Last updated: July 2026
AI agent security is the security of an entire decision-and-action loop, not just the language model. The minimum production baseline is least-privilege tools, explicit trust boundaries, isolated execution, validated outputs, short-lived credentials, human approval for high-impact actions, and an audit trail that lets a team reconstruct what happened. Prompt injection matters, but the blast radius is determined by what the agent can read, call, change and remember.
An AI agent is useful because it can interpret a goal, gather context, choose tools, perform several steps and return an outcome. That same loop creates a security surface that a plain chat response may not have. A hostile instruction hidden in an email can influence a tool call. A harmless-looking tool can expose a write capability. A memory entry can preserve poisoned context for a later task. A successful attack therefore does not need to “break the model” in the traditional sense; it can manipulate a model that has been given too much authority.
This AI agent security guide gives builders and security teams a practical threat model for 2026. It covers prompt injection, excessive agency, output handling, identity, MCP servers, memory, sandboxing, approval gates and operational metrics. It is a design and review framework, not a claim that one product, model or vendor makes an agent secure by default. Use the controls that match your data, actions, users and regulatory context.
Never let the model be the final authorization layer for a high-impact action. The model can propose an action; deterministic policy, user identity, scope checks and—in sensitive cases—a human should decide whether the action is allowed.
What makes an agent different from a chatbot?
A chatbot mainly produces content for a person to inspect. An agent can turn content into a sequence of actions: search a private repository, create a ticket, modify a record, send an email, run code or call another service. The difference is not a magic autonomy threshold. It is the combination of model output, state, tools, identity and an execution loop.
Three questions define the blast radius. First, what can the agent read, including hidden system context, retrieved documents and memory? Second, what can it do, including tools inherited from a broad plugin or MCP server? Third, whose identity does it use, and how long do the credentials live? A system that has a brilliant model but cannot answer those questions is not ready for sensitive production work.
The right mental model is a distributed application with a probabilistic planner inside it. The planner may be helpful, but it is not a policy engine, a secrets vault, a transaction signer or a substitute for application authorization. If you need the background first, our guides to what an AI agent is and AI agent architecture explain the components that this security model protects.
The 2026 threat model: eight attack surfaces
1. Direct and indirect prompt injection
Direct prompt injection is an instruction supplied by a user that attempts to change the agent’s priorities or bypass its rules. Indirect prompt injection arrives through content the agent retrieves: an email, web page, PDF, issue, calendar event, code comment or tool response. OWASP describes prompt injection as a model-behavior problem whose impact depends heavily on the business context and the agency granted to the application.
Do not promise that a system prompt, delimiter or “ignore instructions in documents” sentence solves this. Treat external content as data with an untrusted instruction channel. Keep retrieval and tool results labeled, minimize their privileges, and require independent policy checks before an external string can influence a write, secret access or outbound message.
2. Excessive agency
Excessive agency is the combination of excessive functionality, permissions or autonomy. A summarization agent might need read-only mailbox access, yet a convenient connector might also expose send and delete operations. A coding agent may need to run tests, but a shell tool with unrestricted network and filesystem access changes a bug-fixing task into a remote-code-execution surface.
Reduce the surface in three directions: provide fewer tools, make each tool narrower, and place approval around irreversible effects. A read operation should not silently include a write operation. A “send” action should carry a recipient and content preview into the approval step. A deletion tool should be separate from a search tool and should require a fresh, explicit authorization.
3. Improper output handling
Model output is untrusted input to the rest of the application. Passing generated SQL into a database, a path into a filesystem, HTML into a browser, or shell text into an executor without validation can create ordinary software vulnerabilities with an AI-shaped entry point. OWASP calls out issues such as XSS, CSRF, SSRF, privilege escalation and remote code execution when downstream components trust an output too much.
Prefer typed tool arguments, allowlists, parameterized queries, context-aware encoding and schema validation. Do not “sanitize” a string and then treat it as authorization. A validator should check the requested action against the user’s scope, not merely check that the JSON is well formed.
4. Sensitive-data disclosure and confused deputy behavior
An agent may have access to more data than the requesting user, or it may combine data from different tenants in one context. A malicious document can ask the agent to summarize a private record and send the answer to an external address. A support assistant can accidentally reveal another customer’s ticket if retrieval filters are applied after generation rather than before.
