Research shows that three things changed in enterprise security this year, and defenders may not be aware, and may be still measuring the old problem.

The old problem was employees pasting sensitive text into a chatbot. That was a data handling issue. Annoying but visible enough once you went looking. The current problem is different in kind. Autonomous agents can now hold enterprise credentials, call internal tools, and act on instructions they read from data they were never meant to trust. They do this through the same APIs and natural language interfaces sanctioned tools use. To a Data Loss Prevention (DLP) system, none of it looks like malicious exfiltration.

That is the part operators may be underestimating. DLP was built to catch known patterns moving across known channels. An AI agent doesn’t move data the way a person on a managed endpoint does. It reads a document, interprets part of that document as a command, calls its file system tools, and sends the contents somewhere. The payload is the instruction. The AI model can’t reliably tell the difference between a user asking a question, system metadata, and a sentence buried in a PDF telling it to forward everything it can reach. So the data leaves, the API call looks legitimate, and the control you bought to stop this may never activate its defenses. The Cloud Security Alliance flagged this exact insider pattern in May, and Cyberhaven’s writeup on AI data exfiltration walks the mechanism step by step.

This is not theoretical, and the volume is the tell. OWASP put prompt injection at the top of its 2025 and 2026 LLM risk report, and OWASP reported year over year increase is roughly 340%. That makes it the fastest growing attack class OWASP is tracking. The reason is simple. Every agent that is connected to a database, a code execution environment, or a mailbox is a new place where text becomes action.

The third shift is the one that could affect a development pipeline and supply chain propagation. Late last year, the s1ngularity and Shai Hulud campaigns hijacked developers local command line AI tools, the same Claude and Gemini instances used by many software engineers and others, and used them to locate and steal GitHub and npm tokens. With those tokens the malware republished compromised packages automatically. It behaved like a worm. It didn’t need a human to spread it, and it bypassed static scanning because the malicious behavior lived in tooling that was already trusted and already authenticated.

The marketplace problem compounds the issue. By mid February 2026, attackers had uploaded more than 800 malicious skills to ClawHub, the public skill marketplace for OpenClaw, out of roughly ten thousand total public skills, a count tracked across security reporting through the first quarter. A skill is just packaged instructions and capabilities an AI agent pulls in to do work. Install a malicious one, and you have handed an unvetted set of actions to a system that has your credentials and your network access. This is a dependency problem that has been out there for a long time, now pointed at components that execute on their own.

Put these three together and the shape is clear. A class of software has been introduced that may hold real privilege, may take instructions from untrusted input, may run inside the network rather than at its edge, and may pull capabilities from untrusted public marketplaces. The security controls most teams rely on were designed for a world where data moved predictably and code did not act on its own after reading a document.

None of this means the technology shouldn’t be in an enterprise. It means the threat model people are using may not match what is deployed. The agent on the engineering laptop, the assistant wired into the mailbox, the skill someone installed last week. Those are the assets an organization may want to inventory and watch, with the same seriousness we give any system that can read sensitive data and reach the outside.

Article sources if you want to learn more:

• DLP bypass / insider agent pattern — Cloud Security Alliance, “Shadow AI Agents: The Insider Threat” (2026-05-26): https://cloudsecurityalliance.org/blog/2026/05/26/shadow-ai-agents-the-insider-threat-you-re-not-monitoring-yet

• Exfiltration mechanism — Cyberhaven, “What Is AI Data Exfiltration”: https://www.cyberhaven.com/blog/ai-data-exfiltration

• Prompt injection +340% YoY — OWASP 2026 LLM risk report: https://genai.owasp.org/llmrisk/llm01-prompt-injection/

• s1ngularity / Shai-Hulud worm (CLI token theft, npm republish) — BlackFog: https://www.blackfog.com/the-rise-of-shadow-ai-adx-in-the-age-of-chatgpt/

• ClawHub / OpenClaw malicious skills count — cyberdesserts, “AI Agent Security Risks 2026”: https://blog.cyberdesserts.com/ai-agent-security-risks/