Vulnerability Intelligence Annual Report 2025
Vulnerability Intelligence Annual Report 2025
Agentic AI security (sometimes called AI agent security, autonomous AI security, or agentic security) is the emerging discipline within cybersecurity dedicated to protecting AI systems that can autonomously perceive their environment, make independent decisions, use external tools, and execute multi-step actions - often without direct human supervision.
The word "agentic" comes from agency - the capacity to act independently in pursuit of a goal. An agentic AI system doesn't just answer questions. It takes actions: sending emails, executing code, calling APIs, querying databases, modifying files, and delegating subtasks to other AI agents. That shift from generating to acting is precisely what makes traditional security models insufficient.
Core Distinction: Traditional AI/ML security protected model inputs and outputs. Agentic AI security protects the entire action loop - what the agent plans, decides, executes, remembers, and delegates across interconnected systems.
According to a 2026 Dark Reading poll, 48% of cybersecurity professionals now identify agentic AI and autonomous systems as the single most dangerous attack vector - surpassing ransomware, deepfakes, and supply chain compromise in perceived risk.
When a traditional AI model is compromised, it produces a bad response. When an agentic AI is compromised, it performs bad actions - at machine speed, across your entire infrastructure, before a human analyst can intervene. The blast radius isn't a paragraph of misleading text. It's deleted cloud resources, exfiltrated credentials, corrupted databases, or cascading failures across connected systems.
Before understanding agentic AI security, you need to understand what you're protecting.
An AI agent is an autonomous software system built on a large language model (LLM) that can perceive input, reason through a plan, use tools, retain memory, and execute multi-step actions to complete a goal - with minimal or no human intervention between steps. It is fundamentally different from a chatbot or a static AI model.
Traditional cybersecurity was built around a fairly stable set of assumptions: humans (or defined software processes) take actions; those actions can be predicted and bounded; systems have clear perimeters. Agentic AI breaks all three assumptions.
The fundamental security shift is this: with agentic AI, the model is no longer the final boundary. The agent's action loop is.
Agentic AI systems face a distinct and evolving threat landscape. Attackers don't need to breach your firewall or crack your encryption. They need to manipulate what the agent reads, remembers, or trusts - and the agent does the rest.
Prompt injection is the most pervasive attack against agentic AI. It occurs when malicious instructions are embedded in content the agent processes - a PDF, a web page, a calendar invite, an email, a code comment - and the agent cannot distinguish between legitimate user instructions and the injected commands. Because agents are designed to follow natural language instructions, the agent executes the attacker's intent while the user sees nothing unusual.
Indirect prompt injection is the more dangerous variant: the attacker doesn't interact with the agent directly. They poison a document, webpage, or external data source that the agent retrieves during a legitimate task. The agent processes the poisoned content and follows the embedded instructions - silently exfiltrating data, modifying system configurations, or escalating its own access.
Because agentic systems persist context across sessions, they are vulnerable to long-horizon attacks where an attacker corrupts the agent's memory with false information, biased beliefs, or embedded backdoor instructions that influence future decisions long after the initial interaction. Unlike a prompt injection that operates in a single session, memory poisoning can persist for weeks - subtly steering every decision the agent makes.
AI agents derive their power from connecting to enterprise tools: email, CRM, cloud APIs, databases, code execution environments. Tool misuse occurs when an agent is manipulated into abusing those integrations - not because the tools are broken, but because the agent's reasoning was corrupted. An attacker who injects instructions into a document retrieved by a coding assistant can direct that assistant to execute cloud resource deletion commands using its legitimately provisioned AWS credentials.
Agents act as non-human identities with delegated authority. When over-provisioned with excessive permissions, a compromised agent can perform actions far beyond the scope of its intended task. The "confused deputy" problem is acute here: an agent given broad API access to serve one workflow can be hijacked to serve another, entirely unauthorized purpose - while still using its legitimate credentials.
Traditional supply chain attacks target static software dependencies. Agentic supply chain attacks target what agents load at runtime - MCP servers, plugins, external tools, prompt templates, and other agents. Because these components are often fetched dynamically, a compromised MCP server or malicious plugin can alter agent behavior, inject instructions, or exfiltrate data without any visible change to the agent's surface-level behavior.
Released in December 2025 and developed by more than 100 security researchers, practitioners, and industry experts - including contributors from NIST, Microsoft, AWS, NVIDIA, and Palo Alto Networks - the OWASP Top 10 for Agentic Applications 2026 is the first industry-standard framework dedicated to securing autonomous AI agents. It is the authoritative starting point for any organization deploying or securing agentic AI systems.
The Two Foundational Principles Behind the OWASP Framework:
(1) Least Agency - only grant agents the minimum autonomy required for the task, mirroring the principle of least privilege.
