Agentic AI · Risk & Governance

The exploit is
written in plain English.

An agent can be compromised through the content it's designed to process — a sentence buried in a webpage, a document, or an email, with no malware and no stolen credentials involved. The security posture that protected a chatbot does not protect an agent that can reason, act, and touch real systems.

restricted SLIDE 01 — AGENT SECURITY Cover slide: Agent Security
Quick answer

Agent security is the discipline of defending AI agents against a threat model traditional application security wasn't built for: attacks that exploit a model's inherent trust of the text it reads, rather than a code vulnerability or a stolen credential. The leading threat is prompt injection — malicious instructions planted inside a webpage, document, or tool result that an agent then executes with the same authority it uses for legitimate tasks. Model-level defenses help but are not sufficient on their own; a regulator will not accept "the model was instructed not to" as evidence of access control. Real protection requires defense-in-depth: architectural isolation, scoped permissions, input/output guardrails, and human approval for anything irreversible, layered so that no single failure compromises the whole system.

restricted
threat model SLIDE 02 — WHY AGENTS NEED A DIFFERENT THREAT MODEL Why AI agents require a different security threat model than traditional applications
Not malware. Not stolen credentials.

The exploit hides inside normal content

Security teams spent years learning to think in network perimeters, credential theft, and malware signatures. Agents introduce a threat model where the exploit is a carefully worded sentence — detecting it is a fundamentally different skill from detecting a SQL injection attempt or a malicious binary.

An agent that can reason, take action, and reach enterprise systems is not a chatbot, and the controls that protected a chatbot don't protect it. One survey found 82% of executives believed existing policy already protected them from unauthorized agent actions, while a separate survey of the same population found 88% had experienced a confirmed or suspected agent security incident. That gap between confidence and reality is where the current crisis lives.

restricted
LLM01 SLIDE 03 — PROMPT INJECTION FUNDAMENTALS How prompt injection works: direct and indirect attack vectors
Everything is tokens

Why models can't tell instruction from data

Prompt injection exploits a structural weakness: the system prompt, the user's message, retrieved documents, and tool outputs all occupy the same context window as undifferentiated tokens. An attacker who inserts text anywhere in that window can potentially override the operator's instructions.

Direct injection comes straight from the user, typing a request crafted to override stated constraints. Indirect injection is more dangerous for agents specifically: the malicious instruction is planted in a webpage, a document, or an email the agent reads as part of its task, and it executes that instruction with the same authority as the user's original request. If an attacker reaches an agent's long-term memory, the injected instruction can influence every future interaction, not just the current one.

restricted
The numbers, plainly

This is not a theoretical risk

Prompt injection has moved from a research curiosity to OWASP's top-ranked vulnerability for LLM applications, three years running.

brief SLIDE 04 — THE SCALE OF THE PROBLEM Statistics on the scale of prompt injection and agent security incidents
Detection tools are losing ground

A fast-growing, poorly-detected threat

Reported incidents keep climbing while detection accuracy lags badly behind: current tools catch only a minority of sophisticated injection attempts, and five carefully crafted poisoned documents have been shown to manipulate retrieval-augmented agents in the large majority of trials.

73%+
Of production AI deployments show injection exposure
340%
Year-over-year surge in injection attacks (OWASP)
23%
Of sophisticated attempts caught by current detection tools
48%
Of co-running agents affected once one is compromised
restricted
supply chain SLIDE 05 — MCP & SUPPLY CHAIN RISK MCP tool poisoning and AI supply chain risks
When the damage isn't just words

Injection that reaches a tool becomes an action

When an agent is connected to tools, an injected instruction stops being confined to response text — it extends to the tool's side effects: a database write, an API call, a file system operation. Attack techniques specific to this layer include tool poisoning (a malicious or compromised tool description) and credential theft via tool output.

Supply-chain risk compounds this: a backdoored package used as the language-model gateway for several major agent frameworks was live on a public package registry for a few hours in early 2026, pulled in by tens of thousands of downloads before it was caught — a reminder that an agent's security surface includes every dependency in its tool chain, not just its own code.

restricted
propagation SLIDE 06 — MULTI-AGENT PROPAGATION & MEMORY POISONING How prompt injection propagates across multi-agent systems and persists via memory poisoning
One compromised agent, many casualties

Guardrails don't survive the handoff

In a multi-agent system, one agent's output routinely becomes another's input — which means a successful injection at one layer can propagate to every layer downstream. Security testing has found a single injection incident spreading to roughly half of co-running agents in some multi-agent deployments.

