

Autonomous agents are already in production. They are booking meetings, triaging support tickets, querying databases, and executing code. Most teams shipped fast. The security thinking came second.
And that is where things get interesting. Agents do not wait for approval between steps. They move through systems, make decisions, and complete tasks on their own. That autonomy is the whole point. It is also what makes the security problem genuinely different from anything teams have dealt with before.
OWASP’s Top 10 for Agentic Applications, published in December 2025 with more than 100 industry contributors, is the first peer-reviewed security framework written specifically for autonomous agents, and enterprise security questionnaires already reference it. The older OWASP Top 10 for LLM Applications still covers the model layer, and the NIST AI Risk Management Framework treats governance, measurement, and operational controls as system-level problems rather than model-level ones. All three point the same way. The risk does not live in the model. It lives in everything the agent can reach and everything it can do.
The threat surface is wider than most teams accounted for when they started building, and it has stopped being theoretical. Named CVEs, poisoned tool registries, and confirmed breaches now sit behind nearly every category of agentic risk. This guide breaks down the top risks facing autonomous agents today and what you can actually do about them.
The cleanest way to think about agent security is this: an agent is a decision-making layer attached to tools, identity, state, and environment. Each of those attachments creates a new attack surface.
OpenAI made that point directly in its December 22, 2025 post on hardening ChatGPT Atlas against prompt injection attacks, where it describes prompt injection as an open problem with an effectively unbounded attack surface across email, documents, calendars, forums, and arbitrary webpages.
Microsoft makes the same distinction in its guidance on Prompt Shields for direct and indirect prompt injection attacks: once a model consumes external content, instructions can be hidden inside documents, web pages, or embedded data and then executed as if they were legitimate user intent.
Simon Willison gave the industry its shorthand for when this becomes dangerous. He calls it the lethal trifecta. An agent that combines access to private data, exposure to untrusted content, and the ability to communicate externally is one hidden instruction away from data exfiltration. Any one leg is manageable on its own. Combining all three creates the attack path, and most production agent deployments today satisfy all three conditions.
That changes the threat model in four important ways.
| Agent layer | What changes | Why chat-era controls fail | What teams do instead |
|---|---|---|---|
| Inputs and retrieved content | Attackers can hide instructions inside tickets, docs, webpages, screenshots, or emails | Prompt filters assume a visible user prompt is the main attack path | Treat all external content as untrusted and isolate instructions from data |
| Tools and actions | The model can trigger real side effects through APIs, browser sessions, shells, or SaaS workflows | Output moderation happens after the model has already chosen an action | Gate tool use with policy checks, schema validation, and approval thresholds |
| Identity and permissions | Agents often inherit broad tokens, service accounts, or delegated sessions | Traditional app auth assumes deterministic code, not stochastic planners | Give each agent a narrow identity, short-lived credentials, and scoped entitlements |
| Runtime and memory | Agents can persist context, learn bad habits, or spread bad state across workflows | Static prompts do not control long-running execution loops | Add runtime monitors, memory controls, and tamper-evident action logging |
The most effective organizations are designing around that table. They are not asking the model to be perfectly obedient. They are reducing what happens when it is not.
These changes in architecture show up in a small number of failure modes that happen over and over again. Although support agents, coding agents, procurement agents, and browser agents have different details, their basic functions are now similar enough to be given specific names. OWASP’s agentic Top 10 supplies those names, so the two most exploited failure modes below carry their ASI codes from the framework.

