[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"kb-article-agentic-ai-is-the-new-lateral-movement-engine-how-autonomous-agents-explode-your-attack-surface-en":3,"ArticleBody_4cbs7gbycvcmJjwXqEjzUQX9FOtPCcgaECaccpe4jGQ":93},{"article":4,"relatedArticles":63,"locale":53},{"id":5,"title":6,"slug":7,"content":8,"htmlContent":9,"excerpt":10,"category":11,"tags":12,"metaDescription":10,"wordCount":13,"readingTime":14,"publishedAt":15,"sources":16,"sourceCoverage":46,"transparency":47,"seo":52,"language":53,"featuredImage":54,"featuredImageCredit":55,"isFreeGeneration":59,"trendSlug":46,"niche":60,"geoTakeaways":46,"geoFaq":46,"entities":46},"6a0d09d41234c70c8f167ef5","Agentic AI Is the New Lateral Movement Engine: How Autonomous Agents Explode Your Attack Surface","agentic-ai-is-the-new-lateral-movement-engine-how-autonomous-agents-explode-your-attack-surface","Agentic AI turns [large language models](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLarge_language_model) into autonomous [AI agents](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAI_agent) that plan, decide, and execute workflows end‑to‑end. These agents:\n\n- Invoke tools and APIs  \n- Maintain state and memory  \n- Act across SaaS, cloud, and internal systems without step‑by‑step human approval [2][4]\n\nRisk thus shifts from “bad text” to “unauthorized actions in production.” [2][4]\n\nIn 2026, a mid‑size fintech saw a support agent hijacked via [prompt injection](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FPrompt_injection). The agent pulled an internal runbook and reset MFA for dozens of accounts—no network breach required; the attacker simply abused existing agent privileges. This is the new lateral movement model.\n\n~97% of security leaders expect a material agent‑driven incident soon, yet only a small fraction of budgets targets this risk. [8] That capability‑control gap is where [security threats](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FThreat_(computer_security)) grow.\n\n---\n\n## 1. From Chatbots to Agents: Why the Attack Surface Explodes\n\nTraditional LLM apps are stateless Q&A services. Agentic systems add:\n\n- **Planning**: multi‑step task decomposition  \n- **Tool use**: API calls, workflows  \n- **Memory**: stateful sessions  \n- **Autonomy**: long‑running operations [2]\n\nTogether they turn LLMs into general‑purpose orchestrators across digital environments.\n\n### From text to actions\n\nEnterprise agents already:  \n\n- Update or delete database records  \n- Trigger CI\u002FCD, ticketing, or incident workflows  \n- Fetch and transform sensitive CRM\u002FERP\u002Fwarehouse data [4][9]\n\nThese actions:\n\n- Run at machine speed  \n- Often skip second‑factor checks  \n- Directly change production state (payouts, credentials, entitlements) [4]\n\n💼 **Operational shift**\n\n> Risk has moved from reputational damage to operational impact: incorrect payouts, credential changes, [data exfiltration](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FData_exfiltration), and policy violations driven by model output. [4]\n\n### Non‑human identities everywhere\n\nEvery agent instance functions as a non‑human identity (NHI), bound to:\n\n- API keys and service accounts  \n- Specific tenants, projects, or customers  \n- Tools like ticketing, cloud consoles, file stores [5][8]\n\nProblems:\n\n- Ownership is often unclear  \n- Policies and scopes are inconsistent  \n- Shadow AI and low‑code builders spawn untracked agents [5][8]\n\nAs agents multiply, identity and access surfaces expand rapidly.\n\n### Non‑determinism breaks old assumptions\n\nBecause agents are stateful and non‑deterministic, the same user request may trigger different sequences based on:\n\n- Session memory and context  \n- Current tool availability  \n- Subtle prompt and data differences [8]\n\nConsequences:\n\n- Workflows become harder to predict, test, and audit  \n- “We tested that flow once” no longer guarantees production behavior  \n\n⚠️ **Key implication**\n\n> You must secure *what the agent is allowed to do*, not what you assume it will usually do.\n\nGlobal surveys show security leaders now treat agents as a distinct architectural risk, not a minor chatbot upgrade. [8]\n\n---\n\n## 2. Threat Taxonomy: How Agents Enable Lateral Movement\n\nModern research separates agent‑specific threats—goal hijacking, unsafe tool use, emergent behaviors—from generic LLM risks like hallucinations. [1][2] For defenders, the core concern is how these threats compose into lateral movement.\n\n### Prompt injection as control‑plane hijack\n\nPrompt injection is still the top agent attack. [9]\n\nTwo main forms:\n\n- **Direct injection**: attacker talks to the agent and overrides instructions  \n- **Indirect injection**: attacker poisons data the agent reads (emails, docs, web pages, tickets, DB rows)\n\nGoal in both cases:\n\n- Replace governance with “follow these instructions”  \n- Subvert internal policies using the agent’s own reasoning loop [4][9]\n\n💡 **Mental model**\n\n> For agents, prompt injection functions like remote code execution on the orchestration layer.