Agentic AI — AI systems that autonomously plan, execute multi-step tasks, and call external tools on your behalf — crossed from experimental to production in 2025. In early 2026, a Chinese state-sponsored group used a compromised AI coding agent to infiltrate roughly 30 organizations across financial services, government, and chemical manufacturing. The attack didn't exploit a software vulnerability. It exploited the agent's trust.
This isn't a future risk. It is the defining new attack surface of 2026. And most security teams don't yet have a framework for it.
What Makes Agentic AI Fundamentally Different
Traditional AI tools — chatbots, summarizers, classifiers — respond to individual prompts. An agent is different: it maintains memory across interactions, calls external APIs and tools, takes actions in real systems, and operates with minimal human oversight between steps.
That autonomy is also the risk. When an AI agent has permission to read your email, query your database, push code to your repository, or interact with cloud infrastructure, a single compromised instruction can cascade into a full system breach — at machine speed, without a human in the loop to catch it.
The attack surface has three new dimensions that don't exist in traditional software security:
- Memory poisoning — injecting malicious content into an agent's persistent memory store, causing it to behave differently on future runs
- Tool chain misuse — manipulating which tools an agent calls, or the parameters it passes, to exfiltrate data or execute unauthorized actions
- Privilege compromise — agents typically run with elevated permissions; compromising one gives an attacker the same access level
The OWASP Top 10 for Agentic Applications
In December 2025, OWASP released its first dedicated security framework for agentic AI — built from input across 100+ security researchers. The top risks it identifies are not abstract. They map directly to how agents are being deployed today:
1. Prompt Injection via Agent Inputs — Malicious instructions embedded in data the agent retrieves (web pages, documents, emails) cause the agent to take unintended actions. Unlike traditional prompt injection, agentic systems can act on these instructions against live systems.
2. Excessive Agency — Agents granted more permissions than their task requires. If an agent only needs to read a database, it shouldn't have write access. Over-privileged agents turn a minor manipulation into a catastrophic breach.
3. Insecure Tool Integration — External tools and APIs connected to agents without proper authentication scoping, output validation, or rate limiting. Each tool is an additional attack surface.
Real Incidents Already on Record
This isn't theoretical. Confirmed incidents from 2025–2026 illustrate the exposure:
The BodySnatcher vulnerability (ServiceNow AI Platform). An unauthenticated attacker could impersonate any user — including system administrators — using only a known email address. The flaw lived in the AI platform layer, not the application layer, meaning traditional application security testing missed it entirely.
The LiteLLM supply chain compromise (March 2026). Attackers compromised the PyPI credentials of LiteLLM — one of the most widely used open-source LLM gateways — and published two backdoored package versions. Organizations that auto-updated their AI infrastructure pulled the backdoor into production. The attack chain moved from credential compromise to persistent backdoor installation inside Kubernetes clusters in hours.
Poisoned skill files in public registries. Security researchers documented attackers planting malicious skill definitions in public AI agent registries. When an agent automatically incorporated these skills — a feature many frameworks support — attackers achieved remote code execution and API key exfiltration without ever directly accessing the target environment.
What Your Security Team Needs to Do Now
Existing security controls were not designed for agents. Your vulnerability scanner doesn't know what an agent did at 3am. Your SIEM wasn't built to correlate 200 agent API calls into a coherent threat narrative. You need to close four gaps specifically:
1. Inventory every agent and its permissions. You cannot secure what you haven't enumerated. Document every AI agent in production, what tools it can call, what data stores it can access, and what actions it can take. Treat this like your cloud asset inventory — it needs to be current and continuously maintained.
2. Apply least privilege to agents. Each agent should have the minimum permissions required to complete its specific function. Read-only access where read-only is sufficient. Scoped API tokens rather than broad service account credentials. Time-limited permissions for sensitive operations. This limits the blast radius when an agent is manipulated.
3. Implement agent action logging and anomaly detection. Every action an agent takes — every tool call, every external request, every data access — should be logged with enough context to reconstruct what happened. Set behavioral baselines and alert on deviations. An agent that suddenly starts exfiltrating data to an unusual endpoint should trigger the same response as a human user doing the same thing.
4. Treat third-party agent components as supply chain risk. Every open-source framework, every pre-built skill, every connected tool is a dependency. Apply the same vendor risk process to AI components that you apply to software vendors. Pin dependency versions. Monitor for compromised packages. Don't auto-update AI infrastructure without validation.
The Governance Gap Most Organizations Haven't Closed
Beyond the technical controls, there's a governance layer most organizations are missing entirely. Who is accountable when an AI agent causes a data breach? What is the approval process before an agent is granted access to production systems? How do you conduct a security review of an agentic application when the behavior is non-deterministic?
These questions don't have default answers. They need policies, defined ownership, and a review process specific to AI — not a checkbox in an existing software approval workflow that was never designed for autonomous systems.
Only 13% of security professionals say they feel well-prepared for GenAI risks, according to ISACA's 2026 survey. The organizations that close that gap first will have a material security advantage. The ones that wait will read about themselves in a breach report.
