Germany’s BSI (Bundesamt für Sicherheit in der Informationstechnik) has declared 2026 the “Year of Attack Surface Management,” and AI agents are the reason the declaration was necessary. The agency’s latest threat report documented 119 new vulnerabilities per day, a 24% year-over-year increase, and singled out autonomous AI agents as the threat vector that existing defenses are least prepared to handle. Nearly half (48%) of cybersecurity professionals in a Dark Reading survey agree: agentic AI is the top attack vector heading into 2026, beating deepfakes, board-level awareness gaps, and passwordless adoption.
This is not the same message as BSI pushing governance rules for AI agents. This is BSI saying that AI agents, by their nature, create attack surfaces that most organizations cannot even see, let alone defend.
Why BSI Singled Out AI Agents Specifically
The BSI distinguishes AI agents from ordinary software because agents act autonomously, chain actions across systems, and create what security researchers call non-human identities (NHIs). A traditional application calls an API with fixed parameters. An AI agent decides which APIs to call, composes multi-step workflows on the fly, and accesses data stores it was never explicitly programmed to reach.
That autonomy creates three attack surface categories that existing security tools were not built to monitor.
Credential and Token Sprawl
Every AI agent needs API keys, OAuth tokens, or service account credentials. Kiteworks’ 2026 analysis found that non-human identities outnumber human users by 10:1 to 100:1 in typical enterprise environments. When agents proliferate, credential sprawl follows. Attackers who compromise a single agent token can pivot across every system that agent has access to.
Security-insider.de reports that automated token theft is emerging as a primary attack method in 2026: AI-steered malware extracts active session tokens from browsers and steals high-value tokens before they expire. Multi-factor authentication alone no longer stops this. BSI’s position is that hardware-based authentication and Zero Trust browser architectures are becoming mandatory.
Dynamic Infrastructure That Defies Inventory
Traditional attack surface management assumes you can enumerate your assets. AI agents break that assumption. They spin up temporary connections, access APIs dynamically, and interact with services that no human administrator explicitly configured. BSI’s attack surface monitoring page emphasizes the need for continuous, automated surface discovery because static asset inventories miss what agents create.
Germany’s web-reachable attack surface alone comprises 13.2 million .de domains. When AI agents add ephemeral API connections and dynamic tool integrations on top of that, the effective surface becomes unmappable by manual methods.
Agent-to-Agent Attack Chains
The risk compounds when agents interact with other agents. All-about-security.de documented how attackers can infiltrate agent orchestrations to manipulate transactions, extract data, or trigger extortion scenarios. An attacker who compromises one agent in a multi-agent pipeline does not just own that agent; they own every downstream system the pipeline touches. Gartner projects that 40% of enterprise applications will embed task-specific AI agents by 2026, up from less than 5% in 2025. Each integration point is another link in a potential attack chain.
The German Numbers That Make This Urgent
BSI’s warnings carry extra weight because Germany’s threat landscape is already severe. The Bitkom Economic Protection Study 2025 found that 81% of German companies were affected by data theft, industrial espionage, or sabotage. Germany ranks fourth globally for cyberattacks and is the most-targeted country in the EU, with companies facing an average of 1,223 attacks per week, a 14% year-over-year increase according to Cyble’s analysis.
BSI President Claudia Plattner summarized the agency’s stance: “Wer seine Angriffsflächen nicht schützt, wird Opfer.” Those who do not protect their attack surfaces become victims.
For SMEs, the numbers are worse. BSI specifically flagged small and medium enterprises as “too easily attackable.” They adopt AI agents to stay competitive but lack the security teams to monitor what those agents do. The result is exactly the uncontrolled attack surface expansion BSI is warning about.
Where AI Agent Risks Meet NIS2 and EU AI Act
This is not just a technical problem. It is a regulatory one. NIS2 is already in force in Germany, requiring critical infrastructure operators and “important entities” to implement continuous attack surface management. The EU AI Act’s high-risk provisions arrive in August 2026. AI agents that operate in regulated sectors (finance, healthcare, critical infrastructure) will face compliance requirements from both frameworks simultaneously.
BSI is positioning attack surface management for AI agents as the intersection of these two regulatory mandates. If an organization cannot inventory its AI agents, document their permissions, and monitor their behavior, it will likely fail both NIS2 audits and EU AI Act conformity assessments.
What BSI Expects Organizations to Do
BSI’s “Year of Attack Surface Management” framework translates into specific actions for organizations running AI agents.
Map Every Agent as an Asset
Every AI agent in production needs to appear in the organization’s asset inventory with the same rigor as a server or cloud instance. That means documenting which APIs each agent accesses, what credentials it holds, what data it can read and write, and what other systems it triggers. Kiteworks found that 63% of organizations cannot enforce purpose limitations on their AI agents and 60% cannot terminate misbehaving agents quickly. Both of those gaps start with not knowing what agents exist and what they can do.
Monitor Agent Behavior Continuously
Static security reviews do not work for autonomous systems. BSI’s guidance emphasizes continuous monitoring: logging every action, flagging deviations from expected behavior, and maintaining the ability to kill an agent mid-execution if something goes wrong. The BSI-ANSSI joint Zero Trust framework for LLM systems provides the architectural template.
Treat Agent Credentials Like Privileged Accounts
Agent API keys and tokens need the same lifecycle management as admin passwords: automatic rotation, just-in-time provisioning, and revocation on decommission. BSI’s warning about token theft makes this non-negotiable. If your agents use long-lived API keys stored in environment variables, attackers will find them.
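One way to check an agent inventory against the asset-mapping and credential-lifecycle points above. This is an added example, not BSI or Kiteworks code; the record fields, the 30-day lifetime limit, the finding names and the sample agents are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_LIFETIME = timedelta(days=30)  # assumed rotation policy, not a BSI figure

@dataclass
class Credential:
    kind: str                       # "api_key", "oauth_token", ...
    storage: str                    # "env_var", "vault", ...
    issued_at: datetime
    expires_at: Optional[datetime]  # None means the credential never expires
    scopes: frozenset

@dataclass
class Agent:
    name: str
    owner: Optional[str]            # accountable human or team
    declared_apis: frozenset        # what the inventory says the agent may reach
    credentials: list = field(default_factory=list)
    decommissioned: bool = False

def audit(agent: Agent) -> list:
    """Return inventory findings for one agent record."""
    findings = []
    if not agent.owner:
        findings.append("no-owner")
    for cred in agent.credentials:
        if agent.decommissioned:    # any surviving credential should have been revoked
            findings.append("not-revoked-on-decommission")
            continue
        if cred.expires_at is None or cred.expires_at - cred.issued_at > MAX_LIFETIME:
            findings.append("long-lived-credential")
        if cred.storage == "env_var":
            findings.append("secret-in-env-var")
        excess = cred.scopes - agent.declared_apis
        if excess:                  # token can do more than the inventory documents
            findings.append("undeclared-scope:" + ",".join(sorted(excess)))
    return findings

# Constructed sample inventory (hypothetical agents, not real systems).
T0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
INVENTORY = [
    Agent("invoice-bot", "finance-ops", frozenset({"erp.read"}),
          [Credential("oauth_token", "vault", T0, T0 + timedelta(hours=1), frozenset({"erp.read"}))]),
    Agent("crm-sync", None, frozenset({"crm.read"}),
          [Credential("api_key", "env_var", T0, None, frozenset({"crm.read", "crm.write"}))]),
    Agent("old-scraper", "web-team", frozenset(),
          [Credential("api_key", "vault", T0, T0 + timedelta(days=7), frozenset())], decommissioned=True),
]
REPORT = {agent.name: audit(agent) for agent in INVENTORY}
```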
Require Human Approval for Blast-Radius Actions
BSI’s consistent position is that critical decisions require human oversight. For AI agents, that means approval gates before actions that could affect production systems, exfiltrate data, modify security configurations, or escalate permissions across system boundaries.
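A sketch of how continuous monitoring, a kill switch and an approval gate can sit in front of an agent's actions. This is an added example, not code from BSI or the BSI-ANSSI framework; the action names, the deviation threshold, the `approver` hook and the sample trace are assumptions.

```python
import json
from dataclasses import dataclass, field
from typing import Callable

# Assumed action categories for the four blast-radius cases named in the text.
BLAST_RADIUS = {"prod.change", "data.export", "security.config", "iam.escalate"}

@dataclass
class AgentGuard:
    agent: str
    expected: set                                # actions in the agent's normal profile
    approver: Callable[[str, str, str], bool]    # human approval hook (hypothetical)
    max_deviations: int = 2                      # assumed threshold before the kill switch trips
    deviations: int = 0
    killed: bool = False
    log: list = field(default_factory=list)

    def request(self, action: str, target: str) -> str:
        """Decide on one action and record it, whatever the outcome."""
        decision = self._decide(action, target)
        self.log.append(json.dumps({"agent": self.agent, "action": action,
                                    "target": target, "decision": decision}))
        return decision

    def _decide(self, action: str, target: str) -> str:
        if self.killed:
            return "blocked:killed"
        if action in BLAST_RADIUS:               # approval gate
            ok = self.approver(self.agent, action, target)
            return "allowed:approved" if ok else "blocked:denied"
        if action not in self.expected:          # deviation from expected behavior
            self.deviations += 1
            if self.deviations >= self.max_deviations:
                self.killed = True               # stop the agent mid-execution
                return "blocked:killed"
            return "blocked:deviation"
        return "allowed"

def replay(trace, approver):
    """Run a list of (action, target) pairs through a fresh guard."""
    guard = AgentGuard("crm-sync", {"crm.read", "crm.write"}, approver)
    return [guard.request(a, t) for a, t in trace], guard

# Constructed trace (hypothetical agent and targets); the approver denies everything.
TRACE = [("crm.read", "accounts"), ("data.export", "accounts"),
         ("files.read", "hr-share"), ("dns.update", "corp-zone"),
         ("crm.read", "accounts")]
DECISIONS, GUARD = replay(TRACE, approver=lambda agent, action, target: False)
```

Once the guard is killed, even actions inside the normal profile are refused, and every request still lands in the log for later review.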
Frequently Asked Questions
What did the BSI warn about AI agents in 2026?
Germany’s BSI declared 2026 the “Year of Attack Surface Management” and singled out AI agents as the fastest-growing attack surface in enterprise IT. The agency warned that autonomous agents create non-human identities, dynamic infrastructure, and agent-to-agent attack chains that traditional security tools cannot monitor.
Why are AI agents considered a new attack surface?
AI agents act autonomously, chain actions across systems, and require their own API keys and credentials (non-human identities). They create dynamic connections that do not appear in static asset inventories, and when they interact with other agents, a single compromise can cascade across entire pipelines.
How does the BSI AI agent warning relate to NIS2 and the EU AI Act?
NIS2 requires continuous attack surface management for critical infrastructure operators in Germany. The EU AI Act’s high-risk provisions (August 2026) add compliance requirements for AI agents in regulated sectors. BSI positions attack surface management as the framework that satisfies both regulatory mandates simultaneously.
What should German companies do to secure their AI agents?
BSI recommends mapping every AI agent as a formal asset, monitoring agent behavior continuously, treating agent credentials like privileged accounts with automatic rotation, and requiring human approval for high-impact actions. Organizations that cannot inventory their agents will likely fail NIS2 and EU AI Act audits.
How big is Germany’s cyber threat landscape in 2026?
Germany is the most-targeted country in the EU. BSI documented 119 new vulnerabilities per day (a 24% year-over-year increase), Bitkom found that 81% of German companies were affected by data theft, industrial espionage, or sabotage, and companies face an average of 1,223 attacks per week. SMEs are flagged as particularly vulnerable.