\n\n### From tool chaining to lateral movement\n\nOnce the attacker controls goals, each tool integration becomes a pivot:\n\n- Support inbox → CRM  \n- CRM → billing\u002Ffinancial systems  \n- Billing → cloud consoles, secrets, keys [5][10]\n\nMulti‑tool agents act as:\n\n- Pre‑wired privilege chains  \n- Ready‑made lateral movement paths across business and infrastructure systems [5][10]\n\n📊 **Layered risk across the stack**\n\nResearch on multi‑agent portfolio systems shows threats span: [3]\n\n- **Perception**: inputs, retrieval, browsing  \n- **Planning**: goal setting and decomposition  \n- **Execution**: tool\u002FAPI calls and side effects  \n- **Governance**: approvals, policies, audit [3]\n\nA single compromise can cascade, e.g.:\n\n- Manipulated market data (perception) → unsafe trade plan (planning) → valid API calls (execution) in violation of policy (governance). [3]\n\n### Incidents are already real\n\nSince 2025, documented incidents show agents: [4][6][10]\n\n- Leaking internal data via retrieval or summarization  \n- Acting beyond intended scope or environment  \n- Handling workflows like:\n  - HR account provisioning  \n  - Privileged secret rotation  \n  - Export of audit and compliance logs [10]\n\n⚠️ **Why this matters**\n\n> Misuse of one such agent can chain privileges across HR, IT, finance, and compliance—mirroring classic, high‑value lateral movement. [10]\n\n---\n\n## 3. Security Architecture: Zero Trust for Non‑Human Agents\n\nIf agents are lateral movement engines, architectures must treat them as high‑risk identities, not “smart chatbots” to be tamed with better prompts.\n\n### Treat agents as first‑class NHIs\n\nZero‑trust for agentic AI means each agent must: [5]\n\n- Authenticate per tenant and environment  \n- Authorize per tool with least privilege  \n- Be continuously verified on every call, not just at session start  \n\nEnforcement must live outside the LLM; model reasoning cannot be trusted to self‑limit. [5]\n\n💡 **Design principle**\n\n> Scope identity and policy at the tool boundary, not at the chat interface.\n\n### Chatbot defenses are insufficient\n\nLegacy defenses (content filters, jailbreak detection, perimeter prompts):\n\n- Were built for static chatbots  \n- Focus on output safety, not downstream side effects [4]\n\nModern guidance emphasizes securing: [4][9]\n\n- Tool invocation pathways  \n- Data domains and tenants  \n- Environment boundaries (dev\u002Fstage\u002Fprod)\n\nA monolithic system prompt cannot reliably enforce all of this.\n\n### Discovery and layered threat modeling\n\nBest practice starts with centralized discovery of *all* agents, including: [8]\n\n- Shadow AI, low‑code, and vendor‑hosted agents  \n- Departmental experiments and prototypes\n\nMinimum inventory fields:\n\n- Agent name and owner  \n- Tooling and APIs it can call  \n- Data domains, tenants, and environments it touches [8]\n\nRisk‑assessment methods then map threats across:\n\n- Model, orchestration, tools, data, governance layers  \n- To find where broad scopes or shared credentials enable lateral movement [1][3]\n\n⚡ **Architecture checkpoint**\n\n> If you cannot answer “which agents can touch production secrets in tenant X,” you are not ready for agentic AI.\n\n### Runtime policy gateways\n\nEnterprise guidance converges on runtime controls between agents and tools: [4][5]\n\n- Policy‑aware gateways enforcing:\n  - Fine‑grained rules per tool\u002FAPI  \n  - Tenant and environment isolation  \n  - Rate limits and anomaly checks  \n- Centralized logs for every call and response\n\nEven if the prompt layer is fully compromised, gateways can block model output from becoming dangerous real‑world actions. [4][5]\n\n---\n\n## 4. Engineering Patterns: Containing Blast Radius and Lateral Movement\n\nArchitecture defines guardrails; engineering patterns determine blast radius when agents are hijacked.\n\n### 4.1 Scoped agents, not universal copilots\n\nSurveys recommend small, narrow agents with: [2][8]\n\n- Strict tool whitelists  \n- IAM‑enforced data boundaries, not prompt‑based limits  \n- Separate identities per environment (prod vs sandbox)\n\n💼 **Practical example**\n\n> Use three scoped agents—“HR‑onboarding,” “IT‑logs‑export,” and “Finance‑payments”—instead of one broad “operations agent” with global access.