AI in HR? It’s happening now.
Deel's free 2026 trends report cuts through all the hype and lays out what HR teams can really expect in 2026. You’ll learn about the shifts happening now, the skill gaps you can't ignore, and resilience strategies that aren't just buzzwords. Plus you’ll get a practical toolkit that helps you implement it all without another costly and time-consuming transformation project.
IBM, OpenAI, Microsoft, and NIST all signaled the same thing: nobody knows how to secure AI agents. Here's what happened, why it matters, and what to do about it.
⚡ TL;DR — THE EXECUTIVE SUMMARY
IBM's coding agent "Bob" downloaded malware from a poisoned README—no social engineering required
OpenAI admits prompt injection in browser agents may "never be fully solved"
Microsoft dismissed four Copilot vulnerabilities as "not qualifying" for fixes
NIST opened public comments on AI agent security—deadline March 9, 2026
Gartner: 40% of enterprise apps will embed AI agents by year-end—each one a potential insider threat
Action required: Audit agent permissions, implement behavior monitoring, establish kill switches NOW
The Week Everything Broke
In a single week in January 2026, four separate events revealed the same uncomfortable truth: the AI industry has deployed autonomous agents into enterprise environments without knowing how to secure them.
This isn't a theoretical concern. IBM's new coding assistant downloaded malware. OpenAI's browser agent remains vulnerable to attacks the company says may never be fully preventable. Microsoft declined to fix vulnerabilities a security researcher documented in Copilot. And the U.S. government opened public comments asking for help—because the people responsible for setting security standards don't have answers either.
The timing matters. According to Gartner, 40% of enterprise applications will integrate task-specific AI agents by the end of 2026—up from less than 5% in 2025. That's not a gradual adoption curve. That's a cliff. And we're about to walk off it without guardrails.
"AI agent security is where web security was in 2004. There's no shared taxonomy, no CVEs, no universal fixes."
— Security researcher, quoted in production incident analysis
This deep dive breaks down what happened, why it happened, and—most importantly—what you can do about it before your organization becomes a case study.
By The Numbers
Metric | Value |
Enterprise apps with AI agents by end of 2026 | 40% (Gartner) |
Enterprise apps with AI agents in 2025 | <5% (Gartner) |
Organizations with AI-specific security controls | 34% (Cisco) |
Organizations conducting regular AI security testing | <40% (Cisco) |
Production deployments with prompt injection vulnerabilities | 73% (OWASP) |
Executives concerned about model manipulation/poisoning | >50% (Cisco) |
NIST comment deadline for AI agent security | March 9, 2026 |
Incident #1: IBM's "Bob" Downloads Malware
What Happened
IBM announced "Bob" in October 2025 as an AI-powered "software development partner" designed to understand programmer intent, repository structures, and security standards. The tool is currently in closed beta, available as both a command-line interface (CLI) and an integrated development environment (IDE).
Security researchers at PromptArmor decided to test Bob's defenses before general release. Their method was simple: they gave Bob a code repository containing a malicious README.md file.
The README contained instructions telling Bob it was responsible for conducting "phishing training" with the user. It included a series of echo commands—the kind used to print messages to a terminal. The first two commands were benign. The third attempted to fetch and execute a malicious script.
Here's what made the attack work: Bob has an approval system that asks users to allow commands once, always allow them, or suggest changes. The researchers exploited this by front-loading benign commands. Once a user approved the pattern, Bob treated subsequent commands—including the malicious one—as pre-approved.
Why It Matters
This wasn't a sophisticated attack. There was no social engineering, no zero-day exploit, no advanced persistent threat. It was a text file with hidden instructions—the digital equivalent of leaving a note saying "please hack me" and having the AI comply.
"This risk is relevant for any developer workflows that leverage untrusted data. Bob can read webpages—a prompt injection can be encountered if the user requests that Bob review a site containing untrusted content."
— Guarav Krishnan, PromptArmor
The researchers noted that Claude Code, Anthropic's competing coding assistant, would have blocked the same attack. Claude Code has programmatic defenses that request user consent for entire multi-part commands, even if individual commands in the sequence are on an auto-approval list.
IBM's response, delivered after The Register published the story: "We can't find any record of IBM having been notified directly of this vulnerability." The company said it takes security seriously and will "take any appropriate remediation steps prior to IBM Bob moving to general availability."
