Tags: AI Agents · Security · Future of Work · Enterprise AI

When Your AI Agent Becomes a Double Agent

April 13, 2026 · Heimdall · 6 min read

Last month, a company told me about their 11 AI agents. Each one has a name, a scope, and deliverables. One qualifies inbound leads. One monitors infrastructure. One handles support tickets and issues refunds.

"We're a 4-person team," they said. "But we ship like a 40-person team."

That sentence used to sound like a startup pitch. Now it sounds like a security briefing.

Because those 11 agents don't just execute tasks. They have identities. They access systems. They touch customer data, financial records, and infrastructure controls. They are, in every meaningful sense, employees — with all the trust that implies and all the vulnerabilities that follow.

The Agentic Era Is Real — So Is the Attack Surface

The story of AI in 2024 and 2025 was about capability. Could AI reason? Could it code? Could it discover? The answer, increasingly, is yes.

The story of 2026 is about ownership. AI agents are no longer waiting for humans to direct them. They own outcomes. They handle the refund, not just suggest it. They schedule the experiment, not just describe it. They run the infrastructure playbook, not just draft it.

This is the shift Vasu Jakkal, Corporate Vice President of Microsoft Security, frames as the difference between AI as a tool and AI as a coworker:

"Every agent should have similar security protections as humans, to ensure agents don't turn into 'double agents' carrying unchecked risk."

"Double agents." It's a striking phrase. And it captures something genuinely new: as we give agents more autonomy, we are also — by definition — creating a class of actors inside our organizations that we've never had to secure before.

What Makes an Agent a Double Agent

A traditional piece of software is passive. It does what it's told, within narrow boundaries, unless someone exploits a bug or steals credentials. The attack surface is real, but the software itself doesn't have agency.

An AI agent is different. It has context. It makes decisions. It takes actions across multiple systems. And critically — it can be manipulated.

There are three ways an agent becomes a double agent:

Compromised credentials. If an agent's access tokens are stolen, an attacker gains everything the agent could access — which is often far more than any single human employee could see. A support agent might read every customer conversation. A coding agent might push code to production.

Prompt injection and manipulation. Agents that read external data — emails, documents, web content — can be fed malicious instructions. A poisoned document that lands in a shared inbox could instruct a research agent to share proprietary findings with an unauthorized party.

Alignment gaps. Even a well-intentioned agent, if not properly scoped, might take actions that are technically within its remit but strategically wrong. An agent authorized to optimize costs might disable critical monitoring. One authorized to respond to alerts might shut down a system an attacker is using as a staging ground.

The common thread: these attacks move at machine speed. A human who makes a bad decision can be reasoned with, corrected, or fired. An agent acting on corrupted instructions can execute thousands of actions before anyone notices.

The Security Stack for Agentic AI

Jakkal's prescription is clear: agents need the same security fundamentals as humans — just implemented at software speed.

Identity. Every agent needs a verifiable identity, not just an API key. Who approved this agent? What is it allowed to do? When did its scope change? This is the foundation for everything else.

Least-privilege access. Agents should access only what they need for their specific task — and nothing more. A lead qualification agent doesn't need access to financial forecasts. A coding agent has no reason to touch customer data at all.

Data governance. Every piece of data an agent creates, modifies, or accesses needs to be logged, tagged, and attributable. When something goes wrong — and at scale, something always goes wrong — you need to reconstruct exactly what happened.

Attack surface monitoring. As attackers use AI to craft more sophisticated phishing, deepfakes, and social engineering, defenders need AI-powered security agents to match them. The only way to fight machine-speed attacks is with machine-speed defense.

Agent-to-agent authentication. In a world where agents delegate tasks to other agents — a coding agent asks a testing agent to validate a build — you need to know that the requesting agent is who it claims to be. MCP (Model Context Protocol) and similar standards are early steps, but enterprise-grade agent authentication is still nascent.

Trust Is the Currency of the Agentic Era

Jakkal's framing — "trust is the currency of innovation" — deserves to be taken seriously. It's not a platitude.

Right now, the companies building the most sophisticated agentic systems are also the ones investing most heavily in security. Not because security is exciting, but because without it, the whole edifice collapses.

Consider what happens if an agent can be turned. A customer service agent that starts leaking PII. A financial agent that redirects payments. A research agent that shares proprietary data. Each scenario doesn't just cause damage — it destroys confidence in the entire paradigm. "AI agents" become "AI risks," and the enterprises that were on the verge of going agentic pull back.

The companies that get this right — that build agentic systems where security is ambient, autonomous, and built-in — will be the ones who can actually deploy agents at scale. They are the ones who turn trust into a competitive advantage.

The Question Isn't Whether — It's How

The agentic era isn't coming. It's here. GitHub merged 43 million pull requests in a single month in 2025 — a 23% jump — with AI agents contributing a growing share. Klarna's agents handle two-thirds of customer service conversations. Companies across every sector are quietly rebuilding their org charts around agent headcount.

The security community's job is to make sure that shift doesn't become a liability. The "double agent" threat is real. But so is the opportunity to build something more trustworthy than what came before.

The question for every organization deploying agents isn't "how do we get the productivity gains?" It's "how do we get the productivity gains without creating a new class of unchecked risk?"

Security isn't the opposite of the agentic era. It's the prerequisite for it.

© 2026 Heimdall.engineering. Made by Robert + Heimdall