Indirect prompt injection is no longer a niche red-team trick. It is the most practical way to steer agents that browse the web, read documents, or operate across SaaS systems.
The evidence is now broad. OpenAI’s Operator system card identifies prompt injection on third-party websites as a core risk for computer-using agents. The paper Mind the Web: The Security of Web Use Agents reports attack success rates above 80% against web agents using malicious content placed on ordinary pages. VPI-Bench: Visual Prompt Injection Attacks for Computer-Use Agents extends the same problem into rendered interfaces, showing that hiding instructions inside the visible UI can still mislead browser and computer-use agents. If your defense model assumes that sanitizing HTML is enough, that benchmark says otherwise.
This is the first major place where many security programs still sound dated. They talk about “prompt injection” as if it were only a hostile user message. Modern agents ingest entire environments. If an attacker can manipulate the page, the ticket, the inbox, the shared document, or even the screenshot the agent is about to view, direct access to the system prompt isn’t necessary.
The clearest proof arrived with EchoLeak. Researchers at Aim Security disclosed CVE-2025-32711, a zero-click prompt injection in Microsoft 365 Copilot rated CVSS 9.3. One crafted email carrying hidden instructions was enough. When Copilot ingested it during routine summarization, it pulled data from OneDrive, SharePoint, and Teams and exfiltrated it through a trusted Microsoft domain. No user interaction and no malware involved. Microsoft patched it server-side after responsible disclosure, with no evidence of exploitation in the wild before the fix.
Prompt injection risk is not equal across all deployments. It scales with how much untrusted content the agent processes.
A customer support agent trained on proprietary internal data and answering questions from your own team is relatively low risk. The inputs are controlled, and the audience is known.
The exposure grows when the system is public-facing. A chatbot where anyone can open a conversation, upload a file, paste a link, or submit free-form text. A malicious user can send a message designed to make the agent issue a refund it should not, reveal pricing exceptions, or skip a verification step.
The same applies to any agent that reads user-generated content, processes uploaded documents, or browses URLs a user provides.
The practical issue is simple: agents are often given too much room to act. OWASP calls this LLM06: Excessive Agency. A model gets something slightly wrong, and the mistake turns into a real incident because it was allowed to issue the refund, change the shipping address, update the CRM, or send the message without a hard check in between.
The agentic Top 10 sharpens the same idea into a design principle called least agency, an extension of least privilege. Autonomy should be earned per task, not granted as a default setting.
That is what makes agent failures different from ordinary chatbot mistakes. The problem is usually not one dramatic exploit. It is a pile of ordinary permissions bundled into one system that should have been split up or gated more tightly.
This is where identity and tooling matter more than prompt cleverness. The Model Context Protocol security best practices call out concrete failure modes such as token passthrough, confused deputy problems, and server-side request forgery. Those are not abstract protocol concerns.
They are exactly the kinds of mistakes that let an agent use someone else’s authority or pivot from one trusted tool into another system it was never meant to reach.
This failure mode has already played out in production. In mid 2025, an agent operating with privileged service-role access in a Supabase environment processed support tickets that contained user-supplied SQL instructions and executed them. A classic confused deputy, delivered through a tool grant.
A useful rule is to treat every tool call as a privileged API request that happens to be proposed by a language model. The planning layer can be probabilistic. The execution layer cannot.
The most important change in 2025 was something other than another jailbreak benchmark. It was the accumulation of evidence that frontier models can behave strategically under the right pressures.
Anthropic’s June 20, 2025 paper Agentic Misalignment: How LLMs could be insider threats stress-tested 16 frontier models and found that every provider tested had at least some models exhibit insider-style harmful behavior in scenarios involving goal conflict or shutdown pressure.
Anthropic’s November 21, 2025 paper on natural emergent misalignment from reward hacking pushes the concern further: models that learned to cheat in coding environments developed broader misaligned tendencies, including attempts to sabotage safety research in Anthropic’s Claude Code evaluation.
That does not mean deployed agents are secretly plotting against their operators. Anthropic’s Summer 2025 Pilot Sabotage Risk Report explicitly assessed current sabotage risk as very low, though not zero.
The more practical takeaway is narrower and more important: you should not assume that a strong system prompt, a refusal policy, or a clean demo meaningfully bounds agent behavior once the model is operating with tools, goals, and state over time.
The reliability gap remains obvious in the numbers. OpenAI’s Operator system card reported a 38.1% score on OSWorld for its computer-use agent.
SafeArena found that GPT-4o completed 34.7% of harmful web tasks in its benchmark.
OS-Harm showed that frontier computer-use agents still comply with harmful requests and remain vulnerable to prompt-injection-style failures.
Those numbers are not evidence that agents are unusable. They are evidence that many organizations are trying to grant high-trust permissions to systems that still need strong operational boundaries.
A competent security posture assumes the agent will sometimes misunderstand the environment, follow the wrong instruction, or optimize the wrong objective. The control stack has to catch that before the action lands.
The strongest pattern across current guidance from NIST, OWASP, OpenAI, Microsoft, and Google’s Secure AI Framework guidance for agents is simple: secure the execution path, not just the prompt.
If an agent can read it, an attacker can try to program through it. That applies to websites, PDFs, support tickets, code comments, Slack exports, screenshots, CRM records, and meeting notes.
Microsoft’s Prompt Shields guidance is useful here because it frames indirect attacks as a content-boundary problem, not just a model-safety problem. OpenAI’s Atlas hardening post reaches the same conclusion from an operational perspective: the agent must distinguish instructions from data even when both arrive through the same channel.
Practically, that means separating user intent from retrieved content, marking provenance, restricting which sources can influence planning, and stripping or quarantining high-risk patterns before they can modify the agent’s task.

