AI agents with access to your bank account and credit card could cause chaos

Born to flex, diamonds on the neck—there’s nothing AI agents like more than (no) checks (on their power).

Yes, yes, we know, AI agents can’t “like” anything. But as the technology is given expanded permissions to shop for users and organizations, we could see attackers manipulate agentic access.

Let me in. It comes down to permissions, said Jordan Mauriello, CTO at SHI. Major providers like Mastercard and Visa, as well as online systems like Google, have given AI agents the ability to make purchases on behalf of users. But sellers haven’t necessarily restricted what those agents can do.

“People will try to solve a very specific problem with agentic AI,” Mauriello said. “They’ll open up permissions to solve that problem and then forget to go back and lock those permissions down, and now the agent has access to things that maybe it should not have access to.”

What’s also important, Torii CEO Uri Haramati told IT Brew, is identity access management. Agents are hopefully acting with some form of limited access capacity—knowing which human to alert if something goes wrong is helpful.

“It all comes down to governance, and that can be broken down to many different parts, but one of them is obviously access,” Haramati said. “With access, it’s not just limiting permissions, it’s also understanding ownership. And at the end of the day, every agent has some human owner.”

Covering the bases. Avoiding disaster relies on a few select tactical decisions, said Agustin Huerta, Globant SVP of digital innovation. IT teams need to ensure they can rely on technical documentation and scanning for vulnerabilities and breaches to ensure that even when permissions are overextended, there’s no one to take advantage of the mistake.

“In terms of the actions that agents can do, not many organizations are giving them a lot of freedom,” Huerta said. “They can go and consume records from many applications within the enterprise, yes, and retrieve information and create a summary for you or draft some information for you, but they don’t go on.”

Developers in charge of managing purchasing agents will need to focus on fixing these bugs proactively, Mauriello told IT Brew. And it’s going to take trial and error to get to the point where protection is a matter of course. IT pros can help the process along by getting ahead of it, but it won’t be perfect.

“We’re probably going to see a lot of horror stories before we see people releasing mechanisms by which to get this right—the right authorizations, the right automatic timeouts,” Mauriello said. “Where we see banks beginning to integrate into their software the ability to link agents, but then automatically deprecate those permissions out, these are going to be controls that are going to have to be provided by providers, not just expected from the user.”