AI/ML, AI benefits/risks, Application security

A proactive approach to Agentic AI security


COMMENTARY: Picture this: The HR team springs into action after the CEO mandates that every division find new ways to optimize with AI. Under the guidance of the chief people officer, a technically savvy new hire builds and deploys a cutting-edge AI agent to automate bi-annual review cycles, schedule interview loops, and send friendly birthday greetings to employees.

One day, the agent, interpreting a vague “connect the team” request, sends out calendar invites for an urgent “All-Hands Skills Alignment Workshop” … to every employee, interview candidate, customer, and partner. Within minutes, recruiters are fielding confused calls, sales is frantically cancelling appointments with prospects, and the marketing team wonders why half its partner network just RSVP’d “yes.”


The fallout? Confusion, embarrassment, and a few awkward coffee chats. It's a slightly silly example that underscores a serious point: when AI agents are empowered to take autonomous action, even minor misalignments can lead to unwanted outcomes. The more independent these systems become, the more crucial it becomes to understand and secure them.

Everybody talks about Agentic AI these days, but what is it really? AI agents are custom software components designed to interact with GenAI, data stores, and productivity tools to perform autonomous, goal-driven activities, often without human oversight.

What’s behind Agentic AI?

An Agentic AI system collects data and telemetry from tools, APIs, and sensors to identify what’s happening in real time. It uses the “reasoning” power of large language models (LLMs) to analyze that data, interpret goals, and determine which actions to take.

This can include updating records, sending messages, or triggering automations. Agentic AI maintains memory using stored context, so the system can recall facts, past interactions, and patterns. Over time, the system compares outcomes against objectives to “learn” what works without constant human direction.

Because Agentic AI systems can take action without direct oversight, their risk profile is different from that of stand-alone GenAI tools. Many AI agents are designed to work with autonomy, so small mistakes can scale quickly: what’s a single misdirected email for a human could become thousands of automated actions for an AI agent.

It’s also important to consider that agents connect to tools and sensitive data repositories through standards such as the Model Context Protocol (MCP), via MCP integrations and MCP servers. If a connected server is compromised or hosts malicious tools, confidential data can be exposed.

These systems require a modern blend of traditional cybersecurity best practices, AI-specific safeguards and tools, and strong governance. The following quick-hit guide offers a starting point.

  • Define the mission with precision: Clearly document what the agent is authorized to do and what’s explicitly off-limits. Treat every integration point as a potential attack surface. Harden LLMs, APIs, plugins, connectors, and MCP integrations through rigorous input validation, least-privilege access controls, and strong authentication and authorization. MCP servers and tools deserve special attention. Conduct formal threat modeling to uncover potential misuse scenarios, monitor continuously for tampering or unauthorized changes, and maintain an approved list of trusted tool sources.
  • Deploy layered guardrails: Technical and procedural measures such as prompt sanitization to block injection attacks and behavioral anomaly detection to identify drift or deviation should work together as defense in depth. Move beyond standard AI risk checklists by explicitly threat modeling for autonomy. Assess risks unique to multi-step, self-directed decisions, including indirect prompt manipulation, cascading system effects, and “reasonable” but unsafe inferences an agent might make. Memory and knowledge bases require the same rigor as any sensitive data store. Because vector databases and retrieval augmented generation (RAG) pipelines are often targets for data poisoning or unauthorized access, teams should encrypt them at rest and in transit, govern them by strict access policies, and practice continuous monitoring for unusual queries. The same applies to data lakes and lakehouses, which often act as an agent’s information backbone. Monitor for data exfiltration and enforce governance policies around which datasets an agent can read or modify.
  • Red-team all Agentic AI systems: Test them as the team would any mission-critical application. Simulate malicious prompt injections (both direct and indirect), compromised MCP tools, and other plausible exploits before attackers do. Require a human in the loop before execution of any high-impact or irreversible action, such as financial transfers, legal filings, HR changes, or security modifications. Finally, maintain visibility through continuous monitoring, auditing, and discovery. Keep tamper-resistant logs for forensic analysis and regularly inventory every agentic capability in the environment, whether homegrown or introduced by third-party tools, to ensure governance keeps pace with innovation.
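The guide above asks for an explicit definition of what the agent may do, least-privilege limits on each integration, a human approver for high-impact actions, and tamper-resistant logs. The following is an added example, not code from the column or from any product it mentions, of a policy gate that sits between an agent's reasoning step and its tool calls and enforces all four. The tool names, the `example.com` domain, the recipient caps, and the sample calls are constructed for illustration; a real deployment would load the policy from a reviewed configuration and ship the audit log to write-once storage.

```python
"""Policy gate for an AI agent's tool calls (constructed example).

Each action the agent proposes is checked against an allowlist of tools and
actions, a per-tool blast-radius limit, and a human-approval rule for
high-impact actions, then recorded in a hash-chained audit log so that any
later edit to the history is detectable.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field

# Hypothetical tool registry: only tools listed here may be called at all.
# Each entry names the permitted actions and caps their reach.
TOOL_POLICY = {
    "calendar": {
        "actions": {"create_event"},
        "max_recipients": 25,                # stops a "connect the team" blast
        "allowed_domains": {"example.com"},  # internal staff only
    },
    "email": {
        "actions": {"send_birthday_greeting"},
        "max_recipients": 1,
        "allowed_domains": {"example.com"},
    },
    "hr": {
        "actions": {"update_record"},
        "max_recipients": 1,
        "allowed_domains": {"example.com"},
    },
}

# Irreversible or high-impact actions: a named human must approve first.
REQUIRES_HUMAN = {("hr", "update_record")}


@dataclass
class ToolCall:
    tool: str
    action: str
    recipients: list[str] = field(default_factory=list)


@dataclass
class Decision:
    outcome: str  # "allow", "deny", or "needs_approval"
    reason: str


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(prev: str, record: dict) -> str:
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "record": record,
                             "hash": self._digest(prev, record)})

    def verify(self) -> bool:
        """Return False if any entry was altered or the chain was broken."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["record"]):
                return False
            prev = e["hash"]
        return True


def evaluate(call: ToolCall, approved_by: str | None = None) -> Decision:
    """Decide whether a proposed tool call is within policy; executes nothing."""
    policy = TOOL_POLICY.get(call.tool)
    if policy is None:
        return Decision("deny", f"tool {call.tool!r} is not on the allowlist")
    if call.action not in policy["actions"]:
        return Decision("deny", f"action {call.action!r} not permitted for {call.tool!r}")
    if len(call.recipients) > policy["max_recipients"]:
        return Decision("deny", f"{len(call.recipients)} recipients exceeds cap {policy['max_recipients']}")
    external = [r for r in call.recipients if r.rsplit("@", 1)[-1] not in policy["allowed_domains"]]
    if external:
        return Decision("deny", f"recipients outside allowed domains: {external[:3]}")
    if (call.tool, call.action) in REQUIRES_HUMAN and not approved_by:
        return Decision("needs_approval", "high-impact action requires a human approver")
    return Decision("allow", "within policy")


def gate(call: ToolCall, log: AuditLog, approved_by: str | None = None) -> Decision:
    """Evaluate a call and record the decision before anything runs."""
    decision = evaluate(call, approved_by)
    log.append({"tool": call.tool, "action": call.action,
                "recipients": len(call.recipients), "approved_by": approved_by,
                "outcome": decision.outcome, "reason": decision.reason})
    return decision


if __name__ == "__main__":
    log = AuditLog()
    team = [f"user{i}@example.com" for i in range(3)]            # constructed
    everyone = team + [f"cand{i}@gmail.example" for i in range(40)]
    print(gate(ToolCall("calendar", "create_event", team), log))
    print(gate(ToolCall("calendar", "create_event", everyone), log))
    print(gate(ToolCall("hr", "update_record", ["user1@example.com"]), log))
    print(gate(ToolCall("shell", "exec"), log))
    print("log intact:", log.verify())
```

The gate is deliberately outside the model: the LLM proposes, the policy disposes, and the decision is logged whether or not the call proceeds. Checks run from cheapest and broadest (is this tool known at all?) to most specific, so an unknown MCP-exposed tool is refused before any of its arguments are inspected, and the recipient cap turns the opening scenario's company-wide blast into a single denied call.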

Sure, it’s easy to focus on the horror stories like the AI assistant that orders a pallet of rubber ducks or the “connect the team” mishap we referred to earlier. But with the right planning and strategy, Agentic AI doesn’t have to become a liability.

As CISOs, we have both the opportunity and the responsibility to shape how our organizations adopt Agentic AI. That means engaging early with engineering, data science, business owners, and product teams to build security in.

We should drive early risk assessments, validate integrations, implement prelaunch and runtime testing, and establish ongoing monitoring and governance. By taking an active role from the outset, we can ensure AI agents become secure, trustworthy assets that advance business goals without adding excessive risk.

Diana Kelley, chief information security officer, Noma Security

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