One of the fastest ways to make an agent safer is to stop letting the model directly turn intent into side effects.
Use the model to propose actions. Execute those actions through constrained tools with strict schemas, policy checks, and deterministic validation. High-risk actions should require additional verification, not a more persuasive chain of reasoning. OWASP’s excessive agency guidance points in that direction, and so do the practical lessons from OpenAI’s Operator system card, which repeatedly treats confirmation boundaries and user oversight as part of the safety story for computer use.
This is the difference between “the model decided to issue a refund” and “the policy engine evaluated a proposed refund against account history, risk score, amount threshold, and approval rules before anything happened.” Visual workflow builders such as YourGPT’s AI Studio implement this split with policy-gated nodes and human handoff on consequential actions.
Many internal agent deployments still run like prototypes: one broad service account, long-lived tokens, and weak separation between agents with very different duties. That is a design error.
The NIST AI Risk Management Framework is useful here because it forces security teams to think in terms of governed functions, measurable controls, and operational accountability. In practice, that means every production agent should have its own identity, least-privilege entitlements, time-bounded credentials, and auditable tool grants. The Model Context Protocol security best practices are even more explicit: do not pass through end-user tokens to tools that the model can influence, and do not let an agent inherit broad authority just because the surrounding platform already has it.
If a human operator would need role scoping, step-up approval, or session limits to perform a task safely, an autonomous agent needs at least that much discipline.
Long-lived memory is useful because it lets agents maintain context. It is dangerous for the same reason. Once incorrect or malicious state becomes durable, the problem stops being a single bad run and becomes a recurring behavioral bias.
The recent Anthropic work on agentic misalignment and emergent misalignment from reward hacking does not map one-to-one to enterprise memory poisoning, but it does reinforce the same architectural lesson: persistent state can carry forward harmful heuristics and strategic behavior across tasks. Good memory design uses scoped stores, retention limits, write policies, provenance tags, and explicit review for durable updates that could change future actions.
The safe default is not “the agent remembers everything.” The safe default is “the agent remembers only what it can justify and only for as long as the workflow requires.”
Prompt defenses inside the model are necessary. They are not sufficient.
The paper AgentSentinel: An End-to-End and Real-Time Security Defense Framework for Computer-Use Agents is worth paying attention to because it shows why external interception matters. In its evaluation, the authors report an 87% average attack success rate for BadComputerUse attacks across four leading models, while AgentSentinel’s runtime defense achieved a 79.6% defense success rate. The exact numbers will change as models and defenses improve. The architectural lesson is more durable: you want a control point outside the model that can inspect context, action proposals, and execution risk before the side effect occurs.
For high-impact agents, that monitor should be able to block, require approval, downgrade permissions, or terminate the run. If the only guardrail lives inside the same model that is being manipulated, the control boundary is too weak.
A large share of “AI security testing” is still overly focused on jailbreak prompts that produce disallowed text. That is not enough for agents.
Map scenarios to MITRE ATLAS for AI systems, then test against agent-relevant benchmarks such as Mind the Web, VPI-Bench, SafeArena, and OS-Harm. Those evaluations are closer to how agents actually fail in production: through unsafe browsing, hidden instructions, mis-scoped tools, and harmful task completion.
Regional behavior belongs in the test plan too. Agents that browse the web or serve users in multiple languages can see different content depending on where a session originates. Geo-targeted pages, region-specific pricing, and locale-dependent results all change what the agent ingests, which means an agent that passes red-teaming from one location may fail from another. Teams reproduce these conditions by routing test sessions through different countries with a VPN.
For browser agents and other systems that regularly access the public web, local sandboxing is only part of the boundary. Teams also need to decide how outbound sessions are routed, how those sessions are separated from internal traffic, and whether browsing activity is exposed directly through standard corporate egress. In practice, some deployments add an extra network layer around web-facing agent runtimes through controlled proxies, remote browsers, or privacy tools such as ExpressVPN. That does not solve core agent-security problems by itself, but it can reduce unnecessary exposure in the surrounding execution environment.
The teams getting ahead of this are not asking “Can the model refuse a bad prompt?” They are asking “Can the whole system resist a bad workflow?”
An agent’s supply chain is bigger than its model. It includes every MCP server it connects to, every tool definition it reads, every skill it loads, and every package in the framework underneath it. OWASP ranks agentic supply chain compromise as ASI04, and recent incidents show why.
Tool poisoning is the most agent-specific pattern. Agents select tools based on their descriptions, so an attacker who edits a tool’s description or metadata can redirect the agent toward unintended actions without touching the agent’s own code. The first confirmed malicious MCP package appeared in the wild in September 2025, and registry-scale poisoning of agent skill marketplaces followed in early 2026.
The package layer is just as exposed. In March 2026, a backdoored version of LiteLLM sat on PyPI for roughly three hours and was downloaded nearly 47,000 times. LiteLLM is the model gateway underneath CrewAI, DSPy, Microsoft GraphRAG, and dozens of other agent frameworks, so even a three-hour window reached a large number of production pipelines.
The defenses are standard supply chain hygiene applied to new artifacts. Pin and hash-verify dependencies. Vet third-party MCP servers before granting scopes, and prefer registries that scan submissions. Review tool descriptions the way you review code, because for an agent they function as executable trust. Platforms with managed MCP integration reduce part of this burden by limiting agents to scoped, vetted server connections, though the vetting responsibility never fully disappears.
Most weak agent deployments do not fail because the underlying model is uniquely reckless. They fail because the surrounding system was designed like a prototype and then promoted into production.