Incident #2: OpenAI Says the Problem May Never Be Solved
What Happened
OpenAI published a security update for ChatGPT Atlas, its browser agent that operates inside a web browser to carry out tasks for users. The update included a newly adversarially-trained model and strengthened safeguards.
But the accompanying blog post contained a remarkable admission: prompt injection is "unlikely to ever be fully solved."
The company explained that it had built an automated attacker using large language models, trained with reinforcement learning, specifically to discover prompt-injection strategies that could push browser agents into harmful multi-step workflows. The goal was to find vulnerabilities before external attackers do.
Why It Matters
OpenAI isn't saying prompt injection is hard to solve. They're saying it may be impossible to fully solve—a fundamental limitation of how language models process information.
The core problem: LLMs don't reliably distinguish between instructions ("do this task") and data ("here's some text to process"). When an agent browses a webpage, any text on that page could potentially be interpreted as a command. Attackers can embed malicious instructions in ordinary-looking content—a hidden comment in HTML, a cleverly worded paragraph, or invisible Unicode characters.
This is why OpenAI's solution is continuous defense rather than a permanent fix. They're essentially saying: we've accepted that our browser agent will always be vulnerable to some attacks, so we're building systems to catch and block as many as possible while acknowledging we'll never catch them all.
For enterprise deployments, this creates a fundamental question: how do you accept a tool into your security perimeter when its own creators say it can never be fully secured?
Incident #3: Microsoft Says It's Not a Bug, It's a Feature
What Happened
Security engineer John Russell discovered four issues in Microsoft Copilot and reported them through Microsoft's security disclosure process. Microsoft closed all four cases, stating they "do not qualify for serviceability."
The issues Russell documented:
Indirect prompt injection leading to system prompt leak
Direct prompt injection leading to system prompt leak
File upload type policy bypass via base64-encoding
Command execution within Copilot's isolated Linux environment
The file upload bypass is particularly interesting. Copilot has policies restricting certain file types—presumably for security reasons. Russell found that base64-encoding the restricted content allowed it to bypass these restrictions entirely.
Russell pushed back, noting that competing AI assistants like Anthropic's Claude refused all of the methods he found working in Copilot, attributing the difference to insufficient input validation.
Why It Matters
Microsoft's position reveals a philosophical divide in how the industry thinks about AI security. Their argument: these behaviors reflect "expected limitations" of language models rather than security boundaries being crossed.
"The problem with these is that they are relatively known. It would be generally hard to eliminate without eliminating usefulness. All these are showing is that LLMs still can't separate data from instruction."
— Cameron Criswell, Security Researcher
But here's the issue: Microsoft is deploying Copilot across enterprise environments as a productivity tool. If system prompt leakage and file policy bypasses are "expected limitations" rather than vulnerabilities, that's information enterprises need before deployment—not as a defense after a researcher publishes findings.
Incident #4: The Government Asks for Help
What Happened
On January 8, 2026, the National Institute of Standards and Technology (NIST) published a Request for Information in the Federal Register seeking public input on "Security Considerations for Artificial Intelligence Agents."
The document defines AI agent systems as consisting of "at least one generative AI model and scaffolding software that equips the model with tools to take a range of discretionary actions." It notes these systems "can be deployed with little to no human oversight."
NIST is specifically asking for "concrete examples, best practices, case studies, and actionable recommendations" from organizations that have experience developing and deploying AI agents. The comment deadline is March 9, 2026.
Why It Matters
When the agency responsible for setting cybersecurity standards publishes a request asking the public for help with AI agent security, that's a signal. The signal is: we don't have this figured out either.
The RFI acknowledges that "challenges to the security of AI agent systems may undermine their reliability and lessen their utility" and that "security vulnerabilities may pose future risks to critical infrastructure or catastrophic harms to public safety."
Translation: AI agents could be catastrophically dangerous, we know adoption is happening anyway, and we need help creating guidelines before something goes very wrong.
The Pattern: The Lethal Trifecta
These four incidents aren't isolated failures. They reveal a structural problem with how AI agents are designed and deployed.