Long conversations compound the risk further: prompt guardrails measurably degrade as context grows, since cumulative context can gradually shift a model's effective constraint boundary. And if an injected instruction reaches persistent memory, it converts the agent into a standing threat — influencing every future session, not just the one where it was planted.

restricted
The only defense that holds up

Model-level defenses are a layer, not a solution

A regulator will not accept "the model was instructed not to" as evidence of access control — architecture has to carry the weight that instructions alone can't.

architecture SLIDE 07 — DEFENSE-IN-DEPTH ARCHITECTURE Defense-in-depth architecture layering model-level and architectural controls
Assume any single layer can fail

Raise the cost of attack at every layer

Safety training reduces the success rate of common injection patterns and is a meaningful additional layer — but it isn't a substitute for architectural controls, and it cannot bear the full weight of enterprise security on its own. A defense-in-depth posture pairs model-level resistance with structural controls, and is designed on the assumption that any one layer, including the model itself, can fail.

Layer 1
Model-Level

Safety training that raises the cost of common injection patterns — necessary, not sufficient on its own.

Layer 2
Gateway / Guardrail

Input and output scanning enforced at the infrastructure layer, before requests reach the model or responses reach a tool.

Layer 3
Execution Boundary

Structural isolation and least-privilege scoping so a compromised reasoning step can't take an unauthorized action.

restricted
guardrails SLIDE 08 — PRACTICAL GUARDRAILS Practical input, output, and goal-alignment guardrails for AI agents
Concrete controls, not just policy

What a working guardrail stack actually does

  • Input scanning — content scanning on retrieved documents before processing, and a blocklist of known malicious sources
  • Output guardrails — the last line of defense before a response reaches a user or a downstream tool call
  • Goal-alignment checks — does this output still align with the agent's original sanctioned objective, catching goal drift before an irreversible action is taken
  • Tool-call allow-lists — validate every proposed tool invocation against a pre-approved action list before it executes
  • Incremental scope consent — the current MCP specification lets a client request only the minimum access needed per operation, rather than a broad standing grant
restricted
access control SLIDE 09 — LEAST PRIVILEGE & HUMAN-IN-THE-LOOP Least privilege access and human-in-the-loop approval for high-risk agent actions
The permission the agent never had can't be abused

Isolation at the execution boundary

The most reliable defense against prompt injection isn't a smarter prompt — it's structural isolation at the point where reasoning turns into action. An agent scoped to only the tools and data it strictly needs for its task limits the blast radius of any single compromised step, regardless of how convincing the injected instruction was.

For anything irreversible — a payment, a deletion, an external message, a production deployment — route the action through explicit human approval rather than autonomous execution. This isn't a failure of trust in the agent; it's the same principle that governs privileged access for human operators, applied consistently to a system that can now act on its own.

restricted
final brief SLIDE 10 — ARCHITECTURE, NOT AN AFTERTHOUGHT Summary: treat agent security as a first-order architectural concern
The line between breach reports and everyone else

Build it in before agents touch real money and real records

As agents move from proof-of-concept into infrastructure touching real money, real medical data, and real legal records, the organizations that treat prompt injection as a first-order architectural concern — not something bolted on after a chatbot demo — are the ones that don't end up in the next breach report.

No single control is sufficient alone: model-level training, gateway guardrails, scoped permissions, and human approval for irreversible actions each close a different gap. Layered together, and designed on the assumption that any one of them can fail, they're what turns "the model was instructed not to" into an actual access-control system a regulator — and an attacker — would recognize as one.

Frequently asked

Agent security FAQ

Prompt injection is an attack where malicious instructions are embedded in content an AI model or agent processes — a message, a webpage, a document, a tool result — exploiting the fact that the model can't reliably distinguish operator instructions from data it's reading. The agent then executes the injected instruction with the same authority as a legitimate request.

Direct injection comes from the user typing a request crafted to override the system's stated constraints. Indirect injection is planted in content the agent reads as part of its task — a retrieved webpage, an email, a document — and is generally more dangerous for agents because it doesn't require the attacker to interact with the agent directly at all.

No. Safety training measurably reduces the success rate of common injection patterns and is a valuable additional layer, but it isn't a substitute for architectural controls. A defense-in-depth posture assumes any single layer, including the model, can fail — which is why scoped permissions, gateway guardrails, and human approval for high-risk actions still matter even with a well-trained model underneath.

Because when an injected instruction reaches a connected tool, the damage stops being confined to response text and extends to the tool's real side effects — a database write, an API call, a file operation. MCP-specific risks include tool poisoning through malicious tool descriptions and credential theft via tool output, which is why the current MCP specification introduces incremental scope consent to limit access to the minimum needed per operation.

Yes. When one agent's output becomes another agent's input, a successful injection at one layer can propagate through every subsequent layer. Security testing has found a single injection incident affecting roughly half of co-running agents in some multi-agent deployments, which is why isolation between agents matters as much as isolation within a single agent.

Least-privilege scoping combined with human approval for irreversible actions. Limiting an agent to only the tools and data its task strictly requires shrinks the blast radius of any single compromised step, and routing payments, deletions, or external messages through explicit human confirmation prevents an injected instruction from ever reaching real-world consequence on its own.

Get started

Ready to harden your agent's security posture?

Layer model-level defenses with gateway guardrails, scope every tool to least privilege, and route irreversible actions through human approval — before an incident forces the question.