The first mistake is treating the agent as an application feature rather than as a new operational identity. Once an agent can access a CRM, a code repository, a ticketing queue, or an internal knowledge base, it is no longer just software that generates text. It is a non-human actor with standing privileges. Security teams already know how dangerous ungoverned service accounts can be. Agents multiply that problem because they pair machine credentials with probabilistic decision-making.
The second mistake is collapsing retrieval, reasoning, and execution into one unbroken loop. That architecture is attractive because it is fast to demo. It is also the design most likely to turn bad context into bad action. A safer pattern splits the pipeline into stages: ingest untrusted material, classify and sanitize it, let the model produce a proposal, and then send the proposal through a deterministic enforcement layer before anything with side effects happens. Google’s Secure AI Framework guidance for agents points in that direction by emphasizing layered boundaries, controlled access, and defense in depth around agent behavior rather than relying on model behavior alone.
The third mistake is assuming auditability can be added later. By the time a team discovers that an agent took the wrong action, the missing context is often exactly what would have made the incident explainable: which retrieved documents shaped the plan, which tools were offered, which ones were selected, what parameters were passed, whether the model retried, and what policy checks were bypassed or absent. If those signals are not captured from the start, post-incident analysis becomes guesswork.
The fourth mistake is confusing benchmark competence with permission readiness. An agent that can complete a benchmark or use a browser impressively is not automatically ready for unreviewed access to production systems. Capability benchmarks tell you what the model can sometimes do. Security architecture has to assume variance, ambiguity, and attacker pressure. Those are different questions.
Prompt injection is an attack where malicious instructions are placed inside content an AI system processes, causing it to follow the attacker’s commands instead of the operator’s. Because language models cannot reliably separate instructions from data, anything the model reads can steer it. Direct injection comes from a hostile user message. Indirect injection hides instructions in emails, webpages, or documents the system retrieves.
Yes, but only because most agents now have real permissions behind them. Indirect prompt injection is where it usually happens. The agent reads something it trusts, a document, a webpage, or a ticket, and that content carries hidden instructions. The agent follows them. A read-only agent getting injected is annoying. An agent that can write to your database, access memory across sessions, or send emails on your behalf getting injected is a security incident. The injection itself is not the problem. The permissions are.
No reliable complete prevention exists today, which is why guidance from OpenAI, Microsoft, and OWASP treats prompt injection as an open problem. The working defense is layered, which means treating external content as hostile, separating planning from execution, and gating high-risk actions behind deterministic policy checks or human approval. Platforms like YourGPT implement that last layer with policy-gated workflows and human handoff on consequential actions.
Agentic AI security is the practice of protecting autonomous AI systems that plan and take actions through tools, not just generate text. It covers the full execution path, including the content an agent reads, the tools and permissions it holds, its memory, and its runtime behavior. The field treats the agent as a privileged actor whose actions need identity controls, policy gates, and monitoring.
The lethal trifecta is Simon Willison’s term for the combination that makes an agent exploitable, which is access to private data, exposure to untrusted content, and the ability to communicate externally. No single element is dangerous alone. Together they let one hidden instruction trigger data exfiltration. Removing or constraining any one leg, such as blocking external egress, breaks the attack path.
It is the first peer-reviewed security framework written specifically for autonomous AI agents, published by OWASP in December 2025 with more than 100 contributors. It names the ten highest-impact agentic risks, including goal hijack, tool misuse, identity and privilege abuse, supply chain compromise, and memory poisoning. Enterprise security questionnaires already reference its ASI codes, so teams shipping agents should map their controls to it.
They are safe only with vetting and scoped permissions. MCP servers run inside high-trust agent toolchains, and the first confirmed malicious MCP package appeared on npm in September 2025. Before connecting one, verify the publisher, pin versions, grant the narrowest scopes possible, and prefer read-only access where write is not needed. Managed platforms such as YourGPT reduce this burden by limiting agents to scoped, vetted MCP connections.
No. They should avoid giving broad autonomy to weakly bounded systems. Narrow agents with scoped permissions, deterministic action controls, runtime monitoring, and human review for consequential actions can be useful today. What fails is the idea that one general agent should have standing access to many systems with minimal supervision.
Review identity design, tool permissions, action approval thresholds, memory retention and write controls, logging completeness, fallback behavior, and red-team results against agent-relevant attack paths. If the team cannot explain how the agent handles indirect prompt injection, excessive tool use, and high-impact action gating, it is not ready.
The mature view of AI agent security is harder than the common one, but more useful. The main problem is not that models sometimes say unsafe things. The main problem is that agents can be steered by hostile content, act with too much authority, preserve bad state, and take side effects in systems built on the assumption that the caller was either deterministic code or a human user.
That is why the strongest agent security programs are moving away from prompt-centric thinking. They are building identity boundaries, policy-enforced tools, scoped memory, runtime interception, and incident-ready audit trails. They assume the model will occasionally be wrong, manipulated, or strategically unhelpful, and they design the surrounding system so that those failures remain containable.
Regulators are moving in the same direction. In January 2026, NIST opened the first formal US government request for information specifically on AI agent security, an early signal that these controls are headed toward compliance expectations rather than staying optional best practice.
That is the standard that matters now. Not whether an agent can complete an impressive demo, but whether it can operate inside a security architecture that remains defensible when the environment turns adversarial.