Enforce tenant and user authorization at retrieval time and again at tool time. Redact secrets before they enter prompts where possible. Use separate credentials for reading and writing. Never let the model decide whether two identities are equivalent. The application should bind every data access to an authenticated principal, resource, purpose and scope.
5. Memory and context poisoning
Long-lived memory changes the threat model. A false preference, malicious instruction or compromised tool result can be stored and later presented as trusted context. Vector databases can also return a poisoned chunk if ingestion, provenance and access controls are weak. Memory should therefore have an owner, source, timestamp, confidence and deletion path.
Separate user preferences from operational instructions. Do not automatically promote a model-generated summary into durable memory. Apply retention limits, provenance checks and human review to sensitive memories. When an incident occurs, you must be able to invalidate one memory item or an entire retrieval namespace without deleting unrelated audit evidence.
6. Tool, MCP and dependency supply chain
Every connector expands the trust boundary. Tool descriptions can be misleading, a server can be compromised, a package can be replaced, and an apparently read-only capability can call a broader backend API. The Model Context Protocol provides transport and authorization patterns, but protocol compliance does not make a server trustworthy. Review the implementation, source, deployment identity, data flow and update path.
Maintain an allowlist of servers and tools. Pin versions where practical, record hashes or provenance for deployable artifacts, and review new capabilities like code. Treat tool annotations and natural-language descriptions as hints, not proof. For remote MCP authorization, follow the specification’s OAuth requirements, validate token audience, use HTTPS and avoid passing a token through to an unintended downstream resource.
7. Identity, privilege and session abuse
Agents often act on behalf of a person, but “on behalf of” is not a credential design. A long-lived bearer token with broad scopes lets a prompt injection become a durable account compromise. A confused-deputy bug appears when the agent can use the application’s service identity to access something the user could not access directly.
Use short-lived, audience-bound credentials and the narrowest scopes. Separate planning from execution identities. Re-authorize sensitive actions when the target, amount, recipient or data category changes. Log the human principal, agent identity, tool, resource, policy decision and approval event so an incident responder can distinguish user intent from model suggestion.
8. Unbounded consumption and agent loops
An agent can spend money, tokens and infrastructure without producing a useful outcome. A loop may repeatedly fetch the same page, call a failing tool, expand a prompt or retry an invalid action. OWASP describes unbounded consumption as a risk to availability, finances, model theft and service quality.
Set maximum turns, wall-clock deadlines, token budgets, tool-call budgets and per-user rate limits. Add a circuit breaker for repeated failures and a graceful escalation path. Monitor tail behavior, not only the average: a median of four turns can coexist with a 95th percentile of twenty. Cost controls are security controls when an attacker can trigger the loop.
Least privilege for AI tools
Least privilege is the most transferable control in an agent system. Start with the task, then expose only the capabilities needed for that task. If the agent drafts support replies, give it read access to the relevant ticket and a draft operation. Do not give it delete, billing, administrator or unrestricted web-posting rights simply because they exist in the same SDK.
| Capability | Default posture | Stronger production control |
|---|---|---|
| Read private data | Allow only the user’s authorized resources | Tenant filter, purpose binding, redaction and audit |
| Write a record | Draft or preview first | Schema validation, field allowlist and idempotency key |
| Send an email or message | Never auto-send by default | Human approval with recipient and content diff |
| Delete or transfer value | Deny by default | Step-up authentication, dual control and reversible window |
| Run code | Sandbox with no secret or network access | Ephemeral runtime, resource limits and artifact scanning |
| Call external MCP server | Approved allowlist only | Audience-bound OAuth, version review and egress policy |
A useful design pattern is capability separation. The model can produce a structured proposal such as “create a refund of amount X for order Y”; a deterministic service then checks identity, account ownership, amount limits, fraud signals and approval state. The model never receives a generic “refund anything” function. This limits damage even when the model is manipulated.
Sandboxing and outbound controls
Sandboxing is not one checkbox. It can mean a separate process, container, virtual machine, browser profile, filesystem namespace, network policy or cloud account. Choose the boundary based on the worst thing the agent can do. If it can execute untrusted code, block access to production credentials, metadata services, internal admin panels and unrestricted outbound destinations. If it only formats text, a lighter boundary may be sufficient.
