Full Report
As AI tools evolve from siloed chatbots to autonomous, hyperconnected systems, they create a vast new attack surface. Discover how to manage this risk by focusing on visibility, agency, and semantic security to protect your organization’s increasingly complex landscape of agentic AI systems.Key takeawaysOrganizations have moved from siloed AI chatbots to autonomous, hyperconnected agents that can execute actions and access sensitive internal data stores, exponentially increasing cyber risk.A major security challenge arises because AI agents are often granted capabilities that far exceed their intended goals, creating an unnecessarily large and dangerous blast radius.Securing agentic AI requires moving beyond reactive breach detection to a proactive strategy grounded on exposure management and focused on total visibility, posture adjustment, and monitoring of semantic attack vectors.Here’s a common occurrence in organizations these days: A team – finance, human resources, marketing – sets up an AI agent to perform a seemingly simple action, such as getting task details and emailing them out to the appropriate recipients. But is this AI agent as harmless as it looks? A deeper look reveals a big potential for agentic AI security risks: This seemingly innocuous AI agent has been granted the power to connect to a sensitive data store and exfiltrate that data. Is it secure? Has it been properly configured?Now multiply this scenario by a thousand – or more. The process of spinning up autonomous AI agents is becoming routine, as AI vendors make it increasingly easy to configure them. Thus, eager to automate processes and boost productivity, a typical organization today may have thousands of AI agents operating autonomously. For cybersecurity teams, this prevalence of AI agents represents a major new challenge. How do you secure thousands of AI agents that can act on their own and that are hyperconnected to each other and to myriad internal and external systems and data stores?In this blog post, we’ll delve into this risky scenario and outline the right approach to protect this new attack surface created by this fast proliferation of AI agents.The agentic AI security challenge is three-foldThe first wave of AI tools that organizations started adopting back in 2022 were mostly siloed chatbots that operated with little integration to other enterprise systems. Thus, they had limited or no access to internal databases and they couldn’t execute actions on internal systems.What a difference a few years make. Fast-forward to today and organizations are awash in agentic AI tools, whose potential for cyber risk is exponentially higher due to three core elements: hyperconnectivity, agency, and semantics.Let’s take a closer look at how each one of these characteristics of AI tools helps create a broad attack surface that cybersecurity teams must secure.HyperconnectivityYou need to look at your organization’s landscape of autonomous AI tools and see it not as a collection of individual assets, but rather as a multi-agent system constellation, made up of many interwoven components.Some of those components are internal, while others are external. Some were built in house, while others came from third-parties. Some live in the cloud, others on endpoints, and yet others on AI platforms.Cybersecurity teams must not only detect all of those AI components, wherever they are, but also understand how they connect to each other and how they interact.For example, an organization may have a Copilot Studio AI agent designed to summarize information fetched from the internet. But in this hypothetical setup, that agent also interacts with another agent, built on AWS Bedrock, that runs some of your critical processes in the cloud.What if the Copilot Studio agent retrieves an indirect prompt injection from the internet, which in turn opens the door for an attacker to tamper with the critical cloud operations the AWS Bedrock agent has access to? Suddenly, what appeared as a straightforward agentic AI setup has revealed itself as a toxic combination with potentially catastrophic consequences. Adding to the challenge, AI tools’ configuration plane is getting increasingly complex. This means that cybersecurity teams can’t be content with simply reviewing and approving AI products like Anysphere’s Cursor, Anthropic’s Claude Code, or Microsoft's Copilot in a vacuum.Once an organization greenlights an AI tool for use, the IT department will start configuring them in a variety of ways and integrating them with internal systems, creating the risk for misconfigurations and insecure connections. Ask yourself: Where is the code written by an AI tool getting sent to? Moreover, do you know that tools like Claude Code and Cursor can be configured to operate in “agent mode,” which allows them to execute commands on endpoints, effectively behaving as full-blown autonomous agents?Finally, the context of these AI tools changes quickly and constantly, as they ingest a growing amount and diversity of inputs that can make them vulnerable to malicious tampering.AgencyHere’s a hard truth: We’re building systems that can act autonomously, but we’re securing