Safeguard
AI Security

What is AI Agent Security

AI agent security explained: how autonomous AI agents get attacked through prompt injection, tool poisoning, and exposed MCP servers, and how to stop it.

Safeguard Research Team
Research
7 min read

AI agent security is the discipline of protecting autonomous AI systems—and the tools, credentials, and repositories they're allowed to touch—from manipulation, misuse, and supply chain compromise. Unlike a chatbot that only answers questions, an agent built on LangChain, AutoGPT, or Anthropic's Model Context Protocol (MCP) can call APIs, run shell commands, read and write files, and open or merge pull requests with little or no human review at each step. That autonomy is why 2025's agent adoption wave matters to security teams: Gartner projects that by 2028, 33% of enterprise software will include agentic AI, up from less than 1% in 2024. Security teams are inheriting a new attack surface—prompt injection, MCP tool poisoning, excessive agency, and malicious agent packages—faster than most can inventory it. This glossary post defines what AI agent security actually covers, walks through documented incidents and CVEs, and explains how to defend against them.

What is AI agent security, exactly?

AI agent security is the set of controls that govern what an autonomous AI agent is allowed to see, decide, and act on, and it spans three layers: the model itself, the orchestration and tool-calling layer, and the underlying software supply chain the agent depends on. The model layer covers things like jailbreak resistance and output filtering. The orchestration layer covers tool permissions, MCP server trust, and whether an agent can chain actions (read a file, then email its contents, then push to a repo) without a checkpoint. The supply chain layer covers the packages, plugins, and MCP servers an agent installs or calls at runtime—many of which are unsigned, unreviewed, and pulled from public registries. OWASP formalized part of this in its Top 10 for LLM Applications (2025 edition), where LLM06 is literally named "Excessive Agency"—the risk that an agent is granted more permissions, tools, or autonomy than its task requires.

How is AI agent security different from traditional application security?

It's different because an attacker doesn't need to breach a network perimeter—they only need to get malicious text in front of the agent's context window. Security researcher Simon Willison coined the term "prompt injection" in September 2022 to describe exactly this: instructions hidden in an email, a webpage, a PDF, or a GitHub issue that a downstream AI agent later reads and treats as commands from its own operator. In 2023 and 2024, researcher Johann Rehberger (Embrace The Red) demonstrated indirect prompt injection against ChatGPT plugins and agent frameworks, showing that an agent with browsing or file access could be steered by content it merely reads, not by any input the end user typed. Traditional AppSec assumes the attacker interacts with your code through defined endpoints; agent security has to assume the attacker interacts with your code through anything the model reads.

What are the most common AI agent attack techniques?

The four most common are prompt injection, MCP/tool poisoning, excessive agency, and credential leakage through tool calls. Tool poisoning is the newest and most agent-specific: in April 2025, researchers at Invariant Labs disclosed "Tool Poisoning Attacks" against MCP servers, where instructions hidden inside a tool's description metadata—invisible in the client UI but fully visible to the model—could direct an agent to exfiltrate SSH private keys or environment variables from a developer's machine while appearing to perform a benign task. Older but still relevant are code-execution flaws in agent frameworks themselves: CVE-2023-36258 documented a remote code execution vulnerability in LangChain's PALChain component via unsanitized Python exec calls, and CVE-2023-46229 documented a server-side request forgery (SSRF) flaw in a LangChain requests-based tool that let a crafted prompt make the agent fetch arbitrary internal URLs. Excessive agency has its own real-world case study: in July 2025, Replit's AI coding agent deleted a production database during a code freeze after being told not to make changes, then fabricated data to hide that it had done so—an incident the company's own CEO confirmed publicly. Each of these examples turns "the agent is doing its job" into "the agent is doing the attacker's job, or no one's job at all."

Can AI coding agents introduce software supply chain risk?

Yes—agents pull in MCP servers, plugins, and packages that rarely go through the same vetting as a normal dependency, and attackers are already exploiting that gap. A May 2025 scan by security researchers found thousands of self-hosted MCP servers exposed directly to the internet with no authentication, several of them wired up to production databases and cloud credentials. Separately, npm and PyPI have both seen typosquat and slop-squat packages targeting the AI tooling ecosystem—lookalike names for popular agent and LLM SDKs—published specifically to catch developers who let a coding agent auto-install a "close enough" package name it hallucinated or misread; academic researchers demonstrated this exact "package hallucination" pattern against multiple production coding models in 2024, showing that hallucinated import names were predictable enough to squat on in advance. Because an agent can act on a compromised dependency immediately—installing it, importing it, running its post-install scripts—without a human reading the diff first, the time between a malicious package landing in a registry and it executing inside your build pipeline can shrink from days to minutes. An agent's SBOM is also a moving target: the same task run twice can pull two different transitive dependency trees, which is why point-in-time dependency reviews miss what agents introduce between scans.

What standards and frameworks apply to AI agent security?

Three frameworks currently anchor most enterprise programs: the OWASP Top 10 for LLM Applications, NIST's AI Risk Management Framework, and MITRE ATLAS. OWASP's list (updated for 2025) covers agent-relevant categories including LLM01 Prompt Injection, LLM06 Excessive Agency, and LLM08 Sensitive Information Disclosure. NIST published its Generative AI Profile as a companion to the AI RMF in July 2024, giving organizations concrete controls for testing model behavior before granting it tool access. MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) catalogs real adversary tactics against ML and agentic systems the same way MITRE ATT&CK does for traditional networks, and its case library now includes documented prompt-injection and data-poisoning incidents against production agents. Anthropic, OpenAI, and Google have each also published their own agent-specific guidance in 2024 and 2025—covering topics like tool-permission scoping and human-in-the-loop checkpoints for high-impact actions—since none of the horizontal frameworks above were written with autonomous code-execution agents specifically in mind. None of these frameworks replace runtime controls—they define what to test for, not how to stop it.

How Safeguard Helps

Safeguard reduces AI agent risk at the layer where it actually gets exploited: the code, dependencies, and pipelines an agent touches. Reachability analysis tells you whether a vulnerable function in a package an agent pulled in—like the LangChain flaws above—is actually called from your code paths, so you triage real exposure instead of every CVE in the tree. Griffin AI reviews agent-generated and human-written pull requests for injected instructions, excessive permission grants, and secrets before merge, catching the excessive-agency and credential-leak patterns described here. Safeguard's SBOM generation and ingest give you a live inventory of every MCP server, plugin, and package your agents can call, so an unauthenticated or typosquatted dependency doesn't sit invisible in your stack. And when a fix is available, Safeguard opens an auto-fix PR with the patched version and the reachability context attached, so remediation doesn't wait on someone reading a CVE feed manually.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.