Bỏ qua đến nội dung chính
Back to home
AI tools-ai Tech 3 min read

Study: 69% of Enterprises Face Security Risks Due to Shared API Keys for AI Agents 🛡️

A new VentureBeat study reveals a major security gap as 69% of enterprises allow AI agents to share API keys, exposing systems to cascading cyberattacks.

Tier 2 · sources 56% confidence Reviewed
Sources venturebeat.com

A new study released by VentureBeat in July 2026 highlights an alarming security flaw in the enterprise adoption of artificial intelligence. Specifically, 69% of surveyed organizations run AI agents using shared credentials or API keys. Sharing these resources means that if a single AI agent is compromised, an attacker immediately inherits access to all workflows and interconnected systems that the API key touches.

Diễn biến chi tiết

VentureBeat's June 2026 Pulse Research survey of 107 enterprises reveals that only 32% of organizations assign dedicated, managed identities to each AI agent. Notably, more than half of the respondents (54%) admit they have already experienced an agent security incident or a near-miss. The incident rate is particularly severe at larger companies with over 1,000 employees (climbing to 63%), while sandbox isolation capabilities at these same enterprises move in the opposite direction, dropping to just 20%. This situation has fueled a massive wave of acquisitions in non-human identity security, totaling over $22 billion by giants like Palo Alto Networks, CrowdStrike, and Cisco over the past year.

Phân tích kỹ thuật & Công nghệ

From a technical perspective, sharing API keys destroys digital forensic trails during security incidents. When multiple agents operate under a single account, the system cannot distinguish which agent performed a specific action. This risk is amplified as the ratio of machine-to-human identities reaches 82:1, according to data from CyberArk. Furthermore, enterprises' heavy reliance on default prompt and output filters from model providers (such as OpenAI, Google, and Microsoft) only addresses problems at the natural language layer. According to CrowdStrike's analysis, language-layer filters cannot determine the actual intent of an agent, which can only be effectively resolved through runtime authorization and network isolation.

Ý kiến chuyên gia & Nhận định

Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike, told VentureBeat that current authorization mechanisms are highly complex because users frequently delegate their personal identities to AI to act on their behalf, blurring the boundaries of accountability. Sharing this view, Merritt Baer, former Deputy CISO at AWS and current Chief Security Officer at Enkrypt AI, noted that enterprises mistakenly believe they have 'approved' secure AI vendors, but they have actually approved only the interface, not the underlying dependency systems, which are the ones that fail under stress.

Tác động & Tương lai

This security report is expected to trigger a major restructuring in how global and Vietnamese enterprises approach cybersecurity for the AI agent era. Currently, up to 59% of enterprises plan to adopt, add, or replace agent security tools within the next 12 months. Experts advise security directors to immediately inventory all AI agent credentials, eliminate shared API keys, and prioritize sandboxing for high-risk agents handling sensitive data to limit the blast radius of any potential compromise.