arXiv — Agentic AI as a cybersecurity attack surface
AI relevance: The paper reframes agent security around runtime supply chains (context + tools), outlining concrete threat classes and defenses for deployed AI agents.
- Argues that agentic systems move the attack surface from build-time artifacts to inference-time dependencies (context and tools).
- Introduces a unified runtime framework with two supply chains: data supply chain (transient context injection, persistent memory poisoning) and tool supply chain (discovery, implementation, invocation).
- Highlights “Viral Agent Loop,” where agents can propagate malicious behaviors without exploiting code-level flaws.
- Notes that probabilistic tool selection and chaining create interdependent failure modes beyond single-tool exploits.
- Advocates a Zero‑Trust Runtime Architecture that treats context as untrusted control flow.
- Proposes constraining tool execution with cryptographic provenance rather than semantic inference alone.
- Positions the framework as a bridge between model-level vulnerabilities and operational security engineering for agents.
Why it matters
- Most agent breaches are likely to come from runtime supply chains (data + tools), not model weights.
- The taxonomy clarifies where to invest defenses: discovery controls, tool attestation, memory isolation, and runtime monitoring.
- It gives AI ops teams a shared vocabulary to align security, platform, and product workstreams.
What to do
- Inventory data + tools: map every context source and tool an agent can invoke.
- Attest tools: require signed tool manifests and provenance checks before execution.
- Isolate memory: separate long-term memory from transient context; gate writes with policy checks.
- Constrain discovery: limit tool search space and rate‑limit dynamic tool loading.
- Monitor loops: alert on repetitive tool chains or self‑propagating behaviors.