There is a non-human identity operating in your cloud right now. It has permissions. It is invoking a large language model, reasoning over the output, and taking actions across your infrastructure without a human authorizing each step. Your IAM dashboard sees it as just another service account. Nothing flags it. Nothing governs it. This is what an ungoverned AI agent looks like. In 2026, most enterprises have dozens of them.

The identity perimeter has shifted. Most security teams have not caught up.

Identity security has always had a clear mental model: govern your humans, govern your non-human identities, enforce least privilege, monitor activity. Most mature security teams got this right. Then agentic AI arrived and the model broke. A service account does not make decisions. An API key does not reason. An AI agent does both. It calls a foundation model on Bedrock or Vertex AI, interprets the response, and acts on it immediately: writing to databases, calling APIs, modifying cloud storage, querying sensitive data. Single execution cycle, zero human approval. The blast radius of a compromised or misbehaving AI agent is operational, quantifiable and is sitting in your cloud right now, invisible to every tool pointed at it.

Why AI agent discovery is harder than it looks

The core challenge is resemblance. At the infrastructure level, an AI agent looks identical to any other service account. It has a role, attached policies, and appears in your IAM inventory like everything else. Nothing about it indicates that it is calling a generative AI model and acting autonomously on the output. Effective discovery requires understanding what an agent actually is: a non-human identity that can both call an AI model and act on the output, with write or control permissions on storage, databases, infrastructure APIs, or SaaS systems. Either condition alone is not enough. Both together, bound to an autonomous runtime, is what makes an identity an AI agent. That distinction requires cross-signal correlation no traditional IAM tool performs. This is exactly what Unosecur's UIF Analyzer now does.

Introducing AI agent discovery in Unosecur's UIF Analyzer

Unosecur surfaces every AI agent across your AWS, GCP, Azure environments and answers the four questions that matter for security: what has it done, what can it do, what is wrong with it, and what can it reach.
‍

Event trail: What the agent executed, across which services, and when. Observed behaviour, as opposed to permitted entitlements. Activity evidence is what separates real governance from an audit exercise.
‍

Permissions analysis: The complete entitlement picture, including standing privileges the agent has never exercised. Overpermissioned agents are not an edge case. They are the default. Agents get provisioned under deadline pressure, scoped generously, and never revisited.
‍

Risk insights: The findings here go beyond posture hygiene. The insights surfaced for AI agents are things that cover toxic combinations—modifying IAM policies, stealing access tokens for service accounts, altering bucket access control lists, and manipulating cloud storage policies for credential theft. In a human identity context, any of these triggers immediate incident response. In an AI agent context, they are going undetected because no existing tooling correlates these signals right.

Accessible resources: Every data source, downstream system, and resource within the agent's operational scope, mapped and visible. Full attack path and blast radius made concrete.
‍

Unosecur goes deeper: The privilege escalation path hidden inside your agent's tools

Discovery is only the first layer. The more dangerous problem sits one level below it. The blast radius of an AI agent is almost never determined by the agent's own permissions. It is determined by the permissions of the tools the agent invokes. A Bedrock agent built to handle customer queries looks reasonably scoped on the surface. But it operates through action groups, Lambda functions that execute on its behalf, each running under its own IAM execution role. Those Lambda roles are where the real entitlements live. And in most production environments, they are significantly over-provisioned. A single Bedrock agent with three action groups, each backed by a Lambda with a moderately broad role, can silently have read and write access to dozens of DynamoDB tables, S3 buckets, and external APIs. Scale that across 20 to 50 agents in a production environment and the attack surface becomes substantial and entirely opaque.

This is the privilege laundering problem. An agent that appears scoped at the surface inherits, through its tool chain, a blast radius far larger than its intended purpose. Unosecur resolves the complete privilege chain for every agent and compares what each tool is entitled to do against what it has done. The gap between those two things is standing overprivilege. For the majority of agents, that gap is significant. Where over-privilege is found, Unosecur generates a right-sized least-privilege policy automatically, scoped to the specific actions and resources the agent's tools have invoked . This is a deployable policy, ready to apply..

The secrets sprawl problem that no one is monitoring

Discovery tells you what agents exist. Privilege analysis tells you what they can do. But there is a third problem that sits outside the identity layer entirely, and it is the one most likely to cause an immediate breach. AI agents handle credentials constantly. The secrets they use, API keys, OAuth tokens, bearer tokens, database connection strings, tend to end up in places with zero monitoring coverage. Agent instructions sometimes contain hardcoded credentials left by developers under deadline pressure. Lambda environment variables hold secrets that were never migrated to a secrets manager. Agent trace logs, the step-by-step reasoning record including every tool input and output, can expose credentials in plain text to anyone with log read access.

The exposure footprint is wide. The monitoring coverage in the majority of  environments is essentially zero. Unosecur monitors all of it at run-time. Agent instructions are scanned at discovery and on every update. Trace logs and Lambda invocation payloads are monitored in near real time. When a credential is detected, the alert includes the location where it was found, the credential type, severity based on exposure context, and specific remediation steps for that exact scenario.

Detected secret values are never stored in plaintext. Unosecur masks the value on detection and persists only the alert metadata. The security tool that finds your credential exposure does not itself become one.

One view. Every identity. No gaps.

The AI agent security capability in UIF Analyzer sits inside the same unified view that already governs your human identities and NHIs, with the same interface, the same cross-cloud and cross-SaaS activity tracking, and the same event trail spanning AWS, GCP, Azure, SaaS applications, and identity providers. AI agents operate across the tool silos that security programs are organized around. A single agent can be provisioned in AWS, invoke a model on GCP, write output to cloud storage, and trigger downstream SaaS activity in a single execution. That kill chain stays invisible when visibility is fragmented. UIF Analyzer assembles it continuously, for every identity type, in one place.

The window to get ahead of this is not staying open

Every enterprise running workloads on AWS, GCP, or Azure in 2026 has AI agents in their environment. The majority were not deliberately deployed as agents. They were deployed as features, accumulated standing privileges over time, and somewhere along the way crossed from service account into autonomous actor with no corresponding update to the security model around them. AI agent security is not a future problem. It is a current one, running in your cloud, carrying unmeasurable risk, taking actions you have not audited, with access to data your governance program has not accounted for. Unosecur's answer to that problem is already running. Teams who run a UIF Analyzer scan find AI agents they did not know existed. Book a demo and see what yours uncovers.

‍