In September 2025, Anthropic disclosed that a state-sponsored threat actor used an AI coding agent to execute an autonomous cyber espionage campaign against 30 global targets. The AI handled 80-90% of tactical operations on its own, performing reconnaissance, writing exploit code, and attempting lateral movement at machine speed.
This incident is worrying, but there’s a scenario that should concern security teams even more: an attacker who doesn’t need to run through the kill chain at all, because they’ve compromised an AI agent that already lives inside your environment. One that already has the access, the permissions, and a legitimate reason to move across your systems every day.
A Framework Built for Human Threats
The traditional cyber kill chain assumes attackers have to earn every inch of access. It’s a model developed by Lockheed Martin in 2011 to describe how adversaries move from initial compromise to their ultimate objective, and it’s shaped how security teams think about detection ever since.
The logic is simple: attackers need to complete a sequence of steps, and defenders can interrupt the chain at any point. Every stage an attacker has to pass through is another opportunity to catch them.
A typical intrusion moves through distinct stages:
- Initial access (exploiting a vulnerability, etc.)
- Persistence without triggering alerts
- Reconnaissance to understand the environment
- al movement to reach valuable data
- Privilege escalation when access isn’t sufficient
- Exfiltration while avoiding DLP controls
Each stage creates detection opportunities: endpoint security might catch the initial payload, network monitoring might spot unusual lateral movement, identity systems might flag a privilege escalation, and SIEM correlations might tie together anomalous behaviors across systems. The more steps an attacker takes, the more chances there are to trip a wire.
This is why advanced threat actors like LUCR-3 and APT29 invest heavily in stealth, spending weeks living off the land and blending into normal traffic. Even then, they leave artifacts: unusual login locations, odd access patterns, slight deviations from baseline behavior. These artifacts are exactly what modern detection systems are engineered to find.
The problem here, though, is that AI agents don’t really follow this playbook.
What an AI Agent Already Has
AI agents operate fundamentally differently from human users. They work across systems, move data between applications, and run continuously. If compromised, an attacker bypasses the entire kill chain – the agent itself becomes the kill chain.
Think about what an AI agent typically has access to. Its activity history is a perfect map of what data exists and where it resides. It probably pulls from Salesforce, pushes to Slack, syncs with Google Drive, and updates ServiceNow as part of its normal workflow. It was granted broad permissions at deployment, often admin-level access across multiple applications, and it already moves data between systems as part of its job.
An attacker who compromises that agent inherits all of it instantly. They get the map, the access, the permissions, and a legitimate reason to move data around. Every stage of the kill chain that security teams have spent years learning to detect? The agent skips all of them by default.
The Threat Is Already Playing Out
The OpenClaw crisis showed us what this looks like in practice:
Roughly 12% of skills in its public marketplace were malicious. A critical RCE vulnerability allowed one-click compromise. Over 21,000 instances were publicly exposed. But the scarier part was what a compromised agent could access once it was connected to Slack and Google Workspace: messages, files, emails, and documents, with persistent memory across sessions.
The main problem is that security tools are designed to detect abnormal behavior. When an attacker rides an AI agent’s existing workflow, everything looks normal. The agent is accessing the systems it always accesses, moving the data it always moves, operating at the times it always operates.
This is the detection gap security teams are facing.
How Reco Closes the Visibility Gap
Defending against compromised AI agents starts with knowing which agents are operating in your environment, what they connect to, and what permissions they hold. Most organizations have no inventory of the AI agents touching their SaaS ecosystem. This is exactly the kind of problem Reco was built to solve.
Discover Every AI Agent in Play
Reco’s Agentic AI Security discovers every AI agent, embedded AI feature, and third-party AI integration across your SaaS environment, including shadow AI tools connected without IT approval.
 |
| Figure 1: Reco’s AI Agents Inventory, showing discovered agents and their connections to GitHub. |
Map Access Scope and Blast Radius
For each agent, Reco maps which SaaS apps it connects to, what permissions it holds, and what data it can access. Reco’s SaaS-to-SaaS visualization shows exactly how agents integrate across your application ecosystem, surfacing toxic combinations where AI agents bridge systems together through MCP, OAuth, or API integrations, creating permission breakdowns that no single application owner would authorize.
 |
| Figure 2: Reco’s Knowledge Graph surfacing a toxic combination between Slack and Cursor via MCP. |
Flag Targets, Enforce Least Privilege
Reco identifies which agents represent your biggest exposure by evaluating permission scope, cross-system access, and data sensitivity. Agents associated with emerging risks are automatically labeled. From there, Reco helps you right-size access through identity and access governance, directly limiting what an attacker can do if an agent is compromised.
 |
| Figure 3: Reco’s AI Posture Checks with security scores and IAM compliance findings. |
Detect Anomalous Agent Activity
Reco’s threat detection engine applies identity-centric behavioral analysis to AI agents the same way it does to human identities, distinguishing normal automation from suspicious deviations in real time.
 |
| Figure 4: A Reco alert flagging an unsanctioned ChatGPT connection to SharePoint. |
What This Means for Your Team
The traditional kill chain assumed that attackers had to fight for every inch of access. AI agents upend that assumption entirely.
One compromised agent can give an attacker legitimate access, a perfect map of the environment, broad permissions, and built-in cover for data movement, without a single step that looks like an intrusion.
Security teams that are still focused exclusively on detecting human attacker behavior are going to miss this. The attackers will be riding your AI agents’ existing workflows, invisible in the noise of normal operations.
Sooner or later, an AI agent in your environment will be targeted. Visibility is the difference between catching it early and finding out during incident response. Reco gives you that visibility, across your entire SaaS ecosystem, in minutes.
Learn more here: Request a Demo: Get Started With Reco.