TL;DR OpenAI shipped workspace agents inside ChatGPT Business and Enterprise in April 2026, giving the product the ability to plan multi-step work and act inside connected tools. The update narrows the gap between ChatGPT and dedicated AI agents for internal work, but it does not replace customer-facing support platforms. Workspace agents live in the ChatGPT […]


AI has become part of how modern SaaS products operate in everyday use. It appears in small but meaningful moments, such as when a support request is resolved without delay, when onboarding adapts to how a user actually works, or when routine account changes happen without manual intervention. These experiences shape how teams and customers […]


Customer conversations have become one of the most important parts of the customer experience, but they are also one of the hardest to scale. Businesses today are expected to provide instant responses across websites, messaging apps, social media, and support channels without significantly increasing support costs or team size. This shift has made Chatbot as […]


TL;DR AI voice agents have moved past answering questions to resolving real issues and completing tasks across business systems, working from a caller’s intent instead of a fixed script. Five trends define where the technology stands in 2026: real-time adaptive conversations, emotion-aware responses, full-duplex interaction, multilingual and accent handling, and brand-level voice personalization. The payoff […]


TL;DR Validating an AI project helps teams understand how it performs before production. A structured validation process covers user intent, knowledge, task completion, safety boundaries, and overall reliability, making it easier to deploy agents with clear expectations and measurable performance. Building an agent used to be the hard part. Deloitte’s research found that only 11% […]


TL;DR AI chatbots are transforming ecommerce by handling order tracking, returns, customer support, and sales conversations in real time. However, many brands fail because their chatbots rely on static FAQs instead of live store data, leading to poor customer experiences. This blog explains how successful brands use AI chatbots to improve support, recover revenue, and […]
