Only 11% of AI Agents Pass the Security Bar — and a New Attack Turns Coding Agents Into Malware Delivery

We spent the last year racing to put AI agents into everything. This week the security bill started arriving, and it is steep.

On June 3, Help Net Security covered an independent assessment of 100 production AI agents that should stop every IT leader cold: only 11% landed in the top “Fortified Leaders” tier, and nearly all of them carry the conditions for a single hostile document to take them over (Help Net Security). The report — the AI Risk Quadrant, or AIRQ — scored agents on attack surface, blast radius, and defense controls. The 11% that scored well mostly did so because they inherited protection from platform-level governance, not because the agent itself was hardened.

Sit with that. Nine out of ten production agents are, by this measure, one poisoned input away from doing something you did not authorize.

The attack that makes it concrete: SymJack

If the AIRQ numbers feel abstract, SymJack makes them physical. Researchers at Adversa AI disclosed an attack that turns AI coding agents into supply-chain attack delivery systems (SecurityWeek).

The mechanism is nasty in its simplicity. A booby-trapped repository uses a symlink hijack: the agent shows you an approval prompt for an innocuous-looking file operation, you approve what you see, and the kernel writes somewhere else entirely — into the agent’s own configuration. On the next restart, the attacker’s code runs. The approval prompt, in the researchers’ words, is lying to you (Adversa AI).

This is not a bug in one product. It has been confirmed against Claude Code, Cursor, Gemini/Antigravity CLI, GitHub Copilot CLI, Grok Build, and OpenAI Codex CLI. The flaw is architectural — it lives in how these agents handle trust and file operations, not in any single vendor’s code.
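A defender-side check for the mechanism described above, added here as an illustration (it is not Adversa AI's research code or any vendor's fix): resolve the write target before asking for approval, show the resolved destination in the prompt, and refuse a write that passes through a symlink or lands outside the repository. The `agent_home/settings.json` path and the `NOTES.md` symlink are constructed sample data.

```python
import os
import tempfile
def resolve_write_target(repo_root, requested_path):
    """Resolve what a write to requested_path would really touch: the real
    destination must stay inside the repo and no component may be a symlink."""
    root = os.path.realpath(repo_root)
    candidate = os.path.normpath(os.path.join(root, requested_path))
    resolved = os.path.realpath(candidate)
    inside = os.path.commonpath([root, resolved]) == root
    symlink_hop, partial = None, root
    for part in os.path.relpath(candidate, root).split(os.sep):
        partial = os.path.join(partial, part)
        if os.path.islink(partial):  # first component that redirects the write
            symlink_hop = partial
            break
    return {"requested": candidate, "resolved": resolved, "inside_repo": inside,
            "symlink_hop": symlink_hop, "allowed": inside and symlink_hop is None}

def approval_prompt(info):
    """What the dialog should show: the real destination, not the repo's filename."""
    if info["allowed"]:
        return f"Write to {info['resolved']}? [y/N]"
    reason = ("resolves outside the repository" if not info["inside_repo"]
              else f"goes through symlink {info['symlink_hop']}")
    return f"BLOCKED: {info['requested']} -> {info['resolved']} ({reason})"

def guarded_write(repo_root, requested_path, data):
    """Write only if the check passes; O_NOFOLLOW (where available) also refuses
    a symlink swapped into the final component between the check and the write."""
    info = resolve_write_target(repo_root, requested_path)
    if not info["allowed"]:
        return False
    os.makedirs(os.path.dirname(info["resolved"]), exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(info["resolved"], flags, 0o644), "wb") as fh:
        fh.write(data)
    return True

def build_demo():
    """Constructed sample: an agent config outside the repo; NOTES.md inside the repo is a symlink to it."""
    base = tempfile.mkdtemp()
    config = os.path.join(base, "agent_home", "settings.json")
    os.makedirs(os.path.dirname(config))
    with open(config, "w") as fh:
        fh.write("{}")
    repo = os.path.join(base, "repo")
    os.makedirs(repo)
    os.symlink(config, os.path.join(repo, "NOTES.md"))
    return repo
```

Running `approval_prompt(resolve_write_target(build_demo(), "NOTES.md"))` yields a BLOCKED line naming the real destination, which is the information the approval dialog in the attack withholds.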

Why this is different from old security problems

I have spent my career around infrastructure security, and the thing that makes agentic risk genuinely new is the gap between the approval and the action.

With a traditional tool, “do you approve this?” and “this is what happened” are the same thing. With an agent, they can diverge. The agent shows you a sanitized summary; the underlying action is something else. You are not really approving the operation; you are approving the agent’s description of it. SymJack weaponizes exactly that gap.

The human factor makes it worse. The trust prompts in these tools default to “Yes.” Researchers have shown related one-keypress attacks where a single Enter on a folder-trust dialog is enough to trigger remote code execution. We trained an entire profession to mash Enter through approval dialogs to keep the agent moving. That muscle memory is now an attack surface.

What it means for you (independent operators and SMB owners)

You do not have a security team. The agent is your security team’s replacement, and that is the problem.

Three concrete habits, starting today. First, never open an untrusted repository in an agentic coding tool. If you cloned it from a stranger, a marketplace, or a “here, try my project” link, do not point Claude Code, Copilot CLI, Cursor, or Codex at it on your main machine. Use a throwaway VM or container. Second, stop reflexively approving. The whole value of the approval prompt evaporates if you treat it as a “continue” button. Slow down on anything touching configuration or running a program. Third, keep your tools updated — vendors are patching these classes of flaws, and the fix only helps if you install it.

What it means for you (enterprise IT leaders)

This is the part of the agent rollout that nobody budgeted for. The AIRQ finding that 82% of executives are confident their policies cover agent risk — while only 11% of agents actually pass — is the exact confidence-versus-controls gap that turns into an incident report (Help Net Security). And surveys keep showing it is not a fringe worry: a large majority of security leaders report real concern about agents operating across the workforce (Darktrace).

The action items write themselves. Inventory every agent with code-execution or file-system access — you almost certainly have more than your CMDB shows. Assume the agent’s approval prompt is not a reliable control and put real boundaries underneath it: least-privilege service accounts, sandboxed execution, egress filtering, no agent running with standing access to production. Lean on platform-level governance, because the AIRQ report is clear that the agents which scored well borrowed their safety from the platform around them, not from themselves. And to Microsoft’s credit, the same week as these disclosures it shipped a batch of agent-security capabilities at Build, including a multi-agent vulnerability-discovery system and new controls for managing agents (Microsoft Security Blog). The vendors know. The platform layer is where this gets fixed.

My take

I am the last person to tell you to stop using agents. I run them every day and they have made me meaningfully faster. But the honest read of this week is that we deployed the capability years ahead of the controls, and the security research is now catching up in public.

The mental shift I would push on every operator and every IT leader is this: treat an AI agent like a contractor you just hired and have not background-checked. Useful, fast, probably trustworthy — and absolutely not given the keys to production on day one. The approval prompt is not your seatbelt. The sandbox, the least-privilege account, and your own slowed-down attention are. SymJack will get patched. The architectural lesson behind it will not go away, because the gap between what an agent shows you and what it does is fundamental to what an agent is.

Use the tools. Just stop trusting the dialog box.

News commentary by Brad Rowland — IT Infrastructure and Operations leader, automation builder, and AI implementer. Sources are linked inline.