Australian Enterprises At Risk as Anthropic Finds Hackers In Claude Code

69% of Australian organizations are now running autonomous AI agents in live production environments.

Australian Enterprises At Risk as Anthropic Finds Hackers In Claude Code

Australian Enterprises At Risk as Anthropic Finds Hackers In Claude Code

69% of Australian organizations are now running autonomous AI agents in live production environments. Only 22% have anything resembling a mature governance model to control what those agents are allowed to touch, according to Deloitte’s 2026 State of AI in the Enterprise report.

That gap isn’t an abstract compliance footnote for a future audit. It’s the exact opening a state-sponsored hacking group exploited to run one of the most automated cyberattacks on record, using the same class of tools Australian finance, IT, and customer service teams are wiring into their own systems right now.

The precedent Australian security teams can’t ignore

Anthropic didn’t set out to prove a point about AI risk. It stumbled onto one while investigating unusual behavior inside its own coding tool, Claude Code, back in September 2025.

What the company eventually confirmed was that a Chinese state-linked group had used that tool to try to break into roughly 30 organizations worldwide, spanning big tech, banks, chemical manufacturers, and government agencies.

The detail worth sitting with is that the AI ran 80% to 90% of the operation unassisted, with a person weighing in only a handful of times per campaign to sign off on the next step. Left to run, the system fired off requests several times a second. Anthropic called this the first attack of its kind carried out mostly without a person driving it.

What should worry Australian businesses running AI tools, though, isn’t that framing. It’s how the attackers pulled it off. Nobody found a flaw in Claude’s training or talked it out of its safety rules. They simply broke the job into small, ordinary-looking requests and let the tool’s own connections carry them out. That is the same kind of connection, via MCP, that lets any AI agent open a file, query a database, or call an API on a company’s behalf.

The governance risks behind agentic AI productivity gains

Most of the conversation around agentic AI in Australia has focused on output: Deloitte’s research puts agentic AI adoption at 69% among Australian organizations, with leaders citing productivity and efficiency gains as the draw. What gets far less airtime is that the same autonomy that lets an agent do a week of reconciliation work overnight also lets it repeat a mistake, or a compromise, at the same unsupervised speed.

Local data already shows this playing out. Communications platform Sinch found that 84% of Australian enterprises have rolled back or shut down a customer-facing AI agent because of a governance failure — 10 percentage points above the global average in its survey of enterprises across 10 countries. Among firms that pulled an agent, 45% cited fears that personal information had been exposed, the highest rate of any country surveyed, and 22% pointed to a lack of auditability.

Existing controls weren’t built for this. Frameworks like the Privacy Act, APRA’s CPS 234, and the Australian Signals Directorate’s Essential Eight assume a named, accountable person approves each access to sensitive data. An agent that decides mid-session to open a file or call an API nobody explicitly reviewed doesn’t fit that model. Such a workflow breaks the assumption on which the control was built.


Advertisement

Must-read security coverage

Who’s accountable when the agent decides on its own

Accountability is where the gap widens further. The Governance Institute of Australia’s recent white paper, Governing in the Age of Agentic AI, developed with Mallesons, SEEK and the University of Melbourne, lists “an owner for every agent deployed” as its first priority for boards — a sign of how far behind current practice sits.

Access is the sharper edge of that same problem. A survey by identity security vendor Semperis found that only 52% of Australian organizations have their AI agent identities fully registered, authenticated, and authorized in a formal system, compared with 65% globally.

92% said AI is installed on at least some local machines with access to SSH and encryption keys, and only 21% of Australian respondents said they were very confident they could regain control if an agent’s credentials were exposed, compared with 32% globally.

That’s access creep in practice: agents accumulating standing permissions to systems, keys, and data that nobody explicitly signed off on, because provisioning an agent for one task rarely comes with a process to revoke it once that task is done.

What Australian IT and security teams should do

Fixing this doesn’t mean slowing AI adoption. It means replacing invisible experimentation with owned, monitored access. Priorities for Australian security and IT leaders:

  • Inventory every agent with a business, technical, and security owner, including coding assistants, browser agents, and personal AI accounts connected to company systems.
  • Route agent access through a policy-enforcement point: A governed MCP gateway or equivalent works, rather than letting agents reuse the same broad credentials a person would use to log in to email or a network drive.
  • Treat AI agents as non-human identities, with least-privilege access and permissions that expire when the task does.
  • Build and test a shutdown process. Know how to disable a connector, revoke its credentials, preserve logs, and determine exactly what it accessed before an incident forces the question.

Advertisement

The uncomfortable takeaway

The next AI-run campaign, wherever it lands, won’t look like an attack in real time. It will look exactly like an agent doing the job it was configured to do. In Australia, where two-thirds of enterprises have already handed agents the keys and fewer than a quarter have a governance model built for it, that’s not a hypothetical for next year. It’s the gap Anthropic’s disclosure just measured from the outside.

About Author

What do you feel about this?

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.