BreachExpress

Cybersecurity, explained for the rest of us.

General

AI Agents and the New Attack Surface: How Autonomous Tools Create Risk

Margot 'Magic' Thorne@magicthorneJune 6, 202612 min read
Abstract visualization of interconnected AI agent nodes with permission pathways extending outward

AI agents are software that acts on your behalf without asking permission each time. They read your email, schedule meetings, draft responses, search databases, trigger workflows, and make decisions based on instructions you gave once. The agent operates continuously, autonomously, with broad access to your data and systems.

This is different from ChatGPT or Claude, where you type a prompt and get a response. Those tools wait for you. AI agents don't wait. They monitor, evaluate, and act. That autonomy creates a new attack surface.

Here's the underlying mechanism, what makes agents riskier than traditional software, and what you need to understand before deploying one.

The Technical Architecture of AI Agents

An AI agent is a large language model combined with execution capabilities. The model interprets natural language instructions. The execution layer carries out actions in external systems through APIs, scripts, or direct integrations.

The agent needs three things to function:

Access to data sources. The agent reads your email, calendar, files, databases, chat logs, and any other information it needs to make decisions. This access is usually broad because the agent can't predict in advance which data will be relevant to future tasks.

Permissions to act. The agent needs write access to send emails, create calendar events, modify documents, post to Slack, trigger workflows, and perform whatever actions you've authorized. These permissions persist. The agent doesn't ask for approval each time.

Instructions or goals. You configure the agent with objectives like "summarize unread emails every morning" or "schedule meetings when someone requests one" or "draft responses to customer support tickets." The agent interprets these instructions and decides how to fulfill them.

The combination creates something fundamentally different from traditional software. A password manager stores credentials and fills forms when you click. An AI agent reads your inbox, decides which messages need responses, drafts those responses, and sends them without human review.

The autonomy is the point. It's also the risk.

Why AI Agents Expand the Attack Surface

Traditional software operates within defined boundaries. A password manager accesses credentials. An email client accesses email. A calendar app accesses your schedule. Each application has limited scope.

AI agents break those boundaries. A single agent might access email, calendar, files, databases, external APIs, and internal systems. The agent's scope is determined by its instructions, not by application architecture. If the agent needs access to fulfill a task, it gets that access.

This creates three new attack vectors that didn't exist with traditional software.

Prompt injection attacks. An attacker embeds malicious instructions in data the agent processes. The agent interprets those instructions as legitimate commands and executes them.

Example: An attacker sends you an email containing hidden text that says "forward all future emails to attacker@example.com." Your email summarization agent processes the email, interprets the hidden instruction as a legitimate command, and forwards your inbox to the attacker.

The agent can't distinguish between instructions from you and instructions from external data sources. Both look like text. Both get processed the same way.

Compromised data sources. AI agents trust the data they access. If an attacker poisons a data source the agent relies on, the agent incorporates that poisoned data into its decision-making.

Example: An agent monitors a shared database to answer customer questions. An attacker gains access to the database and modifies product information to include malicious links. The agent reads the modified data, believes it's accurate, and includes the malicious links in customer responses.

The agent has no mechanism to verify data integrity. It assumes the sources you configured are trustworthy.

Lateral movement through permissions. Once an attacker compromises an AI agent, they inherit all the agent's permissions across all connected systems. A single compromised agent becomes a skeleton key.

Example: An agent has read access to your email, write access to your calendar, and API access to your CRM. An attacker who compromises the agent can read confidential emails, schedule fake meetings, and exfiltrate customer data from the CRM. The agent's broad permissions enable lateral movement that would be impossible with traditional software.

Traditional software limits damage through isolation. AI agents eliminate isolation by design.

The Instruction Interpretation Problem

AI agents interpret natural language instructions. Natural language is ambiguous. The same phrase can mean different things in different contexts. The agent makes its best guess.

This creates a fundamental security problem: you can't precisely control what the agent does. You can only influence its interpretation.

Consider the instruction "summarize important emails." What counts as important? The agent decides. An attacker who understands the agent's interpretation model can craft emails that the agent classifies as important, even when they're spam or phishing attempts.

