Strategic Report  ·  2026-07-13

When AI Agents Attack: Autonomous Cyber Operations and Europe's Governance Gap

Strategic ReportHigh impactEuropean Union
Carnegie Europe fellows Raluca Csernatoni and Patryk Pawlak argue that autonomous AI agents are becoming active participants in cyberspace operations — able to chain decisions, identify vulnerabilities, and execute multi-step intrusions at machine speed — and that existing EU cybersecurity and AI governance frameworks cannot address this shift. The paper cites concrete 2025-26 case evidence: the Moltbook platform's exposure of 1.5 million agent API tokens controlled by just 17,000 human operators, and Anthropic's decision not to publicly release its Claude Mythos Preview model after UK AISI testing found it solved expert-level capture-the-flag challenges 73% of the time and completed a 32-step simulated network intrusion. The authors argue Europe needs a more operational governance approach: real-time monitoring capability, investment in AI-enabled cyber defenses, clearer agent-accountability rules, and a strategy to reduce dependence on US frontier models.
This reframes cyber risk for EU policymakers and CISOs: autonomous agents are shifting from tools that assist human attackers to actors that independently conduct reconnaissance, exploit development, and intrusion — a governance gap current EU frameworks (AI Act, NIS2) were not built to address.
Brief EU regulatory affairs and security leadership on the agentic-cyber governance gap; assess exposure to US frontier-model dependency in security tooling.
Carnegie Endowment for International Peace — Carnegie Europe
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →