Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate: exploitation is unconfirmed and requires an attacker to first obtain a dormant credential, but the 65.4% never-used rate across deployed agentic chatbots means the exposed attack surface is large and credentials are effectively unmonitored, lowering attacker friction significantly once access is gained. Impact is high because a single compromised AI agent credential grants production-level access to customer PII in Salesforce, financial data in Snowflake, source code in GitHub, and call recordings in Gong simultaneously, with no behavioral baseline to trigger alerting.
Treatment rationale: The threat stems directly from an internal governance gap — ungoverned credential issuance and absent lifecycle management — which is operationally correctable through identity controls and does not warrant avoidance or pure transfer.
Third-Party / Supply-Chain Risk
Significant third-party and shared-platform exposure exists across multiple SaaS and infrastructure providers: Salesforce, Snowflake, GitHub, Slack, and Gong each hold distinct data classes under separate trust boundaries. Under NIST SP 800-161, each integration represents an external dependency where the enterprise lacks visibility into how AI agent credentials are stored, rotated, or audited on the vendor side. MCP server integrations compound this by potentially bridging multiple downstream systems through a single credential surface. A compromise at any integration point propagates lateral access across the entire agentic mesh without requiring additional authentication steps.
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M per incident, reflecting multi-system access scope and regulatory notification costs across potentially several data classes simultaneously
Frequency: For an enterprise with ungoverned AI agent deployment across these platforms, illustrative probability of at least one dormant credential being discovered and exploited within a 12-month window is moderate — estimated 10–25% annually, given the combination of broad credential surface, absence of alerting, and growing attacker focus on identity infrastructure
Annualized: Illustrative ALE: $50K–$1.25M annually (mid-range loss magnitude ~$1M × mid-range frequency ~15%); range is wide given uncertainty in attacker discovery probability
Basis: Loss magnitude derived from multi-system breach scope: simultaneous access to CRM, data warehouse, source code, and communications platforms elevates notification scope, forensic complexity, and potential regulatory exposure above a single-system incident. Frequency derived from exposure characteristics: 65.4% never-used credential rate, absence of behavioral baseline, and growing industry focus on non-human identity as an attack vector raise the probability above background for a typical enterprise-scale deployment. No third-party actuarial data cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Unauthorized access to customer PII held in Salesforce or call recordings in Gong may invoke state breach-notification obligations — verify with counsel.
• Financial data exposure in Snowflake could trigger contractual data-processing agreement breach provisions with enterprise customers — verify with counsel.
• Source code exfiltration via GitHub may constitute a material security event under cyber-insurance policy terms requiring prompt notice — verify with broker.
• Dormant privileged credential exposure across regulated data classes may implicate SOC 2, ISO 27001, or sector-specific compliance attestation obligations — verify with counsel and compliance leadership.