Use ephemeral environments for code execution and browser tasks. Mount only the files required for the job, make the workspace disposable, cap CPU, memory, disk and duration, and record artifacts for review. Network egress should be allowlisted where possible. A sandbox that can read a cloud credential from the environment and call any IP is a stage prop, not a meaningful containment control.
Browser agents deserve extra care. Separate display content from instructions, confirm the target origin, restrict file uploads and downloads, and require a user review before purchases, messages, permission changes or account recovery. An invisible instruction in a page can be as influential as visible text to the model, so visual confirmation alone is not a sufficient defense.
Human approval that actually works
“Human in the loop” is often implemented as a notification that nobody reads. A useful approval gate presents the action, target, data, side effects, expiration and reason. It should tell the reviewer exactly what the agent proposes and what changed since the last approval. A vague button labelled “continue” is not a control.
Use risk tiers. Low-risk actions such as formatting a private draft can run automatically. Medium-risk actions such as creating a ticket or changing a non-sensitive field can require a policy check and an undo path. High-risk actions such as sending money, changing access, deleting records or publishing externally should require fresh approval, strong authentication and sometimes two people. If the context changes after approval, invalidate the approval.
Ask whether a reviewer could answer “what will happen, to whom, using which data, under whose identity, and how can I undo it?” in less than a minute. If not, the agent should not execute the action yet.
MCP security: a practical review
MCP is useful because it gives agents a common way to discover and call tools, resources and prompts. That common interface also makes capability review important: a server is an integration, not a trusted extension of the model. Start an MCP review with the same questions used for any third-party service: who runs it, where does data go, what does it store, what credentials does it receive, how are updates signed or reviewed, and what is the incident contact?
For HTTP-based authorization, the MCP specification describes OAuth 2.1-oriented flows, secure token storage, HTTPS, redirect-URI validation and PKCE. Newer specification guidance also emphasizes resource indicators and token audience validation. The practical implication is straightforward: a token minted for one resource must not be replayed at another server, and a client must not blindly pass through a user token to a downstream system.
For local stdio servers, protect the host process and environment. A local tool can access files and credentials according to the OS account that launches it. Use a dedicated account or sandbox, keep the server allowlist small, review command arguments, and do not install a server from an unverified copy-paste command. The protocol cannot compensate for a malicious binary with the same filesystem privileges as the user.
Our pages on MCP server selection, agentic workflows versus agents and agents in finance provide architecture context; this security checklist should be applied before a connector reaches production.
Validate outputs before they become actions
Use a typed interface between the model and every meaningful side effect. For example, the model might return a proposal with an action name, resource identifier, amount, reason and confidence. The application validates the types, then independently checks whether the current principal can perform that action. Reject extra fields, unknown operations, malformed identifiers and values outside policy bounds.
from dataclasses import dataclass
@dataclass(frozen=True)
class Proposal:
action: str
resource_id: str
amount_cents: int | None = None
ALLOWED_ACTIONS = {"ticket.create", "ticket.comment"}
def authorize(proposal, principal, resource):
if proposal.action not in ALLOWED_ACTIONS:
return False, "action_not_allowed"
if proposal.resource_id != resource.id:
return False, "resource_mismatch"
if principal.tenant_id != resource.tenant_id:
return False, "tenant_mismatch"
if proposal.amount_cents is not None:
return False, "unexpected_value_field"
return True, "approved"
# The model proposes. The application authorizes and logs.This is intentionally small. It does not attempt to make a model “safe” through a clever prompt. It demonstrates where authorization belongs: in deterministic application code that knows the authenticated principal and the resource. In a real system, add schema validation, rate limits, idempotency, audit events, error handling and tests for cross-tenant access.
