A new study finds that corporate workers leave 96 percent of their application access dormant, leading to a systemic risk of assigning existing and unused permissions and profiles to AI agents, which operate continuously, at machine speed, and without judgment.
The research from Oso, an agent permissions posture company, and AI Security Platform Cyera, analyzed permission usage across 2.4 million workers and 3.6 billion application permissions.
For human workers, unused permissions largely stay dormant. Time, judgment, and professional accountability constrain the damage that any one person can do. However, AI agents operate with none of those constraints. They run continuously, interact directly with APIs and data systems, and will exercise every capability available to them.
“Agentic AI is a new species of user – one that follows intent and operates at machine speed,” says Jason Clark, chief strategy officer at Cyera. “This research proves that dormant permissions are no longer just a bad habit; they are an existential risk. In the age of agents, if you don’t secure the data, you can’t secure AI. Period.”
Among the report’s findings over 80 percent of SaaS access is managed through static profiles, with one in four users relying on these broad, difficult-to-audit bundles that accumulate over time. Humans never interact with 91 percent of the sensitive data available to them, yet 13 percent of the workforce maintains standing access to regulated PII, financial, and health records. In addition 31 percent of users have the power to modify or delete sensitive data.
“For humans, overpermissioning was a bad habit we could live with. Humans sleep. They work business hours. They don’t want to get fired. There’s only so much damage a person can do before they have to go to bed,” saiys Graham Neray, co-founder and CEO of Oso. “That bargain just expired. Agents don’t sleep, they don’t stop, and they have no concept of consequences. The 96 percent of permissions that humans never touch are the next agent-induced incident waiting to happen. Bear in mind these findings come from organizations that already invest in access and data security. The gap at the average enterprise is almost certainly worse.”
You can see the full research on the Oso site.
Image credit: BiancoBlue/depositphotos.com
