All resources
AI Governance

The AI Agent Security Wake-Up Call SMBs Don't Realize They're In

ForcedLeak. ShareLeak. Identity sprawl. A series of recent vulnerabilities in enterprise AI agents has exposed a category SMBs aren't watching closely enough — and the fix is simpler than the headlines suggest.

BC
Bob Clary
Founder, Dyntyx
·
May 25, 2026
·
7 min read

In the last six months, security researchers have publicly demonstrated AI agent vulnerabilities at Salesforce (ForcedLeak), Microsoft (ShareLeak), and inside Agentforce's customer-facing flows. The pattern is the same in each case: an attacker manipulates an input — a form field, a document, a calendar invite — and the AI agent dutifully takes an action that leaks data or executes code it shouldn't.

If you run a small business, you might be tempted to file this under "enterprise problem." Don't. The exact same vulnerability pattern exists in every SMB AI deployment, and it's typically less governed than what Fortune 500s are running.

What the new vulnerabilities have in common

  1. 01
    Indirect prompt injection.

    The attacker doesn't talk to the AI directly. They poison a data source the AI reads later — a customer service form, a sales lead capture, a calendar attachment. The AI processes the poisoned content as instruction and takes an action on the attacker's behalf.

  2. 02
    Permissions that accumulated quietly.

    Agents tend to get permissions added incrementally — "oh, give it CRM access too," "actually let it read the calendar," "go ahead and let it send emails" — until they have broad authority that nobody audits.

  3. 03
    No visible failure mode.

    When an agent does the wrong thing, it doesn't crash or log an error. It just returns a plausible-looking response while quietly exfiltrating data or sending the wrong email. Standard application monitoring misses it entirely.

Why SMBs are actually more exposed than enterprises

Three reasons, all uncomfortable.

  1. A
    Enterprises have security teams. SMBs have one person who also handles IT.

    When a Fortune 500 deploys Agentforce, there's a security review, a permissions audit, and a continuous monitoring pipeline. When a 30-person company deploys an AI agent, there's a founder hoping it works.

  2. B
    Enterprise AI products ship with governance layers. The SMB versions often don't.

    Salesforce's Trust Layer, ServiceNow's Control Tower, Microsoft's Purview — these tools exist for a reason. Most SMB-tier AI products have a fraction of those controls or none of them at all.

  3. C
    SMBs trust their tools more, not less.

    An enterprise security team operates from "prove this is safe." Most SMBs operate from "this seems to work, ship it." That's a fine cultural difference until it isn't.

The vulnerability isn't in the model. It's in how the agent connects to your systems and what it's allowed to do without supervision. Same problem at SMB or enterprise scale — just less likely to be caught early at the SMB.

The four-control checklist that closes most of the risk

You don't need an enterprise security platform. You need four basic disciplines, and they will close 80% of the realistic attack surface for an SMB.

  1. 01
    Scope every agent narrowly.

    Each agent gets exactly the permissions it needs for the workflow it owns, and nothing more. The agent that schedules appointments doesn't need read access to your bank accounts. Write this down for each agent. Revoke anything that doesn't pass a sniff test.

  2. 02
    Treat all incoming data as untrusted.

    Forms, emails, calendar invites, document uploads — anything an attacker could influence. If an agent processes inputs from outside your company, the agent's response should be reviewable by a human before any sensitive action triggers. This is the single most important control for the prompt-injection class of attacks.

  3. 03
    Log every action, review weekly.

    Every action an agent takes should be logged with timestamp, the input that triggered it, the reasoning the agent produced, and the result. Someone — you or your operations lead — should skim those logs once a week. 80% of weird behavior gets caught in those weekly reviews before it becomes a story.

  4. 04
    Have a kill switch.

    Every agent needs a one-click off switch that a non-technical person on your team can hit if something looks wrong. If your only path to disabling an agent is filing a ticket with your vendor, you're already in trouble.

What good AI vendors do (and how to vet yours)

If you're running AI agents in your business, ask your vendor — today — these five questions:

  1. I
    What input validation do you do on data sources I don't fully control?

    If they get vague, that's your answer.

  2. II
    What's logged when an agent takes an action? Can I see a real log entry?

    Demand to see one. Logs that exist only in marketing slides don't help during an incident.

  3. III
    How do I revoke permissions on an agent?

    There should be a single screen where you can see what each agent is allowed to do and uncheck things in real time.

  4. IV
    What happens when the agent gets prompt-injected?

    A good answer mentions specific protections (output sanitization, untrusted-URL blocking, action allowlists). A bad answer is "that doesn't happen with our system." It happens with every system.

  5. V
    What's the incident response process if I find a problem?

    How fast can you disable it from your side, and how fast can they respond from theirs?

The bottom line

AI agents are software workers with permissions, memory, and authority to act. Treat them the way you'd treat a new hire — with a defined scope, restricted access, weekly performance review, and a clear path to terminate the engagement. The companies that build this discipline now, before they have ten agents in production, will not have to retrofit it under pressure when something inevitably goes wrong.

This is the unglamorous part of AI. It's also the part that decides whether your AI program looks great in 24 months or becomes a board-level conversation about what went wrong.

Build agents with safety controls from day one

Book a 30-minute call

Every Dyntyx agent ships with scoped permissions, audit logs, and a kill switch already in place. We can walk you through what good governance looks like at your scale.

Schedule the call →

30 minutes. No pitch.

Tell us where your team is losing time. We'll tell you honestly — whether AI can help, and if so, what we'd build first.

Book your strategy call