AI Agents and the Security Debt Nobody Sees

CertiK's CEO warns unvetted AI agents are creating catastrophic security exposure. 82% of enterprises have unknown agents running right now.

Enterprise DNA | | via CoinDesk

A warning from a blockchain security firm is landing squarely in the middle of enterprise AI’s biggest blind spot. CertiK CEO Ronghui Gu told CoinDesk on May 29 that mass deployment of unvetted, unisolated AI agents is creating “a disaster waiting to happen.” While CertiK’s roots are in crypto security, the vulnerability class it’s describing has nothing to do with digital assets. It applies to every business racing to deploy AI agents right now.

The core problem is simple to state and hard to solve: businesses are handing AI agents access to local files, credentials, communication tools, and financial systems before those agents have been scanned, isolated, or validated. Each deployment adds to what Gu calls “security debt” — permissions and access points that accumulate quietly until something goes wrong.

CertiK’s research into early-stage agent structures found hundreds of critical security advisories, unpatched CVEs, and widespread exposure of credentials and session memories, all resulting from inconsistent boundary checks. The agents weren’t malicious. They were just not ready to be trusted with the keys to the business.

The Scope of the Problem Is Bigger Than Anyone Wants to Admit

This is not a niche concern. A Cloud Security Alliance survey from April 2026 found that 82% of enterprises have AI agents running in their environments that their security teams don’t know about. Not agents that slipped through a gap once — unknown agents, plural, running continuously. Two-thirds of those same organizations reported experiencing an AI agent-related security incident in the past 12 months.

Darktrace’s State of AI Cybersecurity 2026 report found 92% of security professionals are concerned about AI agents specifically. That’s not a generic “AI feels risky” concern — it’s a specific alarm about agents that operate autonomously, carry credentials, and take actions without human sign-off at each step.

The threat vector CertiK focuses on is prompt injection: an attacker embeds malicious instructions in data the agent processes — a document, an email, a web page — and the agent executes those instructions as if they came from the user. Pair that with a malicious plug-in that the business installed in good faith and the agent becomes a powerful insider threat the company built itself.

Why This Happens

Speed is the obvious answer, but it’s incomplete. Businesses are deploying AI agents quickly because the productivity gains are real and the competitive pressure is real. The security failure isn’t carelessness — it’s that most organizations don’t have a framework for thinking about agent risk at all.

Traditional security is built around users and systems. An agent is neither. It has user-level permissions but acts autonomously at machine speed. It persists across sessions, retaining memory and credentials. When it’s decommissioned, those permissions often remain — what one analysis calls “retirement debt.” The access doesn’t expire just because the task does.

This is compounded by what’s becoming known as “shadow AI agents”: tools installed by individual teams without going through IT or security review. The CSA survey’s finding that 82% of enterprises have unknown agents isn’t a finding about poor discipline — it’s a finding about how fast the category is moving relative to governance.

What This Means for Business

If you’ve deployed AI agents — or if teams in your business have deployed them without your knowledge — there are three immediate questions worth asking.

What access do your agents have? The principle of least privilege applies here as much as anywhere else in your security posture. An agent that handles scheduling doesn’t need access to financial systems. An agent that drafts customer communications doesn’t need access to internal HR records. Auditing what permissions agents actually hold, versus what they need, is the starting point.

How are your agents isolated? Running agents in sandboxed environments with defined data access boundaries is the baseline mitigation against prompt injection. An agent that can only see the data it needs for its task is far harder to weaponize than one with broad access.

Who knows they exist? Shadow AI agents are the largest uncontrolled variable in this picture. A policy that requires IT visibility into any agent deployment — even lightweight ones — is far more practical now than cleaning up after an incident.
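One way to turn these three questions into a repeatable check, as an added example that is not part of the original article and uses a constructed agent inventory (the task-to-permission table, agent names and permission strings are hypothetical):

```python
# Added example (not the article's or CertiK's code): an agent-access audit
# covering the three questions above. The registry and observed sets are
# constructed sample data standing in for a governance inventory and telemetry.
from dataclasses import dataclass, field

# Minimum permission set per approved task (hypothetical policy table).
NEEDED_BY_TASK = {
    "scheduling": {"calendar:read", "calendar:write"},
    "customer_comms": {"crm:read", "email:send"},
    "expense_triage": {"finance:read"},
}

@dataclass
class Agent:
    name: str
    task: str
    granted: set = field(default_factory=set)  # permissions actually held
    active: bool = True                         # False once decommissioned

REGISTRY = [  # agents that went through IT/security review (constructed)
    Agent("sched-bot", "scheduling", {"calendar:read", "calendar:write"}),
    Agent("comms-bot", "customer_comms", {"crm:read", "email:send", "hr:read"}),
    Agent("old-expense-bot", "expense_triage", {"finance:read", "finance:pay"}, active=False),
]
OBSERVED = {"sched-bot", "comms-bot", "old-expense-bot", "sales-helper"}  # seen in logs

def audit(registry, observed):
    """Return the three kinds of debt the article describes, keyed by agent."""
    registered = {a.name for a in registry}
    report = {
        # Question 3: agents running that nobody reviewed ("shadow agents").
        "shadow": sorted(observed - registered),
        # Question 1: permissions held beyond what the approved task needs.
        "excess": {},
        # Decommissioned agents whose access never expired ("retirement debt").
        "retirement_debt": {},
    }
    for a in registry:
        extra = a.granted - NEEDED_BY_TASK.get(a.task, set())
        if a.active and extra:
            report["excess"][a.name] = sorted(extra)
        if not a.active and a.granted:
            report["retirement_debt"][a.name] = sorted(a.granted)
    return report

if __name__ == "__main__":
    for key, val in audit(REGISTRY, OBSERVED).items():
        print(f"{key}: {val}")
```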

The productivity argument for AI agents is well established at this point. The security argument for slowing down and reviewing what’s running in your environment is just as strong.

CertiK’s warning is coming from crypto. The problem it’s describing lives everywhere AI agents have been deployed — including, very likely, in your business.

Source

CoinDesk