\n\nIf one is hijacked, the attacker’s reach is constrained. [2]\n\n### 4.2 Deep telemetry and anomaly detection\n\nPlaybooks call for step‑level telemetry on every agent: [4][10]\n\n- Prompts, intermediate plans, chain‑of‑thought (with privacy controls)  \n- Tool\u002FAPI calls, parameters, and outputs  \n- Environment, tenant, identity, and user context  \n- Human approvals and overrides\n\n📊 **Why telemetry matters**\n\n> Without granular traces, you cannot reconstruct attacker movement or safely roll back actions. [4][10]\n\nTelemetry also powers anomaly detection, e.g., an onboarding agent suddenly querying production key vaults.\n\n### 4.3 Security testing for agents\n\nBest practices integrate security testing into the agent SDLC: [8]\n\n- Red‑teaming for direct and indirect prompt injection  \n- Fuzzing of tool invocation paths and parameters  \n- Simulations of poisoned data sources or compromised tools\n\nLayered approaches like RoboPMS test across perception, planning, and execution to reveal cross‑layer failure modes. [3]\n\n⚠️ **Testing mindset**\n\n> Treat agents like microservices that can be deceived, not “smart users” who will spot malicious content.\n\n### 4.4 Policy at decision and execution layers\n\nZero‑trust work stresses that prompt‑level rules (“ignore untrusted input”) are not enough. [5] Robust designs enforce policy at:\n\n- **Decision layer**:\n  - Policy engines that score, constrain, or veto candidate plans  \n- **Execution layer**:\n  - Gateways requiring extra verification for high‑impact actions (fund transfer, key rotation, access changes) [4][5]\n\nSecurity guidance also recommends agent‑specific incident runbooks defining: [10]\n\n- When human approval is mandatory  \n- How to halt or quarantine misbehaving agents  \n- How to roll back actions from compromised sessions  \n\n💡 **Runbook tip**\n\n> Maintain a global “kill switch” per agent identity to revoke credentials, quarantine workloads, and alert owners within minutes. [10]\n\n---\n\n## Conclusion: Design for Containment, Not Perfection\n\nAgentic AI turns LLMs into autonomous actors that chain tools and move laterally across systems, converting prompts into operational risk rather than just unsafe text. [2][4] Research shows chatbot‑era defenses miss this expanded surface, where prompt injection, goal hijacking, and cross‑system workflows combine into powerful lateral movement paths. [1][3]\n\nA secure posture treats agents as high‑risk non‑human identities, applies zero‑trust to every tool call, and models threats across model, orchestration, tools, data, and governance layers. [5][8] Practically, this means: constrained task‑specific agents, strong identity and least privilege, rich telemetry, rigorous red‑teaming, and runtime policy gateways that contain blast radius even when prompts or tools are compromised. [4][10]\n\nStart by inventorying all agents, mapping their tools and data access, and inserting policy‑enforcing gateways between agents and critical systems. Then prioritize high‑impact workflows—credentials, financial operations, data exports—for stricter least privilege and human‑in‑the‑loop checks before scaling agents across the enterprise. [8][10]","\u003Cp>Agentic AI turns \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLarge_language_model\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">large language models\u003C\u002Fa> into autonomous \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAI_agent\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">AI agents\u003C\u002Fa> that plan, decide, and execute workflows end‑to‑end. These agents:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Invoke tools and APIs\u003C\u002Fli>\n\u003Cli>Maintain state and memory\u003C\u002Fli>\n\u003Cli>Act across SaaS, cloud, and internal systems without step‑by‑step human approval \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Risk thus shifts from “bad text” to “unauthorized actions in production.” \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>In 2026, a mid‑size fintech saw a support agent hijacked via \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FPrompt_injection\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">prompt injection\u003C\u002Fa>. The agent pulled an internal runbook and reset MFA for dozens of accounts—no network breach required; the attacker simply abused existing agent privileges. This is the new lateral movement model.\u003C\u002Fp>\n\u003Cp>~97% of security leaders expect a material agent‑driven incident soon, yet only a small fraction of budgets targets this risk. \u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa> That capability‑control gap is where \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FThreat_(computer_security)\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">security threats\u003C\u002Fa> grow.