them as if they can’t. And this is a problem because humans are rarely in the loop anymore when it comes to AI. On top of that, AI systems are not deterministic systems, like conventional IT ware, but rather probabilistic, meaning that their outputs are hard to anticipate. This is a tectonic shift for cybersecurity teams.Chances are that the next major AI cybersecurity incident you have to deal with will not be caused by a breach, but rather by an action one of your AI systems was allowed to perform. Let’s look at this in more detail. There are three main components to AI agency:Goal: An AI agent is created to summarize news, emails or tasks.Capabilities: Often, the AI agent is able to perform certain actions that exceed the scope needed to accomplish the intended goal.Blast radius: This is everything that can go wrong if the AI agent’s capabilities are compromised.The problem is that quite often an AI agent’s capabilities – the tasks it can perform – exceed the goals for which it was created. In other words, most AI agents possess too much agency. This disparity between capabilities and goals creates an oversized level of cyber risk.Compounding the problem is the reality that organizations’ tendencies are to trust AI, meaning that the human oversight over these systems is usually minimal. SemanticsWhile traditionally in cybersecurity we rely on exact matches to assess that a system hasn’t been tampered with, this approach doesn’t work with AI systems, which operate on meaning, not strict syntax.That’s why it’s easy for an attacker to bypass traditional guardrails by modifying the input the AI tool processes using synonyms, typos, paraphrases and other such language tricks. It’s extremely hard to monitor this vast and ever-expanding semantic attack vector and prevent model poisoning, output manipulation and prompt injection attacks. In other words, attackers don’t need to break the security controls anymore. They just need to go around them using semantics tactics.How do you secure agentic AI?Historically, cybersecurity strategies have been focused on reactive breach detection and response. However, to protect your AI agents, it’s critical to shift to a preventive, proactive approach grounded on exposure management. That way, you’ll be able to understand AI agents’ dynamic systems and what they can do in runtime, as well as fix the misconfigurations and gaps before attackers exploit them.To achieve effective agentic AI governance and security, you need to ground your exposure management strategy on three foundational concepts:VisibilityYou must inventory all the AI agents in your environment, as well as their individual components, wherever they are – on endpoints, in the cloud, in AI platforms and on-premises.But you must go deeper. You need to also know the following about each agent: The data it was trained on, the knowledge base it feeds off of and the data stores it’s connected to.The capabilities it possesses, such as the actions it can take and the agentic protocols that govern it.The connections it has to other systems both internally in your organization and externally; to other AI agents; and to AI and non-AI user identities.Its intent, such as its goals, along with its blast radiusPostureYou must understand what an AI agent can do as part of a broader dynamic system, as well as how its capabilities exceed its goals, so that you can adjust what it’s allowed to do without impacting its efficacy.Let’s say you have multiple AI agents that are integrated and interact with each other, and these agents can, for example, connect to the internet and to your most sensitive cloud environment. It’s imperative to understand what this dynamic multi-agent system can do in the real world, in order to spot any potential toxic combinations within its components.With these insights, you can pinpoint remediations to the security gaps created by the AI toxic combination.Threat detectionOnce you understand what this dynamic multi-agent cluster can do, you need to be able to spot trouble signals in your runtime environment for ongoing exposure reduction.ConclusionAI security needs to be everywhere in your environment, and the way to make AI security pervasive is by adopting an exposure management platform and strategy. . In a nutshell, exposure management empowers cybersecurity teams to discover every asset across your environment – not just AI systems, but also IT, cloud, identity, and OT wares. From there, it helps you assess, prioritize and orchestrate remediation across the entire AI attack surface, giving you control over this new landscape of AI agents populating your environment.To learn about how Tenable can help you boost your AI security, visit the Tenable One AI Exposure page.
Analysis Summary
# Best Practices: Securing Agentic AI Systems
## Overview
As AI tools evolve from siloed chatbots to autonomous, hyperconnected "agents," they introduce a vast new attack surface. These practices address the risks of **hyperconnectivity** (complex integrations), **agency** (autonomous actions exceeding intended goals), and **semantics** (attacks using language tricks like prompt injection rather than code exploits).
