Zombie AI Agent
An agent spun up for a project (often a proof-of-concept), still running and authenticated long after the project ended, holding API keys and access nobody is monitoring anymore. Coined by Martin Keen in Five AI Risks That Can Get You Fired (IBM Technology).
"Someone spins up an agent for, let's say, a proof of concept, and then the project ends. But the agent is still running, it's still authenticated. It's still maybe holding some API keys that everyone has kind of forgotten about by now. And now this zombie AI agent is an unmonitored backdoor into organization systems."
Why this happens
Agent creation is now cheap (cheap LLMs + low-code platforms + MCP connectors). Agent deactivation is high-friction by comparison — no one wakes up to decommission an agent the way they decommission a server. The half-life problem is structural, not behavioral.
Two distinct failure modes
- Active harm path — the zombie agent is exploited (e.g. via Prompt Injection or a compromised dependency) and uses its old privileges to exfiltrate data or take action
- Compliance path — the agent acts autonomously in violation of policy (e.g. on data it should no longer be touching, or under a regulatory regime that didn't exist when it was authorized)
Both routes end with accountability landing on the person who originally spun the agent up, and on the IT team that had no visibility into it.
Connection to Shadow AI / agentic sprawl
This is the security-sharp version of the agentic sprawl observation from Shadow AI:
- Cvent's data point (Governing AI Agents at Scale (Glean + Cvent, CXOTalk)): of 6,000 created agents, ~1,300 are actively used → ~4,700 inactive
- Keen's framing: those 4,700 inactive aren't dormant — they're running and authenticated, just no one is using them. From a security standpoint, that's worse than dormant.
The Glean/Cvent governance answer is the task catalog (AWARE Framework observability pillar) — an inventory of every agent and what it does, queryable by legal/privacy/security. Without that, you can't even count your zombies, let alone kill them.
What "kill" looks like operationally
Not covered in depth in the source, but the implicit picture is:
- Per-agent identity tied to a project owner; ownership transfers explicitly or the agent suspends
- Time-bounded credentials that expire unless renewed (rotate API keys regularly)
- Activity-based heartbeat: if an agent hasn't been invoked in N days, suspend pending review
- Mandatory decommissioning step in any PoC closeout
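As an added illustration (not from the source talk or from any vendor's tooling), the four controls above as a triage pass over a task-catalog style inventory; the record fields, the 30-day heartbeat threshold and the sample agents are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Heartbeat threshold ("N days" above); 30 is an assumed value.
STALE_AFTER = timedelta(days=30)


@dataclass
class AgentRecord:
    """One row of a task-catalog style inventory (field names are assumptions)."""
    name: str
    owner: Optional[str]              # None: never assigned, or the owner has left
    project_active: bool              # False once the PoC has been closed out
    last_invoked: Optional[datetime]  # None: never invoked since creation
    credential_expires: datetime      # expiry of the key/token the agent holds


def triage(agent: AgentRecord, now: datetime) -> list:
    """Return the reasons this agent should be suspended pending review.

    Each check maps to one control above: owner binding, PoC closeout,
    activity heartbeat, time-bounded credentials. Empty list = all checks pass.
    """
    reasons = []
    if agent.owner is None:
        reasons.append("no accountable owner")
    if not agent.project_active:
        reasons.append("project closed without decommissioning")
    if agent.last_invoked is None or now - agent.last_invoked > STALE_AFTER:
        reasons.append(f"no invocation in {STALE_AFTER.days} days")
    if agent.credential_expires <= now:
        reasons.append("credential past expiry but still provisioned")
    return reasons


def find_zombies(inventory, now):
    """Map agent name -> reasons, for every agent failing at least one check."""
    return {a.name: r for a in inventory if (r := triage(a, now))}


# Constructed sample inventory and a fixed "now" so the run is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    AgentRecord("invoice-poc", None, False, NOW - timedelta(days=90), NOW + timedelta(days=200)),
    AgentRecord("support-triage", "alice", True, NOW - timedelta(days=2), NOW + timedelta(days=60)),
    AgentRecord("data-migration", "bob", True, None, NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for name, reasons in find_zombies(SAMPLE_INVENTORY, NOW).items():
        print(f"SUSPEND {name}: {'; '.join(reasons)}")
```

Suspension is the safe default because it keeps the agent's state for review while cutting the live credential; deletion can follow once the owner or decommissioning step confirms nothing depends on it.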
Worth a follow-up source if any vendor or framework names a concrete playbook here. Currently single-source.