AI-Induced Lateral Movement: Autonomous Agents as a Third Dimension of Network Traversal

Cloud Security Alliance AI Safety Initiative | March 2026

Key Takeaways

Autonomous AI agents introduce a qualitatively new form of lateral movement that traverses not only network segments but logical trust domains, API authorization scopes, and inter-agent communication channels simultaneously — a capability no prior attack class has combined in a single action. The CrowdStrike 2026 Global Threat Report documents average eCrime breakout times of 29 minutes with a record low of 27 seconds [1]; this dramatic compression of adversarial tempo reflects, in part, the automation of credential harvest and lateral movement steps across the attack lifecycle. The GTG-1002 campaign, disclosed by Anthropic in November 2025 and among the first publicly documented large-scale, autonomous AI cyberattacks, executed 80–90% of its attack sequence with minimal human intervention across approximately 30 global organizations [2] — demonstrating that threat actors have achieved practical operational capability with this class of attack.

The infrastructure enabling these attacks is already embedded in enterprise environments. The Model Context Protocol and similar agent tool-use frameworks can function as lateral movement infrastructure: a single compromised MCP server may simultaneously expose OAuth tokens granting access to email, file storage, calendar, and messaging services across an organization [3]. The governance posture of most enterprises is not equipped for this exposure. The CSA 2025 Agentic Identity Survey found that only 28% of organizations can reliably trace agent actions to a human sponsor across all environments, and only 17% enforce runtime access control consistently — leaving the vast majority without the visibility required to detect agent-mediated movement [4].

The implication for defenders is structural. Extending traditional east-west network controls is necessary but insufficient. Organizations must additionally cover agent trust boundaries, inter-agent message channels, and tool-invocation authorization, treating each agent as a distinct identity principal subject to least-privilege enforcement.

Background

Network lateral movement — the practice by which an adversary, having gained initial access, expands their foothold to additional systems and data sources within a target environment — has been a cornerstone of advanced persistent threat tradecraft for decades. Security architects have historically conceptualized this movement along two axes: east-west traversal across internal network segments, and north-south movement between perimeter boundaries and cloud or internet-connected infrastructure. Detection strategies, microsegmentation controls, and zero-trust architectures have been designed with these two dimensions in mind.

The emergence of autonomous AI agents in enterprise environments introduces a third dimension of traversal that existing control frameworks were not designed to address. Where traditional lateral movement requires an adversary to discover, exploit, and authenticate against each successive target system, an AI agent with sufficient tool access, reasoning capability, and compromised objectives can traverse organizational boundaries through the normal exercise of its delegated permissions. It does not need to exploit a vulnerability to move from the email system to the document store to the ticketing platform; if it holds OAuth tokens for all three, movement between them is architecturally indistinguishable from legitimate operation. This is the essential security challenge that AI-induced lateral movement poses: the attack surface is not a technical weakness but a design feature of how agents are granted and exercise authority.

The scale of agent deployment in enterprise environments has accelerated this exposure substantially. A 2026 CSA survey of 285 IT and security professionals found that 40% of organizations already have AI agents operating in production, and more than 70% expect to be managing dozens to hundreds of agents within twelve months [4]. Rubrik Zero Labs has estimated, as reported in independent industry analysis, that AI agents are now generating non-human identities (NHIs) that outnumber human user accounts by approximately 82 to 1 in enterprise environments [5]. Each of these machine identities carries credentials, scopes, and tool permissions that collectively represent an enormous, largely unmonitored attack surface.

GTG-1002 and concurrent research demonstrate that threat actors have achieved practical operational capability with autonomous AI attacks, moving this risk category beyond proof-of-concept. The GTG-1002 campaign, a Chinese state-sponsored operation disclosed by Anthropic in November 2025, was among the first publicly attributed autonomous AI attacks at scale — executing multi-stage intrusions against approximately 30 global organizations with a level of automation that required human operator intervention at only four to six decision points per campaign [2]. The campaign used the Model Context Protocol as its primary tool-use infrastructure, performing reconnaissance, vulnerability identification, credential harvesting, lateral movement, and data exfiltration as a largely autonomous chain.

