What if the Copilot Studio agent retrieves an indirect prompt injection from the internet, which in turn opens the door for an attacker to tamper with the critical cloud operations the AWS Bedrock agent has access to? Suddenly, what appeared as a straightforward agentic AI setup has revealed itself as a toxic combination with potentially catastrophic consequences.
\u00a0<\/p>\n
<\/p>\n
Adding to the challenge, AI tools\u2019 configuration plane is getting increasingly complex. This means that cybersecurity teams can\u2019t be content with simply reviewing and approving AI products like Anysphere\u2019s Cursor<\/a>, Anthropic\u2019s Claude Code<\/a>, or Microsoft\u2019s Copilot<\/a> in a vacuum.<\/p>\n Once an organization greenlights an AI tool for use, the IT department will start configuring them in a variety of ways and integrating them with internal systems, creating the risk for misconfigurations and insecure connections. Ask yourself: Where is the code written by an AI tool getting sent to?\u00a0<\/p>\n Moreover, do you know that tools like Claude Code and Cursor can be configured to operate in \u201cagent mode,\u201d which allows them to execute commands on endpoints, effectively behaving as full-blown autonomous agents?<\/p>\n Finally, the context of these AI tools changes quickly and constantly, as they ingest a growing amount and diversity of inputs that can make them vulnerable to malicious tampering.<\/p>\n Agency<\/p>\n Here\u2019s a hard truth: We\u2019re building systems that can act autonomously, but we\u2019re securing them as if they can\u2019t. And this is a problem because humans are rarely in the loop anymore when it comes to AI. On top of that, AI systems are not deterministic systems, like conventional IT ware, but rather probabilistic, meaning that their outputs are hard to anticipate. This is a tectonic shift for cybersecurity teams.<\/p>\n Chances are that the next major AI cybersecurity<\/a> incident you have to deal with will not be caused by a breach, but rather by an action one of your AI systems was allowed to perform.\u00a0<\/p>\n Let\u2019s look at this in more detail. There are three main components to AI agency:<\/p>\n Goal: An AI agent is created to summarize news, emails or tasks. The problem is that quite often an AI agent\u2019s capabilities \u2013 the tasks it can perform \u2013 exceed the goals for which it was created. In other words, most AI agents possess too much agency. This disparity between capabilities and goals creates an oversized level of cyber risk.<\/p>\n Compounding the problem is the reality that organizations\u2019 tendencies are to trust AI, meaning that the human oversight over these systems is usually minimal.\u00a0<\/p>\n Semantics<\/p>\n While traditionally in cybersecurity we rely on exact matches to assess that a system hasn\u2019t been tampered with, this approach doesn\u2019t work with AI systems, which operate on meaning, not strict syntax.<\/p>\n That\u2019s why it\u2019s easy for an attacker to bypass traditional guardrails by modifying the input the AI tool processes using synonyms, typos, paraphrases and other such language tricks. It\u2019s extremely hard to monitor this vast and ever-expanding semantic attack vector and prevent model poisoning, output manipulation and prompt injection attacks.\u00a0<\/p>\n In other words, attackers don\u2019t need to break the security controls anymore. They just need to go around them using semantics tactics.<\/p>\n How do you secure agentic AI?<\/p>\n Historically, cybersecurity strategies have been focused on reactive breach detection and response. However, to protect your AI agents, it\u2019s critical to shift to a preventive, proactive approach grounded on exposure management<\/a>. That way, you\u2019ll be able to understand AI agents\u2019 dynamic systems and what they can do in runtime, as well as fix the misconfigurations and gaps before attackers exploit them.<\/p>\n To achieve effective agentic AI governance and security, you need to ground your exposure management strategy<\/a> on three foundational concepts:<\/p>\n Visibility<\/p>\n You must inventory all the AI agents in your environment, as well as their individual components, wherever they are \u2013 on endpoints, in the cloud, in AI platforms and on-premises.<\/p>\n But you must go deeper. You need to also know the following about each agent:\u00a0<\/p>\n The data it was trained on, the knowledge base it feeds off of and the data stores it\u2019s connected to. Posture<\/p>\n You must understand what an AI agent can do as part of a broader dynamic system, as well as how its capabilities exceed its goals, so that you can adjust what it\u2019s allowed to do without impacting its efficacy.<\/p>\n Let\u2019s say you have multiple AI agents that are integrated and interact with each other, and these agents can, for example, connect to the internet and to your most sensitive cloud environment. It\u2019s imperative to understand what this dynamic multi-agent system can do in the real world, in order to spot any potential toxic combinations within its components.<\/p>\n With these insights, you can pinpoint remediations to the security gaps created by the AI toxic combination.<\/p>\n Threat detection<\/p>\n Once you understand what this dynamic multi-agent cluster can do, you need to be able to spot trouble signals in your runtime environment for ongoing exposure reduction.<\/p>\n Conclusion<\/p>\n AI security<\/a> needs to be everywhere in your environment, and the way to make AI security pervasive is by adopting an exposure management platform<\/a> and strategy. .\u00a0<\/p>\n In a nutshell, exposure management empowers cybersecurity teams to discover every asset across your environment \u2013 not just AI systems, but also IT, cloud, identity, and OT wares. From there, it helps you assess, prioritize and orchestrate remediation across the entire AI attack surface, giving you control over this new landscape of AI agents populating your environment.<\/p>\n
\nCapabilities: Often, the AI agent is able to perform certain actions that exceed the scope needed to accomplish the intended goal.
\nBlast radius: This is everything that can go wrong if the AI agent\u2019s capabilities are compromised.<\/p>\n
\nThe capabilities it possesses, such as the actions it can take and the agentic protocols that govern it.
\nThe connections it has to other systems both internally in your organization and externally; to other AI agents; and to AI and non-AI user identities.
\nIts intent, such as its goals, along with its blast radius<\/p>\n