UNCLASSIFIED / NON-CLASSIFIÉ · CLEARGLASS INTELLIGENCE DESK · OPEN PUBLICATION
AI & Security · Field Note 02

AI Agents Are the New Insider Threat — and Your Insider-Threat Program Can't See Them

An insider is anyone with credentials, access, and the ability to act. By that definition, you already employ insiders that never sleep, never resign, and never show up on a badge report.

The 30-second version

  • The definition already fits. An insider is an entity with legitimate credentials, internal access, and the ability to act. Every deployed AI agent qualifies — and most run on shared service accounts your insider-threat program was never built to watch.
  • Your tooling baselines humans. Behavioral analytics learn human rhythms — working hours, access patterns, data volume. An agent has none, so it's either invisible or a false-positive machine. Both outcomes train your SOC to ignore it.
  • The model: AIRF — the Agent Insider Risk Framework. Four controls: Identity (one scoped identity per agent instance), Intent (verify actions against the sanctioned mission), Blast Radius (cap what any single action can break), Ledger (append-only record of everything).
  • The uncomfortable truth: you cannot fire an agent that was never hired, and you cannot investigate one that was never identified. Identity is the whole game.

Every mature security organization runs an insider-threat program. It watches for the employee exfiltrating customer lists before resigning, the contractor with a grudge, the administrator whose credentials wander somewhere they shouldn't. Decades of doctrine, tooling, and case law stand behind it. And almost all of it shares one silent assumption: the insider is a person.

That assumption just expired. The fastest-growing population of credentialed actors inside your environment is not human. It is AI agents — systems with API keys, database access, send permissions, and goals — and they match the textbook definition of an insider more cleanly than most of your employees do. They hold legitimate credentials. They operate inside the trust boundary. They can act. The only box they fail to tick is the one your entire detection stack was built around: being a person.

This piece lays out why the insider-threat lens is the correct one for agentic AI, why your current program is structurally blind to it, and the framework we use at ClearGlass to close the gap. We call it AIRF — the Agent Insider Risk Framework: Identity, Intent, Blast Radius, Ledger. It extends the Governed Autonomy model into the security operation itself.

01The Insider You Didn't Hire

Consider what an AI agent in production actually possesses. Credentials — usually an API key or a service account, often shared with other workloads. Access — to your CRM, your codebase, your payment rails, your customer inbox, whatever it was wired to. Capability — it can read, write, send, and delete at machine speed. Persistence — it runs continuously, without fatigue, without weekends.

Now consider what it lacks. A manager. A performance review. An employment contract. A reputation it fears losing. An instinct that a request "feels off." A resignation letter that triggers the offboarding checklist. Every institutional control that makes human insiders governable is simply absent — and nothing was put in its place, because the agent arrived through an engineering sprint, not an HR process.

A human insider betrays you deliberately. An agent betrays you literally — by doing exactly what it was told, at a scale nobody intended.

The threat model splits three ways, and each one is live today:

02Why Your Program Is Blind to It

Insider-threat detection rests on behavioral analytics: build a baseline of normal human behavior, alert on deviation. Login hours, geographic velocity, access sequence, data volume. It works because humans are creatures of rhythm.

Agents break the method in both directions at once. An agent has no circadian rhythm to baseline — it works at 3 a.m. because it always works at 3 a.m. It touches a thousand records a minute because that is its job. Point your behavioral tooling at it and you get one of two failure modes: the agent's behavior is so alien it drowns your SOC in false positives until someone whitelists it — or it's so consistent it becomes the quietest entity in the environment, and nobody looks again. Whitelisted or ignored: either way, you have granted unmonitored insider access.

Most people miss this

The shared service account is the original sin. Most agents authenticate as something else — a generic service identity reused across jobs, pipelines, and now autonomous agents. When an action needs investigating, the trail dead-ends at a credential that a dozen systems share. You cannot attribute the action, so you cannot investigate the actor, so you do not have an insider-threat program for agents. You have a hope.

And there is a fourth gap, the one that should worry compliance officers most: interrogability. When a human insider case opens, investigators interview, subpoena, and reconstruct intent. An agent's "intent" lives in a context window that was garbage-collected milliseconds after the action. Unless you deliberately recorded what the agent knew, was asked, and decided — you are doing forensics on amnesia.

03The Model: AIRF — the Agent Insider Risk Framework

The fix is not a smarter anomaly model. It is treating every agent as what it is — a credentialed insider — and wrapping it in the four controls you would never let a human insider operate without: Identity, Intent, Blast Radius, Ledger.

AIRF 01
Identity
One distinct, sponsored, scoped identity per agent instance. No shared service accounts. Every action attributable to one actor and one accountable human sponsor.
AIRF 02
Intent
Every action checked against the agent's sanctioned mission before execution. Out-of-mission actions aren't flagged — they don't run.
AIRF 03
Blast Radius
Every action scored for what it could break — reversibility, reach, regulatory exposure — and capped. High-blast actions require human sanction.
AIRF 04
Ledger
Append-only record of every action: inputs, decision, score, sponsor. The agent's interrogable memory, built before the incident.