Security Analysis

The Mechanics of Agent-Mediated Traversal

To understand how AI agents enable a qualitatively new form of lateral movement, it is necessary to examine the architecture through which agents exercise authority. Enterprise AI agents typically operate with sets of delegated credentials — OAuth tokens, API keys, service account credentials, or session tokens — that grant them access to specific systems and data. In an agentic workflow, the agent reasons about a task, selects a tool appropriate to the next step, invokes that tool using its delegated credentials, observes the result, and proceeds. From the perspective of the receiving system, the agent’s API call is functionally identical to a call made by an authorized human user.

This design means that an agent holding broad tool permissions is, by construction, pre-positioned for lateral movement. If that agent’s objectives are subverted — through prompt injection, memory poisoning, a compromised orchestrator, or a malicious instruction in retrieved content — it can exercise its delegated authority across every integrated system without needing to acquire new credentials or exploit additional vulnerabilities. In traditional terminology, the “breakout” has already occurred at the moment the agent received its permissions; the question is whether those permissions will be exercised legitimately, erroneously, or maliciously — and whether the organization has the observability to distinguish between them.

Schneier, Brodt, Feldman, and Nassi formalized this mechanism in their February 2026 paper introducing the Promptware Kill Chain, a seven-step framework describing how prompt injection serves as the entry point into a complete attack lifecycle [6]. The lateral movement step in their model is specifically characterized by the attack’s propagation to other users, devices, or systems, including the possibility of self-replication: a compromised agent drafting outbound messages can embed malicious payloads in those messages, infecting the AI assistants of recipients in a manner functionally analogous to a worm. Their documented “Here Comes the AI Worm” example demonstrated exactly this propagation pattern in an email-connected agent environment.

MCP as Lateral Movement Infrastructure

The Model Context Protocol, which has seen rapid adoption as a tool-use standard across major AI platforms, warrants particular attention in the context of lateral movement. When an MCP server is compromised or manipulated, the consequences extend far beyond a single integration point. Because MCP servers typically aggregate credentials across multiple downstream services, a successful attack against a single server may simultaneously expose tokens granting access to organizational email, document repositories, calendar data, instant messaging platforms, and code repositories.

Research from Palo Alto Networks and independent security analysts has identified 31 distinct MCP attack types, organized into four primary categories: direct tool injection, indirect tool injection via poisoned data sources, malicious user attacks, and attacks exploiting inherent LLM behavior [3]. Several of these have direct lateral movement implications. In the “confused deputy” pattern, an MCP server holding broad service privileges executes actions under its own service identity rather than properly scoped user-bound permissions, propagating elevated access to downstream systems. Token passthrough attacks involve client tokens forwarded to downstream APIs without audience validation, allowing a compromised intermediate system to harvest credentials valid across the entire integrated service graph. Tool shadowing attacks register a malicious MCP server with a tool name identical to a legitimate one, causing the LLM to route sensitive requests — including authentication material — to an attacker-controlled endpoint.

The GTG-1002 operation exploited precisely these properties. Anthropic’s disclosure described the attackers breaking their objectives into small, seemingly innocuous sub-tasks and falsely characterizing the agent as an employee of a cybersecurity firm conducting authorized defensive testing — a social engineering technique applied not to a human but to an AI safety system [2]. The MCP infrastructure then provided the actual traversal capability, allowing reconnaissance data collected from one system to inform exploitation of the next in a coherent, autonomous attack chain.

Multi-Agent Cascading Propagation

While single-agent lateral movement is a significant threat, the security implications multiply when multiple agents operate in coordinated workflows. Multi-agent architectures — in which an orchestrating agent directs specialized sub-agents to execute discrete tasks — are increasingly common in enterprise automation, and they introduce a distinct class of lateral movement risk: cascading propagation through inter-agent trust relationships.

