Adversaries used to need hours, sometimes days, to move from initial access to impact. Not anymore. Mandiant's M-Trends 2026 report documents attackers collapsing that window to as little as 22 seconds, operating at machine speed, adapting in real time, and targeting the gaps that security teams haven't closed yet.
At the same time, enterprises are handing autonomous AI agents the keys to their infrastructure. Not just access to data, but the ability to read emails, write code, call APIs, trigger transactions, and operate across systems continuously and without human review of every action. By the end of 2026, Gartner predicts that 40% of enterprise applications will include task-specific AI agents, up from less than 5% in 2025.
These two trends are on a collision course. And most security teams are underprepared for what happens when they meet.
This post is not about AI safety in the abstract. It's about the concrete, specific security risks that emerge when AI systems gain the ability to act, and why the frameworks your team already uses aren't sufficient to address them. We'll work through five risks that deserve immediate attention, with enough technical depth to be actionable and enough real-world grounding to make the stakes clear.
Why agentic AI breaks your existing security assumptions
Most AI security today was built for a world of inputs and outputs. A user submits a prompt, the model returns a response, your security tools inspect that exchange. The blast radius of a compromised interaction is limited: sensitive data leaked through an output. Bad, but contained.
Agentic AI operates on different principles entirely. These systems have memory, retaining context across sessions rather than just within a single conversation. They have tools: integrations with email, calendars, databases, code environments, financial systems. They have autonomy, meaning the ability to plan and execute multi-step tasks without human review at each step. And increasingly, they operate within networks of other agents, handing off work, calling sub-agents, and making decisions that cascade through enterprise systems in ways that are difficult to trace.
When something goes wrong in a stateless AI model, you can usually find the bad input and remove it. When something goes wrong in an agentic system, the failure mode can persist across sessions, propagate across agent networks, and manifest in business outcomes, not just model outputs, before anyone notices.
A 2025 survey by Cyber Security Tribe found that 59% of organizations said implementing agentic AI in their security operations was "a work in progress." For the remaining 41% who weren't even that far along, the risks were already present. The agents were already deployed.
You Can't Secure What You Can't See
Before walking through specific threats, there is a foundational problem that makes every subsequent risk significantly harder to manage: shadow AI.
Organizations that believe they have a dozen agents in production often discover they have fifty or more when they actually conduct discovery. The agents exist, they have access to enterprise data and systems, and the security team has no visibility into what they are doing or how they are configured.
Shadow AI compounds every risk that follows. Memory poisoning affects agents you don't know are running. Tool misuse happens through integrations you didn't approve. Privilege escalation occurs with permissions you never reviewed. Cascading failures propagate through agent networks you didn't architect. Supply chain attacks compromise frameworks you didn't vet. And identity-based attacks exploit agents operating under credentials you never intended to delegate.
The security implication is direct: an inventory of deployed agents is not a nice-to-have preliminary step. It is the prerequisite for everything else. You cannot threat model what you cannot see. You cannot enforce least-privilege on agents you don't know exist. You cannot monitor behavior you don't know is happening.
With that framing in mind, here are the five risks that deserve to be at the top of your list, recognizing that each becomes exponentially harder to manage when shadow AI means you are working from an incomplete picture of your actual exposure.
1. Memory poisoning, the slow-burn threat most teams miss
Agentic systems retain context, learn from past interactions, and use accumulated memory to inform future decisions. That's what makes them useful. It's also what makes them uniquely vulnerable.
Memory poisoning is an attack that exploits this persistence. Rather than targeting a single interaction with a malicious prompt, an attacker plants manipulated data in the agent's memory, through a poisoned document it ingested, a compromised data source it regularly polls, or a crafted input early in a long-running session. The payload doesn't trigger immediately. It sits in memory and influences the agent's future reasoning: skewing decisions, surfacing incorrect information to downstream workflows, or gradually shifting behavior in ways that look like drift rather than compromise.
This is why OWASP's Top 10 for Agentic Applications placed memory poisoning among the top three concerns specific to agentic AI. Unlike prompt injection or data exfiltration, memory poisoning can persist across sessions and affect decision logic over time. This makes it very difficult to detect and nearly impossible to remediate without understanding exactly what was poisoned and when.
