Shared API keys: the Achilles' heel of AI agents
69% of companies expose their agent fleets by sharing credentials, according to VentureBeat
July 9, 2026 · 5 min read
TL;DR: 69% of companies share credentials among AI agents, allowing a compromised agent to access all workflows. Only 32% assign unique identities. Acquisitions by Palo Alto Networks, CrowdStrike, and Cisco total over $22 billion to address this risk.
What happened?
VentureBeat published the results of its June 2026 Pulse Research survey, based on a poll of 107 companies with more than 100 employees. The key finding: 69% of organizations share credentials (API keys, service accounts, or human accounts) among their AI agents. Only 32% assign each agent its own identity with limited scope. 48% have some agents with bounded identities, but many still share credentials, and another 32% operate mostly with shared keys (percentages add up to more than 100% because respondents could select multiple options).
Additionally, 54% of companies have already experienced a security incident related to agents: 18% confirmed a breach and 36% detected a near miss in time. These numbers reflect an alarming reality: most organizations have not yet implemented basic identity controls for their AI agents, even though the risk is tangible and growing.
Why is it important?
Sharing an API key among multiple agents eliminates traceability: if one agent is compromised, the attacker inherits the permissions of all workflows using that key. No forensic record remains of which agent did what, complicating incident response. This risk scales with the number of agents: CyberArk reports that non-human identities outnumber human ones by a ratio of 80 to 1. In this context, the lack of granular identities is like having all doors open with a single master key.
The security industry reacted with massive acquisitions: Palo Alto Networks completed its purchase of CyberArk on February 11 for $21.1 billion (announced in July 2025 for about $25 billion, the largest in the company's history). CrowdStrike closed the acquisition of SGNL for $740 million and, by June 15, launched the first product from the deal: Continuous Identity for AI Agents, which validates each agent action in real time based on who owns it, who invokes it, and the device's risk posture. Cisco announced on May 4 its intention to acquire Astrix Security for $400 million. These investments, totaling more than $22 billion, target the agent identity layer, precisely where most companies have yet to implement controls.
Historically, human identity management (IAM) took years to mature; now, with the explosion of AI agents, the industry faces a similar but accelerated challenge. The key difference is that agents operate at a scale and speed that surpass human capabilities, multiplying the impact of any vulnerability. This phenomenon recalls the transition from perimeter security to zero trust, but with the added complexity that non-human identities cannot authenticate with biometric factors or traditional MFA.
Consequences for companies
For security directors, this survey is a board-level issue. Companies that share credentials face an elevated risk of privilege escalation attacks, lateral movement, and data breaches. The lack of granular identities also violates the principle of least privilege and complicates auditing. A concrete example: if an AI agent with access to a shared API key is compromised via a prompt injection attack, the attacker can use that key to access databases, third-party APIs, or internal services, leaving no trace of which specific agent performed each action.
Emerging solutions, such as CrowdStrike's, validate each agent action in real time based on who owns it, who invokes it, and the device's risk posture. However, adoption is nascent: only one-third of companies have fully managed identities. This creates a significant security gap, especially in regulated sectors like finance, healthcare, and government, where audit and compliance requirements are strict. The VentureBeat survey also reveals that companies with higher agent security maturity are those that have already assigned unique identities with minimal scope to each agent.
The market impact is clear: security vendors that integrate non-human identity management (NHIM) into their platforms will have a competitive advantage. Startups offering specialized solutions, like Astrix Security, are being acquired at high prices, indicating that the market considers this area critical. For companies, investing in NHIM is not optional but a necessity to avoid incidents that could cost millions in fines, reputational damage, and operational harm.
What should readers know?
If your company deploys AI agents, you should immediately audit how credentials are managed. Shared API keys are a critical attack vector. The market trend points to non-human identity management solutions as the standard. Investing in these tools now can prevent major incidents. The VentureBeat survey also reveals that companies with higher agent security maturity are those that have already assigned unique identities with minimal scope to each agent. The path to security begins with eliminating shared credentials.
Practical recommendations: (1) Conduct an inventory of all AI agents and the credentials they use. (2) Implement a non-human identity management system that assigns each agent a unique identity with minimal permissions. (3) Establish key rotation policies and continuous activity monitoring. (4) Evaluate solutions like CrowdStrike Continuous Identity for AI Agents or similar. (5) Train the security team on the specific risks of AI agents, which differ from traditional human identity risks.
The future of enterprise security will depend on the ability to manage non-human identities with the same rigor as human ones. The VentureBeat survey is a wake-up call: 69% of companies are already exposed, and 54% have suffered incidents. Ignoring this problem is not an option.