\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>1. From Chatbots to Agents: Why the Attack Surface Explodes\u003C\u002Fh2>\n\u003Cp>Traditional LLM apps are stateless Q&amp;A services. Agentic systems add:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Planning\u003C\u002Fstrong>: multi‑step task decomposition\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Tool use\u003C\u002Fstrong>: API calls, workflows\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Memory\u003C\u002Fstrong>: stateful sessions\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Autonomy\u003C\u002Fstrong>: long‑running operations \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Together they turn LLMs into general‑purpose orchestrators across digital environments.\u003C\u002Fp>\n\u003Ch3>From text to actions\u003C\u002Fh3>\n\u003Cp>Enterprise agents already:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Update or delete database records\u003C\u002Fli>\n\u003Cli>Trigger CI\u002FCD, ticketing, or incident workflows\u003C\u002Fli>\n\u003Cli>Fetch and transform sensitive CRM\u002FERP\u002Fwarehouse data \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>These actions:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Run at machine speed\u003C\u002Fli>\n\u003Cli>Often skip second‑factor checks\u003C\u002Fli>\n\u003Cli>Directly change production state (payouts, credentials, entitlements) \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>💼 \u003Cstrong>Operational shift\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Risk has moved from reputational damage to operational impact: incorrect payouts, credential changes, \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FData_exfiltration\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">data exfiltration\u003C\u002Fa>, and policy violations driven by model output. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch3>Non‑human identities everywhere\u003C\u002Fh3>\n\u003Cp>Every agent instance functions as a non‑human identity (NHI), bound to:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>API keys and service accounts\u003C\u002Fli>\n\u003Cli>Specific tenants, projects, or customers\u003C\u002Fli>\n\u003Cli>Tools like ticketing, cloud consoles, file stores \u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Problems:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Ownership is often unclear\u003C\u002Fli>\n\u003Cli>Policies and scopes are inconsistent\u003C\u002Fli>\n\u003Cli>Shadow AI and low‑code builders spawn untracked agents \u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>As agents multiply, identity and access surfaces expand rapidly.\u003C\u002Fp>\n\u003Ch3>Non‑determinism breaks old assumptions\u003C\u002Fh3>\n\u003Cp>Because agents are stateful and non‑deterministic, the same user request may trigger different sequences based on:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Session memory and context\u003C\u002Fli>\n\u003Cli>Current tool availability\u003C\u002Fli>\n\u003Cli>Subtle prompt and data differences \u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Consequences:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Workflows become harder to predict, test, and audit\u003C\u002Fli>\n\u003Cli>“We tested that flow once” no longer guarantees production behavior\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>⚠️ \u003Cstrong>Key implication\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>You must secure \u003Cem>what the agent is allowed to do\u003C\u002Fem>, not what you assume it will usually do.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>Global surveys show security leaders now treat agents as a distinct architectural risk, not a minor chatbot upgrade. \u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>2. Threat Taxonomy: How Agents Enable Lateral Movement\u003C\u002Fh2>\n\u003Cp>Modern research separates agent‑specific threats—goal hijacking, unsafe tool use, emergent behaviors—from generic LLM risks like hallucinations. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa> For defenders, the core concern is how these threats compose into lateral movement.\u003C\u002Fp>\n\u003Ch3>Prompt injection as control‑plane hijack\u003C\u002Fh3>\n\u003Cp>Prompt injection is still the top agent attack. \u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Two main forms:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Direct injection\u003C\u002Fstrong>: attacker talks to the agent and overrides instructions\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Indirect injection\u003C\u002Fstrong>: attacker poisons data the agent reads (emails, docs, web pages, tickets, DB rows)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Goal in both cases:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Replace governance with “follow these instructions”\u003C\u002Fli>\n\u003Cli>Subvert internal policies using the agent’s own reasoning loop \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>💡 \u003Cstrong>Mental model\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>For agents, prompt injection functions like remote code execution on the orchestration layer.