Now in early access, book a 30-minute demo →
Threat surface

Crown Jewels on the Endpoint

Attackers do not want the agent; they want what the endpoint holds: cloud keys, SSH keys, session cookies, source code, and network position. An AI agent that reads files fluently and runs with the developer's privileges concentrates access to all of it.

Attackersteers the agent AI agentruns as the developer Secrets + keysenv vars, ~/.aws, ~/.ssh Source code + IPrepos, git history Browser sessionscookies, tokens Attacker endpointexfiltration Tool-call hookallow / deny / log steers via text reads reads reads exfiltrated deny before run
An agent runs with the developer's privileges, so a single hijack reaches secrets, source, and sessions - and out to the attacker.

An attacker who reaches an agentic environment is not there for the agent - the agent is transport. The target is what it has always been on a developer's machine: the assets it stores and the systems it can reach. What is new is that one piece of software reads all of them fluently, runs with the developer's privileges, and follows instructions from text.

This page catalogs those crown jewels and explains why an AI agent is the shortest path to them. Every risk in this model - prompt injection, malicious skills, excessive MCP permissions - ends here.

Why agents concentrate the risk

Three properties of agents turn scattered assets into one reachable pile. They run with the developer's privileges: no sandbox sits between the agent and ~/.aws, ~/.ssh, the shell, or the browser profile. They read files fluently, finding a token in a config file or a key in git history in seconds. And they are steered by text, so any content in the context window can redirect that access toward the crown jewels.

The result is concentration: credentials once spread across files a human rarely opened together are now one prompt away from being read and - if the agent can reach the network - sent out.

Attack scenarios

Mitigations

  1. Take the secrets off the endpoint. The most durable control is having little to steal: short-lived, scoped credentials issued on demand, so a read yields something already expiring.
  2. Give agents least privilege. Scope what each agent and its MCP tools can read; an agent that never needs ~/.ssh or the browser profile should not reach them. See excessive MCP permissions.
  3. Enforce at the tool-call boundary. Reading or sending an asset is a tool call. A hook that checks those calls against policy before they run turns a collection attempt into a logged, denied event.
  4. Constrain egress. Access becomes loss only when data can leave. Limit where agents can send, so a read cannot chain into exfiltration - the same exposure employees create by pasting data into chatbots.
  5. Keep a queryable audit trail. Access to the crown jewels is the signal that matters; retain the tool calls that touched them long enough to investigate, per the audit trail guide.

How Anomity helps

Anomity's lightweight, unprivileged Endpoint Sensor inventories every agent, MCP server, and skill that can reach the endpoint's crown jewels, and discovers where secrets sit. It sends metadata only over HTTPS - never source code, never prompts - and redacts secrets on the endpoint, so the visibility layer is not another copy of what attackers want. On agents that expose a hook, such as Claude Code's PreToolUse, each tool call is allowed, denied, or logged before it runs, which breaks a read-and-exfiltrate chain. Violations route to SIEM, Slack, email, and Jira, and every tool call lands in a queryable 90-day audit trail that complements the DLP and EDR controls never built to watch an AI agent.

See this surface in your own fleet

Anomity's Endpoint Sensor discovers every AI agent, MCP server, skill, and rules file on every endpoint, and governs each tool call at the hook. Book a 30-minute demo.

Ask AI about Anomity
ChatGPT Claude Perplexity Google AI Grok