Safeguard
Industry Analysis

AI Agent Security: 6 Risks Beyond Traditional Controls

Gartner projects a third of enterprise apps will run agentic AI by 2028. Here are six AI agent security risks traditional controls miss.

James
Principal Security Architect
7 min read

July 2026 — Enterprise adoption of autonomous AI agents has outpaced the security tooling built to govern them. Gartner has projected that by 2028, roughly a third of enterprise software will embed agentic AI capable of taking independent action, up from less than 1% in 2024. OWASP's GenAI Security Project shipped an updated Top 10 for LLM Applications this year with prompt injection, excessive agency, and insecure plugin design ranked among the highest-severity categories. Meanwhile, security teams report in survey after survey that they are deploying agents faster than they can inventory them — a familiar pattern to anyone who lived through the early days of shadow SaaS and unmanaged cloud sprawl, except this time the "user" can write code, call APIs, and merge its own pull requests.

The shift matters because AI agents don't fit neatly into the control frameworks that supply chain and application security teams have spent the last decade building. SAST, SCA, and CI/CD gates were designed around human-authored commits and predictable dependency graphs. Agents introduce a different threat model: non-deterministic behavior, dynamically assembled tool chains, and identities that act with the authority of the systems they're plugged into. Below, we break down six risk categories that fall outside what traditional application and supply chain security controls were built to catch — and what defensive teams should be watching for.

1. Excessive Tool and API Permissioning

Most agent frameworks default to broad, standing access to the tools and APIs they're wired to — file systems, ticketing systems, cloud consoles, internal databases — because narrowing permissions per-task is still immature tooling-wise. Unlike a human developer whose access is scoped through IAM roles reviewed on a cadence, an agent's effective privilege is often the union of every tool it's been given, regardless of whether a given task needs it. When an agent is compromised via a malicious input, the blast radius is the full permission set, not the task at hand. Traditional least-privilege reviews rarely account for "what can this agent chain together across five different tool calls" — they audit individual grants, not compositional risk.

2. Prompt Injection as a De Facto RCE Vector

Prompt injection has matured from a novelty jailbreak technique into something functionally equivalent to remote code execution in agentic contexts. When an agent reads untrusted content — a webpage, a PDF, an email, a ticket comment, a package README — and that content contains instructions the model follows, an attacker gets to steer the agent's next action. In agents with write access to source control, cloud infrastructure, or financial systems, that steering can translate directly into data exfiltration, unauthorized deployments, or destructive changes. Static analysis tools that scan code for injection vulnerabilities have no visibility into this class of risk, because the "vulnerable" surface is the model's instruction-following behavior itself, not a parsing bug in application code.

3. Non-Human Identity Sprawl and Credential Exposure

Every agent needs credentials to act — API keys, OAuth tokens, service account secrets — and organizations are provisioning these non-human identities far faster than they're retiring or rotating them. Unlike human accounts tied to an HR system and offboarding workflow, agent identities are often created ad hoc by individual engineers experimenting with a new framework, then left live long after the experiment ends. Secrets get embedded in agent configuration files, logged in verbose debug output, or passed through intermediate tool calls where they're exposed to the model's context window — and therefore, potentially, to anything that can influence that context. Traditional secret-scanning catches hardcoded credentials in source; it doesn't catch a credential that only ever existed transiently inside an agent's runtime memory.

4. Opaque Dependency Chains in Agent Frameworks

Agent frameworks — orchestration libraries, tool-calling SDKs, vector store connectors, memory backends — pull in dependency trees that are frequently deeper and less scrutinized than the application code they support, because they're new, moving fast, and treated as "glue" rather than production-critical infrastructure. A vulnerable or malicious package sitting three layers down in a LangChain-style plugin ecosystem can influence what data an agent retrieves, what tools it selects, or what code it generates — all without ever touching the primary application's own manifest in a way traditional SCA tools are tuned to flag as high priority. The 2024-2025 wave of malicious PyPI and npm packages specifically named to typosquat popular agent and ML tooling packages is a preview of where attackers are focusing effort.

5. Memory and Context Poisoning Across Sessions

Agents with persistent memory — vector databases, session logs, retrieved-document caches — carry state across interactions in ways traditional stateless applications don't. That persistence creates a new integrity problem: if an attacker can get poisoned data into an agent's long-term memory once, that corruption can influence every subsequent decision the agent makes, potentially for weeks, until someone notices. This is a supply-chain-style risk for data rather than code — a slow-burn compromise with no equivalent in conventional vulnerability management, which is built around scanning artifacts at a point in time, not auditing the evolving state of a memory store.

6. Autonomous Remediation Without Reachability Context

Perhaps the most consequential risk for security teams specifically: a growing number of AI agents are now empowered to write and merge fixes — patching dependencies, rewriting config, closing tickets — without the reachability context a human reviewer would apply instinctively. An agent that sees a critical CVE in a manifest and reflexively bumps the version, opens a PR, or restarts a service can introduce breaking changes or false confidence when the vulnerable function was never actually reachable from application entry points in the first place — or, worse, miss the handful of genuinely exploitable findings buried under hundreds of theoretical ones because it has no way to tell the two apart. Autonomous action without accurate prioritization doesn't just create noise; it creates a false sense that remediation velocity equals risk reduction.

The Common Thread

Across all six categories, the underlying problem is the same: traditional controls were designed to govern static artifacts and predictable human behavior, and AI agents are neither static nor entirely predictable. Security teams that try to bolt agent governance onto existing SAST/SCA pipelines without adapting for dynamic tool use, non-human identity lifecycle, and reachability-aware prioritization will end up with dashboards full of findings and no reliable signal about which ones matter. The organizations managing this well are the ones treating agent security as its own discipline — inventorying agents and their tool/permission graphs the way they'd inventory service accounts, and demanding the same exploitability evidence for an agent-generated fix that they'd demand for a human-authored one.

How Safeguard Helps

Safeguard is built for exactly this gap between traditional supply chain tooling and the realities of agent-driven development. Our reachability analysis engine traces whether a vulnerable function is actually callable from a live entry point before it ever reaches a human or an agent's queue, cutting through the noise that leads to reflexive, low-value patching. Griffin AI, Safeguard's security-focused agent, applies that same reachability and exploitability context when triaging findings across code, dependencies, and infrastructure — so remediation decisions, whether made by a person or an autonomous workflow, are grounded in evidence rather than CVSS scores alone. Safeguard's SBOM generation and ingestion capabilities give teams a continuously updated inventory of every component — including the agent frameworks and plugin dependencies most organizations aren't tracking today — and our auto-fix PRs deliver targeted, reachability-verified remediations for review rather than blind version bumps. Together, these capabilities let security teams extend the rigor of traditional supply chain controls into the agentic era, instead of trying to retrofit tools that were never built for it.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.