Logging, detection and incident response
Store enough structured data to reconstruct an event without logging secrets or full sensitive prompts by default. A useful trace links the user request, model version, prompt or context references, retrieved document identifiers, tool proposal, policy decision, approval, tool result, latency, token use and final outcome. Hash or redact content where possible, but preserve provenance and correlation identifiers.
| Signal | What it may indicate | Response |
|---|---|---|
| Repeated policy denials | Prompt injection, broken workflow or privilege probing | Rate-limit, surface a safe error and alert on patterns |
| Unusual outbound destinations | Data exfiltration or compromised tool | Block egress, quarantine trace and rotate credentials |
| Tool-call bursts | Loop, denial of wallet or automation abuse | Trip circuit breaker and inspect the task |
| Cross-tenant retrieval attempt | Authorization bug or confused deputy | Deny, preserve evidence and test the filter boundary |
| Memory writes with instructions | Context poisoning | Hold for review and invalidate the source entry |
| Approval override spikes | Bad policy, user fatigue or adversarial pressure | Review the UX and risk tier before expanding access |
Prepare an incident playbook before launch. It should include disabling a tool, revoking tokens, freezing outbound actions, stopping memory writes, isolating a tenant, finding affected traces, notifying the right owners and restoring service with reduced capability. A “turn off the model” plan is incomplete if a queued action or long-lived credential can still execute.
Testing an AI agent security boundary
Security testing should combine ordinary application tests with adversarial agent evaluations. Test direct and indirect prompt injection, malicious tool descriptions, cross-tenant retrieval, output-to-SQL or output-to-shell paths, memory poisoning, token replay, tool timeouts, giant inputs, repeated retries and approval-context changes. The goal is not to prove that no attack exists; it is to verify that a realistic attack stays inside a small blast radius.
Write tests at the policy boundary. A model may produce different wording each time, but “a user without access to record B cannot retrieve record B” should be deterministic. Include negative tests for every tool: wrong tenant, expired identity, missing approval, extra fields, stale resource version, too-large amount, untrusted origin and repeated failure.
Red-team the full chain, not only the model. An evaluator should be allowed to put hostile instructions into a document, compromise a test tool, alter a memory item and create a long-running loop. Then measure whether the policy engine, sandbox, egress filter, rate limiter and alerting system work together. If the system blocks an injection but leaks a secret in the trace, the control is not complete.
Governance and regulatory context
NIST’s AI Risk Management Framework and Generative AI Profile are useful organizing tools because they connect governance, mapping, measurement and management. They do not replace a security architecture or create a universal “approved agent” stamp. Use them to document intended use, affected people, data, foreseeable misuse, testing evidence, monitoring and ownership.
The regulatory result depends on the use case, jurisdiction and role of the organization. An internal drafting agent is not automatically the same legal category as an agent used in employment, credit, healthcare, critical infrastructure or public services. Map the workflow and the decision, not just the model name. Privacy obligations can apply even when an agent is “only summarizing,” because prompts, retrieved documents, logs and memory may contain personal data.
Keep a record of human accountability. Someone must own the tool allowlist, data permissions, model changes, evaluation thresholds, incident response and retirement decision. “The model decided” is not a defensible control description when the application chose the tools, credentials and automation level.
A 30-day rollout plan
| Period | Focus | Deliverable |
|---|---|---|
| Days 1–5 | Inventory | Data map, tools, identities, trust boundaries, owners and worst-case actions |
| Days 6–10 | Constrain | Allowlisted tools, scoped credentials, tenant filters, budgets and sandbox profile |
| Days 11–17 | Validate | Typed proposals, output checks, approval UX, audit events and circuit breakers |
| Days 18–24 | Attack | Injection, memory, supply-chain, identity, loop and cross-tenant evaluations |
| Days 25–30 | Operate | Dashboard, incident drill, rollback plan, change review and staged release |
Start with read-only tasks and reversible writes. Expand the capability set only when the evidence supports it. A successful pilot should show not only answer quality but also policy-denial behavior, average and tail tool calls, approval load, sensitive-data handling and recovery from a compromised connector. Capability expansion is a security change, so review it like one.
Security metrics worth monitoring
Track both safety and usefulness. Useful metrics include the rate of blocked tool calls, cross-tenant denials, prompt-injection detections, approval requests and approval overrides; percentage of tool calls with valid provenance; secret-redaction events; mean and p95 loop turns; cost per successful task; sandbox escapes or blocked egress attempts; time to revoke a credential; and the proportion of actions that have a reversible path.