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch3>From tool chaining to lateral movement\u003C\u002Fh3>\n\u003Cp>Once the attacker controls goals, each tool integration becomes a pivot:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Support inbox → CRM\u003C\u002Fli>\n\u003Cli>CRM → billing\u002Ffinancial systems\u003C\u002Fli>\n\u003Cli>Billing → cloud consoles, secrets, keys \u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Multi‑tool agents act as:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Pre‑wired privilege chains\u003C\u002Fli>\n\u003Cli>Ready‑made lateral movement paths across business and infrastructure systems \u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>📊 \u003Cstrong>Layered risk across the stack\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Research on multi‑agent portfolio systems shows threats span: \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Perception\u003C\u002Fstrong>: inputs, retrieval, browsing\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Planning\u003C\u002Fstrong>: goal setting and decomposition\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Execution\u003C\u002Fstrong>: tool\u002FAPI calls and side effects\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Governance\u003C\u002Fstrong>: approvals, policies, audit \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>A single compromise can cascade, e.g.:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Manipulated market data (perception) → unsafe trade plan (planning) → valid API calls (execution) in violation of policy (governance). \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Incidents are already real\u003C\u002Fh3>\n\u003Cp>Since 2025, documented incidents show agents: \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Leaking internal data via retrieval or summarization\u003C\u002Fli>\n\u003Cli>Acting beyond intended scope or environment\u003C\u002Fli>\n\u003Cli>Handling workflows like:\n\u003Cul>\n\u003Cli>HR account provisioning\u003C\u002Fli>\n\u003Cli>Privileged secret rotation\u003C\u002Fli>\n\u003Cli>Export of audit and compliance logs \u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>⚠️ \u003Cstrong>Why this matters\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Misuse of one such agent can chain privileges across HR, IT, finance, and compliance—mirroring classic, high‑value lateral movement. \u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Chr>\n\u003Ch2>3. Security Architecture: Zero Trust for Non‑Human Agents\u003C\u002Fh2>\n\u003Cp>If agents are lateral movement engines, architectures must treat them as high‑risk identities, not “smart chatbots” to be tamed with better prompts.\u003C\u002Fp>\n\u003Ch3>Treat agents as first‑class NHIs\u003C\u002Fh3>\n\u003Cp>Zero‑trust for agentic AI means each agent must: \u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Authenticate per tenant and environment\u003C\u002Fli>\n\u003Cli>Authorize per tool with least privilege\u003C\u002Fli>\n\u003Cli>Be continuously verified on every call, not just at session start\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Enforcement must live outside the LLM; model reasoning cannot be trusted to self‑limit. \u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>💡 \u003Cstrong>Design principle\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Scope identity and policy at the tool boundary, not at the chat interface.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch3>Chatbot defenses are insufficient\u003C\u002Fh3>\n\u003Cp>Legacy defenses (content filters, jailbreak detection, perimeter prompts):\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Were built for static chatbots\u003C\u002Fli>\n\u003Cli>Focus on output safety, not downstream side effects \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Modern guidance emphasizes securing: \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Tool invocation pathways\u003C\u002Fli>\n\u003Cli>Data domains and tenants\u003C\u002Fli>\n\u003Cli>Environment boundaries (dev\u002Fstage\u002Fprod)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>A monolithic system prompt cannot reliably enforce all of this.\u003C\u002Fp>\n\u003Ch3>Discovery and layered threat modeling\u003C\u002Fh3>\n\u003Cp>Best practice starts with centralized discovery of \u003Cem>all\u003C\u002Fem> agents, including: \u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Shadow AI, low‑code, and vendor‑hosted agents\u003C\u002Fli>\n\u003Cli>Departmental experiments and prototypes\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Minimum inventory fields:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Agent name and owner\u003C\u002Fli>\n\u003Cli>Tooling and APIs it can call\u003C\u002Fli>\n\u003Cli>Data domains, tenants, and environments it touches \u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Risk‑assessment methods then map threats across:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Model, orchestration, tools, data, governance layers\u003C\u002Fli>\n\u003Cli>To find where broad scopes or shared credentials enable lateral movement \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>⚡ \u003Cstrong>Architecture checkpoint\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>If you cannot answer “which agents can touch production secrets in tenant X,” you are not ready for agentic AI.