What to do: Implement session memory isolation: don't allow agent memory to accumulate indefinitely without validation checkpoints. Maintain forensic memory snapshots so you can roll back to known-good states. Validate data sources before they feed into agent context, and treat agent memory as a security surface that deserves the same scrutiny as any other persistent data store. Network-level AI security platforms like Lumia can help with the input validation piece, inspecting content, context, and intent before it reaches agent memory to prevent poisoned data from entering the system in the first place.
2. Tool misuse and privilege escalation turn agents into attack vectors
Agentic AI gets its value from tool integrations. An agent that can only generate text is a chatbot. An agent connected to your email system, your calendar, your CRM, your code deployment pipeline, and your financial systems is genuinely transformative, and genuinely dangerous if compromised.
The risk comes from two compounding factors. First, agents are often provisioned with permissions at the user level, inheriting the full access rights of whoever deployed them. Second, those tool integrations create enormous surface area for manipulation. An attacker who can influence what an agent does, through a crafted prompt, a poisoned data source, or a malicious tool response, can effectively use the agent to act on their behalf, with legitimate credentials, inside systems that were designed to trust the agent's activity.
This risk is particularly acute for shadow AI deployments: an agent provisioned by a business unit may inherit the deploying user's full organizational access without any review of whether that scope is appropriate for the agent's actual function.
What to do: Apply least-privilege principles to every agent identity, treating agent permissions as distinct from user permissions even when they operate on behalf of a user. Implement guardrails that enforce function-level policies on tool calls: an agent managing your calendar should not be able to call your payment APIs, regardless of the permissions its underlying user identity holds. These guardrails should operate in real time, validating tool invocations against expected behavior patterns and blocking unauthorized calls before they execute. Network-level AI policy enforcement tools can provide this runtime protection, intercepting policy violations at the network layer rather than relying on post-hoc logging.
3. Prompt injection, now with real-world consequences
Prompt injection has been on security teams' radar for a few years. At its core, the attack is simple: an adversary crafts input designed to override the agent's instructions, redirect its behavior, or extract information it shouldn't reveal. Against a chatbot, this is a significant problem. Against an agent, it's a critical one.
A prompt injection against a chatbot might extract system prompt contents or produce off-policy responses. A prompt injection against an agent that can send emails, execute code, call APIs, and access file systems can result in data exfiltration, unauthorized transactions, or system compromise, triggered entirely by text.
Indirect prompt injection is the more insidious variant. Rather than injecting through user input, an attacker embeds malicious instructions in content that the agent will encounter during its normal operations. The agent encounters the injection as part of its environmental context, not as explicit user input, which means the user never touched the malicious content at all.
What to do: The important control is continuous monitoring of prompts and responses by dedicated security tooling that understands AI interactions. Implementing this internally is not easy - go for a dedicated solution that analyzes the content, context, and intent of what's being sent to and returned from agents, detecting manipulation attempts that metadata-only monitoring would miss entirely. Pair this with defense-in-depth: treat external content (web pages, documents, emails) as untrusted by default, and add human-in-the-loop gates for high-consequence actions that could be triggered by injected instructions. But recognize that input validation alone is insufficient - you need runtime visibility into what agents are actually being instructed to do.
4. Cascading failures in multi-agent systems
Single-agent systems are complex. Multi-agent systems, where networks of specialized agents collaborate, delegate, and hand off work, are a different order of magnitude. And their failure modes are correspondingly harder to detect and contain.
The core problem is propagation speed. In a human organization, a bad decision moves slowly: it goes through review, generates visible artifacts, requires sign-off at multiple points. In a multi-agent system, a single compromised or manipulated agent can pass corrupted context, bad instructions, or poisoned data to every downstream agent in its network before any human observer notices that something is wrong.
This is the "agent communication poisoning" threat that the OWASP Agentic Applications framework specifically calls out. Attackers who can manipulate inter-agent communication channels can spread misinformation through an entire agent ecosystem without ever directly compromising the orchestration layer or the underlying models. They just need one entry point.
The attribution problem compounds this further. When a multi-agent system produces a bad outcome, tracing it back to the original compromise requires visibility into every step of every agent's reasoning and communication, a level of observability that that most enterprise deployments don't currently have. Your SIEM shows the symptom. It doesn't show the chain of decisions that led there.
