Josys Confronts the Dual Threat of Credential Theft and Rogue AI Agents

SEATTLE, WA – June 11, 2026 – The modern enterprise is facing an identity crisis of unprecedented scale. For years, the primary threat has been a relentless siege on employee credentials, a battle fought on the dark web and through sophisticated phishing schemes. But a second, more insidious front has opened: the rapid, often ungoverned deployment of artificial intelligence agents inside corporate walls. Today, AI-native security firm Josys unveiled a suite of new capabilities aimed at fighting this war on two fronts, signaling a significant shift from reactive defense to autonomous governance.

The numbers paint a stark picture of the challenge. According to SpyCloud's 2026 Identity Exposure Report, a staggering 642.4 million credentials were stolen via infostealer infections in 2025 alone. This makes credential theft the fastest-growing entry point for attackers, a fact corroborated by numerous industry reports, including Verizon's annual Data Breach Investigations Report, which consistently lists stolen credentials as a top attack vector. The old model of periodic password resets and manual access reviews is simply no longer sufficient.

"Identity is no longer just an IT concern. It is a board-level risk that grows every time a new AI agent is deployed or a credential leaks to the dark web," said Yasukane Matsumoto, chief executive officer of Josys. His assertion cuts to the core of the problem: the very definition of an 'identity' has expanded, and the tools used to secure it have not kept pace.

Governing the Unseen: Bringing Shadow AI into the Light

The most forward-looking aspect of Josys's announcement is its direct confrontation with what many are calling "shadow AI." For years, security teams have battled "shadow IT"—unauthorized SaaS applications adopted by employees. Today, that problem has evolved. With an estimated 80% of Fortune 500 companies now using active AI agents, a new class of non-human identity has emerged, often with privileged access to critical systems and data, yet operating completely outside of traditional governance frameworks.

This creates a massive visibility gap. According to Gartner research, 56% of these non-human identities sit entirely outside any structured governance. These are not just simple bots; they are sophisticated agents built on frameworks like Microsoft Copilot or Anthropic's Claude, capable of executing complex tasks. Without oversight, they represent a new, unpredictable attack surface.

Josys is tackling this head-on with its new AI Agent Discovery and Governance capability. The platform is designed to bring these autonomous agents into the same control plane used for human employees. It works by automatically inventorying every agent, assigning ownership, mapping its access privileges, and surfacing previously invisible activity. For compliance and risk officers, this moves AI from an ungoverned black box to a managed and auditable component of the enterprise ecosystem. It’s a critical step in ensuring that the productivity gains from AI don't come at the cost of catastrophic security failures.

An Autonomous Shield for the Modern Enterprise

While governing AI is the future, protecting against credential compromise is the urgent present. Most organizations discover a credential has been stolen only after an attacker has already used it to breach their network. Josys aims to flip this script with its Identity Threat Monitoring service.

The platform continuously monitors stealer logs, dark web forums, and data paste sites for leaked employee credentials. When a match is found, the system doesn't just send an alert; it triggers an autonomous workflow. It instantly maps the compromised identity to the user’s full application access profile and automatically executes remediation, revoking access across every connected application without requiring manual triage. This speed and automation are crucial when the median time to contain a breach can stretch into months.

This automated response is powered by the third new capability, Policy-Driven Autonomous Governance. The reality of the SaaS-first world is that configurations drift and employees adopt new tools without IT involvement, creating persistent security gaps. Research from the Cloud Security Alliance shows 43% of organizations have suffered a breach due to misconfigured settings. Josys replaces the industry's reliance on periodic manual reviews with a system of continuous enforcement. Security teams can configure policies once—using a library of over 60 pre-built templates aligned to standards like NIST 800-53, ISO 27001, and HIPAA—and the platform handles the rest. It detects violations in real time, triggers automated remediation, and maintains an audit-ready trail.

The Go-to-Market Engine: Scaling Security Through MSPs

Perhaps the most strategically significant element of the Josys story is not just its technology, but its business model. From its inception, the platform was engineered for Managed Service Providers (MSPs). This is more than a sales channel; it's a recognition of how security is actually delivered to the vast mid-market.

"The MSP channel is where this problem gets solved at scale for the mid-market," Matsumoto added. "Most identity platforms were never designed for that economic model. Ours was."

This design philosophy is evident in the platform's multi-tenant architecture. It allows a single analyst at an MSP to manage identity security across dozens or even hundreds of customer environments without cumbersome context-switching. Alerts are aggregated, policies can be deployed across tenants, and remediation workflows run seamlessly for every client. For mid-sized companies that face enterprise-grade threats without enterprise-grade budgets, this MSP-centric model democratizes access to sophisticated, AI-driven security.

By building for the operational realities of the MSP, Josys creates a powerful distribution engine for its advanced capabilities. Each of the three new features operates within this same multi-tenant control plane, enabling MSPs to immediately extend identity threat detection, AI agent governance, and continuous policy enforcement to their entire customer base.

Legacy identity tools were built for a world of static employee directories managed by an in-house IT team. As Matsumoto noted, "That world is gone." Josys was built for the one we are actually in, where humans, machines, and AI agents must be governed together, continuously, and at the immense scale the modern digital landscape demands.