Businesses Rush to Deploy Agentic AI

Summary
– AI agents are being widely integrated into core business systems with significant autonomy, but most organizations lack the security readiness to protect these deployments.
– Multi-turn prompt injection attacks achieved high success rates in 2025, exposing a critical weakness in model resilience during extended interactions with tools and memory.
– The autonomy and standardized communication protocols of AI agents introduce new risks, such as unauthorized command execution and data exfiltration, as seen in attacks on systems like the Model Context Protocol (MCP).
– The AI supply chain is vulnerable through malicious code in model files, data poisoning, and provenance gaps in open-source repositories and automated pipelines.
– Nation-state actors are increasingly using AI to automate cyberattacks, from vulnerability scanning to generating obfuscated malware and deepfakes for social engineering.
Businesses are rapidly integrating advanced AI assistants into their core operational systems, granting these agents unprecedented autonomy to perform tasks that directly impact critical functions. These systems are now deeply embedded within ticketing platforms, source code repositories, internal chat applications, and cloud management dashboards. In numerous enterprise environments, they possess the capability to open pull requests, query sensitive databases, book services, and initiate automated workflows with minimal human oversight. This shift toward what is termed ‘agentic AI’ represents a significant evolution in how companies leverage automation, but it also introduces complex new security challenges that many organizations are not fully prepared to address.
A recent industry report highlights a concerning gap between deployment speed and security readiness. While a majority of organizations have moved forward with plans to implement agentic AI across business functions, only a minority, 29 percent, reported feeling adequately prepared to secure these deployments. This disparity has created vulnerabilities across several fronts: the interfaces of the AI models themselves, the integrations with various business tools, and the broader software supply chain that supports these ecosystems.
Measuring the resilience of AI models against sophisticated attacks has become a critical focus. Throughout 2025, techniques like prompt injection and model jailbreaking grew increasingly mature. Research demonstrated that multi-turn attacks, which unfold over extended conversations with an AI, achieved alarming success rates, sometimes as high as 92 percent in tests against several popular open-weight models. These attacks methodically steer a model toward prohibited content or unsafe actions through a series of carefully crafted prompts. Traditional single-turn security measures often fail to provide sufficient protection in longer interactive sessions where the AI utilizes memory and accesses external tools.
While jailbreak success rates offer one view of a model’s robustness, security experts argue that multi-turn resilience should be tracked as a distinct and vital metric, particularly for autonomous agents designed for prolonged operation. Amy Chang, who leads AI Threat Intelligence and Security Research at Cisco, emphasized that security metrics must align with an organization’s specific level of AI maturity. For a company just beginning to experiment with large language models, implementing advanced agent tracing might be premature. The key is to tailor security controls to the actual risks presented by the current stage of deployment.
The autonomy granted to AI agents introduces a unique category of protocol risk. These systems often operate in continuous loops where they observe, orient themselves, decide, and act. They frequently communicate with other agents using standardized protocols, creating new avenues for exploitation. A compromised agent can execute unauthorized commands, steal data, and move laterally across connected systems. One documented incident involved a malicious issue submitted to a GitHub repository that used the Model Context Protocol (MCP), a common framework for connecting AI to tools, to hijack an agent and trigger the exfiltration of data from private code repositories.
The rapid adoption of protocols like MCP has significantly expanded the attack surface. Security researchers have identified numerous risks within these ecosystems, including tool poisoning, remote code execution flaws, overprivileged access, and supply chain tampering. In one illustrative case, a fraudulent package uploaded to the npm registry mimicked a legitimate email integration; once installed, it silently copied all outbound messages to an address controlled by an attacker.
Furthermore, agent-to-agent communication creates novel identity risks. Threats like impersonation, session smuggling, and unauthorized capability escalation allow attackers to exploit the implicit trust built between automated systems. For example, a compromised research agent could subtly insert hidden instructions into its output. A financial agent consuming that data might then execute unintended and potentially harmful trades, demonstrating how identity threats now extend far beyond human user accounts and traditional service credentials.
The AI supply chain itself has emerged as a major point of exposure. Public repositories host millions of models and datasets, but provenance is often unclear. Model files can contain executable code that runs automatically upon loading, meaning malicious code embedded within a model object can trigger without warning. Data poisoning presents another measurable risk; studies have shown that injecting a relatively small number of poisoned documents, as few as 250, into training data can implant hidden backdoors. These backdoors activate only when a specific trigger phrase is used, leaving the model’s general performance seemingly unaffected, which makes detection extremely difficult.
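The loading risk described above comes from serialization formats, pickle in particular, that let a file name arbitrary importable callables the loader will invoke. The following is an added example, not code from the article or from any named scanner: it walks a pickle opcode stream with `pickletools.genops` without ever unpickling it, collects every global the file would import, and fails anything outside a small allowlist. The allowlist and the two sample artifacts are constructed here for the demonstration; a production scanner needs a much longer allowlist covering the tensor reconstructors of the framework in use.

```python
"""Static scan of a pickle-based model artifact for code-loading references.

Added example (not from the article): inspects the opcode stream with
pickletools.genops WITHOUT executing it and reports every global
(module, name) the stream would import. Anything outside a small allowlist
is treated as unsafe. The samples at the bottom are constructed for the demo.
"""
import collections
import io
import pickle
import pickletools
from dataclasses import dataclass, field

# Globals a plain weights file legitimately needs. Deliberately tiny here;
# a real allowlist also covers e.g. torch/numpy reconstructor functions.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}

STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


@dataclass
class ScanResult:
    globals_seen: list = field(default_factory=list)  # every (module, name) referenced
    unsafe: list = field(default_factory=list)        # those not on the allowlist

    @property
    def safe(self) -> bool:
        return not self.unsafe


def _record(result: ScanResult, module: str, gname: str, allowed) -> None:
    ref = (module, gname)
    result.globals_seen.append(ref)
    if ref not in allowed:
        result.unsafe.append(ref)


def scan_pickle(data: bytes, allowed=ALLOWED_GLOBALS) -> ScanResult:
    """Collect global references from the opcode stream.

    GLOBAL carries "module name" inline. STACK_GLOBAL (protocol 4+) takes the
    two most recently pushed strings, which may arrive via memo GETs, so a
    small memo table is tracked. This is a heuristic, not a full unpickler.
    """
    result = ScanResult()
    recent_strings: list = []   # last two string values pushed on the stack
    memo: dict = {}
    last_pushed = None

    for op, arg, _ in pickletools.genops(io.BytesIO(data)):
        name = op.name
        if name in STRING_OPS:
            recent_strings = (recent_strings + [arg])[-2:]
            last_pushed = arg
        elif name in GET_OPS:
            val = memo.get(arg)
            if isinstance(val, str):
                recent_strings = (recent_strings + [val])[-2:]
            last_pushed = val
        elif name == "MEMOIZE":
            memo[len(memo)] = last_pushed          # implicit index = memo size
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last_pushed
        elif name == "GLOBAL":
            module, gname = arg.split(" ", 1)
            _record(result, module, gname, allowed)
            last_pushed = None
        elif name == "STACK_GLOBAL":
            if len(recent_strings) == 2:
                _record(result, recent_strings[0], recent_strings[1], allowed)
            else:
                result.unsafe.append(("<unresolved>", "STACK_GLOBAL"))
            last_pushed = None
        elif name not in ("FRAME", "PROTO", "STOP"):
            last_pushed = None                     # some non-string value pushed
    return result


def verdict(data: bytes) -> str:
    r = scan_pickle(data)
    return "SAFE" if r.safe else "UNSAFE: " + ", ".join(f"{m}.{n}" for m, n in r.unsafe)


# --- constructed samples (not real model files) -----------------------------
# 1. A benign "state dict": layer names mapped to weights in an OrderedDict.
BENIGN_SAMPLE = pickle.dumps(
    collections.OrderedDict([("layer1.weight", [0.1, 0.2]), ("layer1.bias", [0.0])]),
    protocol=4,
)


class _ConstructedPayload:
    """Reduce hook that would make the unpickler call builtins.eval on load.
    The expression is inert ("1+1"); the point is that the scanner flags the
    reference without ever unpickling the bytes."""
    def __reduce__(self):
        return (eval, ("1+1",))


SUSPICIOUS_SAMPLE = pickle.dumps(_ConstructedPayload(), protocol=4)

if __name__ == "__main__":
    print("benign    :", verdict(BENIGN_SAMPLE))       # SAFE
    print("suspicious:", verdict(SUSPICIOUS_SAMPLE))   # UNSAFE: builtins.eval
```

Run the scan on an artifact before `torch.load` or `pickle.load` ever touches it, and prefer formats such as safetensors, which carry no code paths at all, wherever the framework allows.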
Nation-state actors have increasingly incorporated AI into their offensive operations, automating significant portions of cyberattack chains. One group linked to China reportedly automated 80-90% of an attack by jailbreaking an AI coding assistant and directing it to scan for open ports, identify software vulnerabilities, and even write exploit code. Russian operators have integrated language models into malware workflows to generate obfuscated commands, while North Korean actors have used generative AI to create convincing deepfake profiles for remote job scams. Iranian groups have applied AI to enhance phishing campaigns and to analyze maritime data during regional conflicts.
As AI adoption penetrates deeper into enterprise workflows, the security landscape must adapt. The combination of agent autonomy, protocol integration, and open model ecosystems greatly expands both operational capability and potential attack vectors. In response, security teams are beginning to adapt proven principles like zero trust controls, least privilege access, continuous authentication, and behavioral monitoring to govern AI systems that interact directly with vital business processes.
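What least privilege and behavioral monitoring look like at the point where an agent calls a tool, as an added example that is not code from the article or from any product it mentions: a deny-by-default gate that grants each agent an explicit set of tools, checks the arguments of sensitive tools against policy, caps the number of calls per session, and records every decision. The agent names, tool names and limits are constructed for the demonstration. It also covers the research-agent/financial-agent scenario above: whatever hidden instructions reach the financial agent, an order outside policy is refused at the tool boundary.

```python
"""Deny-by-default tool-call gate for an agent runtime.

Added example, not code from the article or any named product. It applies
least privilege (each agent gets an explicit allowlist of tools, with
per-argument constraints) and behavioural monitoring (a per-agent call
budget and an audit trail) to agent tool use. Agent and tool names are
constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ArgCheck = Callable[[dict], Optional[str]]  # returns a denial reason, or None if fine


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class ToolGate:
    policy: Dict[str, Dict[str, ArgCheck]]   # agent_id -> {tool -> argument check}
    budget: Dict[str, int]                   # agent_id -> max tool calls per session
    audit: List[dict] = field(default_factory=list)
    _used: Dict[str, int] = field(default_factory=dict)

    def authorize(self, agent_id: str, tool: str, args: dict) -> Decision:
        decision = self._evaluate(agent_id, tool, args)
        # Every attempt, allowed or denied, is logged: repeated denials are a signal.
        self.audit.append({"agent": agent_id, "tool": tool, "args": args,
                           "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def _evaluate(self, agent_id: str, tool: str, args: dict) -> Decision:
        tools = self.policy.get(agent_id)
        if tools is None:
            return Decision(False, "unknown agent")
        used = self._used.get(agent_id, 0)
        if used >= self.budget.get(agent_id, 0):
            return Decision(False, "call budget exhausted")
        self._used[agent_id] = used + 1          # denied attempts count too
        check = tools.get(tool)
        if check is None:
            return Decision(False, f"tool {tool!r} not granted to {agent_id!r}")
        problem = check(args)
        return Decision(False, problem) if problem else Decision(True, "ok")


def no_constraint(_args: dict) -> Optional[str]:
    return None


ALLOWED_SYMBOLS = {"ACME", "GLOBEX"}     # constructed approved list
MAX_ORDER_NOTIONAL = 10_000.0            # constructed per-order limit


def check_order(args: dict) -> Optional[str]:
    """place_order: approved symbol, valid side, bounded notional value."""
    if args.get("symbol") not in ALLOWED_SYMBOLS:
        return "symbol not on approved list"
    if args.get("side") not in ("buy", "sell"):
        return "invalid side"
    try:
        notional = float(args["quantity"]) * float(args["price"])
    except (KeyError, TypeError, ValueError):
        return "malformed order arguments"
    if notional > MAX_ORDER_NOTIONAL:
        return f"notional {notional:.2f} exceeds limit {MAX_ORDER_NOTIONAL:.2f}"
    return None


def check_notes_path(args: dict) -> Optional[str]:
    """Note reads/writes are confined to one shared directory."""
    path = str(args.get("path", ""))
    if ".." in path or not path.startswith("/srv/notes/"):
        return "path outside /srv/notes/"
    return None


def build_gate() -> ToolGate:
    return ToolGate(
        policy={
            "research-agent": {"web_search": no_constraint, "write_note": check_notes_path},
            "finance-agent": {"read_note": check_notes_path, "place_order": check_order},
        },
        budget={"research-agent": 20, "finance-agent": 5},
    )


def demo() -> List[Decision]:
    gate = build_gate()
    return [
        gate.authorize("finance-agent", "place_order",
                       {"symbol": "ACME", "side": "buy", "quantity": 10, "price": 50}),
        # The research agent never holds trading tools, whatever its prompt says.
        gate.authorize("research-agent", "place_order",
                       {"symbol": "ACME", "side": "buy", "quantity": 1, "price": 1}),
        # Finance agent acting on poisoned research: order exceeds the limit.
        gate.authorize("finance-agent", "place_order",
                       {"symbol": "ACME", "side": "sell", "quantity": 1000, "price": 50}),
        gate.authorize("finance-agent", "read_note", {"path": "/srv/notes/../secrets.txt"}),
    ]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

The gate sits between the model's proposed tool call and the tool itself, so the policy is enforced in ordinary code rather than in the prompt; the audit list is what a monitoring pipeline would consume to spot an agent probing tools it was never granted.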
(Source: HelpNet Security)