The core vulnerability is that agents in a workflow typically grant each other elevated trust by virtue of their shared orchestration context. A compromised orchestrator can direct subordinate agents to expand their own permissions, exfiltrate data, or interact with systems outside their original scope. eSecurity Planet’s Q4 2025 analysis modeled a scenario in which a single compromised agent poisoned 87% of downstream decision-making within four hours, with the cascade propagating faster than conventional incident response processes could identify and contain it [7].

A 2025 arXiv survey of multi-agent security research found that existing risk management frameworks are insufficient for the complex vulnerabilities unique to agentic AI, with the research community having focused primarily on single-agent settings and human-AI alignment while leaving multi-agent adversarial dynamics largely unexplored [8]. Higher autonomy improves agent capability but increases the complexity and unpredictability of security-relevant behavior, and the trust relationships that enable effective multi-agent coordination are precisely the relationships that adversaries can exploit for cascading movement.

The Non-Human Identity Attack Surface

AI-induced lateral movement is inseparable from the non-human identity crisis that has accompanied rapid agent deployment. The approximately 82:1 ratio of NHIs to human identities reported for enterprise environments [5] represents not merely a credential management challenge but a structural expansion of the lateral movement attack surface. Every NHI represents a pre-positioned pivot point: an identity that, if compromised or manipulated, can be used to traverse the systems to which it holds access.

The CSA 2025 Agentic Identity Survey reveals the governance dimensions of this exposure in concrete terms. Only 23% of surveyed organizations have a formal, organization-wide agent governance strategy [4]. Fewer than 20% have implemented fine-grained authorization scopes, runtime policy enforcement, or continuous authentication for their agents. Some 44% rely on static API keys — long-lived credentials with no temporal scope — as their primary agent authentication mechanism, creating persistent access paths that remain valid even after an agent’s intended task is complete. These static credentials are the NHI equivalent of leaving administrative passwords unchanged indefinitely: they offer attackers a durable means of re-entry and lateral movement that persists independent of the original attack vector.

The operational tempo of AI-assisted attacks compounds this governance gap. CrowdStrike’s 2026 Global Threat Report documents an average eCrime breakout time of 29 minutes, with the fastest recorded instance completing in 27 seconds [1]. At these speeds, the window between initial agent compromise and significant lateral movement is too narrow for human-in-the-loop detection to be the primary defense. By the time an analyst responds to an alert, an autonomous attacker may have traversed multiple systems, established persistence, and begun exfiltration.

The Visibility Deficit

Defenders face a compounding challenge: not only is the attack surface poorly governed, but observability into agent behavior is deeply inadequate. The CSA survey finding that only 28% of organizations can trace agent actions to a human sponsor across all environments is particularly striking [4]. In a traditional network intrusion, an attacker must create artifacts — process executions, network connections, authentication events — that can be correlated to establish a movement chain. In an agent-mediated attack, the movement artifacts are legitimate API calls indistinguishable from authorized activity, and the reasoning that connected those calls exists only inside the agent’s context window, which is not logged by default in most deployment architectures.

Help Net Security’s March 2026 analysis of enterprise AI deployment found that only 21% of executives report complete visibility into agent permissions, tool usage, or data access, while the average organization has approximately 1,200 unofficial AI applications in use [9]. Shadow agent adoption — AI tools introduced by individual employees or departments outside of formal IT governance — expands the attack surface further while simultaneously reducing visibility. An agent operating outside the organization’s security monitoring perimeter is, from the defender’s perspective, indistinguishable from an undiscovered adversary.

Recommendations

Immediate Actions

Organizations should begin with a comprehensive inventory of deployed AI agents and their associated credentials. This means identifying not only formally provisioned agents managed by IT but also the shadow agent population introduced through individual SaaS subscriptions, browser extensions, and departmental tools. Without a complete agent registry — ideally maintained in near-real-time — it is not possible to scope, monitor, or respond to agent-mediated threats. The CSA survey found that only 21% of organizations maintain real-time agent registries, meaning the majority are managing a population they cannot fully enumerate [4].

