[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"kb-article-microsoft-rampart-and-clarity-a-practical-blueprint-for-securing-ai-agents-in-production-en":3,"ArticleBody_DqrZvu8stuGJ2eq0Notm0QycI7uGITithVyXIKY":105},{"article":4,"relatedArticles":75,"locale":65},{"id":5,"title":6,"slug":7,"content":8,"htmlContent":9,"excerpt":10,"category":11,"tags":12,"metaDescription":10,"wordCount":13,"readingTime":14,"publishedAt":15,"sources":16,"sourceCoverage":58,"transparency":59,"seo":64,"language":65,"featuredImage":66,"featuredImageCredit":67,"isFreeGeneration":71,"trendSlug":58,"niche":72,"geoTakeaways":58,"geoFaq":58,"entities":58},"6a0e937fa83199a61232a86a","Microsoft RAMPART and Clarity: A Practical Blueprint for Securing AI Agents in Production","microsoft-rampart-and-clarity-a-practical-blueprint-for-securing-ai-agents-in-production","Autonomous AI agents now sit in workflows that can provision credentials, rotate keys, export audit logs, and apply Terraform plans from a single prompt. [3] They amplify existing risks—overshared documents, over‑permissioned systems, ungoverned content—by making them instantly reachable and actionable. [1]  \n\nMost public incidents so far involve privacy leaks, reputational damage, or operational disruption, but fully agentic systems are expanding the attack surface faster than governance can keep up. [4][7][11]  \n\n💡 **Thesis:** Use Microsoft RAMPART as the policy and runtime guardrail layer, and Clarity as the continuous evaluation and red‑teaming harness. Together, they offer a concrete, testable architecture for securing agents with the rigor of modern secure MLOps. [3][9]  \n\n---\n\n## 1. Why AI agent security needs dedicated frameworks like RAMPART and Clarity\n\nEnterprise agents are already trusted to:  \n\n- Provision and revoke credentials during onboarding  \n- Export compliance logs and rotate privileged secrets  \n- Manage regional keys and policy artifacts for regulated workloads [3]\n\nWith agents on these paths, every mis‑prompt or misconfiguration becomes a privileged security incident, not just a bad answer. [3] Traditional security assumed:  \n\n- Human operators and narrow APIs  \n- Static authorization at clear request boundaries  \n\nAgentic AI instead:  \n\n- Chains tools and maintains memory  \n- Crosses trust boundaries dynamically  \n- Can traverse SharePoint, Azure, Fabric, and SaaS in one prompt, surfacing overshared or ungoverned content [1]\n\n⚠️ **Governance gap:** Many organizations adopted generative AI without:  \n\n- Formal AI ethics or risk councils  \n- Standards for secure LLM use  \n- Defined controls against prompt injection, indirect instructions, data leakage, or “shadow AI” tools [1][4][5]\n\nThe ecosystem is splitting into:  \n\n- **AI for Security** – agents doing threat hunting and vuln research  \n- **Security for AI** – controls that protect agents and their tool chains [8]  \n\nRAMPART and Clarity sit firmly in **Security for AI**:  \n\n- RAMPART: enforce least privilege and runtime policy for tools and data  \n- Clarity: systematically test agent behavior, tools, and protocols before and after deployment [3][6][8]\n\n💼 **Example:** A small fintech wired a Copilot‑style agent to ticketing and CI; a flawed workflow let it promote staging config to production and take an API offline—no exploit, just missing guardrails and testing. RAMPART‑style runtime control and Clarity‑style harnesses target this class of failure. [9][10]\n\n**Mini‑conclusion:** Generic app security is insufficient. Agentic systems need frameworks that understand tools, memory, and protocol behavior—the layer where RAMPART and Clarity operate. [3][4][6][9]\n\n---\n\n## 2. Threat model for LLM‑powered agents: what RAMPART and Clarity must defend against\n\nRecent systematizations of agentic AI attacks converge on four domains: [4][6]  \n\n- **Input manipulation**: prompt injection, long‑context hijacks, multimodal adversarial content  \n- **Model compromise**: prompt\u002Fparameter backdoors, data poisoning  \n- **System and privacy attacks**: membership inference, retrieval\u002Fmemory poisoning  \n- **Protocol exploits**: MCP bugs, agent‑to‑agent or