The rise of autonomous AI agents has fundamentally changed the enterprise security landscape, and most organisations are not keeping pace. That is the warning from Tim Wedande, Senior Vice President and Field CTO at Saviynt, who argued that identity governance must evolve urgently to account for threats that traditional frameworks were never designed to handle.
The most significant shift heading into 2026, according to Wedande, is the emergence of AI-powered malware deployed by threat actors as autonomous agents. "Speed really is the game changer," he said. "The attacker can move through their kill chain a lot faster compared to traditional malware."
The UK's National Cyber Security Centre has flagged two particularly concerning attack patterns: high-speed credential stuffing that conventional security detection software struggles to throttle, and AI-driven social reconnaissance that synthesises employee data into fraudulent personas. "This could be deepfake audio agents, or impersonating the likes of a CFO and an entire team to convince a finance employee to carry out a number of high-value transactions," Wedande said.
Governance gaps that attackers exploit
Wedande identified a common and dangerous assumption among organisations: that existing security frameworks are sufficient. "The reality is relying on them alone can leave you caught off guard due to the autonomous nature of AI agents,” he said.
The core problem is standing access. AI agents built to streamline workforce productivity are typically granted broad permissions across CRMs, ERPs, and internal databases. "When that agent is compromised, an attacker gets their hands on," Wedande said. That access and can move laterally through the environment until the account is shut down.
Audit trail design is another critical gap. Traditional logs record who accessed a resource and when. With AI agents, Wedande argued organisations also need to capture intent. "When forensics or an audit inspection takes place after an incident, it needs to include: was the action legitimate, was there a hallucination, or was it compromised by a threat actor?"
What Australian organisations need to know
Australia's regulatory environment is tightening around AI. Privacy Act reforms taking effect this year will require organisations to document how AI reached decisions that significantly affected individuals. The AI Safety Institute, established in 2026, mandates continuous testing and guardrails for high-risk AI. Wedande said that voluntary frameworks still carry teeth: "The ACCC and the OAIC are updating their powers to target areas including serious security data privacy breaches," he said.
"It's time to move from just protecting the data to governing the autonomy of the identity," Wedande added. "AI identities need to be treated as first-class citizens and not just software tooling."
.jpg&h=140&w=231&c=1&s=0)
iTnews State of Security Breakfast
iTnews State of Data & AI Breakfast
Forrester's AI Forum Sydney
The 2026 iAwards
.jpg&w=120&c=1&s=0)
Integrate 2026
.jpg&h=271&w=480&c=1&s=1)
.jpg&h=271&w=480&c=1&s=1)
_(1).jpg&h=140&w=231&c=1&s=0)