Security researchers have identified what they call the "lethal trifecta" that makes AI agents uniquely vulnerable:
THE LETHAL TRIFECTA
When all three factors converge, system compromise becomes trivial
🔑 PRIVILEGED ACCESS Agents need permissions to be useful: files, code, databases, email, web | 📥 UNTRUSTED INPUT Agents process external data: web pages, docs, messages, APIs | 🤖 AUTONOMOUS ACTION Agents act without approval for every step—damage happens before detection |
↓ RESULT ↓
A single malicious prompt can achieve full system compromise
The maturity gap is staggering. SQL injection is a solved problem in principle—just use parameterized queries. Prompt injection has no equivalent universal solution. As OpenAI acknowledges, it "is unlikely to ever be fully solved." We're defending against a class of attacks that may be inherent to LLM operation.
"The CISO and security teams find themselves under a lot of pressure to deploy new technology as quickly as possible. That's created this concept
of the AI agent itself becoming the new insider threat."
— Wendi Whitmore, Chief Security Intel Officer, Palo Alto Networks
Unlike human insiders, agents don't sleep. They don't have working hours. They're vulnerable to manipulation 24/7, from anywhere in the world.
Vendor Response Scorecard
How did each company handle the disclosure? Our assessment:
Vendor | Issue | Response | Grade |
IBM | Bob downloaded malware from README | "Will remediate before GA"; no prior notification record | C — Reactive |
OpenAI | Atlas browser agent prompt injection | Published update, admitted fundamental limits, ongoing red-team | B+ — Honest |
Microsoft | 4 Copilot vulnerabilities | "Does not qualify for serviceability" | D — Dismissive |
Anthropic | Claude Code (comparison baseline) | Blocked same attacks that compromised IBM Bob | A — Defense in depth |
Note: Grades reflect response quality, not product quality. A vendor with vulnerabilities who responds transparently may score higher than one who dismisses concerns.
What To Do Now: The Agent Security Checklist
If your organization is deploying AI agents—or planning to—here's your hardening checklist, organized by timeline and owner:
🚨 IMMEDIATE ACTIONS — This Week
Action | Owner |
☐ Inventory all AI agents in your environment (shadow AI is real) | Security + IT |
☐ Audit agent permissions—apply least-privilege principles | Security |
☐ Establish kill switches for every agent (immediate revocation capability) | Engineering + Security |
☐ Review auto-approval settings—require explicit approval for privileged ops | Engineering |
⚠️ SHORT-TERM ACTIONS — This Month
Action | Owner |
☐ Implement behavior monitoring—log agent actions, detect anomalies | Security + SOC |
☐ Sandbox agent execution environments (isolated containers, restricted network) | Engineering + DevOps |
☐ Create incident response playbooks for agent compromise | Security + Legal |
☐ Test agents with adversarial inputs—if you're not red-teaming, someone else will | Security + QA |
📋 STRATEGIC ACTIONS — This Quarter
Action | Owner |
☐ Develop AI agent governance framework (who can deploy, what permissions, what oversight) | CISO + Legal + Exec |
☐ Evaluate vendor security practices before deployment (red-team cadence, disclosure policy) | Security + Procurement |
☐ Consider submitting comments to NIST (deadline: March 9, 2026) | Legal + Security |
☐ Plan for prompt injection never being "solved"—defense in depth is the only strategy | CISO + Architecture |
Go Deeper
Primary Sources:
NIST RFI on AI Agent Security: federalregister.gov/documents/2026/01/08/2026-00206
OpenAI Atlas Security Post: openai.com/index/chatgpt-atlas-security
IBM Bob Vulnerability (The Register): theregister.com/2026/01/07/ibm_bob_vulnerability
Microsoft Copilot Disclosure (BleepingComputer): bleepingcomputer.com/news/security/copilot-prompt-injection-flaws
OWASP Top 10 for LLM Applications 2025: owasp.org/www-project-top-10-for-large-language-model-applications
Expert Research & Analysis:
Johann Rehberger's Agent Security Research: embracethered.com (extensive prompt injection documentation)
PromptArmor Security Assessments: promptarmor.com/blog
Lakera Prompt Engineering & Security Guide: lakera.ai/blog/prompt-engineering-guide
Industry Reports:
Palo Alto Networks 2026 Predictions (AI Agent Threats): paloaltonetworks.com/2026-predictions
Cisco State of AI Security 2025 Report:
Gartner AI Agent Adoption Forecast: gartner.com/en/newsroom (search "AI agents 2026")
MDPI Prompt Injection Comprehensive Review (Academic): mdpi.com/2078-2489/17/1/54
This deep dive accompanies the iPrompt Newsletter for the week of January 13, 2026.
Stay curious—and stay paranoid.
— R. Lauritsen