CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 28, 2026

AI Agents Present Massive New Attack Surface

Data Breach Today Archived May 28, 2026 ✓ Full text saved

With Great Capabilities Comes Great Risk Artificial intelligence agents have well and truly arrived and companies of all kinds are rushing to deploy them. But experts warn that agentic AI brings with it a massive new attack surface and highlights the need for a comprehensive, systemic approach to AI security and governance.

Full text archived locally
✦ AI Summary · Claude Sonnet


    Agentic AI , Artificial Intelligence & Machine Learning , Next-Generation Technologies & Secure Development AI Agents Present Massive New Attack Surface With Great Capabilities Comes Great Risk Shaun Waterman • May 28, 2026     Credit Eligible Get Permission Image: Shutterstock Artificial intelligence agents have well and truly arrived and companies of all kinds are rushing to deploy them. But experts warn that agentic AI brings with it a massive new attack surface and highlights the need for a comprehensive, systemic approach to AI security and governance. See Also: AI Agents Introduce a New Insider Threat Model Unlike the now familiar chatbots, AI agents don't just generate text. They can perform tasks like sending emails, arranging meetings or potentially even booking flights. Software development agents can push code to production. With these increased capabilities, comes an increased potential for harm that hackers can exploit, explained Ian Swanson, vice president of AI security products at Palo Alto Networks. "AI agents pose significantly greater cybersecurity risks than traditional chatbots because they possess the agency to act," he told ISMG. "When you grant an AI agent the ability to use tools, write code, or access internal software, any vulnerability becomes a direct pathway to operational disruption." And there are many such vulnerabilities, said Shing-hon Lou, a senior cybersecurity engineer on the AI Security Incident Response Team at Carnegie Mellon's Software Engineering Institute. The institute was the home of the first US-CERT, and aims to replicate that role by making AISIRT a central clearing house for reports of vulnerabilities in AI. "As organizations rush to adopt agentic AI, many of these tools are not well-tested for security vulnerabilities," Lou said. "The AISIRT continues to see numerous reports of vulnerabilities that could lead to adversarial manipulation of business and mission processes." The threat posed by AI agents was thrown into sharp relief earlier this year when an open-source AI agent OpenClaw became the most starred software on GitHub. OpenClaw agents ran amok: One tried to blackmail a software developer who rejected its code changes for his open-source project. Another deleted its user's email inbox. OpenClaw agents even have their own social media site, which didn't stop Cisco's security team from calling them a "security nightmare." The risks don't seem to be slowing adoption. According to a McKinsey report last year, 62% of the enterprises surveyed were experimenting with AI agents, and nearly a quarter were scaling an agentic AI system. Companies are transitioning "incredibly fast" from "experimentation with LLMs to the actual production deployment of agentic AI," Swanson said. "It is one of the most aggressive technology rollouts we’ve seen." Because AI agents must interact with multiple software applications, humans, the internet and increasingly, other agents, it's pretty much impossible to police or limit their inputs, explained one security expert not cleared by current employers to speak to the press. And because they're LLMs, they can be manipulated by an adversary through those inputs. Traditional software exploits aren't needed. "Their attack surface is the whole world," the expert said. Researchers at Google's frontier AI lab DeepMind recently outlined the six ways in which agentic AI can be attacked via the web, characterizing them as a series of traps which could be laid for agents: Content Injection Traps that exploit the gap between human perception and machine parsing of websites to embed malicious commands - a website that looks completely normal to a human can be chock full of malicious content that an agent will hoover up. Semantic Manipulation Traps, which manipulate data inputs, for example wrapping malicious instructions in educational, hypothetical, or red-teaming framing to bypass safety filters and oversight mechanisms, and other attacks designed to corrupt an agent's reasoning and internal verification processes. Cognitive State Traps, which target an agent's long-term memory, knowledge bases and learned behavioral policies, such as apparently innocuous data implanted into internal memory stores that activates as malicious when retrieved in a specific future context. Behavioral Control Traps, commands that hijack an agent's capabilities to force unauthorized actions, like hidden code that induces the agent to locate, encode and exfiltrate private or sensitive data to an attacker-controlled endpoint. Systemic Traps, which exploit the multi-agent swarms some enterprises have deployed, seeding the environment with inputs designed to trigger correlated agent behavior leading to macro-level failure. Human-in-the-Loop Traps, in which agents are commandeered to exploit cognitive biases to influence a human overseer. The potential for systemic traps was "mind-boggling," said Michael Figueroa, CISO of Chikara Health Records, an early stage start up in the electronic health record market. "You have these swarms of agents and one malicious prompt" can propagate throughout the enterprise. "We're building an internet of agents, where they all talk to each other, but there's no governance," he said. He said businesses adopt agentic tools without thinking through the risks or consequences. "We're moving all of our business processes essentially into this non-deterministic cloud of context." "It's gonna get hairy," he predicted. The six way taxonomy developed by DeepMind was useful, according to Chris Blask, "because it follows the operational cycle of an agent: perception, reasoning, remembering, acting, coordinating [with other agents] and often routing decisions through human oversight. "Each of those stages creates a distinct attack surface," said Blask, co-founder and CEO of QuietWire, a Canadian company building governance-focused AI infrastructure. Blask is a member of a working group convened by embedded software security firm CS Canada tasked with developing a technical specification for systems of AI systems. The DeepMind paper revealed a new class of cybersecurity threats to AI agents, he told ISMG in an interview. "The information environment can be weaponized against them," internet elements like "web pages, documents, user interfaces, metadata, media files, memory stores, agent-to-agent interactions and even human overseers can become part of the attack surface." To Blask, the takeaway is that a systemic approach is needed. An effective security and governance model needs to see an agent through the whole cycle, he said. "The governable object is the whole composition: the model, the agent, the prompt, the memory, the tool access, the data sources, the human reviewer, the workflow, the authority boundary and the evidence trail." Meanwhile, others are working to incorporate the vulnerabilities of AI agents into existing defensive frameworks. John Cavanaugh, president and CEO of the Internet Infrastructure Services Corporation, has mapped the agentic AI attacks the DeepMind paper identified to the OWASP Agentic AI Multi-Agent System Threat Modelling Guide, calling the result the MAESTRO framework. He is working on incorporating these new attack surfaces into Nvidia's Generative AI Red-Teaming & Assessment Kit, an open-source pen-testing framework for AI. Defenses can be built in at the training and the operational stages of AI, said Cavanaugh. "Models can be conditioned on explicit behavioral principles, enabling the agents to safely refuse manipulative instructions," he said. During operations, sources can be filtered, content scanned for hidden instructions and agent output monitored for shifting or suspicious behavior. "While these technical defenses serve as the primary line of protection, technical hardening alone is likely insufficient" to secure agentic AI, Cavanaugh said. To be effective, technical defenses must be combined with "ecosystem-level interventions—such as trust signals, reputation systems and web.”
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    May 28, 2026
    Archived
    May 28, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