Identity — one agent, one identity, one sponsor

Every agent instance gets its own identity — not a shared key, not a team account. That identity carries three properties: it is distinct (attributable to exactly one running instance), sponsored (a named human owns what it does, the way a manager owns a direct report), and scoped (it can touch only what its mission requires, read-only by default). When the agent is retired, the identity is revoked — offboarding, but for software. If you adopt nothing else from this piece, adopt this: attribution is the precondition for every other control.

Intent — verify the action against the mission

Human insider programs infer intent after the fact. With agents you can do better: demand it up front. Each agent operates under a declared mission — a machine-readable statement of what it is for. Every proposed action is checked against that mission before execution. An invoice-reconciliation agent proposing an outbound email is not an anomaly to score; it is an out-of-mission action to block. This is also your prompt-injection defense: it doesn't matter what the poisoned context convinced the agent to want. Wanting is free. Acting outside the mission is impossible.

Blast Radius — cap what one action can break

Score every action for damage potential — how reversible it is, how many records or dollars or customers it reaches, what regulation it touches — and route by the score:

LOW
Contained & reversible · auto-execute + logRead, analyze, draft, tag. The agent runs at full speed — and every action still lands in the ledger.
MEDIUM
Real but bounded · queue for approvalPublish, edit records, scoped sends. Held for the sponsor with full context attached.
HIGH
Irreversible or wide · blocked until sanctionedMoney movement, mass outbound, deletions, permission changes. Hard-blocked until a human approval exists on the record. No override path in code.

Note what this replaces: instead of asking "is this behavior anomalous?" — a question your tooling cannot answer for a non-human — you ask "is this action's worst case acceptable without a human?" That question has an answer at design time, before the agent ever runs.

Ledger — build the interrogation room in advance

Every action writes to an append-only ledger: what was proposed, what the mission check said, what the blast-radius score was, who sanctioned it, what happened. This is the control that converts an agent incident from a crisis into a query. When the regulator, the customer, or your own board asks what did this system do and on whose authority — the answer is a row, not a reconstruction.

You cannot fire an agent you never hired, and you cannot investigate one you never identified.

04Putting AIRF Into Practice

  1. Census your non-human insiders. Inventory every agent, bot, and autonomous workflow with credentials. Most organizations find two to three times more than they expected — and most of them share accounts.
  2. Break up the shared accounts. Issue each agent instance its own identity with a named human sponsor. This is the highest-leverage control on the list and the prerequisite for every other one.
  3. Write the mission down — in code. A declared, machine-readable scope per agent: what it may read, what it may write, what it may never touch. Default deny. Read-only until proven.
  4. Score the verbs before deployment. Walk the agent's action surface and band every verb by blast radius on a whiteboard, before launch. Pricing changes and mass sends are high. Reading a dashboard is not.
  5. Wire the ledger into the execution path. If an action can execute without writing a record, your forensics have a hole exactly where the incident will be. Act-and-record must be one operation.
  6. Give agents an offboarding process. Retired agents lose their identities the day they stop running. An orphaned agent credential is an insider with no employer — the exact profile every insider-threat program exists to prevent.

05What It Looks Like In The Wild

Commerce operations

A storefront agent drafts copy, reconciles orders, and reads dashboards all day under its own scoped identity — low blast radius, full speed. When a poisoned product review convinces it to "urgently discount the catalog," the intent check doesn't debate the psychology: catalog-wide pricing is outside the mission and above the blast-radius cap. The action never executes, the attempt lands in the ledger, and the sponsor gets a signal worth reading — one real alert instead of a thousand baselines.

Security operations

A triage agent correlates alerts and quarantines suspicious files autonomously — reversible, contained. The day it proposes disabling an executive's account (high blast radius, identity-touching), the action queues for an analyst with the full evidence chain attached. The analyst approves in seconds or rejects in one. Either way, the decision and its basis are on the record forever.

Regulated environments

An operations agent in a financial workflow runs under a sponsored identity with a declared mission. At audit time, the examiner's question — show me every action this system took affecting customer funds, and who authorized each one — is answered with a filtered ledger export. The audit that ruins quarters elsewhere takes an afternoon.

06Mistakes to Avoid

07The Final Takeaway

The insider threat was never really about employees. It was about the combination of credentials, access, and the ability to act — held by an actor whose intentions you cannot fully verify. For seventy years that actor happened to be human, so we built human controls: background checks, managers, badge logs, exit interviews.

The actor has changed. The definition hasn't. AI agents are insiders by every criterion that matters, and they are arriving in fleets, through engineering sprints, without a single control from the insider playbook attached. The organizations that thrive in the agentic era won't be the ones that deploy agents most aggressively — they'll be the ones that can answer, for every agent, four questions: Who is it? What is it for? What can it break? And where is that written down?

Identity. Intent. Blast Radius. Ledger. Hire your agents properly — or accept that you've already granted insider access to a workforce you've never met.

ClearGlass Inc. · Governed Autonomy

Know every agent in your environment. Govern every action.

ClearGlass builds governed AI systems — scoped identities, mission-checked actions, blast-radius routing, and append-only ledgers, by design. See the model running in production.

#AIagentsecurity #InsiderThreat #NonHumanIdentity #GovernedAutonomy
UNCLASSIFIED / NON-CLASSIFIÉ — END OF DOCUMENT