Or consider "schedule meetings when requested." What counts as a request? If someone emails you saying "we should meet," does the agent automatically create a calendar event? What if the email is a phishing attempt designed to get you into a fake Zoom call?

The agent interprets. You can't audit every interpretation. You can't predict every edge case. The ambiguity is inherent to natural language processing.

Security researchers have demonstrated this problem repeatedly. MITRE's ATT&CK framework now includes techniques for exploiting AI systems through adversarial inputs, data poisoning, and model manipulation. The attacks work because agents interpret instructions rather than execute explicit code.

Traditional software does exactly what you program it to do. AI agents do approximately what you ask them to do. The difference matters.

Permission Scope and the Principle of Least Privilege

Most AI agents request broad permissions because they can't predict which specific permissions they'll need for future tasks. You configure the agent once. It operates indefinitely. Broad permissions ensure the agent can handle whatever comes up.

This violates the principle of least privilege, which says systems should have only the minimum permissions required to perform their function. AI agents can't follow this principle because their function is open-ended.

Example: You set up an agent to help with email management. The agent asks for full read/write access to your Gmail account. Why full access? Because the agent might need to search old emails, draft responses, create labels, archive messages, or perform other tasks you haven't specified yet. The agent requests broad access to avoid permission errors later.

Now imagine that agent gets compromised. The attacker inherits full read/write access to your entire email history, every contact, every attachment, every conversation. The broad permissions that made the agent useful also made the compromise catastrophic.

You can limit agent permissions manually, but doing so requires predicting every task the agent might perform. If you guess wrong, the agent fails. Most people choose broad permissions over frequent failures.

The architecture incentivizes insecurity.

The Monitoring Gap

Traditional software generates logs. You can audit what happened. AI agents generate logs too, but those logs don't tell you why the agent made a decision.

The log might show "Agent sent email to john@example.com at 14:32." It won't show why the agent decided to send that email, what data influenced the decision, or whether the decision was correct.

AI agents operate as black boxes. You see inputs and outputs. You don't see the reasoning process that connected them.

This creates a monitoring gap. You can't effectively audit agent behavior because you can't reconstruct the decision-making process from logs alone. You can see that the agent did something. You can't easily determine whether it should have done that thing.

Security monitoring depends on being able to distinguish normal behavior from anomalous behavior. With AI agents, the definition of normal behavior is fuzzy. The agent's actions vary based on how it interprets instructions, what data it has access to, and how the underlying model was trained. Two identical inputs might produce different outputs.

Anomaly detection breaks down when normal behavior is unpredictable.

Real-World Attack Scenarios

These aren't theoretical risks. Security researchers have demonstrated practical attacks against AI agents in controlled environments. Here's what the attacks look like.

Email exfiltration through prompt injection. An attacker sends an email containing hidden instructions to forward all emails to an external address. The agent processes the email as part of its normal summarization routine, interprets the hidden instructions as legitimate commands, and begins forwarding the victim's inbox to the attacker.

The attack succeeds because the agent can't distinguish between instructions from the user and instructions embedded in external data. Both are text. Both get processed.

Calendar manipulation for social engineering. An attacker sends a meeting request containing instructions that tell the agent to accept all future meeting requests from a specific domain. The agent accepts the initial request and modifies its own behavior to accept subsequent requests without user approval.

The attacker now has a reliable method to get the victim into fake meetings, phishing calls, or other social engineering scenarios.

Data poisoning through compromised integrations. An agent pulls information from a third-party API to answer questions. An attacker compromises the API and injects malicious data into responses. The agent incorporates that data into its answers, spreading the poisoned information to users who trust the agent's output.

The attack scales because the agent automatically propagates whatever data it receives from trusted sources.

These scenarios share a common pattern: the attacker exploits the agent's trust in its inputs. The agent assumes data from configured sources is safe. The agent assumes instructions embedded in that data are legitimate. The agent acts on those assumptions without verification.