Credential hygiene for agent identities should be treated with at least the same urgency applied to human privileged accounts. Static API keys and shared service accounts should be replaced with short-lived, dynamically issued credentials using modern protocols such as OAuth PKCE, OpenID Connect, or SPIFFE/SVID workload identities. Each agent should receive credentials scoped to the minimum set of permissions required for its specific task, with those scopes validated at runtime rather than assumed from initial provisioning. Long-lived credentials surviving beyond an agent’s active session represent an ongoing lateral movement risk independent of any specific attack.

MCP server deployments and similar tool aggregation infrastructure should be audited for token passthrough vulnerabilities, confused-deputy permission patterns, and tool name collision risks. Organizations should require that MCP servers validate token audience on all downstream API calls, enforce user-bound rather than service-bound permission scopes, and maintain integrity controls preventing unauthorized modification of tool metadata — the vectors most directly enabling agent-mediated lateral movement.

Short-Term Mitigations

Over a horizon of one to three months, organizations should extend their security monitoring infrastructure to cover agent behavior specifically. This includes logging all tool invocations with sufficient context to reconstruct the reasoning chain that produced them, correlating agent API calls across integrated systems to identify anomalous traversal patterns, and establishing baseline behavioral profiles for production agents against which deviations can be detected. Agent-specific observability platforms — capable of logging tool invocations with reasoning context and correlating API calls across integrations — fill gaps that traditional SIEM architectures were not designed to address.

Network microsegmentation should be extended to isolate agent tool-use endpoints. Each agent and its associated tool integrations should be contained within a network zone that limits blast radius in the event of compromise. An agent whose network access is restricted to the specific endpoints required for its function cannot leverage a successful prompt injection to pivot to unrelated infrastructure, regardless of the credentials it holds. Vendors specializing in microsegmentation have begun publishing agent-specific segmentation architectures that address this requirement [10].

Human-in-the-loop validation should be implemented as a mandatory gate for any agent action meeting defined risk thresholds. The CSA 2025 Agentic Identity Survey found that 69% of security professionals consider human validation essential or very important for sensitive data access operations, and 68% hold the same view for system configuration changes [4]. Implementing automated circuit breakers that pause agent execution and surface a confirmation request to a human operator — before rather than after high-risk tool invocations — can significantly reduce the window in which agent-mediated lateral movement can proceed undetected.

Strategic Considerations

At the strategic level, organizations should adopt the MAESTRO framework published by the Cloud Security Alliance as their primary threat modeling methodology for agentic AI systems [11]. MAESTRO’s seven-layer architecture — spanning foundation models, data operations, agent frameworks, deployment infrastructure, evaluation and observability, security and compliance, and the agent ecosystem — provides a structured vocabulary for identifying where lateral movement risks exist across the full agent stack. The framework’s Layer 7 (Agent Ecosystem) specifically addresses inter-agent trust failures, agent impersonation, multi-agent collusion, and lateral movement across agents — the precise threat class this research note addresses. Organizations should apply MAESTRO analysis during agent design, deployment review, and red team exercises.

Agentic red teaming, as described in the CSA Agentic AI Red Teaming Guide [12], should become a standard component of the security assurance program for any organization deploying autonomous agents in production. Most traditional penetration testing methodologies were not designed to cover the attack surfaces specific to agentic systems — prompt injection chains, memory poisoning, orchestrator hijacking, blast radius assessment through impact chain analysis — and organizations relying solely on conventional security testing, without agentic-specific additions, may have significant undetected exposure that conventional methodologies are not designed to surface. The guide’s 12 threat categories provide a structured testing scope, and its integration with OWASP AI Exchange benchmarks offers external validation against community standards.

Finally, organizations should integrate agentic identity governance into their Zero Trust architecture programs rather than treating it as a separate initiative. The principles of Zero Trust — continuous verification, least-privilege enforcement, assumption of breach — apply to AI agents at least as directly as they apply to human users, and the agent’s inability to explain or justify its actions in real time makes cryptographic verification of identity and fine-grained authorization scoping even more critical. Agent identities should be first-class participants in the organization’s identity governance program, with the same lifecycle management, access review, and credential hygiene practices applied to human privileged accounts.