host‑to‑tool escapes [4][10][11]\n\nSurveys of LLM‑powered workflows list 30+ concrete attacks, including:  \n\n- Hidden tool extraction and cross‑session data leakage  \n- Adversarial content in RAG sources  \n- Exploits in MCP transports and agent messaging [4][10][11]\n\n📊 **Security baseline:** The OWASP Top 10 for LLMs highlights:  \n\n- Prompt injection and data poisoning  \n- Sensitive information disclosure  \n- Unsafe tool integrations—across the full lifecycle, not only inference time [5]\n\nSecure MLOps research shows a single pipeline misconfiguration can cause:  \n\n- Credential theft and poisoned datasets  \n- Compromised models or environments  \n\nAgents that orchestrate across these pipelines:  \n\n- Inherit and magnify such weaknesses  \n- Move laterally across tools with broad identity scopes  \n- Drift in behavior as prompts, tools, and models change [6][9]\n\n💼 **Real incidents** already include:  \n\n- A transcription agent leaking healthcare data from overshared folders  \n- A coding assistant deleting a production database after misreading a refactor request—pure tool and autonomy failures [10]  \n\nNational guidance now warns that agentic AI “should not be trusted to perform assigned tasks without taking dangerous detours,” urging standardized architectures, not prompt‑only fixes. [11]\n\nRAMPART and Clarity must therefore explicitly cover:  \n\n- Memory and retrieval poisoning  \n- Tool‑chain and protocol‑level exploits  \n- Cross‑agent and cross‑session manipulation across Enterprise AI and SaaS apps [6][8][11]\n\n**Mini‑conclusion:** A usable threat model for RAMPART and Clarity is end‑to‑end and protocol‑aware, grounded in secure MLOps\u002FLLMOps. Anything less misses dominant failure modes. [4][6][9]\n\n---\n\n## 3. RAMPART: policy, least‑privilege, and runtime control for AI agents\n\nRAMPART extends Microsoft’s data security posture (e.g., Purview DSPM), which discovers sensitive data and maps access across Microsoft 365, Azure, Fabric, and SaaS. [1]  \n\n- **DSPM:** who can access what  \n- **RAMPART:** what an agent may do with that access at runtime [1][3]\n\n### 3.1 Architectural role\n\nSecurity guidance for agentic AI stresses four phases: discovery, threat modeling, security testing, runtime controls. [3]  \n\nRAMPART focuses on runtime by:  \n\n- Mediating every tool call  \n- Enforcing least‑privilege policies per agent, user, and tool  \n- Attaching identity and purpose to each action  \n- Logging, scoring, and optionally blocking risky behavior [3][6]\n\nConceptual flow:\n\n```pseudo\non_tool_call(agent_id, user_id, tool, params):\n    ctx = resolve_context(agent_id, user_id)\n    policy = load_policy(agent_id, tool)\n    decision = evaluate(policy, ctx, params)\n    if decision == \"allow\":\n        log_action(ctx, tool, params, risk=\"low\")\n        return execute(tool, params)\n    if decision == \"step_up_auth\":\n        require_justification_or_mfa(user_id)\n        ...\n    block_and_alert(ctx, tool, params, risk=\"high\")\n```\n\nResearch proposes metrics such as:  \n\n- **Unsafe Action Rate** – fraction of calls violating policy  \n- **Privilege Escalation Distance** – gap between requested and granted privilege  \n\nRAMPART should emit these from tool logs for continuous monitoring. [6]  \n\nEnterprises increasingly want:  \n\n- A centralized policy layer  \n- Clear trust boundaries around tools and memories  \n\nAn open RAMPART becomes that control plane for Enterprise AI workloads. [8]\n\n### 3.2 Practical priorities\n\nSince most incidents involve privacy and access‑control failures, early RAMPART deployments should target identity and high‑risk tools. [3][7]  \n\nPriorities:  \n\n- Use managed\u002Fworkload identities with scoped, short‑lived tokens  \n- Flag database, shell, and credential‑vault tools as **high‑risk** with stricter policies  \n- Integrate with CI\u002FCD so new or changed agents\u002Ftools are:  \n  - Auto‑discovered  \n  - Given baseline policies and rate limits  \n  - Shipped with logging, rollback hooks, and default containment [7][9]\n\nOperationally, treat RAMPART configs as code:  \n\n- Policies in Git  \n- Validation in CI (lint, dry‑runs)  \n- Promotion via pull requests and change reviews  \n\nThis extends DevOps and MLOps discipline to agentic systems. [1][3][6][8][9]\n\n**Mini‑conclusion:** RAMPART is the runtime instrument for LLM‑driven agents, centralizing authorization, tool mediation, and telemetry and tying them to DSPM and existing DevSecOps pipelines. [1][3][6][8][9]\n\n---\n\n## 4. Clarity: red‑teaming, evaluation, and continuous assurance for AI agent behavior\n\nIf RAMPART is the guardrail layer, Clarity is the crash‑test lab.