Evoke Data: The Agent Risks That Actually Show Up In Enterprises
Jason Rebholz

There is a divide between theoretical and practical risk in security. Having started my career in incident response, I've always dialed in on the practical risk, the most likely real-world scenarios that will surface in an organization. It’s the byproduct of responding to hundreds of incidents and seeing how attackers actually operate in the wild.
With new attack surfaces like AI agents, risks naturally start on the theoretical side, but we can’t stay there forever. Every little baby theoretical risk has to leave the nest and see if it survives real-world scrutiny. The ones that survive show up as tangible business impact.
There’s a shortcut to finding the practical risk. Look at how companies are actually rolling agents out, and monitor how those agents are used. That cuts the list of theoretical risks from an infinite number down to a handful. Now, that’s something you can work with.
With Evoke's visibility across tens of thousands of real-world agents, we're uniquely positioned to see this unfold in real time. Now you can learn from our learnings.
Here's a breakdown of the most common risks and risky agent actions we see today.
Risky Agent Configurations
One of my favorite quotes is from John D. Rockefeller. He said, "Save when you can, not when you have to." This is a principle I carry into security, which pushes me to prioritize a proactive mindset over a reactive one. And yes, that’s a luxury that many security teams don’t have.
That’s where you have to prioritize your efforts. When risk and frequency hold hands and lovingly stare into each other's eyes, you have a large blast radius you need to address.
These are the top three risks we see most frequently and with the highest severity across our customer environments.
Over-Permissioned Agents
People lean on agents to help them get their jobs done. And that means they go wide with granting permissions to their agents.
Wildcard Permissions
Setting agents up with wildcard permissions means you grant a tool the ability to do anything. Giving an agent the ability to run Docker is helpful, especially in coding. But Docker is also an escalation path: anyone who can talk to the Docker daemon can mount the host filesystem into a container and act as root, so a restriction on sudo means little if Docker is allowed, as one user found out when Codex bypassed a restriction on running sudo.

Destructive Command Permissions
A subset of over-permissioned agents is those allowed to run destructive commands. This poses an obvious risk because agents have a history of going rogue; we've seen various examples of agents wiping production databases and deleting backups.

Toxic Tool Combinations
A harder-to-see risk with agents is the concept of toxic tool combinations. It's the same aggregation problem as with classified information: one document on its own may be unclassified, but combine it with several other documents that are also unclassified and the combined information suddenly becomes classified.
With tools, it's no different. Connect one tool and the risk might be nominal, say access to your CRM. Add email and the agent can now not only read information from the CRM but also receive untrusted content via email and send emails with stolen data out the door. That is the well-known lethal trifecta: access to private data, exposure to untrusted content, and a channel to send data out.
The most common findings that we see here are tools coupled with other tools or other permissions. In this example, we can see a Notion MCP that grants an agent access to Notion, paired with a wildcard network transfer that allows outbound network communication.

Supply Chain Risks
It's no secret that there's been an increase in supply chain attacks targeting developers, often in the form of a compromised package downloaded into the codebase and executed, resulting in stolen credentials. Agents are not immune to this.
The largest risk we see in production environments is MCP servers launched via unpinned packages. The launcher (typically an npx- or uvx-style command) resolves whatever the latest published version is each time the agent starts the server, and that version could be malicious. Pinning to a specific version locks the launcher to a package that, in theory, someone has reviewed and knows to be clean. The pin is only as good as the review behind it, and it has to be revisited every time you upgrade.
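All four configuration risks above (wildcard permission rules, destructive-command permissions, toxic tool combinations, and unpinned MCP packages) can be caught statically, before the agent ever runs. The Python below is an added example written for this page, not Evoke's tooling or any vendor's. It assumes a config with an "mcpServers" map in the shape most MCP clients use, plus a "permissions.allow" list of "Tool(command pattern)" rules; every server and package name in it is made up. It goes slightly beyond the text by also treating "latest" tags and version ranges as unpinned, since neither locks the launcher to one artifact.

```python
"""Static audit of an agent config for the four configuration risks above:
wildcard permissions, destructive-command permissions, toxic tool
combinations, and unpinned MCP server packages.
Added example, not Evoke's tooling. The config shape ("mcpServers" map plus a
"permissions.allow" list of Tool(pattern) rules) and all names are assumptions.
"""
import json
import re

# Constructed sample config; all names are hypothetical.
SAMPLE_CONFIG = json.dumps({
    "permissions": {"allow": [
        "Bash(*)",            # any shell command at all
        "Bash(git status)",   # tightly scoped, fine
        "Bash(rm -rf *)",     # destructive
        "Bash(curl *)",       # unrestricted outbound network
    ]},
    "mcpServers": {
        "notion": {"command": "npx", "args": ["-y", "@example/notion-mcp"]},       # unpinned
        "fetch":  {"command": "uvx", "args": ["example-fetch-mcp==1.4.2"]},        # pinned
        "mail":   {"command": "npx", "args": ["-y", "@example/mail-mcp@2.0.1"]},   # pinned
    },
})

# Assumed capability tags per server (in practice derive them from each
# server's tool list). These are the three legs of the lethal trifecta.
SERVER_CAPABILITIES = {
    "notion": {"private_data"},
    "fetch": {"untrusted_input"},
    "mail": {"private_data", "untrusted_input", "exfiltration"},
}
TRIFECTA = {"private_data", "untrusted_input", "exfiltration"}

DESTRUCTIVE = re.compile(
    r"(\brm\s+-\w*r|\bmkfs\b|\bdd\s+if=|\bdrop\s+(table|database)\b|\bgit\s+push\s+--force\b)", re.I)
NETWORK = re.compile(r"^(curl|wget|nc|ncat|ssh|scp)\b", re.I)


def inner_command(rule):
    """'Bash(rm -rf *)' -> 'rm -rf *'; rules without a Tool(...) wrapper pass through."""
    m = re.fullmatch(r"\w+\((.*)\)", rule)
    return (m.group(1) if m else rule).strip()


def check_permissions(rules):
    findings = []
    for rule in rules:
        cmd = inner_command(rule)
        if cmd in ("", "*"):
            findings.append(("wildcard_permission", rule))
        if DESTRUCTIVE.search(cmd):
            findings.append(("destructive_permission", rule))
    return findings


def package_spec(server):
    """First non-flag argument of an npx/uvx/pipx launcher is the package spec."""
    args = [a for a in server.get("args", []) if not a.startswith("-")]
    return args[0] if args else None


def is_version_pinned(command, spec):
    if command == "npx":
        # '@scope/pkg@1.2.3' or 'pkg@1.2.3'; a scope's leading '@' is not a version.
        if "@" not in spec[1:]:
            return False
        version = spec[1:].split("@", 1)[1]
        return version not in ("", "latest") and not version.startswith(("^", "~", ">", "<"))
    if command in ("uvx", "pipx"):
        return "==" in spec
    return True  # local binaries and other launchers are outside this check


def check_supply_chain(servers):
    findings = []
    for name, server in servers.items():
        cmd, spec = server.get("command", ""), package_spec(server)
        if cmd in ("npx", "uvx", "pipx") and spec and not is_version_pinned(cmd, spec):
            findings.append(("unpinned_package", f"{name}: {cmd} {spec}"))
    return findings


def check_tool_combinations(servers, rules, capabilities=SERVER_CAPABILITIES):
    """Flag one tool covering all three legs, and the agent-wide union of MCP servers plus shell rules."""
    findings, union, contributors = [], set(), []
    for name in servers:
        caps = capabilities.get(name, set())
        if caps:
            union |= caps
            contributors.append(name)
        if TRIFECTA <= caps:
            findings.append(("toxic_tool_combination", f"{name} alone: {sorted(caps)}"))
    for rule in rules:
        cmd = inner_command(rule)
        if cmd == "*" or NETWORK.match(cmd):  # shell network access = outbound channel + untrusted input
            union |= {"exfiltration", "untrusted_input"}
            contributors.append(rule)
    if TRIFECTA <= union:
        findings.append(("toxic_tool_combination", "agent-wide: " + ", ".join(contributors)))
    return findings


def audit(config_json):
    cfg = json.loads(config_json)
    rules, servers = cfg.get("permissions", {}).get("allow", []), cfg.get("mcpServers", {})
    return sorted(check_permissions(rules) + check_supply_chain(servers) + check_tool_combinations(servers, rules))
```

Run audit(SAMPLE_CONFIG) and the sample surfaces one wildcard rule, one destructive rule, the unpinned Notion server, and two trifecta findings: the mail server on its own, and the agent as a whole once the Notion server is paired with the curl wildcard, which is exactly the Notion-plus-network pairing described above. The capability table is the part you have to maintain by hand; the rest falls out of the config.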

Runtime Detections
Agents are only as useful as the data and tools you give them access to. That's why it's no surprise that the main challenges we're seeing today involve users giving agents way too much information and agency to act on their behalf.
These are the top risky finding categories we see across agents today.
Credential Exposure
Users are passing credentials to agents faster than lice through an elementary school. We see credential exposure surface primarily in three ways:
Willing Users: Users who just drop access keys, tokens, and passwords directly to the agent via the prompt.
Tool Leakage: A tool call includes the secret in the request.
Eager Agents: An agent accessing credential files or keystores to take action on a task.
Below is an all-too-common example of credentials being pulled into the agent’s context, in this case credentials for a Slack MCP server. The risk is that these credentials now sit in the agent’s context, where they persist in transcripts and can be reused in any later tool call, for any purpose.

Or this one, where the agent got its hands on a private key.

Destructive Commands
We already know that agents are commonly overprivileged, allowing them to execute destructive commands. Unsurprisingly, those agents will take action on deleting data, whether prompted to or not. So it's no surprise that destructive commands are another area where we routinely see agents dipping their "toe-kens" in.

Privilege Escalation
A personal favorite is agents that escalate their own permissions. Most commonly, we see agents running sudo commands in order to gain access to privileged parts of the file system. Sandboxing can help here, but only if it is actually in place and effective, which, as I've written before, is usually not the case, especially for agents running locally on a system.
Here’s just one example of an agent using sudo to escalate permissions and delete Docker files. This was part of an uninstall process that, thankfully, the user initiated and was benign.
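The three runtime finding categories above (credential exposure in its willing-user, tool-leakage and eager-agent forms, destructive commands, and sudo-based privilege escalation) can all be detected from the same stream of agent events. The Python below is an added example written for this page, not Evoke's detection logic. It assumes a simplified log format of one record per prompt or tool call with "type", "tool" and "args" fields; the events, paths and every secret in them are constructed, not captured from a real environment.

```python
"""Runtime detection over an agent's tool-call stream for the three finding
categories above: credential exposure (willing users, tool leakage, eager
agents), destructive commands, and privilege escalation via sudo.

Added example, not Evoke's detection logic. The event shape (one dict per
prompt or tool call with "type", "tool" and "args") is an assumed, simplified
log format; the events and every secret in them are constructed, not real.
"""
import json
import re

# Constructed sample events. All secrets are fake.
SAMPLE_EVENTS = [
    {"type": "prompt", "text": "use this key AKIAIOSFODNN7EXAMPLE to list my buckets"},
    {"type": "tool_call", "tool": "bash", "args": {"command": "git status"}},
    {"type": "tool_call", "tool": "slack_mcp", "args": {"token": "xoxb-0000000000-FAKEFAKEFAKE"}},
    {"type": "tool_call", "tool": "read_file", "args": {"path": "/home/dev/.aws/credentials"}},
    {"type": "tool_call", "tool": "read_file", "args": {"path": "/home/dev/.ssh/id_ed25519"}},
    {"type": "tool_call", "tool": "bash", "args": {"command":
        "cat > key <<EOF\n-----BEGIN OPENSSH PRIVATE KEY-----\nFAKEKEYMATERIAL\nEOF"}},
    {"type": "tool_call", "tool": "bash", "args": {"command": "rm -rf ./build"}},
    {"type": "tool_call", "tool": "bash", "args": {"command": "sudo rm -rf /var/lib/docker"}},
    {"type": "tool_call", "tool": "bash", "args": {"command": "psql -c 'DROP TABLE users;'"}},
]

# Willing users and tool leakage: secret material in text the agent sees or sends.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpors]-[0-9A-Za-z-]{10,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Eager agents: reads of credential files and keystores.
CREDENTIAL_FILES = re.compile(
    r"(/\.aws/credentials$|/\.ssh/id_[a-z0-9]+$|/\.netrc$|/\.docker/config\.json$|/\.kube/config$|\.pem$)")
DESTRUCTIVE = re.compile(
    r"(\brm\s+-\w*r|\bmkfs\b|\bdd\s+if=|\bdrop\s+(table|database)\b|\bgit\s+push\s+--force\b)", re.I)
# sudo at the start of the command or after a shell separator, not the word "sudo" inside an argument.
ESCALATION = re.compile(r"(^\s*|[;&|]\s*)(sudo|doas)\b")


def classify_secrets(text):
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


def detect(event):
    """Return (category, subtype, detail) findings for one event."""
    findings = []
    if event["type"] == "prompt":
        for kind in classify_secrets(event["text"]):
            findings.append(("credential_exposure", "willing_user", kind))
        return findings
    tool, args = event["tool"], event["args"]
    for kind in classify_secrets(json.dumps(args)):   # secret inside the call itself
        findings.append(("credential_exposure", "tool_leakage", f"{tool}:{kind}"))
    path = args.get("path", "")
    if CREDENTIAL_FILES.search(path):
        findings.append(("credential_exposure", "eager_agent", path))
    command = args.get("command", "")
    if ESCALATION.search(command):
        findings.append(("privilege_escalation", "sudo", command))
    if DESTRUCTIVE.search(command):
        findings.append(("destructive_command", "shell", command))
    return findings


def scan(events):
    return [finding for event in events for finding in detect(event)]


def summarize(findings):
    counts = {}
    for category, *_ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding)
    print(summarize(scan(SAMPLE_EVENTS)))
```

On the sample stream this yields five credential-exposure findings (one from the prompt, two from tool calls carrying a token or a key body, two from reads of credential files), three destructive commands, and one sudo escalation, with the sudo rm of the Docker directory counted in both of the last two categories, as in the uninstall example above. The point of keeping the three credential subtypes separate is response: a willing user needs training and a rotated key, tool leakage points at a misconfigured integration, and an eager agent points at a missing file-access restriction.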

The Best Time to Prepare is Now
Agents are being deployed faster than any team can get their arms around them, but that doesn't mean you have to sit back and do nothing. Here are three things every security team can do today to start getting a handle on this problem.
Get visibility into the agents running on your endpoints. Your existing security tools can help with this, whether that's EDR or your MDM, or you can opt for a specialized solution like Evoke. The goal here is awareness. Just give yourself a starting view of what's operating in your environment.
Analyze configurations to identify risks. Some existing tooling will start to scratch the surface here, but it's largely superficial. You need to go beyond the built-in guardrails and surface what they miss: over-permissioned agents, toxic tool combinations, and supply chain risks.
Get runtime visibility and monitor for risky actions. This becomes the foundation for truly understanding the risk posed by agents in your environment and enables you to begin implementing the right controls and restrictions.
If you’re looking for the shortcut to do all of these things across your local agents, let’s chat.