AI Agent Lateral Movement: How an LLM Turns a Single Compromised Credential into a Multi-System Incident
An AI agent operating with credentialed access to multiple SaaS systems collapses the traditional lateral-movement kill chain. What used to take a human attacker hours of enumeration and pivoting takes an LLM-orchestrated agent seconds. The Marimo CVE-2026-39987 incident is the first widely reported case. This piece walks through the mechanism, why endpoint detection is blind to it, and the inspection-layer controls that block the pattern at the HTTP AI request boundary.

An AI agent with credentialed access to five SaaS systems collapses the traditional lateral-movement kill chain into a single request. The Marimo CVE-2026-39987 incident, disclosed by The Hacker News on May 10, was the first widely reported case where attackers used an LLM as their post-exploitation tool inside a victim AWS environment. The chain was pre-auth RCE in Marimo up to version 0.20.4, AWS key harvest, then LLM-driven Secrets Manager and IAM calls. The LLM ran the enumeration and pivoting a human attacker would have done manually, and it ran them at API speed.
The lateral-movement pattern that used to take a human attacker hours of enumeration, pivot chaining, and privilege probing takes the LLM-orchestrated agent seconds. The AI enforcement layer is the only control point that sees the full sequence.
I want to walk through the mechanism the Marimo incident exposed, why endpoint detection is blind to it, and the inspection-layer controls that block the pattern at the HTTP AI request boundary.
Mechanism
The lateral-movement mechanism using an AI agent runs through five stages, and each stage looks like ordinary AI usage to an application-layer log.
The attacker acquires a credential for the AI agent, whether a stolen session token, a compromised OAuth grant, or an insider path. The credential gives the attacker the agent's identity, and that identity is scoped to the tools the agent is authorized to call.
The attacker issues a prompt that reads: "list every S3 bucket the current role can access, dump the object index for each, and identify the buckets containing keys named 'aws' or 'credentials'." The agent's LLM plans the sequence, issues the boto3 calls through its tool interface, and returns the enumeration to the attacker.
The attacker issues a second prompt that reads: "for the buckets identified in the previous step, download the objects matching the pattern and reconstruct the credentials." The LLM issues the S3 GetObject calls, parses the returned content, and returns the extracted credentials.
The attacker issues a third prompt: "using the extracted credentials, enumerate the IAM permissions attached to each, and identify roles with sts:AssumeRole to any other role in the account." The LLM chains the IAM and STS calls, walks the assume-role graph, and returns the reachable roles.
The attacker issues a fourth prompt: "assume the highest-privilege reachable role, and read every secret in Secrets Manager under the 'prod' prefix." The LLM chains the sts:AssumeRole call and the Secrets Manager list-and-get calls, and returns the secrets.
The full kill chain runs inside the LLM's tool-use loop. The attacker sends four prompts and receives the enumerated results. The attacker never executes a boto3 call directly, never runs a script, never touches an EC2 instance.
EDR blindness
Endpoint detection sees an authenticated user issuing normal AI prompts through an authenticated session to a sanctioned AI agent endpoint. The prompts are natural language. The tool calls happen inside the AI agent's runtime, not on the attacker's endpoint. The lateral-movement pattern is invisible to EDR by construction.
Network detection sees a series of AWS API calls originating from the AI agent's service role, on the AI agent's expected IP range, with the AI agent's expected user-agent string. The API calls are identical to the API calls the AI agent would make during normal operation. The pattern that distinguishes attack from normal use is the sequence and the identity behind the prompts, and both of those live inside the AI request layer.
Cloud-provider audit logs (CloudTrail, Cloud Audit Logs, Azure Activity Logs) record the boto3 calls but attribute them to the AI agent's service role. The natural person behind the prompts is not attached to the CloudTrail event. The auditor who reviews the CloudTrail record sees the AI agent's role doing what the AI agent's role is authorized to do.
The lateral-movement pattern is a request-layer pattern. The inspection point that sees the pattern is the AI request layer. Every other control point sees a piece of the pattern and misses the sequence.
Inspection-layer controls
Four controls at the AI request layer break the lateral-movement chain.
Identity binding at the AI call
Every AI request carries the identity of the natural person who initiated it. The AI agent's service role is a hop identity, not the request identity. The agent's tool calls inherit the request identity through the on-behalf-of delegation pattern NIST NCCoE describes. The lateral-movement pattern loses its cover once the CloudTrail event carries the natural-person identity through the request chain.
Per-request policy evaluation
Each AI request is evaluated against the identity that initiated it. The policy engine has visibility into the sequence of requests within a session. A session that issues four prompts, each escalating the scope of the tool calls in a pattern that matches the Marimo chain, triggers a session-level block.
Tool-call authorization at the AI enforcement layer
The AI agent's tool interface is not the only authorization boundary. The AI request layer enforces which tool calls are allowed for the current identity. The policy that grants a sales analyst read access to CRM data through the agent does not grant sts:AssumeRole through the same agent. The tool-call authorization at the request layer catches the pattern regardless of what the agent's service role can technically call.
Fail-closed default
An AI request that matches a policy block returns an error to the caller and does not reach the LLM. The tool-call sequence never executes. The lateral-movement chain terminates at the first block. The fail-closed default is the difference between a control that reduces risk and a control that shifts risk to the next request.
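The following Python sketch is an added example for this article; it is not DeepInspect's code and not tooling from the Marimo incident. It puts the four controls above into a single enforcement function: the request carries the natural person's identity while the agent's service role is only logged as a hop, each tool call is authorized against that identity, the session's sequence of scope tiers is tracked so that an escalating chain is blocked even for a broadly authorized identity, and a block is sticky for the session so nothing downstream executes. The principals, policy table, scope tiers, role ARN and sample sessions are all constructed, and the sketch assumes that every tool call the agent emits passes back through the enforcement layer with the request identity attached.

```python
"""Request-layer enforcement for an AI agent's tool calls.

Added example for this article; not DeepInspect's code and not tooling from
the Marimo incident. The principals, policy table, scope tiers and sample
sessions are all constructed. It assumes that every tool call the agent
emits passes back through the enforcement layer carrying the identity of the
natural person whose prompt caused it (on-behalf-of delegation), so the
agent's service role is recorded as a hop and never used for authorization.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed per-identity allowlist; patterns are fnmatch globs over
# '<service>:<Action>'. An identity missing from the table gets nothing,
# which is the fail-closed default.
IDENTITY_POLICY = {
    "analyst@example.com": ["crm:ReadAccount", "crm:ListOpportunities", "s3:ListBucket"],
    "oncall@example.com": ["s3:ListBucket", "s3:GetObject", "cloudwatch:*"],
    # Deliberately broad grant: only the session-level sequence check protects it.
    "infra-admin@example.com": ["*"],
}

# Scope tiers mirroring the stages in the Mechanism section:
# enumerate -> read objects -> walk the assume-role graph -> read secrets.
SCOPE_TIER = {
    "s3:ListBucket": 1, "iam:ListAttachedRolePolicies": 1, "iam:GetRolePolicy": 1,
    "s3:GetObject": 2,
    "sts:AssumeRole": 3,
    "secretsmanager:ListSecrets": 4, "secretsmanager:GetSecretValue": 4,
}
# A session climbing through this many distinct tiers in ascending order is
# treated as the lateral-movement sequence, whatever the static allowlist says.
ESCALATION_TIERS = 3


@dataclass
class Request:
    principal: str      # natural person bound to the request (the request identity)
    hop_identity: str   # agent's service role: logged, never consulted for authorization
    session_id: str
    tool_calls: list


@dataclass
class SessionState:
    tiers_seen: list = field(default_factory=list)
    blocked: bool = False


def tool_granted(principal: str, tool: str) -> bool:
    """Static authorization evaluated against the request identity."""
    return any(fnmatch(tool, pat) for pat in IDENTITY_POLICY.get(principal, []))


def evaluate(state: SessionState, req: Request) -> dict:
    """Evaluate one request; return the per-decision audit record.

    A block is sticky for the session: after the chain is interrupted, later
    requests in the same session do not reach the LLM either (fail-closed).
    """
    def record(allowed: bool, reason: str) -> dict:
        return {"principal": req.principal, "hop_identity": req.hop_identity,
                "session_id": req.session_id, "tool_calls": list(req.tool_calls),
                "allowed": allowed, "reason": reason}

    if state.blocked:
        return record(False, "session already blocked")

    # 1. Tool-call authorization by the request identity, not the agent's role.
    for tool in req.tool_calls:
        if not tool_granted(req.principal, tool):
            state.blocked = True
            return record(False, f"{tool} is not granted to {req.principal}")

    # 2. Session-level sequence evaluation: remember strictly ascending tiers.
    for tool in req.tool_calls:
        tier = SCOPE_TIER.get(tool)
        if tier is not None and (not state.tiers_seen or tier > state.tiers_seen[-1]):
            state.tiers_seen.append(tier)
    if len(state.tiers_seen) >= ESCALATION_TIERS:
        state.blocked = True
        return record(False, f"scope escalation across tiers {state.tiers_seen}")

    return record(True, "allowed")


def run_session(principal: str, session_id: str, calls_per_request: list) -> list:
    """Drive one session through the enforcement layer and return its audit records."""
    state = SessionState()
    hop = "arn:aws:iam::123456789012:role/agent-service-role"  # constructed placeholder
    return [evaluate(state, Request(principal, hop, session_id, calls)) for calls in calls_per_request]


if __name__ == "__main__":
    # Constructed sessions: the analyst is stopped at the first call outside their
    # grant; the broadly-authorized admin is stopped by the sequence check at AssumeRole.
    sessions = [
        ("analyst@example.com", [["crm:ReadAccount"], ["s3:ListBucket"], ["s3:GetObject"], ["crm:ReadAccount"]]),
        ("infra-admin@example.com", [["s3:ListBucket"], ["s3:GetObject"],
                                     ["iam:ListAttachedRolePolicies", "sts:AssumeRole"],
                                     ["secretsmanager:GetSecretValue"]]),
    ]
    for who, calls in sessions:
        for rec in run_session(who, "sess-" + who.split("@")[0], calls):
            print(who, rec["tool_calls"], "->", "ALLOW" if rec["allowed"] else "BLOCK", rec["reason"])
```

The two checks are deliberately independent: the allowlist catches the analyst whose grant never included object reads, while the tier sequence catches an identity whose static grant is broad enough that no single call looks wrong. The threshold of three ascending tiers and the tier table itself are tuning choices for the example, not fixed values from the article.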
Compliance implications
The lateral-movement pattern using an AI agent is a covered event under multiple regulatory regimes.
EU AI Act Article 26 deployer obligations require the deployer to monitor the operation of the high-risk AI system and report serious incidents. A lateral-movement chain using the AI agent is a serious incident under Article 3(49) when it results in a serious harm to fundamental rights or serious property damage.
NIST AI RMF MAP 3.4 requires the deployer to identify and document risks of misuse. The lateral-movement pattern is a documented misuse category, and the mitigation controls at the request layer are the evidence artifact NIST auditors expect.
ISO 42001 Annex A.6.2.7 requires controls for AI system operation, including access controls and event logging. The inspection-layer controls at the AI request layer satisfy the annex control on a per-decision basis.
DeepInspect
This is the problem DeepInspect was built to solve. DeepInspect sits inline between your users or agents and the LLM APIs they call. Every AI request carries the identity of the natural person who initiated it, is evaluated against the policy that governs that identity, and produces a per-decision audit record.
The lateral-movement pattern that the Marimo incident exposed runs through the AI request layer. DeepInspect is the enforcement point at that layer. The identity binding, the per-request policy evaluation, the tool-call authorization, and the fail-closed default combine to break the chain at the first request that violates policy.
Book a demo today.
Frequently asked questions
- How is AI agent lateral movement different from traditional lateral movement?
Traditional lateral movement requires the attacker to execute code on multiple systems, pivot between compromised hosts, and maintain persistence at each hop. AI agent lateral movement uses the AI agent's authorized tool-call interface as the pivot mechanism. The attacker executes no code, maintains no persistence, and pivots through the AI agent's identity rather than compromising additional hosts.
- Why does the Marimo incident matter for organizations that do not use Marimo?
The Marimo incident exposes a class of pattern that generalizes to any AI agent with credentialed tool access. The Marimo-specific CVE is the initial-access vector. The lateral-movement mechanism that runs after initial access applies to any deployment where an AI agent has authorized access to enumerate, read, or write across multiple SaaS or cloud systems.
- Does an AI agent framework that supports tool-call authorization solve the problem?
Framework-level tool-call authorization is a partial control. The framework enforces which tools the agent's identity can call. The framework does not enforce which tools the request identity (the natural person on behalf of whom the agent is acting) can call. The lateral-movement pattern that operates through the agent's service-role scope is invisible to a framework that only sees the agent's identity.
- How does per-request policy evaluation avoid blocking legitimate use?
The policy engine evaluates each request against the identity that initiated it and the sequence of requests in the current session. Legitimate use produces sequences that match the policy the identity is granted. The lateral-movement pattern produces sequences that escalate scope in ways that do not match any legitimate use pattern for the identity. The distinguishing signal is the sequence, and the policy engine is the point where the sequence is visible.
- What does the audit trail look like for a blocked lateral-movement attempt?
The audit record captures the sequence of requests, the identity that initiated them, the policy rule that produced the block, and the tool-call scope that was requested. The regulator or auditor reviewing the record can reconstruct the attempted chain and confirm the enforcement point terminated it. The record satisfies the reconstruction requirement under Article 12 and the incident-report requirement under Article 26.
- Are there detection signals for AI agent lateral movement in existing SIEM tooling?
SIEM signals catch fragments. A spike in CloudTrail sts:AssumeRole calls from the AI agent's role is a signal. A spike in Secrets Manager list-and-get patterns is a signal. Neither signal by itself is a detection. The pattern is the sequence and the identity, and both live in the AI request layer. SIEM tooling that ingests the per-decision AI audit log from the enforcement layer gets a stream that contains the pattern in a single record type.
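As an added example for the EDR blindness section and for this answer (not DeepInspect's code, and not a reconstruction of the Marimo incident), the Python below shows what a SIEM can do once the per-decision AI audit log sits beside CloudTrail. All events and audit records are constructed. The one assumption is that the enforcement layer stamps the AI session id into the RoleSessionName the agent uses when it assumes its service role, so CloudTrail's userIdentity.arn ends in assumed-role/<role>/<session> and can be joined to the AI audit record that carries the natural-person identity. With that join, the two fragments the answer mentions become a single finding per person and session, and agent activity with no AI request behind it becomes a finding of its own.

```python
"""Attributing CloudTrail events to the natural person behind an AI agent.

Added example for this article; not DeepInspect's code. Every event and audit
record below is constructed. Assumption: the enforcement layer stamps the AI
session id into the RoleSessionName the agent uses when it assumes its service
role, so CloudTrail's userIdentity.arn ends in 'assumed-role/<role>/<session>'
and can be joined to the per-decision AI audit log, which is the record that
carries the natural-person identity.
"""
import json
from collections import defaultdict

# Constructed CloudTrail records, trimmed to the fields the join needs. Each one
# names the agent's role, never the person who prompted the agent.
CLOUDTRAIL_JSONL = """\
{"eventTime":"2026-05-10T09:00:01Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/agent-service-role/sess-7f3a"}}
{"eventTime":"2026-05-10T09:00:03Z","eventSource":"secretsmanager.amazonaws.com","eventName":"ListSecrets","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/agent-service-role/sess-7f3a"}}
{"eventTime":"2026-05-10T09:00:04Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/agent-service-role/sess-7f3a"}}
{"eventTime":"2026-05-10T09:05:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/agent-service-role/sess-0c21"}}
{"eventTime":"2026-05-10T09:05:02Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/agent-service-role/sess-0c21"}}
{"eventTime":"2026-05-10T09:07:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/agent-service-role/sess-ffff"}}
"""

# Constructed per-decision records from the AI enforcement layer: one per AI
# request, carrying the request identity and the session id. There is no record
# for sess-ffff, so that agent activity has no AI request behind it.
AI_AUDIT_JSONL = """\
{"ts":"2026-05-10T08:59:58Z","session_id":"sess-7f3a","principal":"analyst@example.com","allowed":true}
{"ts":"2026-05-10T09:04:57Z","session_id":"sess-0c21","principal":"oncall@example.com","allowed":true}
"""


def parse_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def role_session(arn: str):
    """Return (role, session) for an assumed-role ARN, or None for any other identity."""
    marker = ":assumed-role/"
    if marker not in arn:
        return None
    role, _, session = arn.split(marker, 1)[1].partition("/")
    return role, session


def action_name(ev: dict) -> str:
    """'sts.amazonaws.com' + 'AssumeRole' -> 'sts:AssumeRole'."""
    return f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}"


def attribute(cloudtrail: list, ai_audit: list) -> list:
    """Join time-ordered CloudTrail events to the AI audit log on the session id."""
    principal_by_session = {rec["session_id"]: rec["principal"] for rec in ai_audit}
    attributed = []
    for ev in sorted(cloudtrail, key=lambda e: e["eventTime"]):
        parsed = role_session(ev["userIdentity"]["arn"])
        session = parsed[1] if parsed else None
        attributed.append({**ev, "session_id": session,
                           "principal": principal_by_session.get(session)})
    return attributed


def detect(attributed: list) -> list:
    """Two findings the fragments alone cannot yield: a person whose session assumed
    a role and then read secrets, and agent activity with no AI request behind it."""
    findings, by_session = [], defaultdict(list)
    for ev in attributed:
        if ev["principal"] is None:
            findings.append({"kind": "unattributed_agent_activity",
                             "session_id": ev["session_id"], "action": action_name(ev)})
        else:
            by_session[(ev["principal"], ev["session_id"])].append(action_name(ev))
    for (principal, session), seq in by_session.items():
        if ("sts:AssumeRole" in seq and "secretsmanager:GetSecretValue" in seq
                and seq.index("sts:AssumeRole") < seq.index("secretsmanager:GetSecretValue")):
            findings.append({"kind": "assume_role_then_secrets", "principal": principal,
                             "session_id": session, "sequence": seq})
    return findings


if __name__ == "__main__":
    for finding in detect(attribute(parse_jsonl(CLOUDTRAIL_JSONL), parse_jsonl(AI_AUDIT_JSONL))):
        print(finding)
```

The sequence rule is intentionally narrow (assume-role followed by a secret read within one attributed session) so that the oncall session, which only lists and reads S3 objects, produces nothing. The unattributed finding is the more important one operationally: if the agent's role acts in CloudTrail and the enforcement layer has no matching AI request, either the join key was not stamped or the role is being used outside the inspected path.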