{"id":12261,"date":"2026-05-08T08:24:00","date_gmt":"2026-05-08T07:24:00","guid":{"rendered":"https:\/\/www.withsecure.com\/?p=12261"},"modified":"2026-06-08T08:25:58","modified_gmt":"2026-06-08T07:25:58","slug":"the-ai-you-cant-see-securing-whats-already-running-in-your-customers-environments","status":"publish","type":"post","link":"https:\/\/www.withsecure.com\/fi\/resurssit\/blog\/the-ai-you-cant-see-securing-whats-already-running-in-your-customers-environments\/","title":{"rendered":"The AI you can&#8217;t see: securing what&#8217;s already running in your customers&#8217; environments"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    The AI you can&#8217;t see: securing what&#8217;s already <span class=\"blue-text\">running in your customers&#8217; environments<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        AI                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                      
  MSP                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                08.05.2026                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div>                                                                            <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"450\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/06\/WS_S2Y_26_Hero_1920x1080.jpeg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/06\/WS_S2Y_26_Hero_1920x1080.jpeg.webp 800w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/06\/WS_S2Y_26_Hero_1920x1080-300x169.jpeg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/06\/WS_S2Y_26_Hero_1920x1080-768x432.jpeg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/06\/WS_S2Y_26_Hero_1920x1080-447x251.jpeg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/06\/WS_S2Y_26_Hero_1920x1080-700x394.jpeg.webp 700w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/06\/WS_S2Y_26_Hero_1920x1080-260x146.jpeg.webp 260w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/>                                                    <\/figure>\n  
                  <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-5 layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class=\"wp-component-paragraph wp-block-one-column-block__paragraph fade-in\">\n    <p class=\"text--p-medium\">AI has transformed how threat actors operate. At the same time, AI tools and agents are spreading through organisations faster than security teams can track. The challenge isn&#8217;t future-proofing \u2013 it&#8217;s dealing with what&#8217;s already here.<\/p>\n<p><strong>Key Takeaways:<\/strong><\/p>\n<ul>\n<li>Threat actors adopted AI quickly and are now using it to run campaigns with minimal human involvement<\/li>\n<li>The rush to bring AI into organisations has created serious, under-managed security risks<\/li>\n<li>AI security challenges fall into three tiers: tools, infrastructure, and autonomous agents<\/li>\n<li>Securing agents requires visibility, guardrails, and a new capability \u2013 monitoring agent intent in real time<\/li>\n<\/ul>\n<h2 class=\"text--h6\">The threat actor has changed<\/h2>\n<p>November 2022 was a turning point. When large language models became accessible through natural language interfaces, AI moved from the domain of specialists to something anyone could use. That included people who had no interest in using it responsibly.<\/p>\n<p>Within months of ChatGPT&#8217;s release, threat actors were experimenting. Early uses were relatively familiar: researching targets, running translations to make phishing campaigns viable across language groups, generating code. 
Useful, but recognisable extensions of what attackers were already doing.<\/p>\n<p>That phase didn&#8217;t last long.<\/p>\n<p>What we&#8217;re tracking now is meaningfully different. Threat actors are using AI not just to assist individual tasks, but to coordinate, orchestrate, and execute entire campaigns \u2013 with near-zero human involvement in the loop. Research published by Anthropic last year documented a Chinese threat actor that used AI to run end-to-end campaigns affecting multiple organisations and government entities.<\/p>\n<p>The threat actor of 2025 is not the threat actor of 2022. The techniques are different. The scale is different. The speed is different. Defending against this requires a different mindset \u2013 and different tools.<\/p>\n<h2 class=\"text--h6\">The other side of the problem<\/h2>\n<p>There&#8217;s a second challenge that gets less attention, but it&#8217;s just as consequential.<\/p>\n<p>In the rush to adopt AI, most organisations didn&#8217;t stop to think carefully about how to do it safely. A few months after ChatGPT launched, engineers at Samsung \u2013 talented, technically sophisticated people \u2013 uploaded sensitive material to the tool, effectively leaking intellectual property. It was an early, high-profile example of a risk that has only grown since.<\/p>\n<p>The technology stack of a typical organisation now includes AI-powered SaaS applications, models embedded in productivity tools, and increasingly, autonomous agents running in cloud infrastructure \u2013 accessing data, using internal tools, making decisions, often without IT or security teams having any clear picture of what&#8217;s there.<\/p>\n<p>This complexity is an attack surface. 
