Technology

Shared API keys expose AI agents at 69% of enterprises, new VentureBeat research finds

The use of shared API keys across multiple AI agents poses a significant security risk for enterprises, according to recent research conducted by VentureBeat. When one API key is shared among five AI agents, a compromised agent can access the permissions of all five, allowing attackers to exploit the accumulated permissions across multiple workflows without leaving a clear trail of attribution.

The study, which surveyed 107 enterprises, found that a staggering 69% of organizations have instances of credential sharing among their AI agents. This alarming statistic has prompted a surge in investment in enterprise security solutions, with companies like Palo Alto Networks, CrowdStrike, and Cisco collectively spending over $22 billion on acquisitions in the past year to address this critical security gap.

Palo Alto Networks recently completed a $21.1 billion acquisition of CyberArk, while CrowdStrike acquired runtime authorization platform SGNL for $740 million and released Continuous Identity for AI Agents. Cisco also announced its intent to acquire non-human identity specialist Astrix Security for $400 million.

The survey results highlight the urgent need for improved security measures in enterprises, especially in the realm of AI agent security. Over half of the respondents reported experiencing AI agent security incidents or near-misses, underscoring the importance of implementing robust security protocols to protect against potential breaches.

Despite the high prevalence of credential sharing among AI agents, only 32% of enterprises provide each agent with its own scoped, managed identity. Many agents still rely on shared API keys or borrowed human and service-account credentials, leaving organizations vulnerable to security breaches. The lack of individual identities for AI agents amplifies the risk of a single compromised agent leading to a widespread security incident.

The research also revealed that larger enterprises, with more than 1,000 employees, are at a higher risk of security incidents related to AI agents. While 49% of organizations enforce scoped permissions at runtime and monitor agent activity, only 30% isolate their highest-risk agents in sandboxes, highlighting a critical gap in containment measures.

The study identified model providers, such as OpenAI, Google Cloud, and Microsoft Azure, as the primary security layer for AI agents in most enterprises. While these built-in guardrails offer some level of protection, they do not provide agents with individual identities or sandboxing capabilities, which are essential for containing security breaches.

To address the security gaps identified in the survey, security directors are advised to take three key actions:

1. Inventory every agent’s credentials to eliminate shared and borrowed identities.
2. Prioritize sandboxing for the riskiest agents to contain potential security incidents.
3. Align security budgets with the incident rate to adequately fund AI agent security measures.

The full Q2 Agentic Security report, featuring a comprehensive vendor matrix and industry-specific insights, will be unveiled at VB Transform. Enterprises are urged to close the AI agent security gap proactively to avoid potential breaches that could compromise sensitive data and operations.

Related Articles

Back to top button