The shift from human-to-human commerce to agent-mediated commerce is already happening. Most organizations have no processes, training, or governance for it.
I had a conversation with a financial services executive a couple of weeks ago who had given a talk on the risks of AI voice agents (agents that can hold real-time, natural conversations over phone calls). His insight was that people and/or businesses can use a voice agent to make a call, negotiate a bill/fee, or even socially engineer a victim. His concern, though, was that most businesses don’t have a playbook (governance, processes, and training) to handle it.
For example, an AI agent calls your customer service line. Not a human, but an agent acting on behalf of a customer: navigating your IVR, authenticating with the customer's credentials, requesting a service change. Your rep picks up.
Now what?
Does your rep know they're talking to an AI? Does your policy say anything about AI-initiated service requests? Is the authentication that passed your IVR sufficient to authorize the request the agent is making? If the agent provides incorrect information (AI agents make errors, overshare, and overcommit), who is liable for the outcome?
Are business leaders and executives ready to handle and manage this? The answer is almost always the same: "We haven't gotten there yet." Plenty of businesses have focused on deploying agents to receive calls from customers, but few have prepared for the day their customers, partners, or competitors use agents to call them.
This article is the first of a two-part series, accompanied by a video discussion. It was prompted by my building a voice agent in about 15 minutes that could autonomously execute vishing (voice phishing) calls, usable for awareness training or for actual cybercrime.
The scale of what's coming is hard to overstate. According to reporting from TechCrunch, Cloudflare's CEO recently warned that bot traffic could outpace human traffic online as early as 2027. Already, 37% of active AI users start their searches with AI tools instead of Google (Eight Oh Two, 2026 AI + Search Behavior Study). Interestingly enough, a prospective customer reached out to Reveal Risk about deepfake simulated attacks because Microsoft Copilot told them we were one of the best options in the industry (thanks, Microsoft!). The shift from human-to-human commerce to agent-mediated commerce is not a future-state planning exercise. There is some poetic justice in it, too: after years of businesses forcing customers to navigate an AI-operated phone tree for 45 minutes, the tables were bound to turn.
According to the Splunk 2026 CISO Report, 96% of CISOs have been assigned AI governance and risk management responsibilities, typically with no corresponding increase in headcount or budget. Many CISOs and IT leaders are still struggling with basic AI governance processes, let alone business-facing operational procedures on how to handle inbound agents.
The threats (both cyber and operational business process threats) are scaling faster than the governance, processes, and training for our employees. That gap is what this article is about.
As we mentioned, AI agents are already calling into customer service lines on behalf of consumers: negotiating rates, requesting account changes, processing enrollments, handling transactions, all without a human on the originating end.
For most organizations, the controls in this environment were designed for human callers. The behavioral signals that validate a legitimate interaction (how someone navigates an IVR, the device fingerprint, the typing pattern, the IP correlation, the authentication factors designed for a person sitting at a keyboard) disappear when an agent calls in. The agent authenticates, but the surrounding context that fraud detection relies on is absent or anomalous. Note the asymmetry: a successful authentication tells you the caller holds valid credentials, not that the entity holding them is the customer, or is acting within what the customer intended.
Your call center staff likely don't have policies and processes for this. Your fraud team doesn't have detection logic for it. Your IT team doesn't have authentication standards for it. Your legal team hasn't answered the liability question for what happens when an agent commits your organization to something it shouldn't have.
The call center is where the challenge is most immediately visible. But it's far from the only channel exposed.
Most organizations can't answer a basic question: where could an AI agent interact with our business right now, on behalf of a customer, a vendor, a partner, or an adversary?
When you actually map it, the answer is almost always longer than anyone expected.
In every one of these channels, there is either an agent already interacting with your systems or the infrastructure exists for one to do so with minimal friction.
Per Salt Security's 1H 2026 report, 48.9% of organizations are entirely blind to what their AI agents are doing, and only 23.5% say their legacy security tools are effective.
The CISO doesn't own fraud operations. The fraud team doesn't own identity governance. Legal doesn't own technical controls. The business units deploying AI agents don't think of themselves as creating a security problem. They think they're building a better customer experience or satisfying executive FOMO by using AI to reduce opex and keep up with the Joneses. That’s how speed, combined with a lack of cross-functional governance and coordination, turns great ideas into risk and setbacks. If we further break down some of the typical roles and responsibilities:
Cyber owns: agent identity and authentication architecture; access governance defining what agents can touch and what requires human approval; detection and monitoring for anomalous agent behavior; API security across every channel; security requirements in vendor and tool selection; incident response when an agent misbehaves; and the policy framework defining what agents are authorized to do.
Business process owners own: the channel inventory, a complete map of every place an agent could interact with the business; workflow approval for AI-initiated actions carrying financial or legal consequence; operational training for teams that will encounter agents; and escalation protocols when agent outputs require human review.
Legal and compliance own: vendor contracts addressing agent liability; terms of service contemplating AI-initiated transactions; state-by-state regulatory monitoring as AI disclosure requirements proliferate; and the liability question when an agent makes an error that harms a customer or counterparty.
Senior leadership owns: the policy decision on whether and how the organization will operate in an agentic world. This is not a technical decision. It belongs at the executive table.
Every organization I've worked with that was blindsided by an emerging technology risk had the same problem: single ownership, or no ownership, for something that required a coalition. Build the working group before the incident forces you to.
I hear a lot of misplaced confidence that existing cyber controls, audits, attestations, and certifications cover this. They don't.
Regulatory and standards development moves on a 3-5 year cycle. The threat is moving on a 3-5 month cycle. The gap between those timelines is where your actual risk lives.
This is not a reason to wait. Regulatory and control frameworks are not, and never will be, the north star; they cannot keep up. It's a reason to start building governance and processes now, so that when the frameworks catch up, you have something to show.
All CISOs are trying to stay up to speed, relevant, and in tune with AI needs across their company. However, most don’t feel like they have a full grasp. Visibility is difficult if there isn’t an inventory. And most companies struggle with standard system inventories, let alone AI use case inventories. Other CISOs complain that they’re not even at the adult table, and that’s a whole separate problem.
The same lesson that applies to a CMDB applies here: you cannot govern what you cannot see. Audit your channels. Inventory your inbound API traffic. Map your vendors' AI capabilities. EY's survey data shows this is a production problem, not a hypothetical one: 80% of organizations have already documented risky agent behaviors they weren't looking for.
Identity and access management principles apply directly to agent governance: least privilege, need-to-know, lifecycle management, and deprovisioning. Zero-trust architecture applies too: never assume an agent is authorized just because it presents valid credentials; verify identity, intent, and scope at every interaction, and route actions with financial or legal consequence to a human. You don't need a new framework to start. You need to extend the ones you already have to explicitly cover non-human identities. Inventorying those identities is a parallel problem, often even tougher than the AI use case inventory, because so many of them belong to third-party tools running in the cloud.
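The paragraph above lists principles; the following is an added example (not code from the article or from Reveal Risk) of what they look like as an authorization gate in front of agent-initiated requests. It keeps a small agent identity registry, treats a valid credential as necessary but never sufficient, checks lifecycle state, principal, and least-privilege scope on every request, escalates consequential actions to a human, and writes every decision to an audit log. All agent names, scopes, account numbers, and the dollar threshold are constructed for illustration.

```python
"""Added example, not part of the article: a minimal authorization gate for
agent-initiated requests that applies the IAM and zero-trust principles in
the text (registry, least privilege, lifecycle, verify scope per request,
audit trail). Every agent name, scope, account and threshold is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    HUMAN_APPROVAL = "human_approval"   # escalate to a human reviewer
    DENY = "deny"


@dataclass(frozen=True)
class AgentIdentity:
    """Registry entry: who runs the agent, whose account it acts for, and
    the least-privilege set of actions it may take."""
    agent_id: str
    operator: str
    principal: str
    scopes: frozenset
    active: bool = True   # lifecycle: deprovisioned agents are denied, not deleted


@dataclass(frozen=True)
class AgentRequest:
    agent_id: str
    credential_ok: bool   # outcome of the IVR/API authentication step
    principal: str        # account the request targets
    action: str
    amount: float = 0.0


# Constructed registry; a real one would be backed by the IAM/NHI system.
REGISTRY = {
    "agent-billbot-001": AgentIdentity(
        agent_id="agent-billbot-001",
        operator="ConsumerBillBot (constructed vendor)",
        principal="acct-1001",
        scopes=frozenset({"view_balance", "request_rate_review", "update_contact"}),
    ),
    "agent-retired-002": AgentIdentity(
        agent_id="agent-retired-002",
        operator="OldTool (constructed vendor)",
        principal="acct-2002",
        scopes=frozenset({"view_balance"}),
        active=False,
    ),
}

# Actions with financial or legal consequence always get a human in the
# loop, as does any request above a constructed dollar threshold.
HUMAN_REVIEW_ACTIONS = frozenset({"change_beneficiary", "close_account"})
HUMAN_REVIEW_AMOUNT = 500.0

AUDIT_LOG = []   # append-only record of every decision, allow or deny


def _record(req, decision, reason):
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent_id": req.agent_id,
        "principal": req.principal,
        "action": req.action,
        "amount": req.amount,
        "decision": decision.value,
        "reason": reason,
    })
    return decision, reason


def authorize(req, registry=REGISTRY):
    """Decide an agent-initiated request. A valid credential is necessary
    but never sufficient: identity, lifecycle, principal and scope are
    checked on every call, and consequential actions go to a human."""
    if not req.credential_ok:
        return _record(req, Decision.DENY, "authentication failed")
    ident = registry.get(req.agent_id)
    if ident is None:
        return _record(req, Decision.DENY, "agent not in registry")
    if not ident.active:
        return _record(req, Decision.DENY, "agent deprovisioned")
    if req.principal != ident.principal:
        return _record(req, Decision.DENY, "acting outside registered principal")
    if req.action not in ident.scopes:
        return _record(req, Decision.DENY, f"action {req.action!r} outside scope")
    if req.action in HUMAN_REVIEW_ACTIONS or req.amount > HUMAN_REVIEW_AMOUNT:
        return _record(req, Decision.HUMAN_APPROVAL, "consequential action, human review required")
    return _record(req, Decision.ALLOW, "in scope")


if __name__ == "__main__":
    for r in [
        AgentRequest("agent-billbot-001", True, "acct-1001", "view_balance"),
        AgentRequest("agent-billbot-001", True, "acct-1001", "request_rate_review", 1200.0),
        AgentRequest("agent-billbot-001", True, "acct-1001", "close_account"),
        AgentRequest("agent-billbot-001", True, "acct-9999", "view_balance"),
        AgentRequest("agent-retired-002", True, "acct-2002", "view_balance"),
        AgentRequest("agent-unknown-003", True, "acct-1001", "view_balance"),
    ]:
        print(r.agent_id, r.action, *authorize(r))
```

The order of the checks is the point: an unregistered or deprovisioned agent with perfectly valid customer credentials is still denied, a registered agent reaching for an account it was never scoped to is denied before scope is even considered, and an in-scope but consequential request never completes without a human. The audit log records denials as well as approvals, which is what makes the registry and policy defensible to an auditor or regulator later.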
The CISO who shows up with a clear articulation of which channels are exposed to agentic risk, what the financial and legal consequence of a governance failure looks like, and what a defensible risk tolerance position is: that is the CISO who earns strategic authority. The agentic risk conversation is a business risk conversation. We need to lead it that way.
When frameworks catch up (if they ever do), the organizations that built agent identity registries, documented authorization policies, and maintained audit trails of agent actions will have a straightforward path to attestation. The ability to tell a regulator "here is our agent governance framework, here is what agents are authorized to do, and here is our audit log" will be a materially competitive differentiator within two to three years.
Shifting to the cyber risk and crime side of the voice agent challenge: there is no confirmed public case of a fully autonomous AI agent independently carrying out fraud without human direction and producing a named enforcement action. That distinction is important and worth being precise about.
What exists is the first enforcement action in healthcare to explicitly address AI-facilitated misconduct. In August 2025, Troy Health, Inc., a North Carolina-based Medicare Advantage provider, entered a non-prosecution agreement with the DOJ after admitting to using AI and automation software to fraudulently enroll over 2,700 Medicare beneficiaries without their consent during a single open enrollment period, with 300 enrollments processed in a single day at one-minute intervals (DOJ, Troy Health non-prosecution agreement, August 2025). This was humans using AI as a tool to scale fraud, not an autonomous agent acting independently. DOJ prosecutors described it as the first healthcare enforcement action involving AI-facilitated misconduct and the first resolution to explicitly flag AI governance as an evaluation factor.
The framework is ready. The precedent is set.
Sumsub's 2025-2026 Identity Fraud Report documents that AI fraud agents combining generative AI, automation frameworks, and reinforcement learning to create synthetic identities and interact with verification systems in real time are already operational in organized fraud networks, and projects they could become mainstream within 18 months. We don't know whether an agentic AI system has already committed fraud or caused material harm without detection. What we know is that detection capability doesn't yet exist at most organizations.
The question isn't whether this will happen. It's whether your organization will find out through an incident, an audit, or a whistleblower filing.
The cost of launching a sophisticated, automated, persistent attack is collapsing. As AI models become more capable and accessible, the math on who is a viable target changes fundamentally. It's no longer about whether you're a rich enough prize to justify an attacker's investment. If the investment approaches zero, you're a viable target if you're profitable at all.
The organizations that build agentic governance now will define the standards that everyone else follows later. That window is open. It won't stay open for long.
If you want to understand where your organization stands, or how we might be able to help, reach out at info@revealrisk.com.
Part 2 of this series focuses on the pharma, life sciences, and health insurance sectors, where the stakes are higher, and several of these threats have already arrived.
The Risk Realist is published by Aaron Pritz, CEO of Reveal Risk, a boutique cybersecurity consulting firm serving pharma, biotech, healthcare, and other regulated industries. Subscribe on LinkedIn