Key Findings

• In September 2025, a state-sponsored threat actor deployed an AI coding agent that autonomously targeted 30 global organizations, handling 80-90% of tactical operations without human intervention

• AI agents operating inside corporate environments bypass traditional kill chain detection by leveraging legitimate access, permissions, and data workflows they were granted at deployment

• The OpenClaw crisis revealed that 12% of marketplace skills were malicious, with compromised agents able to access Slack messages, files, emails, and documents across persistent sessions

• Security detection tools fail against compromised AI agents because the threat activity appears normal—the agent accesses systems it always accesses and moves data it always moves

• Most organizations lack visibility into which AI agents operate in their environment, what systems they connect to, and what permissions they hold

Background

The traditional cyber kill chain, developed by Lockheed Martin in 2011, has defined how security teams think about defense for over a decade. The model assumes attackers must earn access step by step: initial compromise, establishing persistence, reconnaissance, lateral movement, privilege escalation, and finally exfiltration. Each stage creates detection opportunities where defenders can interrupt the attack sequence.

This framework worked because human attackers leave artifacts. Unusual login locations, odd access patterns, and deviations from baseline behavior signal something is wrong. Advanced threat groups like LUCR-3 and APT29 know this, which is why they invest weeks in stealth operations, trying to blend into normal network traffic. But even they eventually trip a wire.

Why AI Agents Are Different

AI agents operate under fundamentally different rules than human users. They're designed to work continuously across multiple systems, moving data between applications as part of their normal job function. An AI agent might pull from Salesforce, push to Slack, sync with Google Drive, and update ServiceNow—all in a single workflow cycle.

When deployed, these agents typically receive broad permissions, often admin-level access across multiple applications. This is intentional—they need wide-ranging access to do their jobs efficiently. But this also means they already possess the exact things an attacker would need to compromise your environment: a complete map of what data exists and where it lives, legitimate access to move between systems, and permissions that justify large-scale data movement.

The Detection Gap

If an attacker compromises an AI agent already operating inside your network, they don't need to follow the kill chain at all. They inherit everything the agent was given: the access, the permissions, the data maps, and most critically, the legitimate reason for their activity.

Security tools are engineered to catch abnormal behavior. A suspicious login from a foreign country triggers alerts. Unusual data access patterns raise flags. Sudden lateral movement across systems gets flagged. But when a compromised AI agent accesses the systems it always accesses and moves the data it always moves, every detection system sees exactly what it expects to see. The malicious activity looks identical to authorized operation because, technically, it is using authorized access.

This is the core problem: the kill chain assumes defenders can detect when attackers step out of line. It assumes abnormal behavior will create detectable artifacts. But a compromised AI agent never steps out of line. It never does anything abnormal. It simply does what it was always supposed to do, except now an attacker is directing it.

The OpenClaw Precedent

The OpenClaw crisis provided a real-world glimpse of this threat. Roughly 12% of skills available in the public marketplace were found to be malicious. A critical remote code execution vulnerability allowed one-click compromise of deployed instances. Over 21,000 instances were publicly exposed, creating a massive attack surface.

Once compromised, an agent connected to Slack and Google Workspace could access messages, files, emails, and documents with persistent memory across sessions. An attacker didn't need to break in, escalate privileges, or evade detection. They simply inherited the agent's existing permissions and used them.

What's Missing

The fundamental gap in current security infrastructure is visibility. Most organizations have no inventory of the AI agents operating in their environment, let alone which SaaS applications they connect to or what permissions they hold. These agents operate in shadow IT—deployed, forgotten about, and never properly accounted for in security posture assessments.

Without this baseline visibility, security teams can't establish what normal behavior looks like for each agent. They can't monitor for unauthorized permission changes. They can't detect when an agent suddenly starts accessing systems it shouldn't. The agent becomes an invisible pipeline between your most sensitive systems and a potential attacker.

Sources

• https://thehackernews.com/2026/03/the-kill-chain-is-obsolete-when-your-ai.html

• https://www.linkedin.com/posts/cyber-news-live_the-kill-chain-is-obsolete-when-your-ai-agent-activity-7442620391304355842-xs9V

• https://www.instagram.com/p/DWTrg5RjrhZ/

• https://www.cypro.se/2026/03/25/the-kill-chain-is-obsolete-when-your-ai-agent-is-the-threat/

• https://www.reddit.com/r/SecOpsDaily/comments/1s3a5ao/the_kill_chain_is_obsolete_when_your_ai_agent_is/