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch3>Runtime policy gateways\u003C\u002Fh3>\n\u003Cp>Enterprise guidance converges on runtime controls between agents and tools: \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Policy‑aware gateways enforcing:\n\u003Cul>\n\u003Cli>Fine‑grained rules per tool\u002FAPI\u003C\u002Fli>\n\u003Cli>Tenant and environment isolation\u003C\u002Fli>\n\u003Cli>Rate limits and anomaly checks\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Centralized logs for every call and response\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Even if the prompt layer is fully compromised, gateways can block model output from becoming dangerous real‑world actions. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>4. Engineering Patterns: Containing Blast Radius and Lateral Movement\u003C\u002Fh2>\n\u003Cp>Architecture defines guardrails; engineering patterns determine blast radius when agents are hijacked.\u003C\u002Fp>\n\u003Ch3>4.1 Scoped agents, not universal copilots\u003C\u002Fh3>\n\u003Cp>Surveys recommend small, narrow agents with: \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Strict tool whitelists\u003C\u002Fli>\n\u003Cli>IAM‑enforced data boundaries, not prompt‑based limits\u003C\u002Fli>\n\u003Cli>Separate identities per environment (prod vs sandbox)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>💼 \u003Cstrong>Practical example\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Use three scoped agents—“HR‑onboarding,” “IT‑logs‑export,” and “Finance‑payments”—instead of one broad “operations agent” with global access.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>If one is hijacked, the attacker’s reach is constrained. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>4.2 Deep telemetry and anomaly detection\u003C\u002Fh3>\n\u003Cp>Playbooks call for step‑level telemetry on every agent: \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Prompts, intermediate plans, chain‑of‑thought (with privacy controls)\u003C\u002Fli>\n\u003Cli>Tool\u002FAPI calls, parameters, and outputs\u003C\u002Fli>\n\u003Cli>Environment, tenant, identity, and user context\u003C\u002Fli>\n\u003Cli>Human approvals and overrides\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>📊 \u003Cstrong>Why telemetry matters\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Without granular traces, you cannot reconstruct attacker movement or safely roll back actions. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>Telemetry also powers anomaly detection, e.g., an onboarding agent suddenly querying production key vaults.\u003C\u002Fp>\n\u003Ch3>4.3 Security testing for agents\u003C\u002Fh3>\n\u003Cp>Best practices integrate security testing into the agent SDLC: \u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Red‑teaming for direct and indirect prompt injection\u003C\u002Fli>\n\u003Cli>Fuzzing of tool invocation paths and parameters\u003C\u002Fli>\n\u003Cli>Simulations of poisoned data sources or compromised tools\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Layered approaches like RoboPMS test across perception, planning, and execution to reveal cross‑layer failure modes. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>⚠️ \u003Cstrong>Testing mindset\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Treat agents like microservices that can be deceived, not “smart users” who will spot malicious content.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch3>4.4 Policy at decision and execution layers\u003C\u002Fh3>\n\u003Cp>Zero‑trust work stresses that prompt‑level rules (“ignore untrusted input”) are not enough. \u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa> Robust designs enforce policy at:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Decision layer\u003C\u002Fstrong>:\n\u003Cul>\n\u003Cli>Policy engines that score, constrain, or veto candidate plans\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Execution layer\u003C\u002Fstrong>:\n\u003Cul>\n\u003Cli>Gateways requiring extra verification for high‑impact actions (fund transfer, key rotation, access changes) \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Security guidance also recommends agent‑specific incident runbooks defining: \u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>When human approval is mandatory\u003C\u002Fli>\n\u003Cli>How to halt or quarantine misbehaving agents\u003C\u002Fli>\n\u003Cli>How to roll back actions from compromised sessions\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>💡 \u003Cstrong>Runbook tip\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Maintain a global “kill switch” per agent identity to revoke credentials, quarantine workloads, and alert owners within minutes. \u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Chr>\n\u003Ch2>Conclusion: Design for Containment, Not Perfection\u003C\u002Fh2>\n\u003Cp>Agentic AI turns LLMs into autonomous actors that chain tools and move laterally across systems, converting prompts into operational risk rather than just unsafe text. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa> Research shows chatbot‑era defenses miss this expanded surface, where prompt injection, goal hijacking, and cross‑system workflows combine into powerful lateral movement paths. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>A secure posture treats agents as high‑risk non‑human identities, applies zero‑trust to every tool call, and models threats across model, orchestration, tools, data, and governance layers. \u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa> Practically, this means: constrained task‑specific agents, strong identity and least privilege, rich telemetry, rigorous red‑teaming, and runtime policy gateways that contain blast radius even when prompts or tools are compromised. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Start by inventorying all agents, mapping their tools and data access, and inserting policy‑enforcing gateways between agents and critical systems. Then prioritize high‑impact workflows—credentials, financial operations, data exports—for stricter least privilege and human‑in‑the‑loop checks before scaling agents across the enterprise. \u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fp>\n","Agentic AI turns large language models into autonomous AI agents that plan, decide, and execute workflows end‑to‑end. These agents:\n\n- Invoke tools and APIs  \n- Maintain state and memory  \n- Act acros...","safety",[],1567,8,"2026-05-20T01:15:21.455Z",[17,22,26,30,34,38,42],{"title":18,"url":19,"summary":20,"type":21},"Agentic ai security: Threats, defenses, evaluation, and open challenges — A Chhabra, S Datta, SK Nahin, P Mohapatra - IEEE Access, 2026 - ieeexplore.ieee.org","https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F11447227\u002F","Agentic AI systems powered by Large Language Models (LLMs) and endowed with planning, tool use, memory, and autonomy are emerging as powerful and flexible platforms for automation. Their ability to au...","kb",{"title":23,"url":24,"summary":25,"type":21},"Agentic ai security: Threats, defenses, evaluation, and open challenges — A Chhabra, S Datta, SK Nahin, P Mohapatra - arXiv preprint arXiv …, 2025 - arxiv.org","https:\u002F\u002Farxiv.org\u002Fabs\u002F2510.23883","Author(s): Anshuman Chhabra, Shrestha Datta, Shahriar Kabir Nahin, Prasant Mohapatra\n\nAbstract:\nAgentic AI systems powered by large language models (LLMs) and endowed with planning, tool use, memory, ...",{"title":27,"url":28,"summary":29,"type":21},"From threat to trust: assessing security risks of agentic AI systems: M. Leo et al. — M Leo, F Tan, T Miao, G Anand - … Journal of Information Security, 2026 - Springer","https:\u002F\u002Flink.springer.com\u002Farticle\u002F10.1007\u002Fs10207-025-01185-y","Abstract\n\nAgentic artificial intelligence (AI) systems are expected to have transformative impacts across sectors, including critical areas like finance and healthcare. Their architectural complexity,...",{"title":31,"url":32,"summary":33,"type":21},"Securing AI agents: The enterprise security playbook for the agentic era","https:\u002F\u002Ftechcommunity.microsoft.com\u002Fblog\u002Fmarketplace-blog\u002Fsecuring-ai-agents-the-enterprise-security-playbook-for-the-agentic-era\u002F4503627","Securing AI agents: The enterprise security playbook for the agentic era\n\nAI agents don't just generate text anymore — they take actions. That single shift changes everything about how we think about ...",{"title":35,"url":36,"summary":37,"type":21},"Agentic AI Security: How to Govern Autonomous Agents with Zero Trust","https:\u002F\u002Fwww.zentera.net\u002Fcybersecurity\u002Fagentic-ai-security","Executive Summary\n\nTraditional cybersecurity models are becoming insufficient in the face of a fundamental shift in how enterprise systems operate, creating a new challenge: agentic artificial intelli...",{"title":39,"url":40,"summary":41,"type":21},"How to Secure Agentic AI in the Enterprise: Best Practices for 2026","https:\u002F\u002Fwww.lasso.security\u002Fblog\u002Fagentic-ai-best-practices","## What Is Agentic AI?