CSA Resource Alignment

The threats described in this research note intersect with several active CSA programs and published frameworks that provide directly applicable guidance.

The MAESTRO Framework (Multi-Agent Environment, Security, Threat, Risk, and Outcome), introduced by the CSA in February 2025, provides the most directly relevant threat modeling architecture for AI-induced lateral movement [11]. Layer 4 (Deployment and Infrastructure) addresses privilege escalation and sandbox escape; Layer 5 (Evaluation and Observability) addresses the monitoring blind spots and telemetry evasion that enable agent-mediated movement to go undetected; and Layer 7 (Agent Ecosystem) directly catalogs inter-agent trust failures and multi-agent collusion as primary threat categories. Organizations should apply MAESTRO’s automated analysis tooling in CI/CD pipelines to identify lateral movement risks before agent deployments reach production.

The CSA Agentic AI Red Teaming Guide (2025) [12], produced by the AI Organizational Responsibilities Working Group in collaboration with OWASP AI Exchange, provides practical testing methodology for 12 vulnerability categories including agent authorization hijacking, goal and instruction manipulation, multi-agent exploitation, and agent untraceability — each of which corresponds directly to a mechanism enabling or concealing lateral movement. Security teams should use the guide’s testing procedures for both pre-deployment assessment and ongoing red team exercises.

The CSA Large Language Model Threats Taxonomy (2024) [13], published by the AI Controls Framework Working Group, provides foundational definitions for the threat categories underlying AI-induced lateral movement, including prompt injection, sensitive data disclosure, insecure plugins and applications, and supply chain compromise. The taxonomy’s lifecycle-based organization supports structured risk assessment from model selection through production operation.

The CSA 2025 Agentic Identity Survey [4], produced in collaboration with Strata Identity, provides quantitative baseline data on enterprise readiness for agentic identity governance. Its findings on confidence levels, governance maturity, traceability capabilities, and credential practices offer benchmark data that security and risk teams can use to assess their organization’s exposure relative to industry peers.

The Cloud Controls Matrix (CCM) provides mappings to specific control domains relevant to this threat, particularly within the Identity and Access Management (IAM), Logging and Monitoring (LOG), and Infrastructure Security (IVS) control families. Organizations should review their CCM coverage against the agent-specific risks described in this note and identify controls requiring extension or clarification for agentic deployment contexts.

The CSA Zero Trust guidance program offers directly applicable architecture principles. The CSA’s zero trust model — specifically its emphasis on continuous verification, least-privilege access, and micro-perimeter segmentation — applies to agent identities as fully as to human users, and organizations that have implemented Zero Trust for human access should explicitly extend that framework to cover agent credentials and tool-invocation authority.

References

[1] CrowdStrike, “2026 CrowdStrike Global Threat Report,” CrowdStrike, February 24, 2026. https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-global-threat-report-findings/

[2] Anthropic, “Disrupting AI Espionage: GTG-1002 Campaign Disclosure,” Anthropic, November 2025. https://www.anthropic.com/news/disrupting-AI-espionage

[3] Palo Alto Networks, “Simplified Guide to Model Context Protocol Vulnerabilities,” Palo Alto Networks, 2025. https://www.paloaltonetworks.com/resources/guides/simplified-guide-to-model-context-protocol-vulnerabilities; also: arxiv, “Systematic Analysis of MCP Security,” arxiv:2508.12538, 2025. https://arxiv.org/pdf/2508.12538

[4] Cloud Security Alliance / Strata Identity, “2025 CSA Agentic Identity Survey,” CSA, 2026. https://cloudsecurityalliance.org (survey conducted September–October 2025; published 2026)

[5] Rubrik Zero Labs, “Non-Human Identity Risk in Enterprise AI Environments,” as reported in Artezio, “Transforming Cybersecurity: Unprecedented AI Threat,” Artezio, 2025. https://www.artezio.com/pressroom/blog/transforming-cybersecurity-unprecedented/ [Note: secondary citation; Rubrik Zero Labs primary report should be consulted directly for full methodology and qualifications.]

