AI agent security best practices

Just add trust...to transact

Created with Sketch.

AI agent

Love it or loathe it, AI is part of many tech stacks, and researchers say this is likely to continue; a 2025 PwC study on agentic AI found that 88% of executives expect to increase the corporate IT budget to encompass AI agents. Data from Statistica predicts that by 2030, there will be more than 2.2 billion AI agents worldwide. This sudden surge of non-human identities (NHIs) entering the enterprise can only mean one thing – exploitation by cybercriminals. Checkpoint researchers found that 67% of organizations deploying AI agents saw an increase in security incidents. Forewarned is forearmed, so let’s take a look at some questions on AI agent security.

What are AI agents?

AI agents are autonomous entities capable of performing computing tasks. The agent achieves this by gathering data and acting on it throughout a workflow. Some agents can also learn from previous tasks and data. There are several types of agents, including task-oriented agents that perform duties such as email filtering and scheduling, service agents that summarise papers, and chatbots used in customer service support. They can work either as single agents or in multi-agent workflows.

Why do cybercriminals target AI agents?

AI agents are autonomous by design. To carry out tasks, an AI agent is granted access rights to the systems it operates within. AI agents use this access to gather data and make decisions based on this data. In some circumstances, AI agents operate under the security radar, exchanging data with other agents that is challenging, if not impossible, to detect. It is this autonomous decision-making capability, privileged access, lack of visibility, and an increasing use of agent orchestration and multi-agent workflows that make an AI agent such an attractive target for cybercriminals.

AI agents as non-human identities (NHIs)

Identity is recognized as a core breach target. Research by Palo Alto in its 2026 Identity Security Landscape report found that 90% of companies experienced an identity-related cyber breach. The researchers point out that AI agent identities outnumber human identities by 79:1. Should an enterprise deploying AI agents be worried about identity security attacks? The simple answer is yes. Conventional identity management tools have a gaping hole that AI agents neatly fit into.

Top security risks from AI agents 

AI agents are dynamic, often privileged entities that can be exploited by nefarious actors. Cybercriminals wage a war of attrition against enterprises, and as such, they are always looking for the next vulnerability and exploit. AI agents have delivered both on a plate. OWASP has recently released its Top 10 for Agentic Applications for 2026. This lists the most concerning security risks posed by AI agents and is a must-read for anyone involved in organizational security. The top three are as follows:

Agent Goal Hijack

Primarily involving the manipulation of instructions, this security issue covers a broad range of exploits, including poisoned external data, prompt injections, and forged agent-to-agent messages. Agents are exploitable because they cannot reliably distinguish legitimate instructions from related content. Indirect prompt injection attacks are an example of this type of AI agent exploit. A recent vulnerability in Microsoft 365 Copilot, known as CVE-2025-32711 or ‘EchoLeak’, allowed Data Exfiltration via Prompt Injection. The attackers were able to execute the attack without any user intervention using an email containing a hidden prompt. When a user interacts with Copilot, the prompt is executed during the context-gathering stage. The prompt attack allowed a cybercriminal to exfiltrate information, including emails, files, and document summaries. Microsoft has subsequently patched the flaw.

Tool Misuse and Exploitation

Another data exfiltration risk is the use of legitimate tools to carry out prompt injection attacks, unsafe delegation, and task misalignment. A cascade of risks is at play, including privilege escalation, meaning that low-level privileged account exploits can become nightmare cyberattacks as the attacker increases privileges across the chain, gaining admin-level access. 

Examples of risks include agents following unsafe links, overprivileged access to tools that can result in the deletion of emails and database entries, and data poisoning by external third parties. One of the example scenarios offered by OWASP is an overprivileged API that has access to customer accounts and autonomously issues refunds. A recent in-the-field example of an AI Agent gone rogue was Amazon’s Kiro coding agent. The agent inherited elevated permissions and bypassed human approval before deleting an Amazon production environment. In a statement, Amazon said that the AI agent had “broader permissions than expected.” Amazon stated that the problem was not AI but misconfigured access controls. Still, the issue of overprivileged access rights, whether for AI or not, poses a risk.

Identity and Privilege Abuse

The principle of least privilege, whereby access privileges are assigned on a need-to-know basis, is proving challenging in the world of AI Agents. Without an identity of its own, an agent must receive delegated access rights. Agent-to-agent trust is also exploitable. The risk of unenforceable least privilege is broad and includes data breaches, malware infections, and other vulnerability exploits. 