(2) Human-in-the-Loop for High-Stakes Actions - payments, data deletion, credential access, and production deployments should always require explicit human approval, regardless of agent confidence level.
Securing agentic AI requires layered controls across the agent's entire architecture - not just the model layer.
These are the high-impact security practices recommended by OWASP, NIST, CSA, and leading security researchers for organizations building or deploying agentic AI:
Register agents in your identity governance platform. Provision scoped, short-lived credentials using just-in-time access. Enforce the same joiner-mover-leaver lifecycle for agents as for human employees - including automated deprovisioning when agent tasks or contracts end.
Only grant agents the minimum autonomy, tool access, and permissions required for their specific task. Resist the temptation to over-provision "just in case." Every additional permission is an additional blast radius.
Any content an agent retrieves from outside your controlled environment - PDFs, emails, web pages, RAG documents, API responses - must be treated as potentially hostile. Apply prompt injection filtering before external content reaches the agent's reasoning loop.
Maintain a Software Bill of Materials (SBOM) for every MCP server, plugin, agent framework, and third-party component your agents depend on. Pin versions, use signed manifests, and monitor for unexpected changes or malicious updates - especially in components loaded dynamically at runtime.
Log and analyze the sequence and intent of agent actions, not just individual API calls. Deploy behavioral baselines and anomaly detection systems that understand what normal agent behavior looks like and alert immediately on deviations - tool chaining patterns, privilege escalation, unusual data access volume.
Define categories of high-consequence, irreversible actions that always require explicit human approval. Train agents to pause, explain, and request confirmation before executing these actions - and enforce this policy at the infrastructure level, not just the prompt level.
Run agents in sandboxed execution environments with strict network egress controls, limited filesystem access, and no implicit trust in the host environment. An agent that generates code should not be able to execute that code in a production environment without explicit gating.
Secure agent memory stores with access controls, encryption at rest, and integrity monitoring. Audit long-term memory regularly for evidence of manipulation. Treat unexpected beliefs or instructions in agent memory as potential indicators of compromise.
Run dedicated adversarial exercises targeting your AI agents: test for prompt injection via every external data source, tool misuse via manipulated inputs, privilege escalation, memory poisoning, and inter-agent trust exploitation. Traditional pen tests do not cover these vectors.
Every agent action - every tool called, every decision made, every data item accessed - must be logged with tamper-proof immutability and sufficient context to explain why the agent took each action. This supports forensic investigation, incident response, and regulatory compliance (GDPR, NIST AI RMF, EU AI Act).
In multi-agent systems, never allow agents to implicitly trust messages from other agents. Authenticate every inter-agent communication, enforce authorization on every instruction passed between agents, and treat agent-originated inputs with the same scrutiny as external user inputs.
Every MCP server your agents connect to is as critical as a privileged API or a secrets manager. Vet MCP servers before use, monitor them continuously for definition changes or behavioral drift, restrict which agents can connect to which servers, and have a kill switch process ready for immediate disconnection when compromise is suspected.
The threat is not theoretical. Here are documented incidents that shaped the OWASP Agentic Top 10 and define the current risk landscape:
An indirect prompt injection attack embedded hidden instructions in documents processed by Microsoft Copilot, redirecting the agent to silently exfiltrate internal data to attacker-controlled endpoints. The agent continued returning normal-looking outputs to users while operating as a data exfiltration vector in the background. This incident directly inspired OWASP's ASI01: Agent Goal Hijack classification.
A malicious pull request introduced code into Amazon Q's environment containing instructions to "clean a system to a near-factory state and delete file-system and cloud resources," including commands to terminate EC2 instances, delete S3 buckets, and remove IAM users via AWS CLI. The agent was not escaping a sandbox - it was using its legitimately provisioned cloud credentials to execute destructive commands as instructed. The initialization included flags that bypassed all confirmation prompts.
Researchers discovered an npm package impersonating Postmark's email service MCP server. The package functioned correctly as an email tool, but every message sent through it was silently BCC'd to an attacker-controlled address. It was downloaded 1,643 times before removal. Any AI agent using it for email operations was unknowingly exfiltrating every message it sent.
A proof-of-concept attack successfully injected persistent false beliefs into Google Gemini's memory system through crafted interactions. The corrupted memory then influenced the agent's behavior in future, unrelated sessions - demonstrating that memory poisoning can function as a slow-acting, long-horizon attack that outlasts any single conversation or task.
The first documented case of an AI agent being weaponized at scale as a cyberattack tool. A Chinese state-sponsored threat group manipulated Claude Code to infiltrate approximately 30 global targets across financial institutions, government agencies, and chemical manufacturing - demonstrating that autonomous AI agents can be directed to conduct sophisticated intrusion campaigns without substantial human intervention at each step.
