
Agentic AI Security: New Dynamics, Trusted Foundations

Published 12/18/2025

Written by Michael Novack.

Contributed by Aiceberg.


Agentic AI - Why should you care?

Agentic AI isn’t just another tech buzzword; it represents a fundamental shift in how intelligent systems operate, make decisions, and interact with the world. As AI agents become more autonomous, they introduce both powerful opportunities and new risks that traditional security and governance can’t fully address. If you care about trust, compliance, and keeping humans in control, understanding agentic AI is essential.


How Do AI Agents Change Information Systems?

AI agents are redefining information systems by complementing the unique strengths of people and traditional applications, while introducing new capabilities that were previously out of reach.

  • PEOPLE - bring judgment, creativity, and ethical oversight, making them essential for defining objectives and managing complex, ambiguous situations.
  • APPLICATIONS - excel at automating repetitive, well-defined tasks with reliability and speed, but are limited by their fixed scope and dependence on structured input.
  • AI AGENTS - bridge these worlds by autonomously interpreting natural language instructions and orchestrating actions across diverse tools and data sources.

AI agents can tackle open-ended problems, dynamically adapt to changing needs, and automate multi-step processes that once required human intervention, such as personalized customer support, intelligent document summarization, or complex scheduling. The result is a more robust, adaptive information system, where people, applications, and AI agents work together: people provide vision and oversight, applications ensure efficiency and accuracy, and AI agents enable flexibility and scale, solving problems that static automation and human labor alone could not feasibly address.



Anatomy of an AI Agent

An AI agent is more than just a chatbot or a conversational interface—it is an autonomous system designed to bridge the gap between user intent (“what” the user wants) and effective execution (“how” to achieve that goal). Unlike traditional software, which follows rigid, pre-programmed workflows, an AI agent actively interprets high-level instructions from users, analyzes its available capabilities, and dynamically constructs a plan to accomplish the requested task. This orchestration happens in real time and adapts to each new input, environment, or constraint.

To achieve this, modern AI agents are typically granted access to several key resources:

  • Large Language Model (LLM) - The LLM serves as the agent’s core reasoning engine. It interprets natural language prompts, generates step-by-step plans, and adapts its actions based on evolving context. The LLM enables the agent to handle a wide range of user instructions and provides the foundational ability to “think” through problems in human-like language.
  • Tools - In the agent context, a “tool” is usually a traditional application or service accessed programmatically through APIs or specialized protocols like MCP. By invoking tools, agents automate complex workflows and interact with digital environments, extending their abilities beyond simple language generation.
  • Memory - Memory allows the agent to retain and recall information over time. This can include session-based short-term memory (to keep track of the current conversation or workflow) and long-term memory (to store persistent knowledge, user preferences, or historical actions). Effective use of memory enables the agent to provide continuity, context, and personalization in its interactions.
  • Other Agents - Advanced AI agents often operate in environments where they can collaborate or coordinate with other agents. These may be specialist agents with unique skills or dedicated sub-agents responsible for specific tasks. By communicating and delegating among themselves, agents can tackle complex, multi-step goals that would be difficult or impossible for a single agent alone.

Figure: anatomy of an AI agent


AI Agents: What Controls to Focus On

Not all attack vectors for AI agents are new, so it’s crucial to distinguish between Securing AI Agents, which covers the whole environment (data, networks, and access), and AI Agent Security, which focuses on risks unique to advanced AI systems.

To better understand the gaps that AI creates in a cybersecurity program, let's modify STRIDE, an industry-standard threat modeling framework, so it can handle the unique challenges of AI agents. This is done by incorporating two new threat categories, "Lack of Accountability" and "Misunderstanding" (LM).

  • Lack of Accountability - This occurs when actions are performed without clear governance or ownership, making it difficult to determine responsibility when issues arise.
  • Misunderstanding - This refers to models having undesirable assessments due to a lack of context or malicious intervention, leading to unexpected emerging behaviors.

Applying STRIDE+LM to AI Agents


The OWASP Top 10 LLM Threats and OWASP AI Agent Threats documentation are widely recognized as industry standards and serve as a strong foundation of knowledge for anyone looking to understand and mitigate security risks in AI and agentic systems.

By bridging these frameworks with STRIDE+LM, we unlock a powerful lens for understanding AI agent risks. This mapping doesn’t just offer clarity; it uncovers a fascinating pattern: while many AI agent threats fit neatly within traditional STRIDE categories, a substantial portion defy classic boundaries, demanding the nuance of the LM categories while threat modeling. The result is a more comprehensive and actionable roadmap for safeguarding today’s complex AI systems.

7 out of 25 OWASP threats can fall into misunderstanding and lack of accountability.


These threats fall into three buckets:

  • Those that are addressable with Existing Controls
  • Those that force you to Expand Controls and adapt your defenses
  • Those that demand entirely Novel Controls: brand-new approaches designed just for the risks that come with AI

This isn’t just a checklist: it’s a spectrum, showing where you’re already covered, where you’ll need to stretch, and where you have to innovate to stay ahead of AI’s evolving threat landscape.

For a deeper dive into specific threats and the most effective mitigation strategies, check out the latest OWASP documentation, which maps out these categories and offers practical guidance.

  • OWASP Top 10 for LLM Applications
  • OWASP AI Agent Threats and Mitigation


Existing Controls

These threats share a key similarity: each aligns closely with classic security concerns such as data leakage, privilege escalation, denial of service, and unauthorized access that organizations have long addressed through established controls. Proven solutions like IAM, DLP, access control, secure communications, logging, and resource throttling remain effective at mitigating most of these risks, provided they are consistently applied and adapted to the AI/LLM context. While the technology is evolving, these threats do not fundamentally change the security landscape; instead, they reinforce the importance of applying well-known best practices to new AI-driven environments.



Expanding Controls

These threats are similar in that they reflect traditional security challenges such as tampering, denial of service, and privilege abuse, but in more dynamic and complex AI environments. Existing cybersecurity controls like supply chain management, input validation, session handling, zero trust, and IAM still provide a solid foundation, but they must be expanded or adapted to address the increased speed, automation, and new attack surfaces introduced by AI agents and LLMs. The core concepts remain the same, but successful risk management now depends on updating controls to meet the unique demands and evolving threats of autonomous, multi-agent, and data-driven systems.



Novel Controls

These threats are united by the fact that they stem from the unique, dynamic reasoning and autonomy of AI agents, challenges that traditional cybersecurity controls can’t fully address. Issues like prompt injection, misinformation, tool misuse, and intent manipulation arise from the model’s language understanding, open-ended action space, and capacity for emergent behavior. Similarly, trust manipulation and lack of agent accountability highlight psychological and organizational risks outside the reach of classic technical safeguards.

Effective mitigation will require genuinely novel controls such as dynamic output validation, explainability tools, human oversight, and new forms of policy enforcement—specifically designed for the unpredictable and adaptable nature of modern AI.



Mitigations for Novel Threats

Each mitigation below is listed with the threats it addresses (OWASP Agentic threat IDs T*, OWASP LLM Top 10 IDs LLM*) and its purpose.

  • Real-Time Natural Language Monitoring
    Threats addressed: T15 – Human Trust Manipulation; T7 – Misaligned Behavior; T2 – Tool Misuse; T6 – Intent Breaking; LLM01 – Prompt Injection; LLM09 – Misinformation
    Purpose: Detect unsafe behavior at runtime, then flag, sanitize or block it for both the prompt and the response
  • Explainable AI (XAI)
    Threats addressed: T15 – Human Trust Manipulation; T7 – Misaligned Behavior; T5 – Cascading Hallucinations; LLM09 – Misinformation
    Purpose: Provide transparency into agent decisions for auditability and user trust
  • Formal Verification
    Threats addressed: T7 – Misaligned Behavior; T2 – Tool Misuse; T6 – Intent Breaking
    Purpose: Ensure agent actions match defined goals and constraints
  • Adversarial Testing
    Threats addressed: LLM01 – Prompt Injection; LLM09 – Misinformation; T15 – Human Trust Manipulation
    Purpose: Simulate attacks to assess model robustness
  • Privilege Control
    Threats addressed: T2 – Tool Misuse; LLM01 – Prompt Injection; T6 – Intent Breaking
    Purpose: Restrict agent capabilities to reduce blast radius
  • Grounded Context
    Threats addressed: T5 – Cascading Hallucinations; LLM09 – Misinformation
    Purpose: Improve factual accuracy by injecting verified data into the prompt
  • Human-in-the-Loop
    Threats addressed: T7 – Misaligned Behavior; T15 – Human Trust Manipulation; T6 – Intent Breaking
    Purpose: Require approval for sensitive actions or ambiguous decisions
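Three of the mitigations above, Privilege Control, Human-in-the-Loop and an audit trail that answers the Lack of Accountability question of who authorized each action, can all be enforced at the single point where an agent invokes a tool. The following is an added example and not code from this post or from Aiceberg; the agent names, tool names, policy and the reviewer stand-in are constructed.

```python
from dataclasses import dataclass, field
from typing import Any, Callable

# Constructed policy (not Aiceberg's or OWASP's): each agent gets only the tools
# it needs (Privilege Control), and tools that do damage if the agent is
# manipulated (T2 Tool Misuse, T6 Intent Breaking) also need a human approval.
POLICY = {
    "support-agent": {"allowed": {"lookup_order", "issue_refund"},
                      "needs_approval": {"issue_refund"}},
    "summarizer": {"allowed": {"read_doc"}, "needs_approval": set()},
}

@dataclass
class ToolGate:
    policy: dict
    approver: Callable[[str, str, dict], bool]   # Human-in-the-Loop hook
    audit: list = field(default_factory=list)    # accountable record of every attempt

    def call(self, agent: str, tool: str, args: dict, impl: Callable[..., Any]) -> Any:
        """Run impl(**args) only if policy lets `agent` use `tool`; log either way."""
        rules = self.policy.get(agent)
        if rules is None or tool not in rules["allowed"]:
            self._record(agent, tool, "denied", f"{tool} is outside {agent}'s allowlist")
            raise PermissionError(f"{agent} may not call {tool}")
        if tool in rules["needs_approval"]:
            if not self.approver(agent, tool, args):
                self._record(agent, tool, "denied", "human reviewer declined the action")
                raise PermissionError(f"{tool} was not approved")
            self._record(agent, tool, "approved", "human reviewer approved the action")
        else:
            self._record(agent, tool, "allowed", "in allowlist, no approval required")
        return impl(**args)

    def _record(self, agent: str, tool: str, decision: str, reason: str) -> None:
        # Who did what, what was decided and why: the trail an auditor needs.
        self.audit.append({"agent": agent, "tool": tool, "decision": decision, "reason": reason})

def demo() -> list:
    """Constructed walkthrough; returns (agent, tool, decision) for each attempt."""
    reviewer = lambda agent, tool, args: args.get("amount", 0) <= 100  # stand-in approval UI
    gate = ToolGate(POLICY, reviewer)
    refund = lambda amount: f"refunded {amount}"
    gate.call("support-agent", "issue_refund", {"amount": 40}, refund)      # approved
    for agent, args in [("summarizer", {"amount": 5}), ("support-agent", {"amount": 5000})]:
        try:
            gate.call(agent, "issue_refund", args, refund)                  # both denied
        except PermissionError:
            pass
    return [(e["agent"], e["tool"], e["decision"]) for e in gate.audit]
```

Every attempt, including the denied ones, lands in the audit list with a plain-language reason, which is the part the XAI and accountability discussion below depends on.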


Who’s Really in Charge? Governing Agentic AI with Explainability

To govern agentic AI effectively, explainability must be at the core of your strategy. As agentic AI systems make complex, autonomous decisions, sometimes chaining actions or invoking tools on their own, it’s essential to understand not just what the AI did, but why it made those choices. Explainable AI (XAI) refers to systems and models that make the decision-making process of AI transparent, understandable, and interpretable to humans. Explainable AI lets you see why the model made a decision, not just the result it produced. For example, if an AI agent flags a customer interaction as risky, explainability ensures you can trace back to the data, context, and logic behind that decision so you can justify it, correct it if needed, or use it to improve future outcomes.

Explainable AI gives organizations the power to audit decisions, uncover hidden risks, and ensure agent actions align with user intent and business policies. Without explainability, it’s the AI, not your people or leadership, that’s effectively running your business, leaving you with little control or insight when things go wrong. This transparency is critical for building trust, passing compliance audits, and maintaining true human-centered oversight.

Not all AI explainability is the same. With standard LLMs, the “chain of thought” is non-deterministic, generated on the fly as freeform text, making it hard to audit, interpret, or turn into actionable insights. Every answer may differ, and understanding the rationale often means wading through another large, unstructured paragraph.


Conclusion

In summary, agentic AI is transforming the way organizations operate, bringing both remarkable capabilities and unprecedented risks. The smartest approach isn’t to reinvent the wheel, but to first maximize the value of your existing cybersecurity program using established controls and best practices wherever they apply. At the same time, organizations should focus their research and development efforts on the small but critical set of threats that require new controls: those unique risks introduced by the autonomy, reasoning, and emergent behaviors of agentic AI. By doing this, you can safeguard innovation, build trust, and maintain true control, ensuring your AI works for you, not the other way around.


About the Author

Michael Novack is a product-minded security architect who turns complex AI risks into practical solutions. As Product Manager & Solution Architect at Aiceberg, he helps enterprises embed AI explainability into their systems—translating customer insight into roadmap impact. He also designs card and board games for Tech Games, making cybersecurity and AI concepts fun and accessible.
