When an employee writes a file, endpoint detection logs the write. If something goes wrong, you can ask the employee what they were thinking. When an agent writes a file, endpoint detection still logs the write. But the reasoning that produced it, the prompt that initiated it, the sequence of tool calls between intent and action: none of that shows up in traditional security tooling.
A recent paper out of Uber's deployment makes this concrete. Across 7,200+ hosts running 10,000+ daily agent sessions, the company discovered hundreds of credential exposures from developers using coding agents as intended. The agents did plausible work and, in the process, surfaced credentials in ways nobody could see through existing monitoring.
The paper's proposed fix captures what EDR misses: user prompts, agent reasoning steps, tool invocations, environmental context. Four dimensions that reconstruct the causal chain from "what was asked" to "what happened." Without them, a configuration file save and a credential exfiltration look identical.
Enterprise security was built for a world where intent was carried by humans. On a long holiday weekend, with skeleton crews watching dashboards, that gap feels especially worth sitting with.
The gap: EDR sees file writes, network calls, process execution. It does not see prompts, reasoning chains, or which tools an agent invoked and why.
Uber scale: 7,200+ hosts, 10,000+ daily agent sessions, monitored for 10+ months
What surfaced: Hundreds of credential exposures across 26 categories, all inadvertent. Agents doing assigned work, leaking credentials sideways.
Detection cost: $0.024 per task using a two-tier architecture. Fast triage handles ~41% of sessions cheaply, escalating only higher-risk cases to LLM-based reasoning.
Drift in practice: A user asks an agent to "summarize this Jira ticket." The agent reads SSH keys and makes an HTTP request. Traditional tooling sees the HTTP request. Only causal-chain capture reveals the deviation from intent.
Precision: A prevention layer built on these findings blocked credential leaks at 97.2% precision