OWASP offers up several examples of agent risk under this heading, including Synthetic Identity Injection. Attackers use this exploit to impersonate internal agents, piggybacking on unverified descriptors to gain inherited trust and privileges. Device code phishing is a great example of the war of attrition that makes phishing so successful. Device code phishing has been found in Phishing-as-a-Service toolkits, such as EvilTokens. This AI-powered phishing exploits the OAuth 2.0 Device Authorization Grant; the attackers redirect the MFA token to their own OAuth client, giving them full control. Directed at Microsoft 365 and Google accounts, AI agents that hold delegated OAuth tokens for Microsoft 365 and Graph API access are directly exposed.

Shadow AI agents and data risk

Shadow IT has long been known to increase security risk. Now that AI Agents have entered the scene, Shadow AI is increasing that risk. Good security relies on good governance. AI agents are local entities that act underneath the governance layer. If someone installs an AI agent on an endpoint, it becomes invisible, and its use is uncontrollable. Shadow AI agents are autonomous; no human is needed during a task workflow. If a shadow AI agent is connected via an MCP server, there is a potential for that agent to access data directly. The data could be anything the AI agent needs to carry out its tasks: code, financial information, emails, and so on.

Best practices to reduce AI agent security risk

AI agents pose a risk to any organization that uses them. There are ways to mitigate this risk, and some of the current best practices are shown below:

Improve AI agent visibility

A central tenet of AI visibility is the identification of AI agents. Knowing what agents you have, where they operate, and what they are allowed to do is security 101. Visibility should include LLM queries sent and received, multi-agent interactions and data flows, and resource usage. Monitoring and logging AI agents provide insights needed not only to optimize agent use but also to identify potential data leaks and privacy violations.

Continuous monitoring of AI agents

Use a monitoring solution that supports AI agents and identifies unusual behaviors. Monitoring should help to spot privilege escalation attempts, data exfiltration, and unusual access patterns.

Identify AI agents

AI agents are non-human identities (NHIs). AI agents should be given identities that reflect the However, much like human identity, AI agent identity can and will be spoofed, stolen, and faked. AI orchestration, even with agent verification, can introduce multiple vulnerabilities unless each agent is not only identified and verified but also subject to risk-profile decisioning. Conventional identity management solutions are not designed to handle the autonomy and adaptability of AI agents. Identity should be assigned to a human user who can provide oversight.

Apply least privilege access rights to AI agents

Identification is only one part of the security controls assigned to AI agents. Least privilege access rights, i.e., access permissions on a need-to-know basis, are essential for human and AI agent identities. Agents must be assigned attribute-based privileges using short-lived credentials to prevent standing privilege abuse.

Human-in-the-loop

Humans should be part of the AI agent workflow decision-making. Placing a human in the loop to oversee workflow requests and approvals and to conduct regular access reviews helps reduce the risk of an AI agent going rogue or being hijacked.

Use an AI agent risk profiling layer

AI risk profiling uses orchestration and decisioning to identify risks posed by AI agents. AI risk profiling is distinct from AI orchestration, which connects multiple, specialized agents to carry out and automate tasks as a collective ‘multi-agent system’ (MAS). Avoco Secure’s orchestration and decisioning engine provides a layer of AI agent risk profiling based on dynamic rules that respond to signals, such as identity verification. A secondary layer of probability-based risk-based decisioning uses ‘fuzzy set theory’ to place AI agents into risk levels. Fuzzy sets can be configured to reflect an organization’s risk appetite and/or specific use cases. A decision can be made as to how to proceed with the AI agent, given its risk profile.

As is often the case with technology advances, playing security catch-up seems to be the norm. AI agents are a new risk factor for companies that exploit our people and our systems. Identity-based cyberattacks are already among the most prolific techniques used by cybercriminals. AI agents expand a system’s attack surface, enabling access to sensitive data and exploitation of vulnerable systems and services. Prompt injection is a common theme, as is privilege escalation and misuse. When an organization adopts AI agents to automate workflows and perform routine tasks, it must do so knowing it is adding risk to the company. By following guidance from OWASP and other industry experts, you can mitigate that risk. The keywords to remember for AI agent security are: 

Discover, identify, monitor, profile, control.

Tags: , , , , ,