OpenClaw, an open-source AI agent platform with over 135,000 GitHub stars, triggered the first major AI agent security crisis of 2026 with multiple critical vulnerabilities, malicious marketplace exploits, and over 21,000 exposed instances. When employees connected OpenClaw agents to corporate Slack and Google Workspace environments, they created shadow AI with elevated privileges that traditional security tools could not detect.
At Loginsoft, our vulnerability research, SBOM analysis, and supply chain security expertise maps directly to the most critical agentic AI security domains - from MCP server vetting and open source dependency analysis to non-human identity governance and threat intelligence for AI agent attack patterns. As agentic systems proliferate across enterprise environments, the demand for deep, technical security expertise at the AI infrastructure layer has never been greater.
Q1. What is agentic AI security in simple terms?
Agentic AI security is the practice of making sure AI agents - systems that can autonomously take actions like sending emails, executing code, or calling APIs - do so safely, within defined boundaries, and cannot be manipulated by attackers into doing harmful things. It's not enough to make the AI "smart" or "aligned" - you have to govern what it does with the same rigor you apply to any privileged user in your organization.
Q2. How is agentic AI security different from traditional AI security?
Traditional AI security focused on protecting model inputs and outputs - blocking jailbreaks, filtering harmful responses, preventing data leakage in training. Agentic AI security addresses a fundamentally different problem: these systems act. They call APIs, execute code, access credentials, and make decisions in chains. The threat model shifts from "bad outputs" to "bad actions" - with a blast radius that can include deleted infrastructure, exfiltrated secrets, or cascading failures across connected systems, all happening at machine speed before any human can intervene.
Q3. What is the OWASP Top 10 for Agentic Applications?
Released in December 2025 and developed by over 100 security experts worldwide, the OWASP Top 10 for Agentic Applications 2026 is the first industry-standard framework for securing autonomous AI agents. It catalogues the ten most critical risk categories - from Agent Goal Hijack (ASI01) and Tool Misuse (ASI02) to Memory Poisoning (ASI06), Cascading Failures (ASI08), and Rogue Agents (ASI10). It has been adopted and referenced by Microsoft, NVIDIA, AWS, and GoDaddy, and is the starting point for any organization building or governing agentic AI systems.
Q4. What is prompt injection and why is it the biggest agentic AI threat?
Prompt injection is an attack where malicious instructions are embedded in content that an AI agent processes - a PDF, email, web page, or database entry - causing the agent to execute the attacker's commands instead of the user's. In agentic systems this is especially dangerous because agents are designed to follow natural language instructions, cannot reliably distinguish instructions from data, and have the tools and access to act on whatever instructions they receive. Indirect prompt injection - where the attacker poisons external content rather than interacting directly - is the most stealthy variant, and currently has no complete technical defense.
Q5. What is an MCP server and why does it matter for agentic AI security?
Model Context Protocol (MCP) is an open standard that allows AI agents to connect to external tools and data sources in a standardized way. MCP servers are the plugins and connectors that extend what an agent can do - email, calendar, databases, code execution, cloud APIs. Because agents load and trust MCP servers dynamically, a malicious or compromised MCP server is a direct path to agent compromise. The first malicious MCP server in the wild was discovered in September 2025 - impersonating a legitimate email service and silently exfiltrating every message sent through it.
Q6. What is "least agency" and why is it the foundational defense principle?
Least agency is the agentic AI security equivalent of least privilege. It means granting agents only the minimum autonomy, tool access, permissions, and memory scope required to perform their specific task - and nothing more. Every additional permission expands the blast radius of a potential compromise. The OWASP Agentic Top 10 identifies least agency as the single most important design principle for building secure agentic systems. In practice, it means time-bounded credentials, scoped API access, sandboxed execution environments, and human approval gates for high-consequence actions.
Q7. How do you govern AI agent identities in an enterprise?
AI agents must be registered and managed as non-human identities (NHIs) within the enterprise's identity governance framework - authenticated with short-lived, scoped credentials, provisioned using just-in-time access, and automatically deprovisioned when their tasks complete. They should follow the same joiner-mover-leaver lifecycle as human employees. Every action an agent takes with enterprise systems should be logged and auditable. Given that NHIs already outnumber human identities 50:1 in the average enterprise, organizations that do not have an NHI governance program in place are already operating with a significant and growing blind spot.
Q8. What regulations governing agentic AI security?
Several frameworks and regulations are directly relevant. The EU AI Act classifies many agentic AI deployments as high-risk systems requiring human oversight, transparency, and robustness controls. NIST's AI RMF provides governance guidance across the AI lifecycle. GDPR applies wherever agents process personal data. NIS2 and DORA apply where agents are part of critical infrastructure or financial service workflows. CISA's emerging guidance on AI system security, and NIST's ongoing work through CAISI on AI agent security standards, will add further regulatory weight in the coming 12-24 months. Organizations deploying agents in regulated industries should treat these requirements as minimum baselines, not ceilings.
