The agentic threat surface, translated for AI Officers

By GovCompass.ai · Last verified June 2026 · Agentic security frameworks (OWASP ASI, MAESTRO, NIST/CAISI) are evolving rapidly.

The OWASP Agentic Security Initiative Top 10 catalogs the security risks that autonomous AI introduces. It is written for security engineers, but the risks are governance problems, because they describe what an agent can be made to do rather than what it can be made to say. This article translates the agentic threat surface into the language of controls an AI Officer owns, and maps each risk to the GovCompass pillar it stresses.

This is part of the Agentic AI element of the GovCompass-7.

Why the threat surface is different

Classic LLM security is about the text a model produces. Agentic security is about the actions an agent takes. The OWASP Agentic Security Initiative makes the point directly: securing agentic AI is a move from securing outputs to governing autonomous actions. An agentic risk often combines several classic LLM vulnerabilities and amplifies them, because autonomy means a vulnerability can be exploited at scale without a human in the path. Goal hijacking, for example, is prompt injection combined with excessive autonomy: the injection no longer just changes what the model says, it changes what the agent does.

The ten risks, as governance problems

The OWASP Top 10 for Agentic Applications identifies ten risk categories. Read as governance problems rather than exploits, they translate as follows.

Agent goal hijacking. An attacker redirects the agent's objective so it pursues a goal you did not set. Governance response: bounded objectives, input provenance controls, and detective monitoring that flags when an agent's behavior diverges from its mandate. Stresses security and human oversight.

Tool misuse and unintended execution. The agent calls a tool in a way you did not intend, executing an action with real-world effect. Governance response: scoped tool access, least-privilege tool permissions, and approval gates on high-consequence tool calls. Stresses security and accountability.

Identity and privilege abuse. The agent operates with more access than its task requires, or its identity is impersonated. Governance response: per-agent least-privilege identities, no shared credentials across agents, and scoped, time-bound access. Stresses security and privacy.

Agentic supply chain compromise. A component (a tool, a model, a sub-agent) is compromised upstream. Governance response: supply chain assurance for every tool and model an agent can reach, and an inventory of the agent's full dependency surface. Stresses security and accountability.

Unexpected code execution. The agent executes code, directly or through a tool, with effects you did not anticipate. Governance response: sandboxing, execution boundaries, and a deny-by-default posture on code execution. Stresses security and safety.

Memory and context poisoning. The agent's persistent memory is corrupted so that future behavior is shaped by planted content. Governance response: memory integrity controls, provenance on stored context, and detective monitoring for memory drift. Stresses security, safety, and fairness.

Resource exhaustion. The agent consumes resources (compute, API calls, budget) in a runaway loop. Governance response: rate limits, budget caps, and circuit breakers that halt a runaway chain. Stresses reliability and accountability.

Advanced prompt injection. Injection techniques tailored to agents, including injection through tool outputs and retrieved content. Governance response: input sanitisation across every channel the agent reads from, not just the user prompt. Stresses security and transparency.

Sensitive data disclosure. The agent leaks data it had legitimate access to, through an action or output. Governance response: output filtering, data-handling policy enforcement at the action level, and least-privilege data access. Stresses privacy and security.

Over-reliance on autonomous decision making. The organization grants the agent more autonomy than its reliability justifies. Governance response: progressive autonomy, escalation triggers, and a documented autonomy level matched to demonstrated reliability. Stresses human oversight and accountability.
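As an added example (not GovCompass code, and not a reference implementation of the OWASP list), a deny-by-default action gate that applies several of the controls named above to each tool call an agent attempts: a per-agent allowlist, a time-bound credential, a budget cap that acts as a circuit breaker, an approval gate on high-consequence tools, and an audit log of every attempt. The agent, tool names and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class AgentIdentity:
    agent_id: str             # per-agent identity; never shared across agents
    allowed_tools: frozenset  # scoped tool access: an explicit allowlist
    expires_at: datetime      # time-bound permission
    budget_calls: int         # cap that halts a runaway chain
    calls_made: int = 0

@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False

# Constructed: tools whose real-world effect warrants a human approval gate.
HIGH_CONSEQUENCE = frozenset({"send_payment", "delete_records"})
AUDIT_LOG: list = []  # full logging: every attempt is recorded, allowed or not

def gate(agent: AgentIdentity, tool: str, now: datetime, approved: bool = False) -> Decision:
    """Evaluate one tool call. Deny by default; each check maps to a risk above."""
    if now >= agent.expires_at:                      # identity and privilege abuse
        d = Decision(False, "credential expired")
    elif tool not in agent.allowed_tools:            # tool misuse
        d = Decision(False, f"tool {tool!r} outside agent scope")
    elif agent.calls_made >= agent.budget_calls:     # resource exhaustion
        d = Decision(False, "budget cap reached; circuit breaker open")
    elif tool in HIGH_CONSEQUENCE and not approved:  # over-reliance on autonomy
        d = Decision(False, "awaiting human approval", needs_approval=True)
    else:
        agent.calls_made += 1
        d = Decision(True, "within scope, budget and approval policy")
    AUDIT_LOG.append((now.isoformat(), agent.agent_id, tool, d.allowed, d.reason))
    return d

def demo() -> list:
    """Constructed call sequence for a hypothetical invoice-handling agent."""
    t0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    bot = AgentIdentity("invoice-bot", frozenset({"read_invoice", "send_payment"}),
                        expires_at=t0 + timedelta(hours=1), budget_calls=2)
    return [
        gate(bot, "read_invoice", t0),                       # allowed
        gate(bot, "send_payment", t0),                       # held for approval
        gate(bot, "send_payment", t0, approved=True),        # allowed
        gate(bot, "read_invoice", t0),                       # budget cap: denied
        gate(bot, "run_shell", t0),                          # out of scope: denied
        gate(bot, "read_invoice", t0 + timedelta(hours=2)),  # expired: denied
    ]
```

The ordering of the checks is deliberate: an expired or out-of-scope call is refused before it can consume budget or reach the approval queue.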

How an AI Officer uses this

This list is not a security checklist to delegate. It is a control inventory for the security and oversight dimensions of agentic AI. The practical move is to take each agent in your inventory and run it against these ten risks, asking for each: which preventive control reduces it, which detective control surfaces it, which corrective control contains it. The gaps in that grid are the agentic security backlog, and they belong in the same risk register as the rest of your GovCompass-7 program, not in a separate security silo that the governance function never sees.
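The grid described above, as an added example that is not part of the original article: each recorded control is traced to one of the ten risks and one control type, every empty cell of the risk-by-type grid becomes a backlog entry, and a control that cannot be traced is rejected rather than silently counted. The agent and its controls are constructed.

```python
from itertools import product

# The ten risk categories as this article names them.
RISKS = (
    "goal hijacking", "tool misuse", "identity and privilege abuse",
    "supply chain compromise", "unexpected code execution",
    "memory and context poisoning", "resource exhaustion",
    "advanced prompt injection", "sensitive data disclosure",
    "over-reliance on autonomy",
)
CONTROL_TYPES = ("preventive", "detective", "corrective")

def agentic_backlog(inventory: dict) -> list:
    """inventory maps agent -> [(control_name, control_type, risk), ...].
    Returns (agent, risk, control_type) for every empty cell in the grid."""
    backlog = []
    for agent, controls in inventory.items():
        bad = [c for c in controls if c[1] not in CONTROL_TYPES or c[2] not in RISKS]
        if bad:  # every control must trace to a listed risk and a control type
            raise ValueError(f"{agent}: untraceable controls {bad}")
        covered = {(risk, ctype) for _, ctype, risk in controls}
        backlog.extend((agent, risk, ctype)
                       for risk, ctype in product(RISKS, CONTROL_TYPES)
                       if (risk, ctype) not in covered)
    return backlog

def coverage(inventory: dict) -> dict:
    """Per-agent share of the 30 grid cells that have at least one control."""
    total = len(RISKS) * len(CONTROL_TYPES)
    gaps = agentic_backlog(inventory)
    return {agent: 1 - sum(g[0] == agent for g in gaps) / total for agent in inventory}

# Constructed inventory: one agent, four controls recorded against three risks.
SAMPLE_INVENTORY = {
    "invoice-bot": [
        ("tool allowlist", "preventive", "tool misuse"),
        ("approval gate on payments", "preventive", "tool misuse"),
        ("budget cap circuit breaker", "corrective", "resource exhaustion"),
        ("mandate-drift alert", "detective", "goal hijacking"),
    ],
}
```

Two preventive controls on the same risk still leave its detective and corrective cells empty, which is the point of reading the inventory as a grid rather than as a count.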

The framework landscape

OWASP is not alone. The MAESTRO threat-modeling framework from the Cloud Security Alliance provides a structured way to enumerate the agentic attack surface, and NIST and CAISI opened a formal process on AI agent security in early 2026. These converge on the same insight: agentic security needs its own threat model because the single-inference model of classic LLM security does not capture probabilistic behavior, runtime tool composition, persistent memory, and multi-agent delegation. For an AI Officer, the value is not in adopting one framework over another but in ensuring the controls they all point to are present, owned, and evidenced.

Legal references: Art. 15
