Last year, Anthropic reported the first large-scale cyber campaign largely executed by AI agents. The attackers used AI to autonomously execute the entire attack chain, making thousands of requests per second at a speed no human team could match.
As AI agents become more capable, traditional security approaches aren’t enough anymore. Understanding the risks of agentic AI and building the skills to detect, prevent, and mitigate them is essential.
What Makes Agentic AI Different?
Standard AI applications are generally reactive; for example, if you ask ChatGPT a question, it gives you an answer. Agentic AI is a different story. These systems are proactive in that they set goals, break them down into steps, use tools to accomplish tasks, remember context from previous interactions, and even collaborate with other AI agents.
Seeing as 39% of companies are already experimenting with agentic AI, security challenges are no longer only theoretical but highlight a need for new frameworks, hands-on training, and defenses before these agents move into production.
The OWASP Agentic Top 10 Risks Explained
The OWASP Agentic AI project was created to help teams understand the security risks from AI agents and how to mitigate them. These are the threats that researchers have identified as most likely to cause harm if left unchecked.
1. Agent Goal Hijack
AI agents follow a set of goals or objectives that attackers can exploit by embedding malicious instructions into documents, web pages, or data that the agent trusts.
When these goals are hijacked, agents can carry out a whole series of actions without human oversight, multiplying the possible damage. Basically, it only takes one manipulated instruction to redirect an agent’s entire workflow.
For example, a seemingly routine email sent to an AI assistant could request a quick internal task. However, hidden instructions can change what the agent thinks it is supposed to do. So, instead of just completing the request, it may start gathering data or sharing sensitive information.
2. Tool Misuse and Exploitation
Agents often have access to company tools such as databases and APIs. If agents get ambiguous or manipulated instructions, they could cause the system to act in ways it shouldn’t.
If there are no proper validation and permission checks, an agent can misuse these tools by doing things like issuing unauthorized refunds or modifying critical data.
As another example, if a coding agent has access to deployment tools and gets manipulated into pushing malicious code to production, that could be a big problem (to say the least).
3. Identity and Privilege Abuse
AI agents are at risk of privilege escalation as they can inherit permissions, delegate credentials, and pass context between agents. An agent could get higher-level credentials from another agent and access sensitive information it isn’t supposed to.
Managing agent credentials as strictly as human credentials and tracking delegation paths are vital to preventing unauthorized access and minimizing risk.
To explain with an example, an IT support agent helps employees with system tasks. When it needs to check something in the admin panel, it temporarily gets higher credentials. However, those credentials get cached in the agent’s memory for “efficiency.” Later, a low-privilege user interacts with the same agent and cleverly prompts it to reuse those cached admin credentials.
4. Agentic Supply Chain Vulnerabilities
Software supply chains are already complex, but agents can make things even more complicated. Agents often depend on external components, such as MCP servers, prompt templates, or other agents, to operate (many of which are loaded dynamically at runtime).
If any of these dependencies get compromised, they can inject hidden instructions, backdoors, or malicious behavior that will then spread through multiple agents.
A malicious MCP server was found on npm, as the well-known Postmark service. It worked by secretly sending a copy of every email to an attacker. Companies using it accidentally leaked all their private messages for weeks before anyone noticed.
5. Unexpected Code Execution (RCE)
AI coding assistants are genuinely helpful, and according to Stack Overflow’s 2025 survey, 84% of developers are using them. However, agents that generate and execute code can be manipulated by attackers to perform unauthorized instructions.
It goes beyond traditional RCE vulnerabilities because the agent intentionally generates and runs its own code, so the problem is ensuring it’s safe and doesn’t get tricked into generating anything malicious.
Prompt injection attacks against AI coding assistants like GitHub Copilot show how untrusted input can cause an AI to produce unsafe code. The risk is even bigger with agentic AI, because a manipulated prompt could cause an agent to generate and execute code without any human checking it.
6. Memory and Context Poisoning
AI agents can remember preferences and learn from past interactions, which is great, but it also creates a new attack surface.
When agents store information for future use, it becomes a target. If an attacker poisons the memory, then it affects every future decision the agent makes. It’s not like one-time attacks, because memory poisoning is persistent. The agent doesn’t just make one bad decision, but makes consistently bad decisions over time.
Security researchers demonstrated a new hack that uses prompt injection to corrupt Google Gemini’s long-term memory. An attacker managed to inject false information into a customer service agent’s knowledge base through a manipulated document in a RAG pipeline.
The agent learned and stored incorrect refund policies, which poisoned the information and influenced every customer interaction from then on.
7. Insecure Inter-Agent Communication
Agents often need to communicate with each other to get work done, especially in systems where tasks are split across multiple agents. The problem is that these conversations are often treated as “safe by default.”
Messages may be sent without encryption and lack proper authentication. As the communication happens internally, agents tend to trust whatever they receive, which could lead to interception and spoofing.
Most legacy security tools aren’t designed to monitor or reason about how autonomous agents communicate with each other. As agentic systems scale and operate independently, every inter-agent message becomes another potential attack surface.
8. Cascading Failures
Seeing how agentic systems interact with one another, a single error can spread quickly across systems. All it takes is for a hallucination, poisoned input, or compromised tool in one agent to move across connected systems, causing widespread failures.
Let’s say a corrupted market analysis agent exaggerates a risk; the other trading agents will start making dangerous trades based on that, which could cause the system to lose large amounts of money.
9. Human-Agent Trust Exploitation
AI agents are good at sounding confident and authoritative. They provide detailed explanations and seem to understand context, which makes people trust them more than they should. However, AI assistants can be influenced by untrusted content embedded in documents and other data sources.
In the Replit “vibe coding” incident, an AI agent was used to automatically fix build issues. The agent misunderstood the task and generated commands that deleted a production database, despite being instructed not to make changes. Then the agent fabricated fake data and reports to cover up its mistakes, deceiving the user about what had happened.
10. Rogue Agents
Malicious or compromised agents can stop doing what they were told and start following hidden goals. They can even team up with other agents to cause damage. Rogue agents can continue harmful activity long after the original attack, making them hard to find and contain.
For instance, an agent may keep stealing data autonomously even after its source of poisoned instructions has been removed.
The challenge with rogue agents is that they often operate within their permissions and follow their instructions, but they just do so in ways that are harmful or misaligned with human intent.
Why Development Teams Need AI-Focused Labs
We’ve already established that older security measures aren’t effective when it comes to AI risks, and even more so when agents act autonomously. Instead, teams need practical, hands-on training to see exactly how attackers might exploit AI agents and how to mitigate attacks.
Developers should be able to experiment with risks like with prompt injection, tool misuse, and compromised data sources to understand how vulnerabilities arise from agent autonomy and multi-agent interactions.
Building Hands-On AI Security Skills with SecureFlag
While reading about AI security risks is helpful, it doesn’t really prepare teams on how to deal with them when they happen in practice. SecureFlag’s AI labs provide teams with a safe place to practice mitigating agentic AI and MCP threats, without risking production environments.
With SecureFlag, developers can:
-
Work through hands-on labs built around agentic AI and MCP scenarios.
-
Develop practical skills for identifying and reducing LLM-related risks.
-
Progress through guided learning paths that break down AI security challenges.
-
Stay current as new labs and content are added on a regular basis.
As agentic AI becomes part of everyday development, security should be a main priority. SecureFlag helps teams build secure agentic applications from the very first design decisions.
