
Agentic Threat Model
Understanding the unique security challenges of AI agents with tool access.
Why Agentic AI is Different
Traditional Applications
- Fixed execution paths
- Predictable behavior
- Static attack surface
- User initiates all actions
Agentic AI Systems
- Dynamic, autonomous decisions
- Emergent behaviors
- Expanding attack surface
- Agent can initiate actions
CRITICAL: Prompt Injection
Malicious inputs designed to hijack agent behavior and gain unauthorized access to tools.
Attack Vectors
- Direct prompt manipulation ("Ignore previous instructions")
- Jailbreak attempts using roleplay scenarios
- Encoded payloads in file names, document content, or tool inputs
- Multi-turn prompt chains to bypass safeguards
Mitigations
- Strict input validation and sanitization
- Tool output filtering and validation
- Separation of data and control channels
- Human-in-the-loop for sensitive operations
HIGH: Tool Abuse
Legitimate tools can be weaponized to perform unauthorized actions against your systems.
Attack Vectors
- File system tools to exfiltrate sensitive data
- Network tools to pivot to internal systems
- Code execution tools for cryptocurrency mining
- Database tools to dump credentials or modify records
Mitigations
- Principle of least privilege for all tools
- Sandboxed execution environments
- Resource quotas and rate limiting
- Tool-specific allowlists and blocklists
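The mitigations listed under Prompt Injection and Tool Abuse above come together in a policy gate that sits between the agent and its tools. The following is an added example, not code from the original page: every tool call the agent proposes passes through `ToolGate.check()`, which enforces a per-role allowlist (least privilege), confines file-tool paths to a sandbox directory, applies a per-tool rate limit (resource quota), and routes sensitive tools to human approval. Tool names, roles, limits and the sandbox path are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional
import time

# Assumed policy for this example: which tools each agent role may call,
# which tools always need a human to approve, and the per-tool call quota.
ROLE_ALLOWLIST = {
    "reader":   {"read_file", "search"},
    "analyst":  {"read_file", "search", "db_query"},
    "operator": {"read_file", "search", "db_query", "db_write", "shell"},
}
SENSITIVE_TOOLS = {"db_write", "shell"}   # never auto-executed
RATE_LIMIT = 5                            # calls per tool per window
WINDOW_SECONDS = 60.0

@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_human: bool = False   # True: hold the call until a human approves

@dataclass
class ToolGate:
    role: str
    sandbox_root: Path
    _calls: dict = field(default_factory=dict)   # tool -> recent call timestamps

    def check(self, tool: str, args: dict, now: Optional[float] = None) -> Decision:
        now = time.monotonic() if now is None else now
        # 1. Allowlist: the role may only call tools it was granted.
        if tool not in ROLE_ALLOWLIST.get(self.role, set()):
            return Decision(False, f"tool {tool!r} not allowed for role {self.role!r}")
        # 2. Argument validation: file access is confined to the sandbox directory,
        #    so "../../etc/passwd" or an absolute path is rejected.
        if tool == "read_file":
            target = (self.sandbox_root / args.get("path", "")).resolve()
            if not target.is_relative_to(self.sandbox_root.resolve()):
                return Decision(False, "path escapes sandbox")
        # 3. Resource quota: sliding window of recent calls for this tool.
        recent = [t for t in self._calls.get(tool, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= RATE_LIMIT:
            return Decision(False, f"rate limit exceeded for {tool!r}")
        self._calls[tool] = recent + [now]
        # 4. Human-in-the-loop: sensitive tools are queued, not executed.
        if tool in SENSITIVE_TOOLS:
            return Decision(True, "queued for human approval", needs_human=True)
        return Decision(True, "ok")
```

A caller treats `allowed=False` as a hard block and `needs_human=True` as "do not execute until approved"; both outcomes are worth logging, since a burst of blocked calls is a useful signal that an injection attempt is underway.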
HIGH: Surface Exposure
Every tool you expose enlarges your attack surface: more tools mean more points of vulnerability.
Attack Vectors
- Exposed admin interfaces without authentication
- Debug endpoints accessible from the internet
- Default credentials never changed
- APIs documented but not secured
Mitigations
- No default credentials; force setup on first run
- VPN or private network for admin access
- Regular security audits of exposed endpoints
- Automated exposure detection
CRITICAL: Privilege Escalation
Agents can be tricked into exceeding their intended permissions and accessing restricted resources.
Attack Vectors
- Prompting the agent to impersonate privileged users
- Chaining multiple tools to bypass individual restrictions
- Exploiting trust relationships between services
- Modifying configuration files to elevate permissions
Mitigations
- Zero-trust architecture: verify every request
- Immutable infrastructure where possible
- Role-based access control (RBAC) with regular audits
- Separation of duties for sensitive operations
Security is a Journey, Not a Destination
Start with our comprehensive checklist to assess and harden your agentic AI deployments.