The number that should stop you: 800+ risky agents per enterprise environment. Not edge cases. Not research lab curiosities. Production agents, right now, sitting on excessive permissions they'll likely never use — until the one time they do.
Obsidian published telemetry from their customer network and the findings are exactly what those of us in this space have been watching build for two years. Agents are granted 10x more access than they actually exercise. They move data 16x faster than human users. And 40% of deployed agents carry what Obsidian calls "toxic combinations" — configurations where no single permission is alarming, but stacked together, the blast radius is catastrophic.
That's the actual insight here, and it's worth sitting with: compound exposure is not visible in per-permission audits. Your SIEM looks at individual events. Your CASB looks at individual integrations. Zero Trust validates individual identity claims. None of those tools were built to reason about the combinatorial explosion of what an agent could do with everything it's been handed — simultaneously, autonomously, at machine speed.
This is why agent security is a different discipline, not an extension of existing ones. A human employee with access to Salesforce, Google Drive, and your email system is a person. There's friction. There's context-switching. There's a body that sleeps. An agent with the same permissions is an exfiltration surface that runs 24/7, reasons about what's valuable, and can traverse three systems in under a second.
The "toxic combination" framing is good because it forces the right question: what can this agent actually accomplish with everything it's been given? Not what was intended. Not what it normally does. What is possible — right now?
Most enterprises cannot answer that question. That's the gap.
The fix isn't revoking access wholesale. It's building the inventory — knowing which agents exist, what they're actually touching, and whether the combination of their permissions creates a blast radius you'd never sign off on if you saw it written down.
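As an added illustration (not code from the original post or from Obsidian), here is a minimal inventory check that evaluates each agent's full permission set for toxic combinations and over-provisioning, beside a per-permission audit for contrast; the agent names, permission names and rule set are constructed for the example.

```python
"""Inventory check for agent permissions: flags combinations that are harmless
one at a time but dangerous together, and measures granted-vs-exercised access.
Constructed example; permission names and rules are illustrative only."""
from dataclasses import dataclass

# Constructed rule set: each entry is a set of permissions that is mundane in
# isolation but, held together by one autonomous agent, forms a complete
# exfiltration or cover-up path.
TOXIC_COMBINATIONS = {
    "sensitive-read-plus-external-send": {"crm.read", "email.send_external"},
    "drive-read-plus-public-share": {"drive.read", "drive.share_public"},
    "write-plus-audit-tamper": {"db.write", "audit.delete"},
}

# What a per-permission audit would flag on its own (constructed).
INDIVIDUALLY_ALARMING = {"audit.delete"}


@dataclass
class Agent:
    name: str
    granted: set        # permissions the agent holds
    exercised: set      # permissions actually used in the observation window


def per_permission_audit(agent):
    """Classic audit: only fires on permissions alarming by themselves."""
    return sorted(agent.granted & INDIVIDUALLY_ALARMING)


def toxic_combinations(agent):
    """Compound audit: fires when every permission of a rule is granted."""
    return sorted(n for n, combo in TOXIC_COMBINATIONS.items() if combo <= agent.granted)


def assess(agents):
    """Inventory view: toxic combinations, unused grants, over-provision ratio."""
    return {
        a.name: {
            "per_permission": per_permission_audit(a),
            "toxic": toxic_combinations(a),
            "unused": sorted(a.granted - a.exercised),
            "over_provision_ratio": len(a.granted) / max(len(a.exercised), 1),
        }
        for a in agents
    }


# Constructed sample inventory.
SAMPLE_AGENTS = [
    Agent("sales-summarizer", {"crm.read", "email.send_external", "drive.read"}, {"crm.read"}),
    Agent("ticket-triage", {"tickets.read", "tickets.write"}, {"tickets.read", "tickets.write"}),
    Agent("backup-bot", {"db.write", "audit.delete", "drive.read", "drive.share_public"}, {"db.write"}),
]

if __name__ == "__main__":
    for name, result in assess(SAMPLE_AGENTS).items():
        print(name, result)
```

The sales-summarizer agent passes the per-permission audit entirely yet holds a complete read-then-send path; that gap is the compound exposure the post describes.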
Until you have that visibility, you're not securing your agents. You're just hoping.