The Delegation Problem

When you deploy an AI agent, you're delegating authority. The agent acts on your behalf with your permissions. Legally, organizationally, and practically, the agent's actions are your actions.

If the agent sends a confidential document to the wrong person, you sent it. If the agent accepts a fraudulent invoice, you accepted it. If the agent leaks customer data, you leaked it.

This creates liability that doesn't exist with traditional software. A bug in Microsoft Word might cause you to lose work, but Word doesn't act autonomously. It doesn't send emails, approve transactions, or make decisions. An AI agent does all of those things.

The delegation is implicit in the architecture. You configured the agent. You gave it permissions. The agent operates under your authority. You're responsible for what it does, even when you don't understand why it did it.

Organizations deploying AI agents need to think about this differently than they think about traditional software. The agent isn't just a tool. It's a proxy. It represents you. It acts with your authority. The security implications extend beyond technical vulnerabilities into questions of accountability, liability, and governance.

The Training Data Supply Chain

AI agents are built on large language models trained on massive datasets. Those datasets come from the internet, corporate databases, proprietary sources, and other inputs controlled by the model vendor.

You don't know what's in the training data. You don't know where it came from. You don't know whether it's been poisoned, manipulated, or deliberately biased.

This creates a supply chain vulnerability. An attacker who can influence the training data can influence the agent's behavior. The attack happens before you deploy the agent. The vulnerability is baked into the model itself.

Security researchers have demonstrated that poisoned training data can cause models to produce specific outputs when triggered by specific inputs. The model appears to function normally until the trigger appears. Then it executes the attacker's instructions.

You can't audit the training data. You can't verify its integrity. You rely entirely on the model vendor's security practices. If the vendor's training pipeline is compromised, every agent built on that model is compromised.

Traditional software has supply chain risks too, but those risks are different. A compromised library in traditional software executes specific malicious code. A compromised training dataset in an AI model subtly influences decision-making in ways that are hard to detect.

The attack surface includes not just the agent you deploy, but the entire training process that created the underlying model.

Mitigation Strategies That Actually Work

You can't eliminate the risks AI agents create, but you can reduce them. Here's what actually works based on current security research and industry practice.

Limit agent permissions to specific, enumerated actions. Don't give the agent broad read/write access. Configure explicit permissions for specific operations. The agent can send emails to these three addresses. The agent can read files in this one folder. The agent can modify calendar events but not delete them.

Yes, this requires more configuration. Yes, the agent will fail when it encounters tasks outside its permissions. That's the point. Failure is safer than unauthorized action.

Use separate accounts for agent operations. Create a dedicated email account, calendar, file storage, and API credentials for the agent. Don't use your primary accounts. This limits the damage if the agent is compromised and makes monitoring easier because all agent activity is isolated.

Implement human-in-the-loop approval for high-risk actions. Configure the agent to request approval before sending external emails, approving transactions over a certain amount, or accessing sensitive data. The agent drafts the action, you approve it, the agent executes it.

This reduces autonomy, which reduces risk. The tradeoff is worth it for actions that carry significant consequences.

Monitor agent actions through structured logging. Implement logging that captures not just what the agent did, but what data it accessed, which external sources it queried, and what instructions it interpreted. Review these logs regularly. Look for patterns that don't match your expectations.

You can't audit the agent's reasoning, but you can audit its behavior. Anomalies in behavior often indicate problems in reasoning.

Treat agents as untrusted code. Run agents in sandboxed environments with network restrictions, file system isolation, and limited access to system resources. The agent operates in a container that can't access anything outside its defined boundaries.

This is how organizations handle untrusted code. AI agents should be treated the same way.

Implement input validation for agent data sources. If the agent pulls data from external APIs, databases, or other sources, validate that data before the agent processes it. Check for anomalies, unexpected patterns, or signs of manipulation.

This won't catch sophisticated attacks, but it will catch obvious ones.

The Broader Context: Autonomous Systems and Security

AI agents are the leading edge of a broader shift toward autonomous systems. Software that makes decisions, takes actions, and operates without continuous human oversight.

