AI Security BriefTHREAT INTELLIGENCE
AI Threats

Agentic AI Security Risks: What Every Developer Must Know

7 minAI Security Brief

Autonomous AI agents are now embedded in enterprise workflows with privileged access to databases, APIs, and critical systems — but the security infrastructure governing them hasn't kept pace. Here's what developers and security teams need to understand right now.

Two years ago, the security conversation around AI centred on chatbots leaking system prompts. In 2026, the stakes are orders of magnitude higher. Autonomous AI agents — systems that reason, plan, and act across enterprise infrastructure without per-action human approval — are now deployed in production at 80% of Fortune 500 companies. They query databases, call external APIs, execute code, send emails, and modify cloud configurations. They do this at machine speed. And only 21% of executives report complete visibility into what their agents are doing.

This is not a future risk. It is the current exposure profile for most organisations that have deployed agentic AI. The attack surface created by autonomous agents is qualitatively different from anything that preceded it, and the frameworks — OWASP, NIST, and emerging vendor guidance — are struggling to keep pace with deployment velocity.

The Anatomy of an Agentic Attack Surface

To understand why agentic AI introduces fundamentally new security risks, you need to understand how agents operate. Unlike a static chatbot, an AI agent follows an observe-orient-decide-act loop: it perceives its environment (through tool calls, document retrieval, and API responses), reasons about what to do next, and executes actions — often triggering further agent invocations in multi-agent pipelines.

This architecture creates three distinct vulnerability surfaces that do not exist in non-agentic AI deployments:

Excessive data access. Agents require broad access to function effectively. Organisations average 15,000 stale-but-enabled accounts with over 31,000 stale permissions (Varonis 2025 State of Data Security). Every deployed agent adds a non-human identity to this sprawling attack surface. Tenable's 2026 Cloud and AI Security Risk Report found that 18% of organisations have granted AI services administrative permissions that are rarely audited — creating a pre-packaged privilege catalogue for any attacker who compromises the agent.

Uncontrolled data usage. Research shows that 27% of organisations admit more than 30% of information sent to AI tools contains private data, including Social Security numbers, medical records, and intellectual property. A further 17% have no visibility into what employees share with AI systems at all. Once this data enters an external model's training pipeline, it cannot be retrieved or deleted.

Agent manipulation through prompt injection. This is the attack vector that makes everything else catastrophic. A compromised agent can exfiltrate thousands of records before any alert fires.

Prompt Injection in Agentic Workflows: The Lethal Trifecta

Prompt injection — ranked #1 on the OWASP Top 10 for LLM Applications 2025 — is dangerous in any AI system. In agentic systems, it becomes a control problem with irreversible consequences.

Security researcher Simon Willison identified what he calls the "lethal trifecta" for AI agent exploitability: an agent is exploitable by design when it simultaneously has access to private data, can execute actions with real-world consequences, and ingests untrusted external content. Every enterprise agent deployment with RAG or web-browsing capability meets this definition.

Indirect prompt injection — where malicious instructions are embedded in documents, emails, or web pages that the agent processes — is particularly insidious because it requires zero user interaction. Trend Micro demonstrated that multi-modal AI agents can be manipulated through hidden instructions in images or documents, causing sensitive data exfiltration without the user ever knowing it happened.

In February 2025, CVE-2025-32711 (EchoLeak) achieved zero-click data exfiltration from Microsoft 365 Copilot by exploiting indirect prompt injection through crafted emails. The attack bypassed Microsoft's Cross Prompt Injection Attempt classifier.

Tool-Use Vulnerabilities and Excessive Permissions

The principle of least privilege — so fundamental to traditional application security — is being systematically violated in agentic deployments. Agents are routinely granted permissions that far exceed what any individual task requires, because developers optimise for functionality over security, and because the operational overhead of fine-grained permission management for non-human identities remains poorly tooled.

Tenable found that non-human identities (AI agents, service accounts) now represent higher risk (52%) than human users (37%), forming "toxic combinations" of permissions and access that fragmented security tools fail to connect. Palo Alto Networks notes that autonomous agents outnumber humans 82-to-1 in enterprise environments — meaning the identity security problem has fundamentally changed in character.

The OWASP Top 10 for LLM Applications 2025 explicitly lists Excessive Agency (LLM08) as a critical risk category: the failure to constrain AI agents to the minimum permissions, actions, and data access required for their intended function.

Data Exfiltration Through Agents

The combination of privileged access, prompt injection vulnerability, and internet-facing tool calls creates a reliable exfiltration pathway. An attacker who can influence content that an agent will process — through a poisoned email, a manipulated web page, a tampered document — can instruct the agent to find, collect, and transmit sensitive data using the same legitimate channels the agent uses for authorised operations.

According to Proofpoint's 2025 Data Security Landscape report, 32% of organisations identify unsupervised data access by AI agents as a critical threat. These agents often operate as highly privileged "superusers," accessing sensitive data across cloud and hybrid environments with less oversight than any human employee would receive.

Shadow AI compounds the problem. 63% of employees who used AI tools in 2025 pasted sensitive company data — including source code and customer records — into personal chatbot accounts. The average enterprise has an estimated 1,200 unofficial AI applications in use, with 86% of organisations reporting no visibility into their AI data flows.