What to do: Treat inter-agent communication as a security surface requiring encryption, authentication, and integrity validation, not just an internal API call. Most critically, implement step-level logging of agent execution across the full chain, not just at the entry and exit points. The reality is that most organizations don't have this visibility today - their existing logging captures high-level events (an API was called, a transaction completed) but not the detailed chain of agent reasoning, tool invocations, and inter-agent handoffs that led to that outcome. Ensure that your dedicated agentic AI security solution provides this granular observability, monitoring each step of agent execution and creating audit trails that serve multiple purposes: compliance requirements, incident response investigations, and educating teams on how agents actually behave in production. Design agent networks with isolation boundaries so that a compromised agent cannot propagate freely to every downstream system.
5. Supply chain attacks on AI agent frameworks
If the previous risks focused on attacks against running agentic systems, supply chain attacks target something earlier in the lifecycle: the frameworks and components that development teams use to build those systems in the first place.
The pattern is familiar from software supply chain security. State-sponsored and financially motivated attackers have learned that compromising a widely-used component at the supply chain level is far more effective than attacking individual deployments. Instead of breaching one enterprise, you compromise one library and get access to everyone who uses it. The Salt Typhoon campaign against US telecommunications infrastructure demonstrated how patiently and invisibly these attacks can operate, moving undetected for over a year by using legitimate system tools to blend in with normal activity.
In an agentic context, the same logic applies to AI agent frameworks. An attacker who can inject adversarial logic into a popular open-source framework through a malicious contribution can reach thousands of enterprise deployments simultaneously, and affect how their agents handle tool calls, process context, and manage memory.
The detection challenge is severe. Supply chain compromises are designed to look like legitimate software. The malicious logic may remain dormant through testing environments and activate only under specific conditions in production. Standard security tooling that evaluates behavior rather than provenance will miss it entirely until activation. Shadow AI deployments compound this risk significantly: agents deployed by business units without security review are far less likely to be using vetted frameworks or following dependency management best practices.
What to do: Implement rigorous dependency management for all AI agent components, applying the same scrutiny you'd give to any third-party software in a production environment. Use software bills of materials (SBOMs) for agentic deployments. Monitor for behavioral anomalies in agent framework behavior, particularly around tool calls and external communications, that could indicate activated supply chain payloads.
Agentic Deployment Security Checklist
None of the risks above require exotic attack capabilities. They arise from the inherent properties of agentic systems, including their persistence, tool use, autonomy, and inter-agent communication, operating in enterprise environments that were designed for a different security model.
The good news is that they're addressable, with the right approach at the right point in the deployment lifecycle. Retrofitting security into a running agentic deployment is significantly harder than building it in from the start.
Before you deploy your next agentic workload, work through these five questions:
Have you inventoried all existing agents? As discussed earlier, shadow AI is the foundational problem that makes every other risk harder to manage. Before you can secure your agentic infrastructure, you need to know what's running and what they’re doing. Many organizations discover they have five to ten times more agents deployed than their IT teams were aware of. Conduct an agentic risk exposure assessment across low-code platforms, SaaS tools, and direct API integrations, not just formally approved deployments.
Have you threat modeled against the OWASP Agentic Top 10? The OWASP Top 10 for Agentic Applications, released December 2025, is the most comprehensive publicly available framework for systematic risk assessment. It should be the foundation of any agentic security program.
Does every agent have a distinct, least-privilege identity? Agent identities should not inherit user-level permissions by default. Define the minimum access each agent requires for its specific function and enforce it at the identity layer.
Do you have step-level observability into agent execution? Log aggregation at the input/output level is not sufficient for agentic systems. You need visibility into individual tool calls, sub-agent communications, and reasoning steps, not just the final action and outcome.
Where are your human-in-the-loop gates? Not every agent action requires human review. But high-consequence actions such as financial transactions, external communications, code deployments, and access provisioning should have defined escalation paths that require human confirmation before execution.
Agentic AI is not going to slow down. The organizations that benefit most from it will be those that build the governance and security infrastructure to support it safely, not those that restrict it or deploy it without guardrails. The risks above are real, but they're manageable with the right frameworks, the right tooling, and security teams that understand where the threat surface actually is.
If your organization is deploying agents, evaluating agentic workflows, or trying to understand where shadow AI already exists, now is the time to assess your exposure.
Book a demo today to see how we help enterprises discover, monitor, and secure agentic AI across their environment.