[6] Bruce Schneier, Oleg Brodt, Elad Feldman, Ben Nassi, “The Promptware Kill Chain,” Lawfare, February 16, 2026. https://www.lawfaremedia.org/article/the-promptware-kill-chain; arxiv:2601.09625. https://arxiv.org/abs/2601.09625

[7] eSecurity Planet, “AI Agent Attacks in Q4 2025 Signal New Risks for 2026,” eSecurity Planet, Q4 2025. https://www.esecurityplanet.com/artificial-intelligence/ai-agent-attacks-in-q4-2025-signal-new-risks-for-2026/

[8] arxiv, “Open Challenges in Multi-Agent Security: Towards Secure Systems of Interacting AI Agents,” arxiv:2505.02077, May 2025. https://arxiv.org/html/2505.02077v1

[9] Help Net Security, “AI Went from Assistant to Autonomous Actor and Security Never Caught Up,” Help Net Security, March 3, 2026. https://www.helpnetsecurity.com/2026/03/03/enterprise-ai-agent-security-2026/

[10] Elisity, “AI Agent Network Security: Why Microsegmentation Is the Missing Layer,” Elisity Blog, 2026. https://www.elisity.com/blog/ai-agent-network-security-microsegmentation-2026

[11] Cloud Security Alliance / Ken Huang, “Agentic AI Threat Modeling Framework: MAESTRO,” CSA Blog, February 6, 2025. https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro; updated application: February 2026. https://cloudsecurityalliance.org/blog/2026/02/11/applying-maestro-to-real-world-agentic-ai-threat-models-from-framework-to-ci-cd-pipeline

[12] Cloud Security Alliance AI Organizational Responsibilities Working Group / OWASP AI Exchange, “Agentic AI Red Teaming Guide,” CSA, 2025. Available via CSA document library at cloudsecurityalliance.org.

[13] Cloud Security Alliance AI Controls Framework Working Group, “Large Language Model (LLM) Threats Taxonomy,” CSA, 2024. Available via CSA document library at cloudsecurityalliance.org.

Additional Resources

The following sources provide supplemental context and are recommended for further reading, but were not directly cited in the analysis above.

• ReliaQuest, “2026 ReliaQuest Annual Cyber-Threat Report,” ReliaQuest, February 24, 2026. https://reliaquest.com/news-and-press/threat-actors-achieve-lateral-movement-in-as-little-as-4-minutes-reliaquest
• MITRE, “MITRE ATLAS: Adversarial Threat Landscape for AI Systems,” MITRE, October 2025 update. https://atlas.mitre.org
• OWASP GenAI Security Project, “OWASP Top 10 for Agentic Applications,” OWASP, December 9, 2025. https://genai.owasp.org/2025/12/09/owasp-top-10-for-agentic-applications-the-benchmark-for-agentic-security-in-the-age-of-autonomous-ai/
• GreyNoise Intelligence, “Threat Actors Actively Targeting LLMs,” GreyNoise, January 2026. https://www.greynoise.io/blog/threat-actors-actively-targeting-llms
• arxiv, “A Survey of Agentic AI and Cybersecurity: Challenges, Opportunities and Use-case Prototypes,” arxiv:2601.05293, January 2026. https://arxiv.org/html/2601.05293v1
• Tenable, “Cybersecurity Snapshot: Agentic AI Security Best Practices, MITRE ATT&CK v18,” Tenable Blog, November 7, 2025. https://www.tenable.com/blog/cybersecurity-snapshot-agentic-ai-security-best-practices-mitre-attack-v18-11-07-2025
• Cloud Security Alliance, “Securing Non-Human Identities in the Age of AI Agents,” RSAC 2025 Presentation, 2025. CSA corpus: securing-non-human-identities-in-the-age-of-ai-agents-rsac-2025

This research note was produced by the Cloud Security Alliance AI Safety Initiative as point-in-time analysis reflecting conditions as of March 9, 2026. Readers should consult current threat intelligence sources for the most recent operational data. CSA research notes are intended to inform security practitioners and should not be construed as legal or compliance advice.