Supply Chain Risks in the AI Agent Ecosystem

If direct attacks on AI agents represent the immediate threat, supply chain attacks against AI infrastructure represent the strategic, structural threat. The February 2026 ClawHavoc incident — in which Antiy CERT confirmed 1,184 malicious skills across ClawHub, the package registry for the OpenClaw AI agent framework — demonstrated how the software supply chain attack model transfers directly to AI agent ecosystems.

SecurityScorecard found 135,000 OpenClaw instances exposed to the public internet with insecure defaults. The distinction from traditional software supply chain attacks is privilege: a compromised dependency in a web application runs in a sandboxed runtime. A compromised AI agent skill runs with whatever permissions the agent has been granted.

The NIST AI Agent Standards Initiative, launched in February 2026, acknowledged the urgency: NIST's Center for AI Standards and Innovation (CAISI) has called for industry-led development of agent standards and published a Request for Information on AI agent security threats.

What Developers Must Do Now

The OWASP Top 10 for LLM Applications 2025 provides actionable guidance. For agentic systems specifically, the minimum viable security posture includes:

Implement least privilege by default. Every agent should have the minimum permissions required for its specific function. Permissions should be scoped, short-lived, and regularly audited. Treat every AI agent identity with the same rigour applied to privileged human accounts.

Isolate trust boundaries. Data retrieved from external sources must be treated as untrusted input, not as instructions. Implement architectural separation between the instruction channel (system prompts, developer configuration) and the data channel (retrieved documents, web content, user input).

Monitor agent behaviour in production. Log all tool calls, data accesses, and external communications. Treat behavioural anomalies in agent activity with the same urgency applied to anomalous human user behaviour.

Audit your AI supply chain. Apply the same scrutiny to AI agent skills, plugins, and MCP servers that you apply to npm packages and Python dependencies.

The organisations that will avoid the next generation of AI-enabled breaches are not those waiting for a mature governance standard. They are those applying existing security principles — least privilege, defence in depth, zero trust — to a new class of privileged non-human identity.

Key Takeaways

  • 80% of Fortune 500 companies now deploy active AI agents, yet only 21% have complete visibility into agent permissions and data access patterns.
  • Prompt injection (#1 on OWASP Top 10 for LLM 2025) enables zero-click data exfiltration in agentic systems — demonstrated in CVE-2025-32711 (EchoLeak) against Microsoft 365 Copilot.
  • 18% of organisations have granted AI services administrative permissions that are rarely audited, per Tenable's 2026 Cloud and AI Security Risk Report.
  • The ClawHavoc supply chain attack compromised 1,184 malicious skills in the OpenClaw agent ecosystem, exposing ~135,000 internet-facing instances.
  • NIST's AI Agent Standards Initiative (launched February 2026) and the OWASP Top 10 for LLM 2025 provide the current frameworks for agentic AI security governance.

References

  1. OWASP — Top 10 for LLM Applications 2025: Prompt injection, excessive agency, supply chain vulnerabilities for AI systems. https://genai.owasp.org/llm-top-10/

  2. NIST — AI Agent Standards Initiative (February 2026): CAISI launches framework for interoperable and secure AI agent deployment. https://www.nist.gov/news-events/news/2026/02/announcing-ai-agent-standards-initiative-interoperable-and-secure

  3. Tenable — Cloud and AI Security Risk Report 2026: 86% of organisations host third-party packages with critical CVEs; non-human identities carry higher risk than humans. https://www.tenable.com/press-releases/tenable-research-reveals-growing-ai-exposure-gap-fueled-by-supply-chain-risks-and-lack-of-identity-controls

  4. Kiteworks — AI Agents Are the Biggest Data Security Threat You're Not Governing: 32% of organisations cite unsupervised agent data access as critical; Trend Micro zero-click exfiltration demo. https://www.kiteworks.com/cybersecurity-risk-management/ai-agents-ungoverned-data-security-threat/

Stay ahead of AI security threats. Subscribe to the AI Security Brief newsletter for weekly intelligence on AI-powered attacks, privacy tools, and defence strategies. Subscribe now →

Filed under:AI Threatsagentic AI security risksautonomous AI agents security
Back to all articles
Related Intelligence
AI Threats

How AI Is Being Used to Launch Cyberattacks in 2026

AI has crossed a threshold in 2026 — adversaries are no longer just using it to write phishing emails. Autonomous attack agents, AI-generated malware, and deepfake social engineering are redefining the threat landscape at machine speed.

6 minAI Security Brief
AI Threats

AI Model Prompt Injection Attacks Explained

Prompt injection is the #1 vulnerability in deployed AI systems — and unlike traditional software flaws, it cannot be patched. Here's how direct and indirect attacks work, real-world exploits from 2024–2026, and the defence strategies that actually reduce risk.

7 minAI Security Brief
Privacy

Australia's Privacy Act Reforms 2026: What You Need to Know

Australia's Privacy Act has undergone its most significant overhaul since 1988 — with new penalties reaching $50 million, mandatory disclosure of AI decision-making systems, and a new statutory tort for serious privacy invasions. Here's what changed and what it means for your organisation.

7 minAI Security Brief