## Key Recommendations
### Immediate Actions
1. **Map the Agent Inventory:** Locate all AI agents currently in use, including those embedded in desktop tools (e.g., Cursor, Claude Code) and cloud platforms (AWS Bedrock, Copilot Studio).
2. **Identify "Agent Mode" Enablement:** Audit developer tools to see if they are configured to execute commands on endpoints or write/send code to external destinations.
3. **Define Blast Radius:** For every known agent, document the sensitive data stores it can access and the critical actions it can perform on its own.
### Short-term Improvements (1-3 months)
1. **Conduct "Goal vs. Capability" Audits:** Review the permissions of each agent. If an agent’s goal is "summarize news" but its capabilities include "accessing database," strip the excessive permissions.
2. **Analyze Multi-Agent Interaction:** Map how agents talk to each other. Identify "toxic combinations" where a low-security agent (e.g., a web scraper) can trigger actions in a high-security agent (e.g., a cloud infrastructure manager).
3. **Implement Semantic Guardrails:** Adjust monitoring to look for "semantic attack vectors" like indirect prompt injections or model poisoning attempts that use paraphrasing to bypass syntax-based filters.
### Long-term Strategy (3+ months)
1. **Adopt Exposure Management:** Move from reactive breach detection to a proactive posture management strategy that continuously monitors AI runtime environments.
2. **Govern Autonomous Identities:** Treat AI agents as distinct identities (similar to Service Accounts) with machine-identity-level governance and monitoring.
3. **Continuous Runtime Monitoring:** Establish "trouble signal" detection specifically for AI behavior to spot anomalies in probabilistic (non-deterministic) outputs.
## Implementation Guidance
### For Small Organizations
- **Focus on shadow AI discovery:** Use endpoint monitoring to find where employees are spinning up unauthorized agents or connecting tools like Claude to company data.
- **Set "Humans-in-the-Loop":** Implement manual approval steps for any AI-triggered action involving external communication or data exfiltration.
### For Medium Organizations
- **Standardize AI Platforms:** Limit AI development to specific platforms (e.g., Azure OpenAI or AWS Bedrock) to centralize visibility and policy enforcement.
- **Configuration Hygiene:** Establish a formal review process for AI agent configurations to prevent misconfigured "agent modes" on developer laptops.
### For Large Enterprises
- **Deploy an Exposure Management Platform:** Integrate AI security into existing IT, Cloud, and Identity security silos for a unified view of the attack surface.
- **Automated Remediation Orchestration:** Use orchestration tools to automatically disable compromised agents or revoke permissions when toxic combinations are detected.
## Configuration Examples
*While specific CLI code was not provided in the text, the following best practices were highlighted:*
- **Constraint-Based Logic:** Configure agents with "Maximum Agency" limits so they cannot execute endpoint commands unless explicitly required for their core goal.
- **Protocol Governance:** Define and enforce "Agentic Protocols"—rules that dictate how an agent is allowed to communicate with other internal systems.
## Compliance Alignment
- **NIST AI Risk Management Framework (AI RMF):** Aligning with visibility and risk prioritization.
- **OWASP Top 10 for LLMs:** Addressing Prompt Injection (Semantic security) and Excessive Agency.
- **ISO/IEC 42001:** Establishing governance for AI management systems.
## Common Pitfalls to Avoid
- **The "Siloed" Fallacy:** Treating AI agents as individual assets rather than a hyperconnected "multi-agent system constellation."
- **Syntax Reliance:** Using old security tools that look for "exact matches" (code/syntax) instead of "meaning" (semantics).
- **Excessive Trust:** Assuming AI systems are deterministic. Remember: AI is **probabilistic**; its outputs and actions are hard to anticipate without active monitoring.
## Resources
- **Tenable One AI Exposure Platform:** [tenable[.]com/products/ai-exposure]
- **Tenable Multi-Agent System Insights:** Documentation on identifying "toxic combinations" in agentic landscapes.