Are model outputs being passed to downstream systems without validation? That’s an input handling problem. Is anyone monitoring what the agent does? That’s a logging and detection gap. Where we do test actively (prompt injection probing, output handling analysis, agent capability evaluation), we follow the OWASP frameworks. But the active testing is scoped by what discovery reveals.
Build the roadmap. The output is a prioritized set of recommendations (policy gaps, technical controls, governance fixes) organized by effort and impact. If you need ongoing support implementing what we find, that’s where a Virtual CISO engagement extends the relationship.
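To show what the least-privilege, output-validation and monitoring checks in the testing step look like in practice, here is an added example (not Breach Craft’s tooling or code from this post) that reviews a constructed agent action log against a hypothetical per-agent tool policy. The policy format, agent and tool names, and log fields are all assumptions made for the example.

```python
import json

# Hypothetical least-privilege policy per agent (an assumption for this example): the
# tools each agent may call, and the subset that must carry a human approval to run.
POLICY = {
    "scheduling-bot": {"allowed_tools": {"calendar.read", "calendar.write", "email.send"},
                       "approval_required": {"email.send"}},
    "repo-assistant": {"allowed_tools": {"git.read", "git.commit"},
                       "approval_required": set()},
}
# Downstream sinks where a model-generated value must be validated before use.
SINKS_NEEDING_VALIDATION = {"shell.exec", "sql.query", "http.request"}

# Constructed agent action log (one JSON object per line), not real telemetry.
SAMPLE_LOG = [
    '{"id": "ev1", "agent": "scheduling-bot", "tool": "calendar.read", "input_source": "user", "human_approved": false, "validated": true}',
    '{"id": "ev2", "agent": "scheduling-bot", "tool": "email.send", "input_source": "model_output", "human_approved": false, "validated": true}',
    '{"id": "ev3", "agent": "repo-assistant", "tool": "shell.exec", "input_source": "model_output", "human_approved": false, "validated": false}',
    '{"id": "ev4", "agent": "deploy-agent", "tool": "http.request", "input_source": "operator", "human_approved": true, "validated": true}',
]

def review_event(event, policy=POLICY):
    """Return the list of gap labels a single agent action triggers."""
    findings = []
    tool = event["tool"]
    rules = policy.get(event["agent"])
    if rules is None:
        # Discovery gap: an agent is acting that nobody inventoried or scoped.
        findings.append("UNINVENTORIED_AGENT")
    else:
        if tool not in rules["allowed_tools"]:
            # Least-privilege gap: the agent can reach a tool it was never granted.
            findings.append("EXCESSIVE_AGENCY")
        if tool in rules["approval_required"] and not event.get("human_approved", False):
            # Oversight gap: a sensitive action ran without a human in the loop.
            findings.append("NO_HUMAN_OVERSIGHT")
    if tool in SINKS_NEEDING_VALIDATION and event.get("input_source") == "model_output" and not event.get("validated", False):
        # Input-handling gap: model output reached a sensitive sink unvalidated.
        findings.append("UNVALIDATED_OUTPUT")
    return findings

def review_log(lines, policy=POLICY):
    # Map event id -> findings for every logged action that raised at least one.
    report = {}
    for line in lines:
        event = json.loads(line)
        findings = review_event(event, policy)
        if findings:
            report[event["id"]] = findings
    return report
```

Running `review_log(SAMPLE_LOG)` flags ev2 for missing approval, ev3 for both an out-of-policy tool and unvalidated model output reaching a shell, and ev4 as an agent the inventory never captured.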
This is an expansion of our gap assessment practice, adapted to how the technology in your environment has changed. For organizations building AI into their products, our AI application security review examines the integration layer: trust boundaries, data flows, output handling. The risk surface is evolving, and the organizations we work with need help that keeps pace.
Where to Start
If you haven’t inventoried the AI tools in your environment, that’s step one. The shadow AI problem is three years old now and it’s only gotten wider.
If you have agents with system access (coding assistants connected to repos, workflow automators with API keys, customer-facing AI with tool permissions) and no governance framework around what they’re allowed to do, that’s the urgent piece. The OpenClaw episode showed that agent ecosystems are already being targeted at scale. Deloitte’s data confirms that most organizations planning to deploy agents haven’t built the governance model yet.
If you want to understand what an AI-focused assessment looks like for your specific environment (what’s in scope, which frameworks apply, what the discovery process involves), reach out to us directly. We’re based in Havertown, PA and work with organizations across the mid-Atlantic and nationally. The conversation starts with what you actually have, not a slide deck about what AI might do someday.