.png)
What Are Agentic AI Risks in Cybersecurity?
Agentic AI systems that can take actions autonomously create novel cybersecurity risks. Learn what they are, how prompt injection works, and what governance boards need to require.
What Are Agentic AI Systems
Agentic AI refers to AI systems that can take actions autonomously to complete multi-step objectives — as opposed to AI systems that respond to individual queries. A traditional AI chatbot answers a question. An AI agent receives a goal, plans a sequence of steps to achieve it, and executes those steps using tools — web browsing, code execution, API calls, file management, email sending — with minimal human involvement at each step.
The distinction matters for cybersecurity because agentic AI systems have capabilities that amplify both their utility and their risk profile. An agent that can read and write files, send emails, execute code, browse the internet, and call external APIs is a powerful productivity tool. It is also a system that can take consequential actions with significant blast radius if it is compromised, manipulated, or simply makes an error on a high-stakes task.
The growth of agentic AI is accelerating. Microsoft Copilot, Google Workspace AI, Salesforce Einstein, enterprise automation platforms, and purpose-built AI agent frameworks are all introducing agentic capabilities into enterprise environments. Employees are building their own agents using low-code and no-code platforms. Developers are building agentic systems into customer-facing applications. Gartner identified agentic AI as the top cybersecurity trend for 2026 — specifically because the security frameworks for managing AI agent risk do not yet exist at the maturity level the deployment rate requires.
The Cybersecurity Risks Specific to AI Agents
Prompt injection is the attack technique most specific to AI agents. A prompt injection attack embeds malicious instructions in content that an AI agent is processing — a webpage the agent is reading, an email it is summarizing, a document it is analyzing — that override the agent's original instructions. An agent sent to summarize a malicious webpage might be instructed by content on that page to forward sensitive data to an external URL, send an email with specific content, or take other unintended actions. The agent faithfully executes the injected instructions because it cannot reliably distinguish between legitimate instructions from its operator and malicious instructions embedded in processed content.
Identity and access management for AI agents is an unsolved problem. Traditional IAM is designed for human users: a person authenticates, receives permissions, and takes actions. AI agents complicate this model significantly. What identity does an agent operate with? What permissions should it have? How are those permissions scoped to specific tasks? How are agent actions audited? How is agent credential exposure detected and responded to? Current IAM frameworks were not designed with agents in mind, and most organizations deploying agents have not solved these questions.
Supply chain risk in AI agent pipelines is substantial. AI agents typically call external APIs, use third-party tool integrations, and retrieve content from external sources. Each integration is a dependency that can be compromised. A compromised AI tool integration used by thousands of agents simultaneously represents the supply chain risk of the SolarWinds pattern applied to AI infrastructure.
Governing AI Agents: What Organizations Need to Do Now
Inventory and classification is the prerequisite. Organizations deploying agents need to know what agents exist, what tools they have access to, what data they can read and write, and what actions they can take. An AI agent that can send emails, modify files, and call APIs without human review is a system with significant blast radius that requires the same risk assessment as any other system with those capabilities.
Least-privilege applies to agents as much as to humans. An AI agent should have access only to the tools, data, and APIs necessary for its specific function. An agent that summarizes internal documents does not need API access to external services. An agent that books calendar meetings does not need access to financial systems. Scoping agent permissions by function is the foundational governance control.
Human-in-the-loop requirements for high-stakes actions are the pragmatic safety net while agentic AI governance matures. Actions with irreversible consequences — sending external communications, making purchases, deleting data, modifying critical systems — should require human approval regardless of how confident the agent is. The cost of a confirmation step on high-stakes actions is negligible compared to the cost of an agent taking an irreversible action based on a prompt injection or a planning error.
Monitoring and audit trails for agent actions are essential for both security and accountability. What did the agent do? What data did it access? What external calls did it make? Without comprehensive logging, forensic investigation of agent-related incidents is impossible — and the agent cannot be evaluated for drift from intended behavior over time.
The Board and PE Perspective
For boards, the agentic AI risk conversation is just beginning. The questions that should be on board risk agendas are: Is the organization deploying AI agents? What is the governance framework for agent deployment? What permissions do agents have, and are those permissions scoped appropriately? Has the security team evaluated prompt injection risk for customer-facing or high-privilege agents?
For PE due diligence, agentic AI deployment without governance is an emerging risk flag. Portfolio companies that have deployed agents in customer-facing or high-privilege contexts without security review, identity governance for agents, or monitoring infrastructure have introduced risk that may not be reflected in their traditional security posture assessments.
The Regulatory Horizon for AI Agents
The regulatory landscape for agentic AI is developing rapidly. The EU AI Act, which entered force in 2024, creates obligations for AI systems in high-risk categories. The NIST AI Risk Management Framework provides guidance on managing AI system risk. CISA has published guidance on AI cybersecurity risk. Regulators in financial services (SEC, OCC), healthcare (HHS), and defense are all developing AI-specific guidance. Organizations deploying agents in regulated industries should expect regulatory scrutiny of their governance frameworks.
Related Reading
Prompt Injection in the Wild: Early Cases and Implications
As AI agents have proliferated, security researchers have documented multiple proof-of-concept and real-world prompt injection attacks against deployed systems. In 2023, researchers demonstrated that AI email assistants could be manipulated through malicious content in incoming emails to exfiltrate email contents or perform unintended actions. In 2024, researchers demonstrated prompt injection attacks against AI web browsing agents that could redirect agent actions mid-task based on content encountered during browsing. Bing Chat's early deployment was demonstrated to be vulnerable to prompt injection through web content that could cause the assistant to change its behavior. These early cases are the leading edge of a significantly larger attack surface as agents gain greater capabilities and broader deployment in enterprise environments. The organizations that establish agent governance frameworks now — before a significant agent-related incident — will be in a materially better position than those that respond reactively.
Agentic AI risks ranked as the top cybersecurity challenge for organizations in 2026, according to Gartner's Top Cybersecurity Trends report. The deployment rate of AI agents across enterprise environments has outpaced the security governance frameworks designed to manage them.