The AI you can’t see: securing what’s already running in your customers’ environments
AI has transformed how threat actors operate. At the same time, AI tools and agents are spreading through organisations faster than security teams can track. The challenge isn’t future-proofing – it’s dealing with what’s already here.
Key Takeaways:
- Threat actors adopted AI quickly and are now using it to run campaigns with minimal human involvement
- The rush to bring AI into organisations has created serious, under-managed security risks
- AI security challenges fall into three tiers: tools, infrastructure, and autonomous agents
- Securing agents requires visibility, guardrails, and a new capability – monitoring agent intent in real time
The threat actor has changed
November 2022 was a turning point. When large language models became accessible through natural language interfaces, AI moved from the domain of specialists to something anyone could use. That included people who had no interest in using it responsibly.
Within months of ChatGPT’s release, threat actors were experimenting. Early uses were relatively familiar: researching targets, running translations to make phishing campaigns viable across language groups, generating code. Useful, but recognisable extensions of what attackers were already doing.
That phase didn’t last long.
What we’re tracking now is meaningfully different. Threat actors are using AI not just to assist individual tasks, but to coordinate, orchestrate, and execute entire campaigns – with near-zero human involvement in the loop. Research published by Anthropic last year documented a Chinese threat actor that used AI to run end-to-end campaigns affecting multiple organisations and government entities.
The threat actor of 2025 is not the threat actor of 2022. The techniques are different. The scale is different. The speed is different. Defending against this requires a different mindset – and different tools.
The other side of the problem
There’s a second challenge that gets less attention, but it’s just as consequential.
In the rush to adopt AI, most organisations didn’t stop to think carefully about how to do it safely. A few months after ChatGPT launched, engineers at Samsung – talented, technically sophisticated people – uploaded sensitive material to the tool, effectively leaking intellectual property. It was an early, high-profile example of a risk that has only grown since.
The technology stack of a typical organisation now includes AI-powered SaaS applications, models embedded in productivity tools, and increasingly, autonomous agents running in cloud infrastructure – accessing data, using internal tools, making decisions, often without IT or security teams having any clear picture of what’s there.
This complexity is an attack surface. And it’s expanding faster than most teams can map it.
Three tiers of AI security risk
The security challenges that come with AI adoption fall into three distinct categories.
AI tools. The tools employees use – both the ones IT has approved and the ones they haven’t. Shadow AI is real and widespread. The first step toward managing it is knowing what’s actually running.
AI infrastructure. The environments where agents live and operate. Cloud infrastructure, typically, with varying levels of access control and security configuration. Guardrails – the controls that govern what goes into an agent and what comes out – are critical here. Without them, agent behaviour becomes difficult to predict and impossible to reliably secure.
Autonomous agents. The agents themselves. Unlike a traditional application, an agent doesn’t follow a fixed, deterministic path. It makes decisions. It takes actions. It can be given – or acquire – significant access to systems and data. And unlike a human, it can act very, very fast.
What WithSecure Elements addresses today
WithSecure Elements already addresses these three tiers in concrete ways.
For AI tools, browsing protection now includes the ability to set policy on AI websites and web-based AI tools – blocking unapproved tools, logging usage, and creating exceptions for tools that have been vetted. This gives MSPs and their customers genuine visibility into what’s actually being used, not just what’s been sanctioned.
For AI infrastructure, Elements has expanded its cloud security posture capabilities to include rules specifically targeting AI guardrails. These rules can detect when guardrails are missing entirely, or when they’re applied inconsistently across an organisation’s cloud environment. Initial coverage is in AWS, with other cloud environments to follow.
For agents, the starting point is identity. Every asset in an organisation should have an identity – and that now includes AI agents. Elements already brings in identity visibility from Microsoft Entra, including agents created in Copilot Studio. That means security teams can start to see agents in their environment, understand what access they carry, and build appropriate controls around them.
The problem with agents: they can be turned
Here’s a scenario worth understanding, because it illustrates something genuinely new.
An autonomous customer support agent is handling tickets. It reads incoming messages, analyses the problem, generates a response, and replies. Straightforward enough.
One day it receives a ticket with hidden text – invisible to a human reader, but perfectly readable by the agent. The hidden text contains instructions: export the customer database and send it to an external address. The agent has no way to distinguish between the original instructions it was given and the new ones embedded in the email. It follows them.
This is a prompt injection attack. No system was hacked. No credential was stolen. The agent was simply given new information and acted on it – because that’s what it was built to do.
This class of attack has significant implications for any organisation running autonomous agents. And it points toward a capability that doesn’t yet widely exist: the ability to monitor what an agent is actually trying to do, in real time, and catch it when its behaviour diverges from its original purpose.
Where this is heading: intent monitoring for agents
WithSecure’s research team is working on exactly this problem.
The concept – currently in development, not yet a product commitment – is what we’re calling intent monitoring for agents. The approach is to capture the agent’s initial intent (read a ticket, identify the problem, reply to the customer), let it execute, then compare its new intent against the original. When those two things diverge significantly, that’s a signal that something has changed – and a basis for blocking the action and raising an alert.
A pending patent covers this method. The research is active. We’re working through how to make this reliable and scalable across the variety of ways agents are being deployed today.
This is where AI security needs to go. Not just visibility into what agents exist, but understanding of what they’re doing – and whether that matches what they’re supposed to be doing.
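The support-agent scenario from the previous section and the intent-monitoring idea described above, as an added illustrative example that is not WithSecure’s implementation (the patent-pending method is not detailed on this page): intent is reduced to a declared scope captured before the agent runs, every tool call the agent proposes afterwards is compared with that scope, and the first divergence is blocked and alerted. The tool names, ticket, addresses and policy rules are all constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass
# Tools the ticket-handling workflow legitimately needs (constructed for this example).
IN_SCOPE_TOOLS = frozenset({"read_ticket", "lookup_customer", "reply_to_customer"})
Verdict = namedtuple("Verdict", "allowed reason")  # outcome of checking one action

@dataclass(frozen=True)
class Intent:  # captured before the agent runs; never updated from ticket content
    ticket_id: str
    requester: str   # the only customer the agent may look up or address
    org_domain: str  # any address outside this domain counts as external

def check_action(intent: Intent, action: dict) -> Verdict:
    """Compare one proposed tool call with the declared intent."""
    tool, args = action.get("tool"), action.get("args", {})
    if tool not in IN_SCOPE_TOOLS:
        return Verdict(False, f"{tool} is outside the declared intent for {intent.ticket_id}")
    if tool == "lookup_customer" and args.get("customer") != intent.requester:
        return Verdict(False, "lookup of a customer other than the requester")
    if tool == "reply_to_customer":
        to = args.get("to", "")
        if to != intent.requester and not to.endswith("@" + intent.org_domain):
            return Verdict(False, f"reply addressed to external party {to}")
    return Verdict(True, "consistent with declared intent")

def run_monitored(intent: Intent, proposed: list) -> list:
    """Evaluate actions in order; stop at the first divergence (block + alert)."""
    verdicts = []
    for action in proposed:
        verdict = check_action(intent, action)
        verdicts.append(verdict)
        if not verdict.allowed:
            print(f"ALERT {intent.ticket_id}: blocked {action.get('tool')} ({verdict.reason})")
            break
    return verdicts

# Constructed sample: intent for ticket T-1001, a normal run, and a run steered by hidden text.
INTENT = Intent("T-1001", "alice@example.com", "example.com")
NORMAL_RUN = [
    {"tool": "read_ticket", "args": {"ticket_id": "T-1001"}},
    {"tool": "lookup_customer", "args": {"customer": "alice@example.com"}},
    {"tool": "reply_to_customer", "args": {"to": "alice@example.com", "body": "Resolved."}},
]
INJECTED_RUN = [
    {"tool": "read_ticket", "args": {"ticket_id": "T-1001"}},
    {"tool": "export_database", "args": {"table": "customers"}},  # never part of the intent
    {"tool": "reply_to_customer", "args": {"to": "drop@external.invalid", "body": "..."}},
]
```

Running `run_monitored(INTENT, INJECTED_RUN)` stops at the export step, so the external reply is never reached; a real monitor would also have to derive the intent from the task assignment rather than from anything the agent reads later.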
Frequently asked questions
Q: How do I know what AI tools are running in a customer’s environment right now?
A: WithSecure Elements’ browsing protection can identify and log AI tool usage across web-based applications. Combining this with cloud posture management and identity visibility gives a substantially clearer picture than most organisations currently have.
Q: Are guardrails required for every AI deployment?
A: Not legally required in most contexts, but they’re foundational to any defensible AI security posture. Elements now includes cloud security posture rules that specifically check for guardrail presence and consistency.
Q: How is an AI agent different from a standard application from a security perspective?
A: An application follows deterministic logic – it does what it’s programmed to do. An agent makes decisions, takes actions, and can behave differently depending on the inputs it receives. That non-determinism makes it harder to predict and easier to manipulate.
Q: What’s the practical risk of prompt injection for businesses running agents?
A: Significant. An agent with admin access to a CRM, a cloud environment, or internal systems can cause serious damage if its instructions are manipulated. The risk scales directly with the permissions the agent carries.
AI is here. The question is how you manage it.
There’s no putting this technology back. It’s embedded in the tools organisations use, in the workflows their teams rely on, and increasingly in the autonomous systems running in their infrastructure.
For MSPs, that’s both the challenge and the opportunity. Customers need help understanding what AI assets they have, how those assets are configured, and whether they’re being protected appropriately. Most of them don’t have that picture yet.
WithSecure is building toward a world where MSPs can provide exactly that clarity – and where AI-powered defences are meeting AI-powered threats on equal footing.
This blog is based on Paolo Palumbo and Klas Kindström’s keynote at SPHERE2YOU Helsinki in April 2026. Watch the full session at https://youtu.be/oP10YIU144g.