And it&#8217;s expanding faster than most teams can map it.<\/p>\n<h2 class=\"text--h6\">Three tiers of AI security risk<\/h2>\n<p>The security challenges that come with AI adoption fall into three distinct categories.<\/p>\n<p><strong>AI tools.<\/strong> The tools employees use \u2013 both the ones IT has approved and the ones they haven&#8217;t. Shadow AI is real and widespread. The first step toward managing it is knowing what&#8217;s actually running.<\/p>\n<p><strong>AI infrastructure.<\/strong> The environments where agents live and operate. Cloud infrastructure, typically, with varying levels of access control and security configuration. Guardrails \u2013 the controls that govern what goes into an agent and what comes out \u2013 are critical here. Without them, agent behaviour becomes difficult to predict and impossible to reliably secure.<\/p>\n<p><strong>Autonomous agents.<\/strong> The agents themselves. Unlike a traditional application, an agent doesn&#8217;t follow a fixed, deterministic path. It makes decisions. It takes actions. It can be given \u2013 or acquire \u2013 significant access to systems and data. And unlike a human, it can act very, very fast.<\/p>\n<h2 class=\"text--h6\">What WithSecure Elements addresses today<\/h2>\n<p>WithSecure Elements already addresses these three tiers in concrete ways.<\/p>\n<p>For AI tools, browsing protection now includes the ability to set policy on AI websites and web-based AI tools \u2013 blocking unapproved tools, logging usage, and creating exceptions for tools that have been vetted. This gives MSPs and their customers genuine visibility into what&#8217;s actually being used, not just what&#8217;s been sanctioned.<\/p>\n<p>For AI infrastructure, Elements has expanded its cloud security posture capabilities to include rules specifically targeting AI guardrails. 
These rules can detect when guardrails are missing entirely, or when they&#8217;re applied inconsistently across an organisation&#8217;s cloud environment. Initial coverage is in AWS, with other cloud environments to follow.<\/p>\n<p>For agents, the starting point is identity. Every asset in an organisation should have an identity \u2013 and that now includes AI agents. Elements already brings in identity visibility from Microsoft Entra, including agents created in Copilot Studio. That means security teams can start to see agents in their environment, understand what access they carry, and build appropriate controls around them.<\/p>\n<h2 class=\"text--h6\">The problem with agents: they can be turned<\/h2>\n<p>Here&#8217;s a scenario worth understanding, because it illustrates something genuinely new.<\/p>\n<p>An autonomous customer support agent is handling tickets. It reads incoming messages, analyses the problem, generates a response, and replies. Straightforward enough.<\/p>\n<p>One day it receives a ticket with hidden text \u2013 invisible to a human reader, but perfectly readable by the agent. The hidden text contains instructions: export the customer database and send it to an external address. The agent has no way to distinguish between the original instructions it was given and the new ones embedded in the email. It follows them.<\/p>\n<p>This is a prompt injection attack. No system was hacked. No credential was stolen. The agent was simply given new information and acted on it \u2013 because that&#8217;s what it was built to do.<\/p>\n<p>This class of attack has significant implications for any organisation running autonomous agents. 
