Sunday Spotlight:

THE NEXT CYBER RISK NO ONE MODELED

AI companies are pitching 2026 as the year of agents.

These systems can read emails, browse the web, write code, move files, and execute multi-step tasks with minimal human input.

But that autonomy is also the problem.

Security experts warn that agents introduce a new class of vulnerability called prompt injection. A malicious instruction can hide inside an email or webpage, telling an agent to ignore prior rules and exfiltrate data. If the agent has access, it obeys.

CrowdStrike ($CRWD) president Michael Sentonas put it bluntly: prompts may become the new malware.

Software giants are racing ahead anyway.

Microsoft ($MSFT) and Salesforce ($CRM) are selling agents to automate workflows, even as they acknowledge defenses are imperfect. Anthropic disclosed that its own testing failed to stop a small percentage of attacks. In security terms, that counts as catastrophic.

The core issue is structural. Agents are useful because they have privileges. They read messages, access private data, and communicate externally. Influential technologist Simon Willison calls this the lethal trifecta. Remove those rights, and agents lose their value. Keep them, and risk explodes.
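The trade-off can be made concrete with a session-level guard that lets an agent hold any two of the three capabilities and denies the tool call that would add the third. This is an added example, not code from the newsletter or from any vendor it names; the tool names, the capability labels and the manifest are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# The three capabilities the article lists; the constant names are this example's own.
UNTRUSTED_INPUT = "reads_untrusted_content"   # emails, web pages
PRIVATE_DATA = "accesses_private_data"
EXTERNAL_COMMS = "communicates_externally"
TRIFECTA = frozenset({UNTRUSTED_INPUT, PRIVATE_DATA, EXTERNAL_COMMS})

# Constructed manifest: hypothetical tool names mapped to the capabilities they exercise.
TOOLS = {
    "read_inbox": {UNTRUSTED_INPUT, PRIVATE_DATA},
    "fetch_url": {UNTRUSTED_INPUT, EXTERNAL_COMMS},
    "query_crm": {PRIVATE_DATA},
    "send_email": {EXTERNAL_COMMS},
    "summarize": set(),
}

def missing_legs(granted):
    """Static check: trifecta legs a set of granted tools does NOT cover."""
    covered = set().union(*(TOOLS[t] for t in granted))
    return TRIFECTA - covered

@dataclass
class SessionGuard:
    """Runtime check: deny the call that would complete the trifecta in one session."""
    used: set = field(default_factory=set)

    def authorize(self, tool):
        caps = TOOLS.get(tool)
        if caps is None:                      # unknown tool: deny by default
            return False
        if TRIFECTA <= (self.used | caps):    # this call would add the last leg
            return False
        self.used |= caps
        return True

def run(calls):
    """Replay a sequence of tool calls through a fresh guard."""
    guard = SessionGuard()
    return [(tool, guard.authorize(tool)) for tool in calls]

if __name__ == "__main__":
    print(missing_legs(["query_crm", "send_email"]))
    for tool, ok in run(["query_crm", "read_inbox", "send_email", "summarize"]):
        print(f"{tool:12} {'allow' if ok else 'DENY'}")
```

The guard does not detect an injected instruction; it limits what one can accomplish, at the cost of the agent losing one capability per session.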

Cybersecurity firms are repositioning fast. Identity now matters as much as endpoints. Okta ($OKTA) and CyberArk ($CYBR) focus on defining what agents can access. Palo Alto Networks ($PANW) and CrowdStrike are buying capabilities to monitor agent behavior directly.

The shift from human security to agent security is an inflection point. It favors incumbents with scale, but also invites new challengers. Investors looking to play the trend will want to keep their eyes peeled for both.
