The agentic threat surface, translated for AI Officers
The OWASP Agentic Security Initiative Top 10 catalogues the security risks that autonomous AI introduces. It is written for security engineers, but the risks are governance problems, because they describe what an agent can be made to do rather than what it can be made to say. This article translates the agentic threat surface into the language of controls an AI Officer owns, and maps each risk to the GovCompass element it stresses.
This is part of the Agentic AI element of the GovCompass-7.
Why the threat surface is different
Classic LLM security is about the text a model produces. Agentic security is about the actions an agent takes. The OWASP Agentic Security Initiative makes the point directly: securing agentic AI is a move from securing outputs to governing autonomous actions. An agentic risk often combines several classic LLM vulnerabilities and amplifies them, because autonomy means a vulnerability can be exploited at scale without a human in the path. Goal hijacking, for example, is prompt injection combined with excessive autonomy: the injection no longer just changes what the model says, it changes what the agent does.
The ten risks, as governance problems
The OWASP Top 10 for Agentic Applications identifies ten risk categories. Read as governance problems rather than exploits, they translate as follows.
Agent goal hijacking. An attacker redirects the agent's objective so it pursues a goal you did not set. Governance response: bounded objectives, input provenance controls, and detective monitoring that flags when an agent's behaviour diverges from its mandate. Stresses security and human oversight.
Tool misuse and unintended execution. The agent calls a tool in a way you did not intend, executing an action with real-world effect. Governance response: scoped tool access, least-privilege tool permissions, and approval gates on high-consequence tool calls. Stresses security and accountability.
Identity and privilege abuse. The agent operates with more access than its task requires, or its identity is impersonated. Governance response: per-agent least-privilege identities, no shared credentials across agents, and scoped, time-bound access. Stresses security and privacy.
Agentic supply chain compromise. A component (a tool, a model, a sub-agent) is compromised upstream. Governance response: supply chain assurance for every tool and model an agent can reach, and an inventory of the agent's full dependency surface. Stresses security and accountability.
Unexpected code execution. The agent executes code, directly or through a tool, with effects you did not anticipate. Governance response: sandboxing, execution boundaries, and a deny-by-default posture on code execution. Stresses security and safety.
Memory and context poisoning. The agent's persistent memory is corrupted so that future behaviour is shaped by planted content. Governance response: memory integrity controls, provenance on stored context, and detective monitoring for memory drift. Stresses security, safety, and fairness.
Resource exhaustion. The agent consumes resources (compute, API calls, budget) in a runaway loop. Governance response: rate limits, budget caps, and circuit breakers that halt a runaway chain. Stresses reliability and accountability.
Advanced prompt injection. Injection techniques tailored to agents, including injection through tool outputs and retrieved content. Governance response: input sanitisation across every channel the agent reads from, not just the user prompt. Stresses security and transparency.
Sensitive data disclosure. The agent leaks data it had legitimate access to, through an action or output. Governance response: output filtering, data-handling policy enforcement at the action level, and least-privilege data access. Stresses privacy and security.
Over-reliance on autonomous decision making. The organisation grants the agent more autonomy than its reliability justifies. Governance response: progressive autonomy, escalation triggers, and a documented autonomy level matched to demonstrated reliability. Stresses human oversight and accountability.
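Several of the governance responses above (the scoped tool access and approval gates under tool misuse, the deny-by-default posture under code execution, and the call caps and circuit breaker under resource exhaustion) can be enforced at one chokepoint between the agent and its tools. The following is an added example, not code from OWASP or GovCompass; the agent identity, tool names, limits and sample tools are constructed for illustration.

```python
# Added example (not OWASP or GovCompass code): a gateway between an agent and its
# tools. Agent id, tool names, limits and the sample tools below are constructed.
from dataclasses import dataclass, field
class CircuitOpen(Exception): pass   # budget exhausted: halts the whole chain
class Denied(Exception): pass        # out of scope, or awaiting human approval

@dataclass
class AgentPolicy:
    agent_id: str              # per-agent identity: no shared credentials
    allowed_tools: frozenset   # only these are callable (deny by default)
    needs_approval: frozenset  # high-consequence subset gated behind a human
    max_calls: int             # rate cap per task run
    max_cost: float            # budget cap per task run

@dataclass
class Gateway:
    policy: AgentPolicy
    tools: dict                # name -> callable: the agent's reachable surface
    calls: int = 0
    cost: float = 0.0
    tripped: bool = False      # breaker state; stays open until a human resets it
    audit_log: list = field(default_factory=list)

    def _decide(self, tool, cost, approved):
        if self.tripped:
            return "circuit_open"
        if tool not in self.policy.allowed_tools or tool not in self.tools:
            return "denied_scope"
        if tool in self.policy.needs_approval and not approved:
            return "denied_awaiting_approval"
        if self.calls >= self.policy.max_calls or self.cost + cost > self.policy.max_cost:
            self.tripped = True
            return "circuit_open"
        return "allowed"

    def invoke(self, tool, args, cost=0.0, approved=False):
        decision = self._decide(tool, cost, approved)   # every decision is logged
        self.audit_log.append((self.policy.agent_id, tool, dict(args), decision))
        if decision == "allowed":
            self.calls, self.cost = self.calls + 1, self.cost + cost
            return self.tools[tool](**args)
        exc = CircuitOpen if decision == "circuit_open" else Denied
        raise exc(f"{self.policy.agent_id}: {tool} {decision}")

# Constructed sample: read tickets freely, refund only with approval, never delete.
SAMPLE_TOOLS = {"read_ticket": lambda ticket_id: {"id": ticket_id, "status": "open"},
                "send_refund": lambda ticket_id, amount: f"refunded {amount} on {ticket_id}",
                "delete_account": lambda user: f"deleted {user}"}
SUPPORT_POLICY = AgentPolicy("support-agent-01", frozenset({"read_ticket", "send_refund"}),
                             frozenset({"send_refund"}), max_calls=3, max_cost=1.0)
```

The audit log is the detective half of the grid: each tuple records which agent asked for which tool with which arguments and what the gateway decided, so a divergence from mandate shows up as a run of denials rather than a silent action.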
How an AI Officer uses this
This list is not a security checklist to delegate. It is a control inventory for the security and oversight dimensions of agentic AI. The practical move is to take each agent in your inventory and run it against these ten risks, asking for each: which preventive control reduces it, which detective control surfaces it, which corrective control contains it. The gaps in that grid are the agentic security backlog, and they belong in the same risk register as the rest of your GovCompass-7 programme, not in a separate security silo that the governance function never sees.
The framework landscape
OWASP is not alone. The MAESTRO threat-modelling framework from the Cloud Security Alliance provides a structured way to enumerate the agentic attack surface, and NIST and CAISI opened a formal process on AI agent security in early 2026. These converge on the same insight: agentic security needs its own threat model because the single-inference model of classic LLM security does not capture probabilistic behaviour, runtime tool composition, persistent memory, and multi-agent delegation. For an AI Officer, the value is not in adopting one framework over another but in ensuring the controls they all point to are present, owned, and evidenced.