When Your AI Agent Goes Rogue: The Security Gap Nobody Planned For

Two real 2024 incidents expose the AI agent security gap most enterprises haven't closed: autonomous agents operating without enforced boundaries, inside and outside approved frameworks.
AI agent security has become one of the defining challenges of enterprise cybersecurity in 2026. And two incidents from 2024 show exactly why: not because attackers breached the perimeter, but because agents operating within normal parameters caused serious damage.
In early 2024, a British Columbia court ruled against Air Canada in a case that sent a quiet shockwave through enterprise AI teams. The airline's virtual agent had given a customer incorrect information about bereavement fares. When Air Canada tried to argue that its chatbot was a separate entity not under its control, the tribunal rejected the claim outright.[1] The agent's actions were the company's actions. Full stop.
A few months later, security researcher Johann Rehberger published findings on Microsoft 365 Copilot that raised a more alarming set of questions.[2] By chaining together prompt injection, automatic tool invocation, and a technique called ASCII smuggling, he demonstrated that Copilot could be manipulated into surfacing and exfiltrating sensitive internal data, including emails, MFA codes, and financial records, without the user ever knowing. The agent was not breached. It was doing what it was technically permitted to do, pointed in the wrong direction.
Different incidents. Different companies. The same underlying problem: autonomous AI agents operating without enforced boundaries at the network and access layer.
Shadow AI makes the problem bigger
Before addressing the enforcement gap, it's worth acknowledging what makes it so hard to close: most organizations don't have a complete picture of the AI agents already running in their environment. Shadow AI (autonomous tools and agents deployed by individual teams without central security review) is already inside the enterprise. These agents connect to external APIs, internal databases, and SaaS platforms through channels the security team has never mapped or approved.
You cannot enforce Zero Trust for AI agents you cannot see. And right now, most security teams cannot see most of their agents.
The agentic AI security enforcement gap
At RSAC 2026, Microsoft announced Agent 365, a control plane for AI agents that promises visibility and governance at scale.[3] For organizations running agents inside the Microsoft ecosystem, built on Copilot Studio, Microsoft Foundry, or Agent 365 partner platforms, it is a meaningful step forward.
But what about everything else? The agents built on third-party frameworks. The shadow AI tools deployed outside IT visibility. Agent 365 assigns identities and enforces policy for agents it knows about. It has no jurisdiction over the ones it does not.
This is the gap that most Zero Trust for AI frameworks leave open: not the agents you planned for, but the ones you did not.
What real AI agent security requires
Genuine Zero Trust enforcement for autonomous agents requires three things most organizations do not yet have:
Identity at the agent level. Not just "the AI system" but each agent, each session, each subprocess. Every action needs a verifiable, auditable identity attached to it, regardless of which platform or vendor the agent was built on.
Sandboxed access with policy enforcement. Agents should only reach the resources required for their current task, not their full deployment context. That boundary needs to be enforced at the network layer through policy, not just assumed in the prompt or configured in a vendor dashboard.
Runtime behavioral monitoring. Anomalous agent behavior, including unexpected data access and prompt injection exploitation, needs to be detectable in real time, before the damage is done. This applies equally to sanctioned agents and to shadow AI operating outside approved channels.
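The three requirements above fit together as a single enforcement point that sits between agents and the resources they call. The following Python sketch is an added illustration, not Zentera's or Ensage AI's code: a hypothetical broker mints a per-session identity bound to the agent's task (an HMAC over agent id, session id and task), authorizes each request against a deny-by-default, task-scoped policy, records every decision in an audit trail, and a monitoring pass over that trail flags sessions that presented a bad identity or repeatedly asked for resources outside their task. All task names, resource names, keys and the scenario in `demo()` are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentIdentity:
    """Identity for one agent session, bound to the task it was started for."""
    agent_id: str
    session_id: str
    task: str
    token: str  # HMAC-SHA256 over (agent_id, session_id, task), keyed by the broker


class PolicyBroker:
    """Hypothetical enforcement point between agents and resources."""

    # Deny-by-default policy: a task may touch only the listed (resource, action) pairs.
    # Task and resource names are constructed for this example.
    POLICY = {
        "fare-assistant": {("fares_db", "read"), ("policy_docs", "read")},
        "mail-summarizer": {("mailbox:self", "read")},
    }

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.audit: list[dict] = []  # every decision, allowed or denied, is recorded

    def _sign(self, agent_id: str, session_id: str, task: str) -> str:
        msg = "|".join((agent_id, session_id, task)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, agent_id: str, task: str) -> AgentIdentity:
        """Mint a per-session identity; a task with no policy gets no identity at all."""
        if task not in self.POLICY:
            raise ValueError(f"no policy defined for task {task!r}")
        session_id = secrets.token_hex(8)
        return AgentIdentity(agent_id, session_id, task, self._sign(agent_id, session_id, task))

    def authorize(self, ident: AgentIdentity, resource: str, action: str) -> bool:
        """Verify the identity, then check task scope. Denied means blocked, not merely flagged."""
        expected = self._sign(ident.agent_id, ident.session_id, ident.task)
        identity_ok = hmac.compare_digest(expected, ident.token)
        in_scope = (resource, action) in self.POLICY.get(ident.task, set())
        allowed = identity_ok and in_scope
        self.audit.append({
            "agent_id": ident.agent_id,
            "session_id": ident.session_id,
            "task": ident.task,
            "resource": resource,
            "action": action,
            "identity_ok": identity_ok,
            "allowed": allowed,
        })
        return allowed


def flag_sessions(audit: list[dict], max_denials: int = 2) -> list[str]:
    """Runtime monitoring over the audit trail: sessions that presented a bad identity,
    or accumulated max_denials out-of-scope requests, are what a hijacked or
    misdirected agent looks like from the network layer."""
    denials: dict[str, int] = defaultdict(int)
    flagged: set[str] = set()
    for rec in audit:
        if not rec["identity_ok"]:
            flagged.add(rec["session_id"])
        elif not rec["allowed"]:
            denials[rec["session_id"]] += 1
            if denials[rec["session_id"]] >= max_denials:
                flagged.add(rec["session_id"])
    return sorted(flagged)


def demo() -> dict:
    """Constructed scenario: a mail-summarizing agent that drifts off its task."""
    broker = PolicyBroker(signing_key=b"example-broker-key-not-for-production")
    mail_agent = broker.issue("summarizer-01", "mail-summarizer")
    fare_agent = broker.issue("fare-bot-01", "fare-assistant")

    results = {
        "mail_read": broker.authorize(mail_agent, "mailbox:self", "read"),        # in scope
        "fare_read": broker.authorize(fare_agent, "fares_db", "read"),             # in scope
        # the mail agent now asks for things its task never needed: both denied
        "mail_finance": broker.authorize(mail_agent, "finance_db", "read"),
        "mail_egress": broker.authorize(mail_agent, "external:webhook", "send"),
    }
    # A forged identity: correct fields but wrong token is denied even for an in-scope resource.
    forged = AgentIdentity(fare_agent.agent_id, fare_agent.session_id, "fare-assistant", "00" * 32)
    results["forged"] = broker.authorize(forged, "fares_db", "read")

    results["flagged"] = flag_sessions(broker.audit)
    results["mail_session"] = mail_agent.session_id
    results["fare_session"] = fare_agent.session_id
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that the policy lookup and the identity check happen in one place the agent cannot bypass, and that the same audit records the monitor consumes are the ones a reviewer (or a court) would read afterwards. In a real deployment the broker key would live in a secrets manager and the audit list would be a durable, append-only log rather than an in-memory list.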
How Ensage AI closes the gap
Zentera's Ensage AI applies Zero Trust principles directly to AI agent infrastructure, regardless of where those agents were built or how they were deployed. Built on the CoIP Platform's Virtual Chamber technology, Ensage AI creates isolated, policy-enforced environments for each agent, so even if an agent is compromised or misbehaves, its blast radius is contained.
Every agent gets a cryptographic identity. Every connection is verified. Every action is logged. When an agent tries to reach something outside its permitted scope, the access is denied, not just flagged.
Critically, that coverage extends beyond what vendor-native frameworks can govern: third-party tools, open-source frameworks, and the shadow AI already running in your environment. Ensage AI enforces agentic AI security at the network layer, where it does not matter what built the agent or where it lives.
The Copilot prompt injection scenario would look very different inside an Ensage AI environment. The attack would have hit a policy boundary before sensitive data ever moved. And for situations like Air Canada's, Ensage AI's audit trail gives enterprises what courts increasingly want to see: a clear, verifiable record of what an agent was authorized to do, and what it actually did.
The window for proactive control is closing
Autonomous AI agent deployments are accelerating faster than security frameworks can keep pace. The organizations investing in AI agent security now, before a high-profile incident forces the conversation, will have a meaningful advantage in both security posture and enterprise buyer confidence.
The question is not whether your agents can act autonomously. It is whether you can prove they only act within sanctioned boundaries, including the ones nobody put on the approved list.
Ready to see how Ensage AI enforces Zero Trust for your AI agents, across every framework and every environment?