There is a quiet but important shift buried in Gartner's recent AI-agent research, and it deserves more attention than the headline number it comes wrapped in. The widely cited prediction is that through 2029, more than 50% of successful attacks against AI agents will exploit access-control issues, using direct or indirect prompt injection as the attack vector. The percentage is the part that gets quoted. The part that actually matters is the word "access-control."
That single framing reassigns where the problem lives. For two years the agentic AI security conversation has fixated on the model — its guardrails, its alignment, its susceptibility to clever jailbreaks. Gartner is saying, in effect, that the model is not where most of the damage will originate. The damage will come from what the agent is allowed to do once an attacker gets a foothold. Prompt injection is just the way in. The blast radius is determined by entitlements.
The Prediction, Read Carefully
It is worth separating the two claims inside the prediction, because they point in different directions for defenders.
The first claim is about the vector: direct or indirect prompt injection. Direct injection is the obvious case — a user, or someone impersonating one, types instructions that override the agent's intended behavior. Indirect injection is the more dangerous and less discussed case. The malicious instructions arrive inside content the agent ingests as part of doing its job: a web page it summarizes, a support ticket it triages, a document in a shared drive, an email in an inbox it has been told to manage. The agent cannot easily tell the difference between data it should act on and instructions hidden in that data. That ambiguity is structural, not a bug to be patched.
The second claim is about the consequence: access-control failure. This is the part security teams can actually do something about. A prompt injection that lands against an agent with read-only access to a single low-sensitivity system is an annoyance. The same injection against an agent holding a broad OAuth token, standing service credentials, and write access to production is an incident. The injection didn't change. The entitlements did.
Gartner's broader 2026 messaging reinforces the framing. The firm has repeatedly flagged AI application compromise, prompt injection, deepfakes, and software supply chain threats among the areas demanding urgent improvement, and has separately predicted that by 2028 a meaningful share of enterprise generative-AI applications will experience recurring security incidents. It has also forecast that by 2029 more than 25% of enterprises will deploy "guardian agents" to monitor and constrain other agents. The through-line across all of it is that agentic systems expand the attack surface faster than most identity programs have adapted.
Why Access Control Is the Hard Part
The reason access control keeps surfacing is that AI agents break the assumptions identity systems were built on.
Traditional IAM models a human or a service with a relatively stable, auditable set of permissions. An AI agent is neither. It acts on behalf of a user but is not the user. It chains tools together at runtime in combinations nobody enumerated in advance. It frequently runs with credentials that were provisioned generously "to get the demo working," and those credentials rarely get tightened afterward. And it often inherits the union of permissions across every system it touches, which means a single agent can quietly become the most privileged identity in the environment.
OAuth token theft and over-scoped tokens sit right at the center of this. Agents authenticate to downstream services with tokens, and those tokens are exactly the kind of standing credential prompt injection is good at abusing — not by stealing the token off disk, but by tricking the agent that holds it into using it for the attacker's purposes. The attacker never needs to exfiltrate a secret if they can convince the legitimate holder to act on their behalf. That is what makes this an authorization problem more than a credential-hygiene problem.
Shadow AI makes it worse. When teams stand up agents outside any central review — wired into SaaS apps and internal APIs through personal tokens and quick integrations — the organization loses the inventory it would need to reason about exposure at all. You cannot apply least privilege to an agent you do not know exists.
What Actually Reduces the Risk
If the consequence is an access-control failure, then the mitigations are mostly access-control mitigations, applied to a new kind of principal. A few hold up well against the way these attacks actually work.
Treat every agent as a first-class identity. Each agent should have its own scoped identity, its own credentials, and its own audit trail — not a shared service account and not a borrowed human token. You cannot enforce least privilege on something you cannot name.
Authorize the action, not just the session. The most effective control Gartner and others keep pointing to is real-time authorization inside the agent's execution loop. Instead of granting the agent a broad token at startup and trusting it for the rest of the session, each consequential action gets evaluated against policy at the moment it is attempted. A summarization agent that suddenly tries to issue a refund or modify an IAM role should be stopped at that step, regardless of what instructions it believes it received.
Assume prompt injection will succeed, and contain it. Input filtering and model-side guardrails are worth having, but they are probabilistic and attackers are creative. The durable assumption is that some injection will eventually land. Zero-trust principles — narrow scopes, short-lived credentials, human approval gates on high-impact actions, and segmentation between what an agent can read and what it can change — limit what a successful injection can actually accomplish.
Keep an inventory and watch behavior. You need to know which agents exist, what they can reach, and what normal looks like for each, so that an agent acting outside its envelope is visible quickly. This is also the honest answer to shadow AI: discovery first, governance second.
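The four disciplines above, as one added illustration in code (not Safeguard's product code and not from Gartner): each agent carries its own scoped policy and audit trail, every tool call is authorized at the moment it is attempted, read and write tools are granted separately, and high-impact writes sit behind a human approval gate. The agent, tool and policy names are constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class ToolCall:
    tool: str    # e.g. "tickets.read" or "payments.refund" (constructed tool names)
    args: dict

@dataclass
class AgentPolicy:
    """Scoped policy for one agent identity: read and write tools are granted separately."""
    agent_id: str
    read_tools: frozenset
    write_tools: frozenset = frozenset()
    approval_required: frozenset = frozenset()   # high-impact writes behind a human gate

@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False

def authorize(policy: AgentPolicy, call: ToolCall, approved_by_human: bool = False) -> Decision:
    """Evaluate one action at the moment it is attempted, not once at session start."""
    if call.tool in policy.read_tools:
        return Decision(True, "read within scope")
    if call.tool in policy.write_tools:
        if call.tool in policy.approval_required and not approved_by_human:
            return Decision(False, "high-impact write: human approval required", needs_approval=True)
        return Decision(True, "write within scope")
    # Default deny: whatever instructions the model believes it received do not widen its scope.
    return Decision(False, f"{call.tool} is outside the scope of {policy.agent_id}")

class ActionGate:
    """Sits between the model's chosen action and the tool that would execute it."""
    def __init__(self, policy: AgentPolicy, tools: dict):
        self.policy, self.tools, self.audit = policy, tools, []   # per-agent audit trail
    def execute(self, call: ToolCall, approved_by_human: bool = False):
        decision = authorize(self.policy, call, approved_by_human)
        self.audit.append((self.policy.agent_id, call.tool, decision.allowed, decision.reason))
        return self.tools[call.tool](**call.args) if decision.allowed else None
# Constructed sample: a ticket-summarization agent that may only read tickets.
SUMMARIZER = AgentPolicy("ticket-summarizer", read_tools=frozenset({"tickets.read"}))
TOOLS = {"tickets.read": lambda ticket_id: f"{ticket_id}: customer asks for a status update",
         "payments.refund": lambda ticket_id, amount: f"refunded {amount} on {ticket_id}"}

def demo() -> list:
    gate = ActionGate(SUMMARIZER, TOOLS)
    gate.execute(ToolCall("tickets.read", {"ticket_id": "T-100"}))
    # Constructed: injected text inside the ticket steers the model into attempting a refund.
    gate.execute(ToolCall("payments.refund", {"ticket_id": "T-100", "amount": 500}))
    return gate.audit
```

The refund attempt is denied and recorded in the audit trail without the refund tool ever running; the same gate, given a policy that lists the refund tool under approval_required, blocks it until a human approves that specific call.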
None of these are exotic. They are the same disciplines that have always defined good access control. The difficulty is that AI agents force you to apply them to a principal that is fast, autonomous, and easily manipulated through its inputs — which is precisely why the old "set the permissions once and forget" approach fails.
A Note on the Number
A word of caution on the 50% figure itself. It is a directional forecast about a category of systems that barely existed two years ago, not a measured rate. Treat it as a statement of where Gartner expects the weight of incidents to fall, not as a precise probability you can put in a risk register. The useful signal is not "more than half." The useful signal is "access control, not the model." That reframing survives even if the exact share turns out higher or lower.
How Safeguard Helps
Safeguard treats AI agents as governed identities inside the software supply chain, not as magic boxes you point at production and hope. Our policy gates and vendor policy registry let you define what an agent is permitted to do and enforce those decisions at the action level, while AIBOM and provenance give you the inventory and attestation you need to find shadow agents and trace what each one can reach. Because the platform is model-agnostic, you can plug in components like Anthropic Mythos or OpenAI Daybreak and still keep authorization and verification in the orchestration layer above the model — which is exactly where access-control decisions belong. If you are trying to get ahead of the agentic AI attack surface before it gets ahead of you, reach out.