CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 28, 2026

Agentic AI Isn't Risky; the Way Orgs Deploy It Is

Dark Reading Archived May 28, 2026 ✓ Full text saved

AI agents aren't black boxes — they're models interacting with software tools. The risk lies in their overlap.

Full text archived locally
✦ AI Summary · Claude Sonnet


    APPLICATION SECURITY CYBER RISK VULNERABILITIES & THREATS CYBERSECURITY OPERATIONS NEWS Agentic AI Isn't Risky; the Way Orgs Deploy It Is AI agents aren't black boxes — they're models interacting with software tools. The risk lies in their overlap. Nate Nelson,Contributing Writer May 28, 2026 5 Min Read SOURCE: RAWF8 VIA ALAMY STOCK PHOTO In the mad dash to deploy agentic artificial intelligence (AI) technology, developers aren't taking enough time to understand how their programs work, and they're inadvertently generating a whole lot of very old-fashioned vulnerabilities. The universe of AI agents in the advanced economies of today's world is immeasurably large; literally, nobody has any clue how many of these things are out there. Some recent data suggests that somewhere around a third of organizations have either already adopted or will adopt, agentic AI tech soon, but even those measurements rest on self-reporting and generalized data, or loose predictions.  Contrary to popular belief, however, the agents themselves are not black boxes. In an unusually long presentation at Infosecurity Europe next month, researchers at Acronis are going to attempt to correct this unhelpful narrative by demonstrating how these bots work at a fundamental level. And by picking apart how AI agents work, they argue, an even more interesting finding emerges: that the cybersecurity vulnerabilities in this tech are not the fault of the AI; they're mostly a byproduct of traditionally bad coding. Related:Feeding Frenzy: 'Megalodon' Malware Infects Thousands of GitHub Repos "What people don't understand is that agentic systems still rely on a lot of old world technology and a lot of old world vulnerabilities," says Acronis senior security researcher Eliad Kimhy. As agentic AI tech spreads more and more, "What we are going to see being abused are plain old vulnerabilities in software. And if you don't understand that, you're going to write bad software, and you're going to rely on your large language model (LLM) to do the rest. That's a bad approach." The Vulnerabilities in Agentic AI Last fall, researchers discovered a critical vulnerability in Salesforce. If an attacker planted a malicious prompt in a certain kind of Salesforce form, an AI agent interpreting it on the back end might carry out its instructions. The issue was made worse by the fact that Salesforce was still whitelisting an expired, easily purchasable domain. Early this year, a researcher discovered a dangerous exploit chain in ServiceNow. Thanks to an overly permissive chatbot — protected only by a factory default credential — that could be authenticated as any user simply by supplying their email address, the researcher found that he could access and create powerful AI agents in any company's ServiceNow instance. What do these stories, and so many more like it, have in common? Since agentic AI has introduced so much new risk to organizations, one might reasonably assume that agentic AI technology is itself risky. But considering the sorts of vulnerabilities — lack of input sanitization, hardcoded credentials, insufficient access controls — what's new and "intelligent" about any of that? Related:Shai-Hulud Hackers TeamPCP: Lucky or Skilled? "I think the flashy thing — the fun types of hack, the types of hack that everybody wants to talk about — is jailbreaks. That's not really the point of failure we need to think about," Kimhy argues.  The more significant point of failure is more unique to agents themselves, Acronis says. It lives right at the intersection between the AI and the traditional software it interacts with. To understand why that intersection is so dangerous, one first needs a fundamental understanding of how AI agents work. How AI Agents Work "The problem is that, a lot of the time, people look at these agentic systems as a black box. They think, OK, there's input, there's some magic happening in the middle, and then there's output — we don't know what's going on [in the middle]. The message that we're interested in helping people understand is that it is not a black box," Kimhy says. From a zoomed out perspective, an AI agent can be thought of as a system of two halves. "It's an ecosystem that includes, on one hand, deterministic systems which are tools, basically old world software. A function that takes an argument just like any other function, and produces a deterministic result. The tool that is connected to a non-deterministic system, which is the LLM. That LLM works by understanding probabilities. These two things together form a system," Kimhy explains. Related:For Enterprises, Security Remains Agentic AI's Biggest Challenge Crucially, it is in the juxtaposition of the deterministic and non-deterministic halves that most agentic vulnerabilities arise. In their presentation, Kimhy and his colleague, Acronis lead security researcher Syed Aizad, will demonstrate how this works using a sample AI agent underpinning a travel booking platform. Using cutting-edge reasoning agents, connected to totally inoffensive tools, any number of vulnerabilities still arise. A user might ask for their booking information, for instance, and the agent might supply it to them without realizing that the user might be lying about who they are.  This is not the fault of the agent; it's a simple matter of authentication. Researchers demonstrated this exact scenario last December, using a program powered by a Microsoft Copilot Studio agent to leak personally identifying information (PII). How to Secure Agentic Technology It would be perfectly straightforward to design an authentication check for an AI agent, of course. But are slapdash "Agentforce" or "Now Assist" agents, or increasingly common vibe coded programs, accounting for that and a thousand potentially other vulnerable interactions between those deterministic and non-deterministic halves? "People are going to [deploy agentic AI] without a deep understanding of how these systems work, and how they're connected to each other. And that's incredibly important to understand. The fixes for the LLM itself are not the same as the fixes for the software," he says, adding that "more specifically, a lot of focus is now on the non-deterministic side. That's the sexy part. But that's really only half the picture, maybe even less than half the picture." Kimhy's conference catchphrase is "old world principles with a new world spin": applying time-tested cybersecurity principles to this new tech. This includes preventing agents from leaking data with standard token-based authentication, or applying access controls to the AI, just as one would a human employee. "We need to first incorporate old world thinking, to understand that [traditional software principles] have always been a part of this system, and these tools need to be considered," he explains. "But we need to put a new world twist on it, because now we've connected [that software] to something that is unpredictable in a lot of ways. And that is something that I think there's just not enough awareness of." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media. He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify. He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar AI-Powered Credential Security: Intelligence Without Exposure More Webinars You May Also Like APPLICATION SECURITY Supply Chain Attack Secretly Installs OpenClaw for Cline Users by Rob Wright FEB 19, 2026 APPLICATION SECURITY Chinese Hackers Hijack Notepad++ Updates for 6 Months by Jai Vijayan, Contributing Writer FEB 02, 2026 APPLICATION SECURITY Trump Administration Rescinds Biden-Era Software Guidance by Alexander Culafi JAN 29, 2026 APPLICATION SECURITY Microsoft Fixes Exploited Zero Day in Light Patch Tuesday by Jai Vijayan, Contributing Writer DEC 09, 2025 Editor's Choice CYBERSECURITY OPERATIONS 20 Leaders Who Built the CISO Era: 2 Decades of Change byDark Reading Editorial Team MAY 12, 2026 41 MIN READ APPLICATION SECURITY It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight byJai Vijayan MAY 12, 2026 5 MIN READ CYBERATTACKS & DATA BREACHES Instructure Breach Exposes Schools' Vendor Dependence byAlexander Culafi MAY 6, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed TUESDAY, JUNE 23, 2026 1:00 PM EDT Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack THURS, JUNE 25, 2026, AT 1PM EST Defending in the Shadow Era: When the CVE Feed Goes Dark TUES, JUNE 16, 2026 AT 1PM EST Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST AI-Powered Credential Security: Intelligence Without Exposure WED, JUNE 17, 2026, AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    May 28, 2026
    Archived
    May 28, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