Glossary / AI Agent Security

AI Agent Security

AI agent security is the practice of assessing and controlling how autonomous AI systems use tools, data, and permissions so their actions stay within intended boundaries.

AI agents go beyond chatbots: they can call APIs, run workflows, read files, and take actions. That autonomy creates a larger surface for mistakes or misuse, and more places where intent can drift from what a team expects.

Security reviews focus on concrete boundaries: which tools an agent can reach, what data each tool can return, how memory is protected, and how outputs are validated before actions are taken. In multi-agent setups, message authenticity and handoff controls matter just as much.

Because agents make probabilistic decisions, tests look for consistent failure modes across varied prompts and states. The goal is clear evidence of where controls hold, where they do not, and what changes make behavior predictable.

AI agent threat landscape

AI agent risk is shaped by how tools, data sources, and approvals are connected. A landscape view maps the points where normal workflows can drift outside intent, so controls can be tested with realism.

We use this landscape to design tests that confirm tool boundaries, memory access rules, and approval checks hold up in day-to-day workflows.

Tool access drift

Permissions expand over time or across tasks, allowing an agent to invoke tools beyond the original scope.

Data source overreach

Retrieval tools return broader datasets than needed, widening what the agent can see or act on.

Memory contamination

Untrusted content is stored in long-term memory or context, influencing future actions without review.

Handoff ambiguity

Multi-agent workflows pass tasks without clear identity or policy checks, creating gaps in responsibility.

Output-to-action gaps

Model outputs trigger real actions before validation or human approval is applied.

Common AI agent attacks that shape testing

Most agent failures are not about intent; they are about how everyday inputs, tools, and approvals combine. These attack patterns are the ones we map so testing can validate real boundaries, not assumptions.

Indirect prompt injection through trusted data

An agent reads a ticket, document, or web page that contains instructions disguised as normal content, and treats them as commands.

Resolution: We run controlled mixed-trust inputs and verify that instruction handling, tool gating, and policy checks separate data from directives.

Tool authorization bypass via broad scopes

Shared tokens or generic scopes let an agent call tools outside the current user, tenant, or task context.

Resolution: We test per-user and per-task scoping with safe cross-context calls to confirm least-privilege enforcement.

Memory poisoning and policy drift

Untrusted content is stored in long-term memory and later influences actions, even when it is outdated or unsafe.

Resolution: We validate memory ingestion rules, retention limits, and guardrails with repeatable probes across sessions.

Tool response injection

API or tool responses contain hidden instructions that the agent treats as authoritative and acts upon.

Resolution: We verify response validation, allowlisting, and decision checks before any downstream action is taken.

Autonomous actions without confirmation gates

The agent moves from interpretation to action without a required approval or policy check for sensitive operations.

Resolution: We trace the decision-to-action path and confirm approval gates and safe defaults are enforced in practice.

Testing approach for AI agent security

We keep agent testing predictable: agree on scope, validate the real control points, and document what was verified. No surprise changes or added work.

Confirm scope and agent boundaries

We list the agents, tools, data sources, and environments in scope and agree on access limits and timing.

Map tool, data, and approval controls

We review tool permissions, retrieval rules, memory policies, and approval gates to understand intended behavior.

Run controlled behavior checks

We simulate realistic workflows and mixed-trust inputs to validate that boundaries and confirmations hold.

Document evidence and retest criteria

We share what was tested, what held, and the exact changes needed, with clear retest steps.

What stays predictable

Fixed scope and access agreed before testing starts
Non-disruptive checks in agreed environments
Clear evidence and retest criteria for internal review

Related glossary terms

MCP Security

How agents connect to MCP tools and enforce boundaries.
LLM Security

Core risks and controls for large language models.
Prompt Injection

Why untrusted instructions can steer model behavior.
API Security Testing

Testing the systems agents call through tools.

Safe next step

Talk through your AI agentboundaries with a tester.

If you want a second set of eyes on tool access, memory rules, or approval gates, we can walk through scope and share what a focused test would cover. No commitment required.

Start a low-pressure conversation

or see a sample report first

No obligation to proceed
Scope and access agreed up front
Clear evidence you can share internally