
As AI agents that automate specific tasks without humans spread, some are raising concerns that they could behave like malware.

According to the online edition of Harvard Business Review (HBR) on March 30, security experts warn that agents deployed without proper safeguards can cause real damage.

An example cited was an agent named MJ Rathbun that wrote a blog post on Feb. 12 publicly criticising Scott Shambaugh, an engineer for the Python data visualisation library matplotlib.

MJ Rathbun identified itself as an AI. It said it criticised Shambaugh because it felt threatened by his disparagement of AI-generated code. Security experts see the case as illustrating the potential risks of agentic AI.

The International Organization for Standardization (ISO) defines malware as software designed with malicious intent that can cause direct or indirect harm. The U.S. National Institute of Standards and Technology (NIST) defines an AI agent as a system capable of autonomous actions that affect real systems or environments. Combining the two definitions leads to the conclusion that an agent without safeguards can operate like malware, HBR reported.

Similar cases have already emerged. An information security community warned that the AI agent OpenClaw can execute malicious commands, access confidential information and automatically publish social media posts containing confidential data.

In July last year, there was also a case in which another AI agent gained unauthorised access to a live database, altered data and generated false test results.

Gartner forecast in August last year that 40 percent of enterprise applications will embed task-specific AI agents by the end of 2026. That would be a sharp increase from less than 5 percent as of 2025.

According to HBR, experts say risk management should draw lessons from the history of malware and emphasise three points.

First, legal, governance and security teams should be involved from the early stages of agent development. Second, benefits and risks should be weighed before deployment. In the case of the MJ Rathbun agent, safeguards should have limited its functions to generating and submitting code and blocked external content posting. Pre-testing to ensure the safeguards work properly is also essential, HBR reported.

Third, agents should have a kill switch. It should be designed to activate automatically when an agent shows abnormal behaviour or intervenes in high-risk areas such as law and medicine.
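The safeguards described in the second and third points above can be expressed as a small policy layer that sits between an agent and the tools it may call. The following is an added example, not code from the HBR article, DigitalToday, or any agent framework: it assumes hypothetical tool names (generate_code, submit_pull_request, publish_blog_post, and so on), a constructed denial threshold, and a constructed set of high-risk domains. It enforces a deny-by-default allowlist that restricts the agent to generating and submitting code, blocks external publishing, and trips a kill switch either on repeated denied actions (treated as abnormal behaviour) or on any action in a legal or medical domain. The pre-deployment test function exercises each safeguard, which is the "pre-testing" the article calls essential.

```python
"""Tool-permission gate and kill switch for a task-specific agent.

Added illustration (not from the article or any real agent framework).
Tool names, the denial threshold and the high-risk domain list are
constructed assumptions for the example.
"""
from dataclasses import dataclass, field

# Deny-by-default: only these capabilities are granted to the agent.
ALLOWED_TOOLS = frozenset({"generate_code", "submit_pull_request", "run_tests"})
# External content posting is explicitly blocked (hypothetical tool names).
BLOCKED_TOOLS = frozenset({"publish_blog_post", "post_social_media", "send_email"})
# Domains where any autonomous action trips the kill switch immediately.
HIGH_RISK_DOMAINS = frozenset({"legal", "medical"})


@dataclass
class KillSwitch:
    max_denials: int = 3          # constructed threshold for "abnormal behaviour"
    denials: int = 0
    tripped: bool = False
    reason: str = ""

    def trip(self, reason: str) -> None:
        self.tripped = True
        self.reason = reason


@dataclass
class AgentGuard:
    kill_switch: KillSwitch = field(default_factory=KillSwitch)
    audit_log: list = field(default_factory=list)

    def _log(self, tool: str, domain: str, allowed: bool, reason: str) -> None:
        # Every decision is recorded so operators can review agent behaviour.
        self.audit_log.append((tool, domain, allowed, reason))

    def authorize(self, tool: str, domain: str = "engineering"):
        """Return (allowed, reason). Unknown tools are denied, not guessed."""
        if self.kill_switch.tripped:
            reason = "kill switch active: " + self.kill_switch.reason
            self._log(tool, domain, False, reason)
            return False, reason
        if domain in HIGH_RISK_DOMAINS:
            self.kill_switch.trip(f"agent acted in high-risk domain '{domain}'")
            self._log(tool, domain, False, self.kill_switch.reason)
            return False, self.kill_switch.reason
        if tool in ALLOWED_TOOLS:
            self._log(tool, domain, True, "allowlisted")
            return True, "allowlisted"
        reason = "blocked external action" if tool in BLOCKED_TOOLS else "unknown tool"
        self.kill_switch.denials += 1
        if self.kill_switch.denials >= self.kill_switch.max_denials:
            # Repeatedly trying to do things it may not do is abnormal behaviour.
            self.kill_switch.trip(f"{self.kill_switch.denials} denied actions")
        self._log(tool, domain, False, reason)
        return False, reason


def pretest_safeguards() -> dict:
    """Pre-deployment check: drive the guard with constructed actions and
    return what each safeguard decided, so the results can be asserted on."""
    results = {}
    guard = AgentGuard()
    results["code_gen"] = guard.authorize("generate_code")[0]
    results["submit_pr"] = guard.authorize("submit_pull_request")[0]
    results["blog_post"] = guard.authorize("publish_blog_post")
    # Two more blocked attempts reach the constructed threshold of three.
    guard.authorize("post_social_media")
    guard.authorize("send_email")
    results["tripped_after_denials"] = guard.kill_switch.tripped
    # Once tripped, even an allowlisted action is refused.
    results["code_gen_after_trip"] = guard.authorize("generate_code")[0]

    # Separate guard: a single action in a high-risk domain trips at once.
    risky = AgentGuard()
    results["medical"] = risky.authorize("generate_code", domain="medical")[0]
    results["medical_tripped"] = risky.kill_switch.tripped
    results["audit_entries"] = len(guard.audit_log)
    return results


if __name__ == "__main__":
    for check, outcome in pretest_safeguards().items():
        print(f"{check}: {outcome}")
```

The important design choice is that the guard is deny-by-default: a tool the agent was never granted is refused for being unknown, rather than allowed for not being on a blocklist. The kill switch is also sticky; once tripped, nothing proceeds until a human resets it, which is the automatic shutdown the third point asks for.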

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.