AI agents keep running after their job is done, credentials and all

The Cloud Security Alliance found that 65% of organizations experienced at least one cybersecurity incident caused by an AI agent in the twelve months to April 2026. Data exposure was the most common result, reported by 61% of affected firms, followed by operational disruption at 43% and unintended actions in business processes at 41%. A third of those firms reported financial losses. The agents behind these incidents were frequently not rogue systems — they were tools that had been deliberately deployed and then abandoned.

Unlike a conventional software service, an agent accumulates access over time: credentials to internal APIs, hooks into business systems, permissions to read and write sensitive data. When a team moves on or a project closes, the agent often stays running. It still holds every permission it was given when it was useful. The CSA found that only one in five organizations has a formal process for retiring AI agents — meaning four out of five have no systematic way to revoke access when an agent's task ends.

The CSA documented cases where decommissioned agents were still active inside enterprise networks months after their official purpose had ended, still holding database credentials and API keys. Large organizations that build agents across separate business units face an additional problem: no central team owns the inventory of what is running or when each agent was last reviewed. As of April 2026, most organizations could not name every agent operating in their network, let alone confirm which ones had been audited in the past year.