\n\nMost enterprise AI deployments started with a chatbot, a copilot, or a model answering questions inside a defined interface. Agentic AI is a different category. These systems p...",{"title":43,"url":44,"summary":45,"type":21},"Three ways security teams can effectively deploy Agentic AI","https:\u002F\u002Fwww.scworld.com\u002Fperspective\u002Fthree-ways-security-teams-can-effectively-deploy-agentic-ai","From financial risk management and customer experience to cyber threat detection and software development, Agentic AI has rapidly transformed business. Unlike traditional chatbots or smart assistants,...",null,{"generationDuration":48,"kbQueriesCount":49,"confidenceScore":50,"sourcesCount":51},289611,10,100,7,{"metaTitle":6,"metaDescription":10},"en","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1758600588238-8687e5bb66b8?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxhZ2VudGljJTIwbmV3JTIwbGF0ZXJhbCUyMG1vdmVtZW50fGVufDF8MHx8fDE3NzkyMzk3MjJ8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60",{"photographerName":56,"photographerUrl":57,"unsplashUrl":58},"Vitaly Gariev","https:\u002F\u002Funsplash.com\u002F@silverkblack?utm_source=coreprose&utm_medium=referral","https:\u002F\u002Funsplash.com\u002Fphotos\u002Fperson-exercising-in-front-of-a-colorful-geometric-wall-DTroLYR1jfs?utm_source=coreprose&utm_medium=referral",false,{"key":61,"name":62,"nameEn":62},"ai-engineering","AI Engineering & LLM Ops",[64,72,79,86],{"id":65,"title":66,"slug":67,"excerpt":68,"category":69,"featuredImage":70,"publishedAt":71},"6a0d87781234c70c8f16908c","How AI Hallucinations Are Creating Real Security Risks in Critical Infrastructure","how-ai-hallucinations-are-creating-real-security-risks-in-critical-infrastructure","Large language models (LLMs) now sit in the core of Enterprise AI stacks:  \n\n- SOC copilots triaging security threats)  \n- OT dashboards summarizing telemetry  \n- Cloud copilots modifying IAM  \n- Conv...","hallucinations","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1751448555253-f39c06e29d82?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxoYWxsdWNpbmF0aW9ucyUyMGNyZWF0aW5nJTIwcmVhbCUyMHNlY3VyaXR5fGVufDF8MHx8fDE3NzkyNzU5NDZ8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-20T10:15:22.822Z",{"id":73,"title":74,"slug":75,"excerpt":76,"category":11,"featuredImage":77,"publishedAt":78},"6a0d41101234c70c8f168eff","Illinois’ New AI Regulation Push: What Dev and ML Teams Need to Prepare For","illinois-new-ai-regulation-push-what-dev-and-ml-teams-need-to-prepare-for","Illinois is moving from AI experimentation to enforceable rules. If you build or deploy models touching Illinois workers or residents, treat compliance as a core design constraint.\n\n---\n\n1. Why Illino...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1673241564420-9ca6abde6a0b?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxpbGxpbm9pcyUyMG5ldyUyMHJlZ3VsYXRpb24lMjBwdXNofGVufDF8MHx8fDE3NzkyNTM5MzN8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-20T05:12:12.002Z",{"id":80,"title":81,"slug":82,"excerpt":83,"category":69,"featuredImage":84,"publishedAt":85},"6a0d35641234c70c8f168e00","Mercor AI’s 4TB Data Breach: How a LiteLLM Supply Chain Attack Exposed a Hidden Meta Partnership","mercor-ai-s-4tb-data-breach-how-a-litellm-supply-chain-attack-exposed-a-hidden-meta-partnership","A 4TB data breach on the Mercor AI platform, reportedly enabled by a compromised LiteLLM‑style router, exemplifies a systemic LLM supply chain failure rather than a one‑off bug.[7][8] In LLM systems,...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1696258686286-1191184126aa?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHw0Nnx8YXJ0aWZpY2lhbCUyMGludGVsbGlnZW5jZSUyMHRlY2hub2xvZ3l8ZW58MXwwfHx8MTc3OTI2OTk2Nnww&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-20T04:22:09.212Z",{"id":87,"title":88,"slug":89,"excerpt":90,"category":69,"featuredImage":91,"publishedAt":92},"6a0d33e81234c70c8f168d4e","Mercor’s 4TB AI Data Breach: How a LiteLLM Supply‑Chain Attack Broke an LLM Hiring Platform","mercor-s-4tb-ai-data-breach-how-a-litellm-supply-chain-attack-broke-an-llm-hiring-platform","LLM apps now depend on a fragile, fast‑changing supply chain: model providers, routers, RAG stores, agents, and many libraries in between.[1][7] When any central link fails, everything upstream is exp...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1717501219074-943fc738e5a2?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHw2MXx8YXJ0aWZpY2lhbCUyMGludGVsbGlnZW5jZSUyMHRlY2hub2xvZ3l8ZW58MXwwfHx8MTc3OTI2OTk2OXww&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-20T04:17:18.681Z",["Island",94],{"key":95,"params":96,"result":98},"ArticleBody_4cbs7gbycvcmJjwXqEjzUQX9FOtPCcgaECaccpe4jGQ",{"props":97},"{\"articleId\":\"6a0d09d41234c70c8f167ef5\",\"linkColor\":\"red\"}",{"head":99},{}]