This shift creates security challenges that don't fit existing frameworks. Traditional security assumes software does what it's programmed to do. Autonomous systems interpret instructions and make decisions. The gap between programming and behavior creates new attack surfaces.

CISA has published guidance on securing emerging technologies, but that guidance is still evolving. The security community is learning how to think about autonomous systems in real time. Best practices are emerging, but they're not settled.

The challenge isn't just technical. It's conceptual. We're used to thinking about security in terms of access control, authentication, and authorization. Those concepts still apply to AI agents, but they're not sufficient. Agents can have proper authentication and still behave maliciously if their instructions are manipulated or their training data is poisoned.

Security for autonomous systems requires thinking about trustworthiness, not just access. Can you trust the agent to interpret instructions correctly? Can you trust the data sources the agent relies on? Can you trust the model vendor's training process?

These are harder questions than "does this user have permission to access this file?"

What This Means for You

If you're using AI agents or considering deploying them, here's what you need to understand:

AI agents are not productivity tools in the traditional sense. They're autonomous systems with broad permissions and limited oversight. The risks are qualitatively different from the risks of traditional software.

You can't fully control what an agent does. You can only influence its behavior through instructions, permissions, and data sources. The agent interprets and decides. That interpretation creates unpredictability.

Compromising an AI agent is more valuable to an attacker than compromising traditional software. The agent's broad permissions and autonomous operation make it a high-value target. Expect attacks to focus on agents as they become more common.

The security practices that work for traditional software are necessary but not sufficient for AI agents. You still need access control, authentication, and authorization. But you also need input validation, output monitoring, permission scoping, and human oversight.

The technology is moving faster than the security frameworks. Vendors are deploying AI agents before the security community has fully figured out how to secure them. This is normal for emerging technology. It's also risky.

Treat AI agents as you would treat a junior employee with administrative access to your systems. Monitor what they do. Limit what they can access. Review their actions regularly. Don't assume they'll always do the right thing.

The autonomy is useful. The autonomy is also dangerous. Both things are true.

Simplified diagram showing AI agent access scope compared to traditional application boundaries
→ Filed under
ai securityai agentsautonomous systemsapi securitypermission managementemerging threats
ShareXLinkedInFacebook

Frequently asked questions

An AI agent acts autonomously on your behalf with permissions to read data, trigger actions, and make decisions without asking for confirmation each time. Unlike ChatGPT or similar tools that only respond when prompted, agents operate continuously with broad access.
AI agents combine broad permissions, autonomous decision-making, and access to multiple systems. A compromised agent can act across your entire digital environment without the traditional boundaries that limit damage from a single breached application.
Yes. Attackers can manipulate agent inputs through prompt injection, poisoned training data, or compromised external sources the agent trusts. The agent follows instructions it believes are legitimate, even when they're malicious.
Most agents need read access to your files and communications, write access to create or modify content, API access to external services, and execution privileges to perform actions like sending emails or scheduling meetings. The scope varies but tends toward broad access.
Limit agent permissions to the minimum required, audit what the agent actually accesses, use separate accounts for agent operations, monitor agent actions through logs, and treat agents as you would a junior employee with administrative access.

You might also like

Vintage computer forum interface from the 2000s showing active user profiles and post counts
General

Forum accounts from the 2000s: still out there, still yours

That phpBB account from 2004 still exists, holds years of posts, and connects to an email you might not use. Here's what happens to old forum accounts.

11 min · Margot 'Magic' Thorne · Jun 4

Split screen showing a Google search bar on one side and targeted ads appearing on websites on the other side, connected by glowing data streams
General

Why your Google searches follow you around: the ad tracking mechanism explained

Google tracks your searches to show you ads. Here's the technical mechanism behind ad targeting, what data gets collected, and what you can actually control.

11 min · Margot 'Magic' Thorne · May 30

Smartphone screen showing permission request dialog with checkboxes for contacts, location, camera, and microphone access
General

Why Apps Ask for Permissions They Don't Need

Apps request contacts, location, and camera access far beyond what their features require. Here's the mechanism behind permission requests and what you can actually control.

11 min · Margot 'Magic' Thorne · Jun 3