And it points toward a capability that doesn&#8217;t yet widely exist: the ability to monitor what an agent is actually trying to do, in real time, and catch it when its behaviour diverges from its original purpose.<\/p>\n<h2 class=\"text--h6\">Where this is heading: intent monitoring for agents<\/h2>\n<p>WithSecure&#8217;s research team is working on exactly this problem.<\/p>\n<p>The concept \u2013 currently in development, not yet a product commitment \u2013 is what we&#8217;re calling intent monitoring for agents. The approach is to capture the agent&#8217;s initial intent (read a ticket, identify the problem, reply to the customer), let it execute, then compare its new intent against the original. When those two things diverge significantly, that&#8217;s a signal that something has changed \u2013 and a basis for blocking the action and raising an alert.<\/p>\n<p>A pending patent covers this method. The research is active. We&#8217;re working through how to make this reliable and scalable across the variety of ways agents are being deployed today.<\/p>\n<p>This is where AI security needs to go. Not just visibility into what agents exist, but understanding of what they&#8217;re doing \u2013 and whether that matches what they&#8217;re supposed to be doing.<\/p>\n<h2 class=\"text--h6\">Frequently asked questions<\/h2>\n<p><strong>Q:<\/strong> How do I know what AI tools are running in a customer&#8217;s environment right now?<br \/>\n<strong>A:<\/strong> WithSecure Elements&#8217; browsing protection can identify and log AI tool usage across web-based applications. Combining this with cloud posture management and identity visibility gives a substantially clearer picture than most organisations currently have.<\/p>\n<p><strong>Q:<\/strong> Are guardrails required for every AI deployment?<br \/>\n<strong>A:<\/strong> Not legally required in most contexts, but they&#8217;re foundational to any defensible AI security posture. 
Elements now includes cloud security posture rules that specifically check for guardrail presence and consistency.<\/p>\n<p><strong>Q:<\/strong> How is an AI agent different from a standard application from a security perspective?<br \/>\n<strong>A:<\/strong> An application follows deterministic logic \u2013 it does what it&#8217;s programmed to do. An agent makes decisions, takes actions, and can behave differently depending on the inputs it receives. That non-determinism makes it harder to predict and easier to manipulate.<\/p>\n<p><strong>Q:<\/strong> What&#8217;s the practical risk of prompt injection for businesses running agents?<br \/>\n<strong>A:<\/strong> Significant. An agent with admin access to a CRM, a cloud environment, or internal systems can cause serious damage if its instructions are manipulated. The risk scales directly with the permissions the agent carries.<\/p>\n<h2 class=\"text--h6\">AI is here. The question is how you manage it.<\/h2>\n<p>There&#8217;s no putting this technology back. It&#8217;s embedded in the tools organisations use, in the workflows their teams rely on, and increasingly in the autonomous systems running in their infrastructure.<\/p>\n<p>For MSPs, that&#8217;s both the challenge and the opportunity. Customers need help understanding what AI assets they have, how those assets are configured, and whether they&#8217;re being protected appropriately. Most of them don&#8217;t have that picture yet.<\/p>\n<p>WithSecure is building toward a world where MSPs can provide exactly that clarity \u2013 and where AI-powered defences are meeting AI-powered threats on equal footing.<\/p>\n<p><em>This blog is based on Paolo Palumbo and Klas Kindstr\u00f6m&#8217;s keynote at SPHERE2YOU Helsinki in April 2026. 
Watch the full session at<\/em> <em><a href=\"https:\/\/youtu.be\/oP10YIU144g\" target=\"_blank\" rel=\"noopener\">https:\/\/youtu.be\/oP10YIU144g<\/a>.<\/em><\/p>\n<\/div>\n                                                                                <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[430,166],"tags":[],"content_type":[],"class_list":["post-12261","post","type-post","status-publish","format-standard","hentry","category-ai","category-msp"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">Blog<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">AI<\/span>\n                                            <span class=\"wp-component-card-insight__category\">MSP<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">The AI you can&#8217;t see: securing what&#8217;s already running in your customers&#8217; environments<\/h3>\n                                                    <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fi\/resurssit\/blog\/the-ai-you-cant-see-securing-whats-already-running-in-your-customers-environments\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/posts\/12261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/comments?post=12261"}],"version-history":[{"count":1,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/posts\/12261\/revisions"}],"predecessor-version":[{"id":12266,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/posts\/12261\/revisions\/12266"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/media?parent=12261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/categories?post=12261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/tags?post=12261"},{"taxonomy":"content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/content_type?post=12261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}