AI Security · Agentic AI · API Security

The Attack is Coming from Inside the API: Surviving the Rogue Agent Era

99% of AI-era attacks come from authenticated sources. The agent already has the credential. This is what that breaks, and why every security vendor is racing to name the category first.


TL;DR

Salt Security’s 1H 2026 report found that 99% of AI-era attack attempts come from authenticated sources and 92% of organizations lack the security maturity to defend AI agents. The attackers are using credentials you issued on purpose. IBM, Salt, and every other security vendor are now racing to name this category before CISOs open a budget line for it. Whoever names the problem defines the spend.

What the numbers say

Salt Security’s 1H 2026 report, released April 8 and drawn from 327 security professionals, puts one figure at the centre of everything else: 99% of analyzed attack attempts came from authenticated sources. 92% of organizations say they lack the security maturity to defend AI agents. 76% have no automated API inventory. 65% of incidents still trace back to basic misconfiguration. But the 99% is the number that reframes the problem.

For twenty years, security programs assumed the attacker was outside trying to get in. Keep them out and you win. That model treated the credential as the prize. Steal one, you were inside.

Agents quietly inverted that. The agent already has the credential. Authenticating and acting on behalf of someone is the thing it was built to do. So when the Salt data says 99% of attacks come from authenticated sources, the story is not that phishing is winning. The story is that the attack surface has moved inside the door. What calls your API is already on the guest list. The only open question is whether it should be asking for what it’s asking for.

The rogue agent problem

Salt’s CEO Roey Eliyahu framed the threat as “rogue agents operating with legitimate credentials but no human oversight, no rate limiting, and no behavioral guardrails.” That phrase is engineered for the board deck and it will land there.

An over-permissioned agent with a valid token and an unbounded request rate can do in seconds what used to take an attacker weeks of lateral movement: enumerate the API, find the endpoints that leak customer records, and drain them at machine speed. The human who would have noticed three thousand API calls in a minute isn’t in the loop. The rate limiter that would have stopped a human user was tuned for human cadence. The audit log that would flag a suspicious user session shows a single well-behaved service account doing exactly what it was told.

This is why Salt’s data keeps security teams awake. The tools that work today (WAFs, bot detection, user behavior analytics) mostly assume humans doing human things. Agents do machine things at machine speed with human permissions. The old controls are tuned to a world that no longer exists.
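To make the "human cadence" point concrete, here is an added example (written for this page; not Salt's, IBM's or any vendor's detection logic) that profiles API access per authenticated principal over a constructed log and flags the three signals the paragraphs above describe: a peak request rate no rate limiter tuned for people would catch, breadth of distinct records pulled in that peak window, and sub-second inter-request gaps. The log, the principal names and every threshold are assumptions; a real deployment would set the thresholds from its own baseline.

```python
"""Spotting machine-cadence use of a legitimately issued credential.

Added example for this page, not Salt's or any vendor's detection logic.
The access log below is constructed, and every threshold is an assumption
that a real team would tune against its own API's baseline.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
RATE_PER_MIN = 120        # assumed ceiling for an interactive user
RECORDS_PER_MIN = 200     # assumed: more distinct records than a person reads in a minute
HUMAN_GAP_SECONDS = 1.0   # assumed: humans rarely sustain sub-second request gaps


def build_sample_log():
    """Constructed log of (timestamp, principal, path) tuples.

    alice browses a handful of pages over five minutes; svc-support-agent
    holds a valid token and walks 100 customer records across six endpoints,
    600 requests in 60 seconds, every one of them authenticated.
    """
    base = datetime(2026, 4, 8, 9, 0, 0)
    log = []
    human_paths = ["/customers/42", "/customers/42/orders", "/orders/1001",
                   "/orders/1001/items", "/customers/42/addresses",
                   "/tickets/77", "/tickets/77/notes", "/customers/42/notes"]
    for i, path in enumerate(human_paths):
        log.append((base + timedelta(seconds=35 * i), "alice@example.com", path))
    families = ["/customers/{}", "/customers/{}/orders", "/customers/{}/addresses",
                "/customers/{}/payment-methods", "/customers/{}/notes", "/customers/{}/export"]
    for i in range(600):
        path = families[i % len(families)].format(i // len(families))
        log.append((base + timedelta(milliseconds=100 * i), "svc-support-agent", path))
    log.sort(key=lambda r: r[0])
    return log


def profile(log):
    """Per principal: the busiest 60 s window (request count and distinct
    resources touched in it) and the median gap between consecutive requests."""
    by_principal = defaultdict(list)
    for ts, principal, path in log:
        by_principal[principal].append((ts, path))
    profiles = {}
    for principal, events in by_principal.items():
        events.sort()
        times = [ts for ts, _ in events]
        paths = [p for _, p in events]
        in_window = Counter()
        peak = peak_distinct = start = 0
        for end in range(len(events)):
            in_window[paths[end]] += 1
            while times[end] - times[start] > WINDOW:   # slide the left edge forward
                in_window[paths[start]] -= 1
                if in_window[paths[start]] == 0:
                    del in_window[paths[start]]
                start += 1
            if end - start + 1 > peak:
                peak, peak_distinct = end - start + 1, len(in_window)
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        profiles[principal] = {
            "peak_per_min": peak,
            "distinct_in_peak": peak_distinct,
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return profiles


def flag(profiles):
    """Return {principal: [signals]} for principals whose pattern is not human."""
    flagged = {}
    for principal, p in profiles.items():
        signals = []
        if p["peak_per_min"] > RATE_PER_MIN:
            signals.append("rate")              # a limiter tuned for humans never fires here
        if p["distinct_in_peak"] > RECORDS_PER_MIN:
            signals.append("drain")             # many distinct records, not one task
        if p["median_gap_s"] is not None and p["median_gap_s"] < HUMAN_GAP_SECONDS:
            signals.append("machine_cadence")   # nobody clicks that fast
        if signals:
            flagged[principal] = signals
    return flagged


if __name__ == "__main__":
    for principal, signals in flag(profile(build_sample_log())).items():
        print(f"{principal}: {', '.join(signals)}")
```

The point of keying everything on the principal rather than on the session is that the agent's session looks well-behaved; only the aggregate rate, breadth and cadence of one authenticated identity give it away. Running this over a real access log means swapping `build_sample_log` for a parser of your gateway's format and re-baselining the three constants.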

The vocabulary war

The two vendor responses this month read best against each other.

Salt is pitching the Agentic Security Graph. It maps relationships between three layers: the LLM (reasoning), the MCP server (tool execution), and the API (action). The argument is that you cannot secure agents by inspecting any single layer. A clean LLM calling a poisoned MCP tool still causes damage. A hardened MCP server forwarding a confused LLM’s request still causes damage. The threat lives in the interactions, not the components.

IBM announced an autonomous security service, positioned as the defender-side answer to AI-accelerated attack speed. The pitch reduces to: agents attack at machine speed, so your defense runs at machine speed too. The announcement itself is light on product detail and heavy on category positioning, which is the tell. IBM is not describing a product so much as reserving a seat in the category.

Both vendors are doing the same thing. They are trying to be first to name the problem. The CISO buying in 2026 is not buying a product; they are buying a model for a risk they barely understand yet. Whichever vendor sells them the model sells them every tool that fits it.

Zero Trust was not a product. It was a framing. Once Forrester and the vendor ecosystem aligned on the name, every security tool became a Zero Trust tool whether it was or wasn’t. The agentic security category is five minutes into that same cycle.

What this changes about the security program

Security leaders should read this moment as a category shift, not a tooling refresh. The instinct to buy the newest detection product is the wrong one. Salt’s data names a visibility problem. When 76% of organizations do not have an automated API inventory, they do not know which agents are calling which endpoints with which permissions. No detection product fixes a visibility gap it cannot see.

The posture that actually holds up here is one most IT programs already understand. Treat every agent like a contractor with a badge. Short-lived credentials, scoped access, an audit trail that links a request back to the agent that made it and the reasoning model that asked for it. Nothing exotic. It is the control set mature programs apply to third parties, re-pointed at a category of actor most organizations have been issuing unlimited tokens to for the past year.

The harder question is architectural. If the threat lives in the interactions between the LLM, the MCP server, and the API (and Salt is right that it does), then the monitoring has to live there too. Most organizations log at the endpoint. The behavior is in the path between endpoints. Closing that gap is a multi-year program for most teams, and the vendors naming the category today are pre-selling the platform that will claim to do it tomorrow.

The part nobody is saying

The quiet insight in the Salt data is not that attacks are getting smarter. It is that organizations have been deploying the AI agent equivalent of a teenager with a platinum Amex and no curfew, and looking surprised when the bill arrives. The controls to prevent that are not exotic. They are the same ones any mature program applies to third parties, now applied to a category of actor that thinks faster than any human and holds real permissions while doing it.

If your security program cannot answer the question “which of my agents can read customer data right now, and why”, the vendor category is not the problem. The visibility is.
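The contractor-with-a-badge control set described under "What this changes about the security program" and the inventory question just posed fit in one small model, shown here as an added example (written for this page; not Salt's, IBM's or any product's code): short-lived scoped grants with a named approver and reason, an authorization check that records every decision with the agent id and the reasoning model that asked, and a query that answers "which agents can read customer data right now, and why". Agent ids, scopes, approvers and the 15-minute TTL are constructed.

```python
"""Agents as badged contractors: short-lived, scoped credentials with a
named approver and reason, an enforcement check that leaves an audit record
tying every request to the agent and the reasoning model behind it, and the
inventory query the closing paragraph asks for.

Added example written for this page; not Salt's, IBM's or any product's code.
Agent ids, scopes, approvers and the 15-minute TTL are constructed.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2026, 4, 8, 9, 0, 0)            # fixed clock so the run is deterministic
AFTER_EXPIRY = NOW + timedelta(minutes=20)      # past the assumed 15-minute TTL


@dataclass(frozen=True)
class Grant:
    agent_id: str
    scopes: frozenset
    approved_by: str      # the human accountable for this agent's access
    reason: str           # why the agent needs these scopes
    expires_at: datetime


class AgentAccess:
    """Issues scoped, expiring tokens to agents and records every decision."""

    def __init__(self, ttl=timedelta(minutes=15)):
        self.ttl = ttl
        self.grants = {}      # token -> Grant
        self.audit = []       # one record per authorization decision

    def issue(self, agent_id, scopes, approved_by, reason, now):
        token = secrets.token_urlsafe(24)
        self.grants[token] = Grant(agent_id, frozenset(scopes), approved_by, reason, now + self.ttl)
        return token

    def authorize(self, token, scope, model_id, request_id, now):
        """Allow only an unexpired grant that includes `scope`; audit either way."""
        grant = self.grants.get(token)
        if grant is None:
            decision = "deny:unknown_token"
        elif now >= grant.expires_at:
            decision = "deny:expired"
        elif scope not in grant.scopes:
            decision = "deny:out_of_scope"
        else:
            decision = "allow"
        self.audit.append({
            "request_id": request_id,
            "agent_id": grant.agent_id if grant else None,
            "model_id": model_id,        # the reasoning model that asked for this call
            "scope": scope,
            "decision": decision,
            "at": now.isoformat(),
        })
        return decision == "allow"

    def who_can(self, scope, now):
        """'Which agents can <scope> right now, and why?' as a sorted list of
        (agent_id, approved_by, reason); empty once every grant has expired."""
        return sorted({(g.agent_id, g.approved_by, g.reason)
                       for g in self.grants.values()
                       if scope in g.scopes and now < g.expires_at})

    def trail(self, request_id):
        """Walk a request back to the agent and model that produced it."""
        return [a for a in self.audit if a["request_id"] == request_id]


def demo():
    """Issue two grants, exercise the three decision paths, return the outcomes."""
    access = AgentAccess()
    support = access.issue("support-agent", {"customers:read", "tickets:write"},
                           "alice@example.com", "ticket triage for queue P1", NOW)
    access.issue("billing-agent", {"invoices:read"},
                 "bob@example.com", "monthly reconciliation", NOW)
    results = {
        "allowed": access.authorize(support, "customers:read", "llm-v3", "req-001", NOW),
        "out_of_scope": access.authorize(support, "customers:export", "llm-v3", "req-002", NOW),
        "expired": access.authorize(support, "customers:read", "llm-v3", "req-003", AFTER_EXPIRY),
    }
    return access, results


if __name__ == "__main__":
    access, results = demo()
    print(results)
    print("can read customers now:", access.who_can("customers:read", NOW))
    print("can read customers later:", access.who_can("customers:read", AFTER_EXPIRY))
    print("trail for req-002:", access.trail("req-002"))
```

Two design choices carry the argument. The grant stores the approver and the reason, so the inventory answer is not just a list of agents but the justification for each, and the audit record carries `model_id` alongside `agent_id`, which is what lets a single well-behaved service account's call be traced back through the reasoning layer that requested it rather than stopping at the endpoint.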
