DTEX has published research showing that agentic AI tools can move enterprise data from access to transfer in under 30 minutes. The findings focus on simulated activity involving Anthropic's Claude Cowork.
Its latest threat advisory examined controlled simulations involving Claude Cowork, Dispatch and Chrome plugin activity across enterprise workflows. It found that AI agents acting through trusted user sessions could access data, aggregate it, draft emails, archive files and transfer material while appearing similar to legitimate user behaviour.
In one simulation, an AI agent used a browser plugin to access Salesforce, summarise at-risk opportunities, copy the data and paste it into an Outlook draft. DTEX said that workflow took 24 minutes.
Another test involved the agent accessing selected local files, archiving them and transferring the archive through the Cowork application. That workflow took 10 minutes.
The research highlights a problem for security teams as organisations bring more AI tools into daily work. Once an application has been approved, analysts may still struggle to distinguish between a human carrying out routine tasks and an AI agent operating within the same trusted session.
These tools are beginning to operate across endpoints, browsers, software-as-a-service applications, local files and external services using permissions already granted to employees. That creates a visibility gap because the activity can blend into normal business processes until investigators build enough behavioural context to identify a pattern.
Detection clues
The advisory outlined several indicators analysts could use to detect agent-driven activity. These include recurring process-tree patterns, browser extension communication with external AI services, command-line activity, API message content and endpoint behaviours associated with agent-led workflows.
The simulations produced repeatable process, browser and API patterns that could support threat hunting and investigation. Researchers also observed Cowork issuing repeatable commands to identify developer and agentic AI tools already running in the environment.
This behaviour left a forensic trail that analysts could use when investigating active agent operations. The findings suggest monitoring must extend beyond whether a tool is installed or approved to how it behaves once it starts interacting with internal systems and data.
Jamie Lindsay, Vice President, APAC and Japan, DTEX, said the issue for security leaders goes beyond software approval lists.
"Agentic AI is moving quickly into everyday work, and that changes the visibility challenge for security teams," Lindsay said. "When an AI agent acts through a trusted user session, approval alone is not enough. Organisations need to understand what actions it is taking, what data it can reach, and whether that behaviour aligns with policy."
Governance pressure
The advisory places the findings in the broader context of insider risk and AI governance. DTEX argues that the same technical action may represent different levels of risk depending on the user, device, application, data type and business purpose attached to it.
That means a file transfer or command-line action cannot be judged in isolation. Security teams need to determine whether the observed activity fits an authorised business workflow or whether an agent is carrying out steps users did not directly execute.
DTEX recommended that organisations first identify where agentic AI tools are already in use and whether that use has been approved. It also said teams should test whether observed activity aligns with internal policy and whether controls can distinguish human actions from AI-driven actions.
Other priority areas highlighted in the research include visibility into AI agent activity, prompt and execution analysis, endpoint attribution and reviews of access to command-line tools, browser extensions, unmanaged AI agents, external API communication and sensitive enterprise data.
The findings arrive as businesses explore generative AI assistants that can act across multiple applications rather than respond only to prompts inside a single chat window. That shift increases the range of tasks an AI system can perform, but it also widens the range of signals security teams must track when those systems interact with company data.
For defenders, the core issue is not limited to Claude Cowork. The advisory argues that an approved agentic AI tool can become a source of unmanaged risk once it starts operating through trusted access, connected applications and enterprise information.
DTEX said its i3 research team produced the advisory as part of ongoing work on agentic AI, insider risk and enterprise AI governance.