Introduction
Problem Statement
Contemporary security frameworks address three primary domains: infrastructure security, application security, and AI model security. None adequately address the attack surface created when autonomous agents operate on behalf of users with delegated authority.
The agentic security gap
| Domain | Existing Coverage | Agentic Gap |
|---|---|---|
| Infrastructure | Network, compute, storage | Agent runtime environments lack specific controls |
| Application | Authentication, authorization, input validation | Assumes human-initiated requests with predictable patterns |
| AI Models | Training data, model integrity, output filtering | Addresses model behavior, not operational security |
Threat categories unique to agentic systems
Exfiltration via legitimate channels occurs when agents with valid permissions to read sensitive data and send communications are manipulated to transmit information to unauthorized recipients. Traditional Data Loss Prevention systems monitor egress channels but cannot evaluate the semantic intent behind agent-initiated transmissions.
Prompt injection and instruction hijacking exploit the fundamental mechanism by which agents interpret instructions. Malicious instructions embedded in documents, web pages, or API responses can redirect agent behavior. Unlike SQL injection, which exploits parsing vulnerabilities, prompt injection exploits the interpretive nature of language models.
Capability confluence emerges when individual permissions that are safe in isolation become dangerous in combination. An agent with read access to credentials, write access to configuration files, and the ability to schedule tasks possesses the capability set required for persistent backdoor installation, even though each permission individually appears benign.
Implicit delegation and permission inheritance create risk when agents inherit user permissions without the contextual judgment humans apply when exercising those permissions. A user who would never email confidential documents to external parties may authorize an agent that does so when manipulated.
Autonomous action without visibility makes forensic reconstruction difficult. Agents execute sequences of actions that may span multiple systems, sessions, and time periods. Without purpose-built observability, organizations lack the ability to reconstruct what occurred, why, and under whose authority.
Insufficiency of existing standards
| Standard | Primary Focus | Limitation for Agentic Systems |
|---|---|---|
| SOC 2 | Service organization controls | No agent-specific criteria |
| ISO 27001 | Information security management | Framework agnostic, no agentic guidance |
| ISO 42001 | AI management systems | Addresses AI governance, not operational security |
| NIST AI RMF | AI risk management | Guidance-oriented, not auditable controls |
| OWASP Top 10 for LLMs | LLM vulnerabilities | Model-centric, limited operational coverage |