
Bharat Mistry at Trend Micro explains that agentic AI is the future but that it could turbocharge cyber-security concerns: here’s how to secure it
Has artificial intelligence (AI) come of age? Just as generative AI (GenAI) begins to reach the “peak of inflated expectations” (to use Gartner parlance), newer approaches are emerging which could change the world around us. Among these, agentic AI offers the biggest potential for transformative advances, in being able to take a “human-like” approach to task completion.
Yet at the same time, agentic AI will expand the corporate attack surface and increase the risk of data theft, sabotage and service disruption. As governments go all-in on the technology, the organisations turning theory into reality must embed security best practice at the heart of development, or risk the consequences.
Agentic AI has been described as a third iteration of the technology. It differs from predictive and generative AI in that it’s designed to work autonomously, solving complex, multi-stage problems independently or as part of a “team”.
One of the key benefits is that it’s able to continuously improve, course-correcting if necessary as it is fed new information or its circumstances change. With applications in virtually every sector—from autonomous code writing to insurance claims processing—it’s predicted to add between $2.6tn and $4.4tn annually to global GDP by 2030.
Yet as businesses race to deliver market-leading applications, drive back-office efficiencies and transform customer-facing experiences, they may overlook secure-by-design principles. In some cases, even their security teams don’t know what kinds of risks to plan for, as AI innovation is outstripping their understanding. Yet gaining this awareness is critical: it’s far cheaper and easier to build security in from the start than try to retrofit it after a serious incident.
With that in mind, the first step is understanding how a threat actor could compromise an agentic AI system. Components of the AI attack surface include the data itself. Manipulation of input data (in adversarial attacks) or training data (i.e. data poisoning) could lead to incorrect or malicious outputs. And the training/model data itself could be a target if it contains corporate secrets or particularly sensitive information on customers.
APIs and other interfaces also represent a potential target, if threat actors are able to send malicious requests or use injection techniques to change how a targeted AI processes data. Front-end user interfaces could be exploited to gain unauthorized access or inject malicious scripts. Then there are vulnerabilities in third-party open source components, which are growing by the year, and potentially even versions with malware embedded within.
Cloud infrastructure used to host AI systems also represents an attractive target, especially if it too contains vulnerabilities or misconfigurations.
The OWASP Top 10 for LLM Applications 2025 lists many of these risks. It warns of the potential for sensitive information disclosure, model manipulation, misinformation and even denial of service.
There are also specific risks linked to agentic AI systems. If resource consumption isn’t strictly controlled, for example, an autonomous AI may spawn so many sub-problems to work on that it effectively creates a denial-of-service event. The same autonomy which makes agentic AI so powerful may also lead to unintended/damaging outcomes if the AI is poorly designed, or fed with poorly engineered or deliberately malicious prompts—known as “misalignment”.
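One way to make the resource controls described above concrete, as an added example that is not from the article or from Trend Micro: a small task runner that lets an agent decompose goals only under a hard budget (total tasks per run, decomposition depth, fan-out per task), so a runaway or manipulated planner is halted rather than allowed to exhaust the service. The `planner` functions and the budget values are constructed for illustration; in a real system the planner is the model call.

```python
"""Added example (not from the article): a bounded runner for an agentic
workflow. The 'planner' stands in for the model that decomposes a goal into
sub-goals; the controls are the task budget, the depth cap and the fan-out cap."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


class BudgetExceeded(Exception):
    """Raised when the run would create more tasks than it is allowed to."""


@dataclass
class Budget:
    max_tasks: int        # total sub-problems one run may create
    max_depth: int        # how many levels of decomposition are allowed
    max_fanout: int       # how many children a single task may spawn
    spent_tasks: int = 0

    def charge(self, n: int = 1) -> None:
        if self.spent_tasks + n > self.max_tasks:
            raise BudgetExceeded(f"task budget of {self.max_tasks} exhausted")
        self.spent_tasks += n


@dataclass
class Task:
    goal: str
    depth: int = 0


def run_agent(root_goal, planner, budget):
    """Breadth-first execution of a goal tree under a hard budget.

    planner(goal) returns a list of sub-goals; an empty list means the goal is
    a leaf that can be executed directly. Returns (completed_leaves, tasks_spent,
    halt_reason), where halt_reason is None when the run finished normally.
    """
    queue = deque([Task(root_goal)])
    budget.charge(1)                       # the root task counts too
    completed = []
    while queue:
        task = queue.popleft()
        children = planner(task.goal)
        if not children:
            completed.append(task.goal)    # leaf: would be executed here
            continue
        if task.depth + 1 > budget.max_depth:
            return completed, budget.spent_tasks, "depth limit reached"
        if len(children) > budget.max_fanout:
            return completed, budget.spent_tasks, "fan-out limit reached"
        try:
            budget.charge(len(children))   # pay for children before enqueueing them
        except BudgetExceeded as exc:
            return completed, budget.spent_tasks, str(exc)
        queue.extend(Task(c, task.depth + 1) for c in children)
    return completed, budget.spent_tasks, None


# Constructed planners standing in for a model.
def tidy_planner(goal):
    plan = {"summarise quarterly report": ["extract figures", "draft summary", "check numbers"]}
    return plan.get(goal, [])


def runaway_planner(goal):
    # Models a misaligned or prompt-manipulated agent that keeps splitting
    # every goal into two more and never produces a leaf.
    return [f"{goal} / part A", f"{goal} / part B"]


if __name__ == "__main__":
    print(run_agent("summarise quarterly report", tidy_planner, Budget(50, 10, 4)))
    print(run_agent("analyse logs", runaway_planner, Budget(50, 10, 4)))
```

The budget is charged before children are enqueued, so the run can never hold more pending work than it has paid for, and the halt reason is returned rather than raised so the caller can log it as a detection signal: a run that repeatedly hits the task or depth limit on benign goals is worth investigating.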
Another risk flagged by OWASP relates to vector databases. These are commonly used in retrieval augmented generation (RAG) and agentic AI to support a fresh approach to AI, designed to overcome the limitations of traditional LLMs. Because LLMs are running out of training data, the concern is that progress will slow and models will become less efficient.
RAG overcomes this by combining pre-trained LLMs with search queries/results that reach out to third-party data sources. This makes the returned information more relevant, up to date and with a lower risk of producing a “hallucination”.
The problem is that these databases, along with other components such as LLM-hosting platforms and open source components, are riddled with vulnerabilities and/or exposed to the public internet with no authentication required. This makes information theft, data poisoning and other threats more likely.
It’s the job of cyber-security professionals to anticipate threats like this, in order to head off potential risk before it’s too late. So how can AI developers and their employers prepare for an agentic AI future? Six key steps come to mind.
First, secure the data itself. That means using data security posture management (DSPM) to continuously discover, classify and protect it according to sensitivity and regulatory requirements. In this way, even if threat actors manage to get their hands on training or model data, it will be of little to no use to them.
Second, secure the AI models to mitigate the risk of data poisoning and service disruption. AI models, especially if fine-tuned by the organisation, may also represent sensitive IP in their own right, and therefore should be protected from prying eyes. AI model security should be multi-layered, including: continuous real-time monitoring of container runtime behaviour for suspicious activity; vulnerability scanning; network segmentation to contain the blast radius of attacks; and XDR-driven incident response.
Third, secure the AI infrastructure via AI security posture management (AI-SPM). These tools will help by continuously monitoring for compliance violations like vulnerabilities and misconfigurations, and correcting issues to maintain good security posture.
Fourth, secure users and localised AI apps that may inadvertently create a new attack vector for threat actors, by applying endpoint security and deepfake detection tools.
Follow this by securing access to AI services along zero trust lines, in order to mitigate the risk of data exfiltration, prompt injection and even unintentional denial of service. Zero trust secure access can help here by providing centralised visibility into all AI usage, including shadow AI, guardrails to prevent prompt injection and data leakage, and risk-based access controls. The right tools will also offer prompt filtering to detect malicious inputs, response filtering to ensure outputs are safe, and reverse proxies which add an extra layer of protection between users and AI services.
Finally, guard against zero-day exploits with network-based intrusion detection/prevention (IDS/IPS), which will monitor traffic in real time for suspicious activity. Machine learning-based behavioural analysis enhances these efforts, while automated virtual patching can shield systems from known and unknown threats.
Agentic AI opens the door to a potentially new era of innovation and economic growth. But long-term success is only assured if security teams are upskilled and allowed to manage risk early on in projects. Better to address these challenges now, rather than wait until AI is so embedded that they become unfixable.
Bharat Mistry, Field CTO at Trend Micro
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543