---
title: The AI agent security question a board should ask before the next credential leak
slug: harness-ai-agent-security-board-question
date: 2026-06-23
excerpt: "Anthropic spent this week quietly hardening Claude Code's permissions and credential handling, in the same month attackers proved a single public key can hijack a coding agent. Here is the one AI agent security question to settle before the next board update."
featured_image: "https://bbtxujdxvidaghmhxkqs.supabase.co/storage/v1/object/public/generated-images/blog-1782209841153-harness-ai-agent-security-board-question.webp"
featured_image_alt: A boardroom table with a laptop showing a coding agent terminal, a padlock icon, and a credential key motif, signalling AI agent security and credential blast radius.
canonical_url: https://cerevisor.com/blog/harness-ai-agent-security-board-question
updated_at: 2026-06-23T10:17:22.191306+00:00
---

# The AI agent security question a board should ask before the next credential leak

I spent a few minutes this week reading [Claude Code](/blog/harness-supervisory-engineer-org-chart-box) release notes, which is not how I imagined spending a Tuesday, and the thing that stood out was what Anthropic did not announce. No new model. No benchmark crown. Instead a quiet run of releases that all do the same boring, important thing: they take power away from the agent. One version now blocks the agent from running destructive git commands when nobody asked it to throw work away. Another added a setting so a sandboxed command can only reach into macOS automation when an admin explicitly allows it, and fixed a credential-export bug that was quietly refreshing AWS keys every sixty seconds.

That is not a product update. That is a [security team](/blog/permissions-security-lock-down) showing its homework. And it lands in the same month attackers showed exactly why the homework matters.

TLDR

The coding agent on an engineer's laptop now runs with shell access, live credentials, and an open internet connection. This month proved the worst attacks against it leave no CVE to patch and need no breach to work. Before the next board update, settle one question: which agent permission has actually been locked down, versus the one everyone assumes is locked.

## What Anthropic shipped this week, and why it reads as a confession

The releases that landed between roughly June 19 and 21 are almost entirely about containment. Claude Code now refuses, in its automatic mode, to run `git reset --hard`, `git checkout`, `git clean`, or a stash drop when no one asked it to discard local work, and it will not run a Terraform, Pulumi, or CDK destroy unless the specific stack is named. It added a sandbox setting that keeps automated commands from sending macOS Apple Events without an opt-in. It fixed a bug where a custom gateway could end up holding actual cloud credentials.
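As an added illustration, not Anthropic's code (the real harness logic is not on this page), here is a guard that applies the same two rules to a shell line an agent proposes: the destructive git forms above need an explicit user request, and a Terraform, Pulumi, or CDK destroy needs a named stack or target. What counts as naming a stack (a Terraform `-target` flag, a Pulumi `--stack`, a CDK positional argument) and which `git checkout` forms overwrite local edits are my assumptions, marked in the code.

```python
import shlex

DESTROY_CLIS = {"terraform", "pulumi", "cdk"}

def _segments(command):
    """Split on shell operators so `npm test && git clean -fdx` is inspected too."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    segments = [[]]
    for tok in lex:
        if tok in ("&&", "||", ";", "|", "&"):
            segments.append([])
        else:
            segments[-1].append(tok)
    return [s for s in segments if s]

def _git_discards_work(argv):
    """True for the git forms the post lists that throw away local work."""
    if argv[:1] != ["git"] or len(argv) < 2:
        return False
    sub = argv[1]
    if sub == "reset":
        return "--hard" in argv
    if sub == "checkout":  # assumption: only path or force forms overwrite edits
        return any(a in ("--", ".", "-f", "--force") for a in argv[2:])
    return sub == "clean" or (sub == "stash" and argv[2:3] == ["drop"])

def _destroy_without_stack(argv):
    """True for terraform/pulumi/cdk destroy that names no target or stack."""
    if len(argv) < 2 or argv[0] not in DESTROY_CLIS or argv[1] != "destroy":
        return False
    rest = argv[2:]
    if argv[0] == "terraform":  # assumption: -target counts as naming the target
        return not any(a.startswith("-target") for a in rest)
    if argv[0] == "pulumi":
        return not any(a in ("-s", "--stack") or a.startswith("--stack=") for a in rest)
    return not any(not a.startswith("-") for a in rest)  # cdk: positional stack name

def guard(command, user_asked_to_discard=False):
    """Illustrative guard, not Anthropic's code: (allowed, reason) for one shell line."""
    try:
        segments = _segments(command)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False, "unparseable command"
    for argv in segments:
        if _git_discards_work(argv) and not user_asked_to_discard:
            return False, f"{' '.join(argv)!r} would discard local work unrequested"
        if _destroy_without_stack(argv):
            return False, f"{argv[0]} destroy without a named stack"
    return True, "ok"
```

Wired into a pre-execution hook, the reason string is what ends up in the audit log when the agent is refused, which is the record the "what did it touch" question in a board update depends on.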

Read those notes as a group and the message is clear. The people who build the harness have concluded that the agent should not be trusted with irreversible actions or standing credentials by default. They are right. The reason they are right showed up in the news cycle three weeks earlier.

---

## The attack that needs no breach, no malware, and no click

Here is the part that belongs on a board slide. In June, researchers at Tenet Security published an attack they call agentjacking. It works like this. An application sends its errors to Sentry, like almost everyone’s does. The key that lets it send those errors is public by design, sitting in front-end JavaScript. An attacker takes that public key and posts a fake error event to the project. Inside that fake error, they hide instructions.

Later, an engineer tells the coding agent to go fix the unresolved Sentry issues. The agent pulls the errors in through a connector, reads the attacker’s instructions [sitting inside](/blog/vol-targeting-lookback-convergence-post-nvidia-week) what looks like normal error data, cannot tell the difference between data and a command, and runs the command. Now the attacker has the environment variables, the AWS keys, the GitHub tokens, the private repo URLs. No phishing email. No malware. No server compromise. The researchers measured an 85 percent success rate across Claude Code, Cursor, and Codex, and counted 2,388 organizations exposed through this one path.

The detail I keep coming back to is what Sentry reportedly said when this was disclosed. They described the issue as not defensible at the platform level. They are not wrong either. Every single step in the attack is authorized. The agent did exactly what it was told. That is the whole problem with this class of risk, and it is why the usual security questions do not catch it.

85%

success rate for the agentjacking attack across Claude Code, Cursor, and Codex (Tenet Security, June 2026)

There is a second story running underneath this one, and it is worse in a quiet way. A self-spreading worm researchers named Miasma has been moving through the software [supply chain](/blog/vercel-breach-coding-agents-oauth-door) since the start of June, changing its delivery method every two or three days. It hides instructions inside the configuration files a coding agent reads on startup, including the dot-folders for Claude Code, Cursor, Gemini, and VS Code. Some of its packages even include decoy text full of alarming words designed to make an AI security scanner refuse to read the file. When it hit Microsoft’s own repositories, automated defenses disabled 73 of them in 105 seconds. The number that should stay with a reader: across every campaign this group ran in 2026, zero CVEs were assigned. There was nothing to patch. The only way to catch it is to watch behavior.

## The three questions a board will ask, and how to answer them calmly

When this reaches the boardroom, and a credential leak somewhere in the sector will eventually push it there, the questions will be sharp. Have the answers ready.

The first question is some version of “are we exposed to this?” The honest answer starts with a count, not a reassurance. How many production agents have access to private data, untrusted content, and the open internet at the same time? That combination is the one researchers call the lethal trifecta, and it is the precondition for every attack above. If the number is unknown, that is the finding.

> "Coding agents and computer agents rank as the top 2 highest attack surfaces, top 2 highest blast radius, and top 2 lowest defense controls."

Eugene Neelou, AIRQ project lead, on an independent assessment of 100 production agents, via Help Net Security, June 2026

That same assessment found only 11 percent of production agents were adequately defended, while 98 percent carried the lethal trifecta. The number I would put in front of a board, though, is a different one from that report: 83 percent of the security controls organizations claimed to have were never independently verified. That is the gap between feeling secure and being secure, expressed as a percentage.

The second question is “who owns this?” Not which tool, which person. The [harness vendor](/blog/3-vendor-moves-q2-budget-math) will keep shipping permission settings, sandbox toggles, and credential fixes, exactly as Anthropic did this week. Every one of those is a default someone either set on purpose or inherited by accident. Name the human who owns the permission and credential posture for each coding agent the teams run. If the answer is a Slack channel, there is no owner.

The third question is “what would we actually do when it happens?” Notice the word when. The right answer is a rehearsed one: a way to revoke the agent’s credentials fast, a way to see what it touched, and a default that scopes secrets to the task instead of leaving them standing in the environment. The good news buried in this week’s releases is that the building blocks now exist. The agent can be told to refuse irreversible actions. Credentials can be made short-lived and task-scoped. The work is turning those from available into configured.

Key Insight

The dangerous AI agent security gap is not the vulnerability left unpatched. It is the permission everyone assumes is locked because the setting exists, when nobody confirmed it is actually on.

## The 60-second brief for the next board update

With one minute, say this. The coding agents the engineers use run with shell access, live credentials, and internet connectivity, which makes them one of the highest-blast-radius systems the company operates. The most serious attacks this quarter needed no breach and left no CVE, so the usual patch-and-scan habits do not catch them. The response is to treat the harness as a credential-handling system: scope secrets to the task, turn on the permission and sandbox controls the vendors just shipped, name an owner per agent, and rehearse how to revoke and audit. The one number worth tracking is the share of production agents with independently verified controls, reported, not asserted.

## What to watch

Watch how fast the harness vendors keep shipping containment primitives, because the pace tells you how seriously they take the threat, and this week the pace was high. Watch internal configuration drift, because a permission someone locked in March is one careless commit away from being reopened. And watch the language in the next incident that makes the news. If the report says every step was authorized, that is not a different company’s bad luck. That is the same risk on the org’s own laptops, and it is the most figure-out-able kind, because the fix is not a patch anyone is waiting on. It is a decision a leadership team can make this week.

#### Sources

- [Claude Code changelog (v2.1.181, v2.1.183, v2.1.185)](https://releasebot.io/updates/anthropic/claude-code) - Anthropic / Releasebot, 2026-06-21

- [Agentjacking: coding agents hijacked with fake Sentry errors](https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/) - Tenet Security, 2026-06-12

- [Preinstall to persistence: inside the Red Hat npm Miasma credential-stealing campaign](https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/) - Microsoft Security Blog, 2026-06-02

- [Only 11% of production agents pass the AI agent security bar](https://www.helpnetsecurity.com/2026/06/03/research-ai-agent-security-capability/) - Help Net Security, 2026-06-03