A low denial rate is not automatically good. It can mean a clean workload, or it can mean the policy engine is not seeing the risky action. A high approval rate can mean good decisions, or reviewer fatigue. Pair each metric with a sample of traces and an expected baseline. Security is a feedback loop: change the prompt, model, tool or data flow, then rerun the same evaluations.
Final AI agent security checklist
- Scope. Is the agent’s purpose narrow, documented and owned by a named team?
- Identity. Are credentials short-lived, audience-bound and limited to the user’s authorized resources?
- Tools. Are unnecessary functions removed, with read and write capabilities separated?
- Context. Are user input, retrieved data, memory and tool results treated as untrusted content?
- Output. Are arguments typed, validated, allowlisted and checked independently of the model?
- Execution. Is code or browser work isolated with resource and egress limits?
- Approval. Do high-impact actions show target, scope, side effects and an undo path?
- MCP. Are servers allowlisted, reviewed, authenticated correctly and prevented from receiving unrelated tokens?
- Memory. Are writes attributed, retained for a purpose, reviewable and removable?
- Operations. Are traces, alerts, budgets, circuit breakers, rollback and credential revocation tested?
- Evaluation. Do negative tests cover injection, privilege abuse, data leakage, loops and tool compromise?
Conclusion
The strongest AI agent security architecture is not the one with the most elaborate prompt. It is the one that assumes the model can be confused and still keeps authority narrow. Prompt injection becomes less dangerous when documents cannot grant permissions. A malicious tool becomes less dangerous when servers are allowlisted and tokens are audience-bound. A bad plan becomes less dangerous when a deterministic policy gate validates the user, resource, amount and approval.
Build the first version as a constrained workflow, measure the real failure modes, and expand capabilities deliberately. For the broader architecture trade-offs, compare our AI agent frameworks guide, coding-agent comparison and LLM inference cost comparison. Security, quality and cost are coupled properties of the same loop.
FAQ: AI agent security
What is AI agent security?
AI agent security protects the model-driven loop of planning, context retrieval, tool calls, memory and execution. It combines least privilege, identity controls, validation, sandboxing, approvals, monitoring and incident response.
Can prompt injection be prevented completely?
There is no universal prompt-only fix. Reduce impact by treating external content as untrusted, minimizing tools and permissions, validating outputs, isolating execution and requiring approval for high-impact actions.
What is excessive agency in an AI agent?
Excessive agency means the system has more functionality, permissions or autonomy than the task requires. Separate read and write tools, remove unused capabilities and add deterministic policy gates.
Do AI agents need a sandbox?
Agents that run code, browse hostile content or handle untrusted files generally need isolation. The required boundary depends on the worst possible action, including data access, credentials and network egress.
How should MCP servers be secured?
Use an allowlist, review the server and update path, apply least-privilege scopes, follow the authorization specification, validate token audience, use HTTPS and prevent token passthrough to unintended resources.
When should a human approve an agent action?
Require fresh approval for irreversible, high-impact or externally visible actions such as sending money, changing access, deleting records or publishing. Show the target, scope, side effects and undo path.
What should be logged for an AI agent?
Log the principal, agent and model version, context references, tool proposal, policy decision, approval, tool result, latency, cost and outcome while redacting secrets and unnecessary personal data.
Sources and further reading
- OWASP GenAI: LLM01 Prompt Injection.
- OWASP GenAI: LLM06 Excessive Agency.
- OWASP GenAI: LLM05 Improper Output Handling.
- OWASP GenAI: LLM10 Unbounded Consumption.
- OWASP: Agentic AI — Threats and Mitigations.
- OWASP: Top 10 Risks and Mitigations for Agentic AI Security.
- NIST: AI Risk Management Framework.
- NIST: Generative Artificial Intelligence Profile.
- NIST: AI Security and Resilience.
- Model Context Protocol: Security Best Practices.
- Model Context Protocol: Authorization and token audience validation.
- Model Context Protocol: OAuth and authorization requirements.
- OWASP: Application Security Verification Standard.
- NIST: Adversarial Machine Learning — Taxonomy and Terminology.
- Google: Secure AI Framework.
- DecodeTheFuture: AI agent architecture explained.
- DecodeTheFuture: agentic workflows versus AI agents.
Threat names and protocol requirements can evolve. Re-check the linked primary documentation, your cloud provider’s security controls and your organization’s policies before production deployment.
