AppSec & Supply Chain SecurityMay 21, 2026

AI agents are the new insider threat

AI security leader and author Steve Wilson explains why you need to rethink security — and treat AI agents as digital workers.

Paul Roberts, Director of Content and Editorial at RLPaul Roberts

Steve Wilson has spent more than two decades building enterprise software at companies including Sun Microsystems, Oracle, and Citrix. But it was a chance conversation with OWASP founder Jeff Williams at application security startup Contrast Security — right as ChatGPT was capturing the world's attention — that set him on a path to becoming one of cybersecurity's leading voices on AI risk.

Wilson went on to co-chair the OWASP Gen AI Security Project, co-author the widely cited OWASP LLM Top 10, and publish The Developer's Playbook for Large Language Model Security (O'Reilly, 2024). Today, as Chief AI and Product Officer at Exabeam, he sits at the intersection of machine learning, agentic AI, and enterprise threat detection.

In a recent episode of the ConversingLabs podcast, Wilson shared how security organizations can harness AI to detect abnormal behavior, automate investigations, and stay ahead of a rapidly evolving threat landscape — while managing the new class of risks that AI itself introduces.

Here are key takeaways from the ConversingLabs conversation with Steve Wilson.

[ See the full ConversingLabs episode with Steve Wilson ]

From UEBA to agentic AI: Applying ML at scale

Wilson explains that Exabeam's roots lie in what the company originally called User and Entity Behavior Analytics (UEBA) — a discipline that, as he noted, "if you invented today, you would call it AI for cybersecurity." The platform builds machine learning models that baseline normal behavior for every user, group, and system on a network, enabling detection of insider threats, compromised credentials, and anomalous activity that rule-based systems routinely miss.

More recently, Exabeam has layered generative and agentic AI on top of that foundation. The result is a family of six agent types embedded in the platform, capable of automatically investigating potential breaches, evaluating security posture, and surfacing recommendations for security leadership—dramatically reducing the human effort required at each stage of threat detection, investigation, and response.

"We long ago surpassed what you can handle with a human doing SQL-like commands to search through log files. We stack AIs on top of that to get rid of a lot of the human work."
—Steve Wilson

AI agents: Not just tools — they're digital workers

One of Wilson's most pointed arguments is that the security industry is applying the wrong mental model to AI agents: it views them purely through an application security (AppSec) lens focused on vulnerabilities, patching, and code review. Those capabilities are necessary, but they are insufficient to address the threats that agents with real access and autonomy introduce.

"The more agency these (AI agents) get, meaning access to tooling, the more autonomy they have. We're used to thinking about insider threats as being humans. What do you do when they're not humans anymore?"
—Steve Wilson

Wilson draws a direct parallel between the traditional categories of insider risk — malicious insiders, negligent insiders, compromised credentials — and an emerging taxonomy for AI agents:

  • Malfunctioning agents that behave incorrectly due to bugs or flawed training
  • Misaligned agents built or configured in ways that diverge from intended behavior
  • Subverted agents that have been hijacked and are operating as a "confused deputy" on behalf of a threat actor

His prescription: treat AI agents as digital workers. Assign them dedicated credentials, monitor their network behavior, log their activity, and establish baselines for what "normal" looks like—then flag deviations. Wilson has coined the term agent behavior analytics to describe this discipline, modeled explicitly on the well-established field of user behavior analytics.

"If I built an agent that's truly a digital worker and I've given it credentials, I've given it a job, I've given it access to some applications—how do I understand what's normal for that thing? If it's processing 10 times as many tokens today as it processed yesterday, maybe it's been hijacked. Whatever it is, I probably want to know about it."
—Steve Wilson

The AI supply chain is already under attack

Asked about the threats facing AI systems, Wilson flagged several concrete and active supply chain threats — many of which directly mirror the software supply chain risks ReversingLabs tracks in the broader ecosystem:

  • Malicious machine learning models: Opaque by design, with no known technology to scan them for embedded vulnerabilities or malicious payloads. Wilson noted that this risk has led Exabeam to rely on commercially managed models—specifically Google's Gemini—rather than open-source alternatives for mission-critical workloads.
  • Model Context Protocol (MCP) abuse: MCP, the emerging standard for giving AI agents access to external tools, operates without central governance. "People just publish these; you get them from who knows where," Wilson said. Malicious MCP servers have already been documented in the wild.
  • Rogue OpenClaw skills: Wilson personally audited the skills repository for the OpenClaw agentic platform and estimated that up to 50% of available skills were toxic or outright malicious.
  • Fake browser plugins: Searching the Chrome Web Store for an OpenClaw browser plugin, Wilson found four visually identical options from different publishers—with no official, verified source. "If you went to the Chrome Store, you 100% got a really questionable piece of software right in the middle of everything that your agent was trying to do."

The pattern is familiar to anyone tracking software supply chain attacks: high download counts manufactured through automation, near-identical packaging designed to impersonate legitimate tools, and a largely ungated distribution infrastructure.

Key AI agent security recommendations

Based on Wilson's frameworks — including the OWASP Agentic Top 10 and his RAISE (Responsible Artificial Intelligence Software Engineering) methodology — security organizations should prioritize the following:

  • Implement agent behavior analytics: Baseline AI agent activity across tokens processed, applications accessed, and credentials used. Treat anomalies as potential indicators of compromise.
  • Apply least-privilege principles to AI agents: Scope agent permissions tightly to the tasks they are designed to perform. Avoid deploying agents with access to credentials or systems beyond their defined function.
  • Treat AI models as untrusted third-party components: Vet the provenance of every model, MCP server, skill, and plugin integrated into agentic workflows. Prefer commercially managed models with defined supply chain accountability over ungated open-source alternatives.
  • Extend runtime monitoring to AI systems: Log files, network access patterns, and token consumption are all valid telemetry for detecting misbehaving or compromised agents. This is not solely an AppSec function—it belongs in the SOC.
  • Read the OWASP Agentic Top 10: Wilson described it as the most important update to the original LLM Top 10, shifting focus from tactical prompt injection risks to broader concerns like goal hijacking and autonomous agent behavior.
  • Embrace AI augmentation without abandoning existing pipelines: AI should stack on top of proven, high-throughput detection infrastructure—not replace it. "I'm not going to replace the pipeline that scans terabytes of data every day. I need to do that in real time with harder algorithms. But I stack AIs on top of that to get rid of a lot of the human work."
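The "agent behavior analytics" idea Wilson describes (treat each agent as a digital worker with its own credential, baseline what is normal for it, flag deviations such as a tenfold jump in tokens processed) can be reduced to a small, runnable check. The following is an added example written for this article; it is not Exabeam's code, not from the podcast, and not a product schema. The record shape (`AgentDay`), the agent name, the application names, the credential names and every number are constructed. It builds a per-agent baseline from historical telemetry and scores a new day on three signals the article names: token volume, applications accessed, and credential used.

```python
"""Minimal agent behavior analytics check (added example, constructed data)."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class AgentDay:
    """One day of telemetry for one agent. Hypothetical record shape for this example."""
    agent: str
    day: str
    tokens: int            # tokens processed that day
    apps: frozenset        # applications the agent touched
    credential: str        # credential the agent authenticated with


@dataclass
class Baseline:
    """What 'normal' looked like for one agent over the history window."""
    token_mean: float
    token_max: int
    apps: set
    credentials: set


def build_baselines(history):
    """Group historical records by agent and summarise each agent's normal behavior."""
    by_agent = {}
    for rec in history:
        by_agent.setdefault(rec.agent, []).append(rec)
    baselines = {}
    for agent, recs in by_agent.items():
        tokens = [r.tokens for r in recs]
        baselines[agent] = Baseline(
            token_mean=mean(tokens),
            token_max=max(tokens),
            apps=set().union(*(r.apps for r in recs)),
            credentials={r.credential for r in recs},
        )
    return baselines


def score_day(rec, baselines, token_ratio=3.0):
    """Return a list of human-readable findings for one day's record.

    An empty list means the day looks like the baseline. The token_ratio threshold
    (3x the mean) is a constructed default; tune it per agent population.
    """
    findings = []
    base = baselines.get(rec.agent)
    if base is None:
        # An agent with no history is itself worth a look: nobody baselined it.
        return [f"{rec.agent}: no baseline exists; agent has never been seen before"]
    if rec.tokens > token_ratio * base.token_mean:
        findings.append(
            f"{rec.agent}: {rec.tokens} tokens is "
            f"{rec.tokens / base.token_mean:.1f}x the baseline mean ({base.token_mean:.0f})"
        )
    new_apps = rec.apps - base.apps
    if new_apps:
        findings.append(
            f"{rec.agent}: accessed applications never seen in baseline: {sorted(new_apps)}"
        )
    if rec.credential not in base.credentials:
        findings.append(
            f"{rec.agent}: used credential {rec.credential!r}, not its assigned "
            f"credential(s) {sorted(base.credentials)}"
        )
    return findings


# Constructed history: five ordinary days for a ticket-triage agent.
HISTORY = [
    AgentDay("triage-agent", f"2026-05-0{d}", t,
             frozenset({"ticketing", "knowledge-base"}), "svc-triage")
    for d, t in zip(range(1, 6), [95_000, 110_000, 102_000, 98_000, 105_000])
]
BASELINES = build_baselines(HISTORY)

# Constructed test days: one ordinary, one that looks hijacked.
NORMAL_DAY = AgentDay("triage-agent", "2026-05-06", 108_000,
                      frozenset({"ticketing"}), "svc-triage")
SUSPECT_DAY = AgentDay("triage-agent", "2026-05-07", 1_050_000,
                       frozenset({"ticketing", "payroll-db"}), "svc-admin")

if __name__ == "__main__":
    for day in (NORMAL_DAY, SUSPECT_DAY):
        print(day.day, score_day(day, BASELINES) or "baseline-consistent")
```

The three signals map directly onto the telemetry the article lists as valid for the SOC (token consumption, application access, credentials). A production version would compute the token threshold per agent from its own variance rather than a fixed multiplier, and would feed the findings into the same detection pipeline that handles human insider-risk alerts rather than into an AppSec-only queue.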

See the full ConversingLabs episode featuring Steve Wilson. Connect with Steve Wilson on LinkedIn, and pick up a copy of The Developer's Playbook for Large Language Model Security.

Tags: Artificial Intelligence (AI)/Machine Learning (ML), AppSec & Supply Chain Security
