Agentic AI Security: When AI Agents Become the Attack Target

Q: Is there a security standard for AI agents?

OWASP released its Top 10 for Agentic Applications in December 2025. NIST is working on the Cybersecurity AI Profile (IR 8596). Both are currently the best reference frameworks for securing agent deployments.

4 min Reading Time

AI agents act autonomously: they call APIs, write to databases, send emails, and make decisions without human approval. According to Gartner, by the end of 2026, over 40 percent of enterprise applications will integrate such agents. At the same time, 68 percent of organizations lack identity security controls for AI systems (CyberArk 2025). Attackers have taken notice: EchoLeak, a zero-click vulnerability in Microsoft 365 Copilot with a CVSS score of 9.3, required only a single sent email to access all connected data sources.

TL;DR

🔒 68 percent of organizations have no identity security controls for AI systems (CyberArk 2025).
⚠️ Over 40 percent of all agentic AI projects will be abandoned by the end of 2027 (Gartner, June 2025).
🛡️ Prompt injection ranks as the No. 1 risk in the OWASP Top 10 for LLM Applications, with success rates between 57 and 84 percent.
📊 EchoLeak (CVE-2025-32711): A zero-click attack on Microsoft 365 Copilot, CVSS 9.3.
🔧 OWASP released its own Top 10 for Agentic Applications in December 2025.

Why Agents Have a Different Risk Profile

Traditional LLMs are question-and-answer systems – they generate text. An AI agent, however, takes action: it can delete files, change passwords, execute code, call other systems, and commission additional agents. A compromised agent isn’t just a chatbot spouting nonsense – it’s a compromised employee with API access.

McKinsey’s State of AI 2025 reports that 23 percent of companies are already scaling at least one agentic AI use case, with another 39 percent experimenting. Gartner predicts that by the end of 2026, over 40 percent of enterprise applications will integrate task-specific AI agents, up from less than 5 percent in 2025. Adoption is exploding. Security measures are not.

CyberArk quantifies the gap: 68 percent of organizations lack identity security controls for AI systems, and 47 percent cannot secure shadow AI. Machine identities now outnumber human identities by a factor of 82 to 1. Every agent represents another machine identity with potentially privileged access.

68 %

no AI identity controls

82 : 1

Machine vs. Human Identities

> 40 %

Projects abandoned by 2027

Sources: CyberArk 2025, Gartner June 2025

The Four Most Dangerous Attack Vectors

1. Prompt Injection. Attackers manipulate agents via hidden instructions embedded in documents, emails, or websites processed by the agent (indirect prompt injection). OWASP has listed prompt injection as the No. 1 risk for two years running. Success rates are alarming: NIST documents a 57 percent success rate across five different injection tasks. In AI coding editors like GitHub Copilot, specialized frameworks achieve up to 84 percent. Even after applying all protective measures, Google Gemini remains 53.6 percent vulnerable.

Real-world incident: EchoLeak (CVE-2025-32711). Microsoft 365 Copilot contained a zero-click vulnerability with a CVSS score of 9.3. An attacker merely had to send an email – no clicks, no phishing link required. The flaw combined a CSP bypass with an LLM scope violation, enabling access to all data sources connected to the agent.

2. Tool Poisoning and MCP Attacks. The Model Context Protocol (MCP) is the new standard for AI agents to integrate external tools. Attackers hide malicious instructions in tool descriptions, visible to the LLM but not to the user. In 2025, Invariant Labs demonstrated how a malicious MCP server could exfiltrate a user’s entire WhatsApp history. A study on arXiv reveals that 5 percent of open-source MCP servers are already rigged with tool-poisoning attacks.

3. Excessive Agency. Agents often have more permissions than they need. OWASP identifies three root causes: too many functions (the agent can do more than required), overly broad permissions (tools operate with admin rights instead of least privilege), and excessive autonomy (high-risk actions without human oversight). The principle of least privilege – a long-standing standard in cloud security – is systematically ignored in agent deployments.

4. Supply-Chain Attacks on Agent Infrastructure. In August 2025, malicious versions of the NX package were distributed via NPM after the manufacturer’s GitHub account was compromised. The attacker leveraged locally installed AI tools like Claude and Gemini to exfiltrate sensitive data from development environments. AI agents aren’t just targets – they’re tools for supply-chain attacks.

“Agents should only be granted the minimal autonomy necessary for clearly defined tasks.”
OWASP Top 10 for Agentic Applications, core principle of “Least Agency” (December 2025)

OWASP Agentic Top 10: The New Framework

In December 2025, OWASP released a dedicated Top 10 list for Agentic Applications, separate from its classic LLM Top 10. Over 100 security researchers spent more than a year developing it. The list defines ten risk categories specific to autonomous agents, ranging from Agent Goal Hijack (redirecting an agent’s objective via prompt injection) to Tool Misuse (unintended abuse of legitimate tools), Cascading Failures (errors propagating through automated pipelines), and Human-Agent Trust Exploitation (agents deceiving operators with convincing explanations).

For IT security teams, the OWASP Agentic Top 10 is the most critical reference framework for evaluating agent deployments. It provides concrete mitigations for each risk category, grounded in documented incidents rather than theory.

What IT Security Teams Should Do Now

1. Create an agent inventory. Which AI agents are running in your organization? Which tools can they access? What data can they read and write? Forty-seven percent of organizations can’t secure shadow AI. You can’t protect what you don’t know exists.

2. Enforce least agency. Grant each agent only the permissions it needs for its specific task. No admin tokens, no full-access API keys, no unrestricted filesystem access. Require human-in-the-loop approval for high-risk actions.

3. Audit MCP servers. Which external tools are connected via MCP? Who operates them? Have the tool descriptions been reviewed? Five percent of open-source MCP servers are already compromised. Use only verified, self-hosted, or audited MCP servers.

4. Identity controls for agents implementieren. Treat every agent as a machine identity: assign unique credentials, enforce rotation, and monitor separately. Never pass through the credentials of the human user.

5. Define incident response for agent compromise. What happens if an agent is manipulated? How is it isolated? Which actions need to be rolled back? Agent incidents escalate faster than human ones because agents act faster than people can react.

Conclusion: Agents Are Employees with API Access

AI agents aren’t chatbots – they’re autonomous actors with system access. Every agent requires the same security treatment as a privileged employee: identity controls, least privilege, monitoring, and incident response plans. Organizations deploying agents in 2026 without these fundamentals aren’t building innovation – they’re building attack surfaces.

Frequently Asked Questions

What distinguishes an AI agent from a chatbot?

A chatbot generates text. An agent takes action: it calls APIs, writes to databases, sends emails, and makes decisions autonomously. A compromised agent can cause real damage, not just produce incorrect text.

What is prompt injection?

Attackers embed instructions in data processed by the agent (documents, emails, websites). The agent executes these instructions as if they came from the user. Success rates range from 57 to 84 percent, depending on the system and method.

What is the Model Context Protocol (MCP)?

A standard for AI agents to integrate external tools. Attackers can hide malicious instructions in MCP tool descriptions. Five percent of open-source MCP servers are already compromised.

Is there a security standard for AI agents?

OWASP released its Top 10 for Agentic Applications in December 2025. NIST is working on the Cybersecurity AI Profile (IR 8596). Both are currently the best reference frameworks for securing agent deployments.

What should I do first?

Start with an agent inventory (identify which agents are running and which tools they use), then enforce least agency (minimal permissions) and audit MCP servers. Without an inventory, there can be no security.