Global Field CISO at Mimecast. Creator of Risk Reframing. 20+ years across intelligence agencies, cybersecurity, and executive leadership.

​Earlier this year, Austrian developer Peter Steinberger released an open-source AI agent called OpenClaw as a personal project. The software can autonomously orchestrate workflows across messaging platforms, email, calendars and local file systems using large language models. Within months, the project had gone viral, attracting well over 100,000 GitHub stars and leading OpenAI to hire its creator. At the same time, security researchers found thousands of exposed instances leaking credentials, and many running with no authentication at all.​

Bringing new technology into an enterprise normally involves friction, and deliberately so. Vendor contracts are negotiated. Security reviews are scheduled. Change management committees weigh in. Budget owners ask questions. Leadership signs off. That process exists because the decisions being made carry consequences that extend well beyond the individual making them.

Open-source AI agents can bypass many of those traditional gates. A developer or knowledge worker can often download and run a tool in minutes without procurement, a contract review or a formal vendor assessment. If the software is granted access to email, calendars, messaging platforms or local files, it may quickly become integrated into sensitive workflows before security teams are aware of its presence.

That possibility highlights a governance challenge. Before deploying a self-hosted AI agent with broad system permissions, organizations should consider architecture reviews, open-source software risk assessments and clear policies governing what data and systems the agent is allowed to access.​​​

That is the gap we keep missing. Not the controls, but the conditions that would make reaching for them feel automatic. Enterprises have spent two decades building infrastructure to govern what they buy. Almost nobody has built the infrastructure to govern what arrives before anyone decides to let it in.

The workforce has already changed. Our thinking has not.

​Across industries, machine identities now outnumber human employees by more than 80 to 1. These include service accounts, API integrations, bots and AI agents. These workers have identities. They have access. They touch sensitive data and execute actions at a scale no human worker ever could. And every one of them inherits the judgment of the human who created it.

We’ve instrumented everything except what matters most.

The security industry has spent two decades building instrumentation: networks, endpoints, identities, data flows—all monitored with increasing precision. We have mapped nearly everything except the layer making the most consequential decisions: the humans who create, configure and provision the non-human workers.

Non-human identity risk is downstream of human behavior. The orphaned service account exists because a human left without proper offboarding. The AI agent running across your communications stack could exist because a human provisioned it without a review process. Humans operating under pressure and at machine speed create risky automation, and many organizations have built nothing to identify those risky behaviors before it gets encoded into an agent.

Every significant organizational failure I have reconstructed over 20 years—spanning intelligence agencies and enterprise environments—had a human navigation layer nobody was reading, but not because the signals weren’t there. They always were. We call these events surprises because we weren’t reading the drift. It was rarely one decision that created the exposure; it was a series of small ones, each reasonable in isolation, accumulating into behavioral drift. We missed it because we have never built the infrastructure to navigate those signals.

The technical window is closing. The human window has never opened.

In early 2026, Anthropic announced Claude Mythos Preview—a model strikingly capable at computer security tasks—and launched Project Glasswing to use it to help secure the world’s most critical software. The signal was clear: If a single AI model can surface thousands of serious vulnerabilities across foundational software in a matter of weeks, the window between discovery and exploitation will keep compressing.

As AI compresses the technical attack surface, the layer that can’t be patched becomes the highest-leverage target: the people making ungoverned decisions about which AI tools to deploy, which agents to provision and what data those agents will touch.

What does instrumenting the human layer actually mean?

The human layer already generates behavioral signals. The question is whether your organization has built the capacity to read them.

That capacity starts with the right frame: behavioral drift, not behavioral monitoring. Monitoring produces data. Drift detection produces a diagnosis.

It requires three layers of comparison: an individual measured against their own baseline over time, against their peer cohort (in the same role, with comparable experience) and against the broader employee population. Only with all three can you calculate deviations worth acting on rather than logging. This is the same methodology banks apply to transaction fraud, and hospitals apply to patient risk—pattern recognition at the population level, not observation of individuals.

Now apply the same logic to your non-human workers. Every AI agent and service account has a behavioral baseline, including when it operates, what it accesses and how much data it moves. An agent accessing systems outside its documented purpose, moving data volumes beyond its normal range or establishing connections with no prior history is a signal. The three-layer model applies here, too.

Ask these two questions in your next leadership conversation.

Before an AI agent is provisioned, ask, “Who is making that decision?” and “What do you know about their behavioral state?” The provisioning decision is a governance event. Most organizations have not yet named it as one. That is the diagnostic gap.

How does your organization connect which humans are creating which non-human workers? If you cannot trace a line from an employee’s current risk profile to the agents they have provisioned, that is the structural gap and the place where your next significant incident is most likely to originate.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

Share.
Leave A Reply

Exit mobile version