The Silent Storm of Shadow AI: Why Unsanctioned Agents Outpace Traditional Defenses
Shadow AI is growing faster than most organizations can track. Learn why unsanctioned AI agents create new security risks and why behavioral analysis is critical for detecting threats.
June 9, 2026

Some of the most consequential employees at your company in three years will not be on the payroll. They will not show up in your HR software, will not have a badge, will not sit through a one-on-one with their manager. They will read your email, draft replies to it, query your data warehouse, push code to your repos, and book meetings with your customers. There will be, on average, ten thousand more of them every year for the next three years. This forecast describes a workforce already inside your perimeter. It does not arrive announced. It arrives one download, one trial, one signup at a time, in front of a security stack that was never built to see it.
In July 2024, an employee at a Fortune 50 media and entertainment company downloaded a free AI art tool from a public code repository. Hidden inside the installer was an infostealer. Five months later, the attacker walked off with 1.1 terabytes of internal data, including 44 million internal chat messages, 18,800 spreadsheets, and 13,000 PDFs. The incident did not start with a sophisticated adversary. It started with an employee trying to move faster.
This is the texture of a storm now gathering inside every enterprise. Most of it is happening below the line security teams can see. In 2025, public code repositories absorbed roughly 28.65 million hardcoded secrets, a jump of 34 percent year over year, according to GitGuardian. AI-service credentials alone accounted for 1.27 million of those, up 81 percent in twelve months. Translated into time, that is one AI credential leaking onto the open internet roughly every 25 seconds, around the clock, all year. None of those numbers describe a breach. They describe a workforce, autonomously and individually, expanding the attack surface one paste at a time.

What looks like isolated leaks today is becoming the structural shape of tomorrow's environment. Gartner projects more than 150,000 AI agents inside the average Fortune 500 by 2028, up from fewer than fifteen this year, against roughly 65,000 humans on the average S&P 500 payroll. The largest cohort of actors inside your environment will not be on your org chart, and nearly every security tool you own was built for the smaller, human cohort.
Over the past few months, I have been in rooms with security leaders from four very different industries, hearing the same conversation each time. Each had taken stock and found dozens of AI tools and autonomous agents running inside their environment that no one had approved or logged. Every one of those organizations had assembled, without intending to, a shadow AI portfolio.
The atomic unit of risk is no longer the tool. It is the behavior of the identity, human or non-human, wielding the tool. A finance analyst using a sanctioned ChatGPT account to download the full customer revenue spreadsheet at three in the morning is a higher-risk event than an unsanctioned tool sitting idle. An autonomous agent that has never touched the customer database suddenly pulling files from it for the first time is functionally indistinguishable from an account takeover. Reading behavioral signals is what Abnormal does best. So far, we have read human ones.
To dive deeper into our approach to behavioral modeling, visit abnormal.ai/products/attune.
Those humans are accomplishing more and more of their work through tools nobody is yet watching. McKinsey found that employees are using generative AI for thirty percent of their daily work, at roughly three times the rate their leaders think they are. Seven in ten are already using AI tools, per ISACA, while fewer than two in ten companies have written a rule for them. What happens when something goes wrong inside that gap? IBM's most recent breach report puts the average premium at $670,000 per shadow-AI incident, enough to fund a ten-person security operations team for half a year. The controls that might have made the bill cheaper were missing in 97 percent of those cases.
Discovery and inventory are the right first steps. Find the tools. Classify them. Decide which ones belong. Every serious security team is doing that work right now, and they are right to. The bigger challenge comes after. When employees cannot work in sanctioned tools, they route around the controls and reach for shadow AI tools that carry far greater risk. The deeper issue is that every major security category in your stack, from DLP to SIEM to IAM, was built around the assumption that the user is a person. That assumption is breaking in real time.
The question every leader I spoke with eventually circled back to was the same one. How do we know when one of these things stops behaving normally? Discovery alone cannot answer that question. Behavioral analysis can.
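The two cases described earlier (the 3 a.m. bulk spreadsheet download and the agent touching a database for the first time) can be expressed as a per-identity baseline check. The sketch below is an added illustration, not Abnormal's product logic; the identities, resource names, the `bulk_factor` threshold and all events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access events: (ISO time, identity, resource, rows_read).
# Human and non-human identities are baselined the same way.
EVENTS = [
    ("2026-05-04T10:12", "analyst.kim", "crm.revenue", 120),
    ("2026-05-05T14:40", "analyst.kim", "crm.revenue", 95),
    ("2026-05-06T09:05", "agent.ticket-bot", "helpdesk.tickets", 40),
    ("2026-05-07T03:10", "agent.ticket-bot", "helpdesk.tickets", 35),
    ("2026-05-08T11:30", "analyst.kim", "crm.revenue", 140),
    # Observation window starts here.
    ("2026-05-11T10:20", "analyst.kim", "crm.revenue", 110),
    ("2026-05-12T03:02", "analyst.kim", "crm.revenue", 48000),
    ("2026-05-12T03:30", "agent.ticket-bot", "helpdesk.tickets", 38),
    ("2026-05-13T09:40", "agent.ticket-bot", "crm.customers", 30),
]
BASELINE_END = datetime(2026, 5, 9)

def build_baseline(events, cutoff):
    """Record, per identity, the resources, hours and peak volume seen before cutoff."""
    base = defaultdict(lambda: {"resources": set(), "hours": set(), "max_rows": 0})
    for ts, ident, res, rows in events:
        t = datetime.fromisoformat(ts)
        if t < cutoff:
            b = base[ident]
            b["resources"].add(res)
            b["hours"].add(t.hour)  # exact-hour match: a deliberate simplification
            b["max_rows"] = max(b["max_rows"], rows)
    return base

def score_events(events, cutoff, bulk_factor=10):
    """Return post-cutoff events that deviate from the identity's own baseline."""
    base = build_baseline(events, cutoff)
    findings = []
    for ts, ident, res, rows in events:
        t = datetime.fromisoformat(ts)
        if t < cutoff:
            continue
        b = base.get(ident)
        if b is None:  # identity never observed during the baseline period
            findings.append((ts, ident, res, ["unknown-identity"]))
            continue
        reasons = []
        if res not in b["resources"]:
            reasons.append("first-time-resource")
        if t.hour not in b["hours"]:
            reasons.append("unusual-hour")
        if rows > bulk_factor * b["max_rows"]:
            reasons.append("bulk-volume")
        if reasons:
            findings.append((ts, ident, res, reasons))
    return findings
```

Note that the agent's 03:30 read is not flagged, because 3 a.m. activity is part of its own baseline, while the same hour is anomalous for the analyst.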
What looks like a silent storm is actually a loud one, in a language most of today's instruments were not built to hear. It happens to be the same language defenders have spent their careers learning to read in humans. The defenders who have read humans best will get to define what normal behavior looks like for agents.


