AI Agent Ambient Authority | Elacity
An AI agent does not get broken into. It gets persuaded, then acts with all the power you handed it. The fix is not a better password. It is removing the standing power itself.
Ambient Authority: Why One Poisoned File Hijacks Your AI Agent
You are being told to give an AI agent access to your work: your repository, your cloud console, your inbox, your payment rail. What you are actually handing over is ambient authority, the standing power to act as you. The first poisoned file the agent reads can turn that power against you.
In 2026 that cost is measurable. Eighty-eight percent of organizations reported a confirmed or suspected AI agent security incident in the past year, according to Gravitee's State of AI Agent Security 2026, a figure VentureBeat reported independently. The attacks rarely begin with a stolen password. They begin with text.
The failure has a shape
An agent reads in order to work. It ingests your files, a README, a linked document, a pull request, a page returned by a tool. Researchers call the trick indirect prompt injection: hostile instructions buried in that ordinary content, which the agent cannot reliably tell apart from your own commands.
The results are not theoretical. Mozilla warned in June that mainstream coding agents were exposed to exactly this class of attack. The Cloud Security Alliance documented a single pull request title that hijacked Claude Code, Google's Gemini CLI action, and GitHub's Copilot agent, walking each one into leaking the repository's secrets. Instructions planted in a config file succeeded far more often than they failed. OWASP now ranks goal hijacking the top risk for agentic applications.
So the agent was not broken into. It was persuaded. And once persuaded it did real harm, because it already held real power.
Identity fixes who, not what
The industry's answer is identity, and it is a genuine improvement. Give every agent its own scoped credential instead of a shared key. Treat it as an insider, not a trusted user. Log everything it does. Nearly half of teams still authenticate their agents with shared API keys (Gravitee again), so this work matters.
But identity answers one question: who is this agent. It does not answer the more dangerous one: what can this agent do the instant it is fooled. A perfectly authenticated agent, provably itself, still runs with all the authority you handed it. A cleaner badge does not shrink the blast radius.
The real bug is ambient authority
This is where the AI agent ambient authority problem lives, and it predates AI by decades. A normal process wields the full standing power of whoever launched it. Open a file, reach the network, move money: the permission is ambient, present by default, waiting to be used by whatever code happens to run.
An agent inherits that ambient authority the moment you start it. So a poisoned input never needs to steal anything. It redirects power that is already switched on. The attacker does not pick the lock. The door was open, and the agent was standing inside with your privileges.
Seen this way, prompt injection is not a quirk of language models. It is the oldest bug in computing meeting a new kind of gullible process. We have argued before that zero standing privilege for agents is only half the fix, because the agent still ends up holding the key it is trusted with.
Remove the standing power
Elacity starts from the opposite default. Nothing, no app, no script, no AI, can touch your files, your network, or your money until you grant a specific, narrow, expiring permission. Revoke it and the action stops mid-flight. The system fails closed, so ambiguity denies rather than allows.
That single change rewrites the worst case. A hijacked agent no longer commands everything its process could reach. Its reach is one grant: already scoped, already expiring, already revocable. The blast radius becomes the permission you actually gave, not the sum of everything you own.
When the agent genuinely must act with a secret, the secret is used, never held. It exists in the clear for a split second inside a sealed sandbox, welded to that one transaction, then wiped. There is no stored key for a poisoned instruction to exfiltrate, because between uses there is nothing to steal. The same narrow, revocable model governs humans and AI agents alike; they pass through one gate, not two. Visa let strangers transact without trusting each other. Elacity lets humans and AI agents compute together without surrendering their keys.
What this does not solve
Honesty is the point, so name the edge. Capabilities do not stop an agent from doing something foolish inside a grant you deliberately made wide, which is why identity, monitoring, and careful scoping still matter. This is trust minimised, not magic.
And the full agent product, agent wallets with an autonomous approval and kill loop, is still being built. What exists today is the hard part: a key an agent can use but never see, a capability it can hold but never widen. The confinement that a core small enough to trust enforces is already real. The convenience layer on top is the work in progress.
The agent economy will not be made safe by handing every bot a cleaner password. It will be made safe by architectures where being fooled costs a single revocable grant instead of everything you own. Follow Elacity on X for how we are building it.