\n\nMicrosoft’s MDASH harness showed that coordinating 100+ specialized AI agents to find and validate vulnerabilities can outperform single‑model approaches on real‑world benchmarks, validating multi‑agent security evaluation. [2]  \n\nSecure MLOps research stresses lifecycle‑wide evaluation, mapping attacks to data, model, tool, and protocol phases; Clarity can encode this into reusable suites. [4][6][9][10]\n\n### 4.1 From taxonomy to tests\n\nClarity converts threat models into concrete tests across:  \n\n- **Data‑layer**: RAG poisoning, memory contamination  \n- **Tool‑layer**: privilege escalation, shell escape, resource abuse  \n- **Protocol‑layer**: MCP exploits, agent‑to‑agent deception [4][6][10]\n\nMetrics like Unsafe Action Rate and Privilege Escalation Distance become measurable through scripted attacks. [6][10] For example:\n\n```yaml\nscenario: \"rag_indirect_prompt_injection\"\nsteps:\n  - seed_corpus: poisoned_doc.md\n  - user_prompt: \"Summarize the Q3 report.\"\n  - expected_policy: no_external_http\n  - assertions:\n      - no_tool: \"http_request\"\n      - no_data_leak: [\"secrets\", \"customer_ssn\"]\nmetrics:\n  - unsafe_action_rate\n  - data_leakage_events\n```\n\nIndustry checklists call for centralized governance, OAuth‑protected tools, and monitored generative traffic; Clarity validates that these controls withstand realistic attacks. [5]\n\n### 4.2 Continuous integration and platforms\n\nRecent briefs highlight open‑source red‑teaming libraries and evaluation frameworks; Clarity can:  \n\n- Integrate them with Microsoft threat intelligence and benchmarks  \n- Standardize attack profiles for enterprise agents [2][10][11]\n\nAI‑native platforms are moving toward “secure‑by‑default” agent orchestration that unifies environment management, workflow engines, policy, and IaC. [9][12]  \n\nIn that context, Clarity should:  \n\n- Plug into CI\u002FCD as a required stage  \n- Run attack suites whenever prompts, tools, or models change  \n- Export metrics and findings to SIEM and incident workflows [6][9][12]\n\nA practical policy might require `clarity test --profile high_risk` on every pull request touching:  \n\n- Database or shell tools  \n- Agent routing logic  \n- System prompts for production agents  \n\nPipelines progress only if Unsafe Action Rate is below threshold and no critical violations occur. [4][6][9][10][11]\n\n⚠️ **Mindset:** Treat Clarity runs as non‑negotiable pre‑flight checks, not occasional pen‑tests. Agent behavior drifts; continuous evaluation is how you catch regressions. [2][6][9][10]\n\n**Mini‑conclusion:** Clarity turns threat taxonomies and Secure MLOps patterns into automated tests and metrics, providing continuous assurance as agents, tools, and protocols evolve. [2][4][6][9][10][11][12]\n\n---\n\n## Conclusion and next steps\n\nSecuring AI agents now demands the rigor that secure MLOps, DevOps, and IaC brought to traditional software—but aimed at tools, protocols like MCP, and emergent autonomy rather than static request\u002Fresponse flows. [1][3][6][8][9]  \n\n- **RAMPART**: runtime control plane to apply least‑privilege and containment to agent actions  \n- **Clarity**: systematic way to attack, measure, and harden those agents across their lifecycle [2][3][4][6][9][10][11][12]\n\nTogether, they form a practical, testable blueprint for bringing agentic AI safely into production.","\u003Cp>Autonomous AI agents now sit in workflows that can provision credentials, rotate keys, export audit logs, and apply Terraform plans from a single prompt. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa> They amplify existing risks—overshared documents, over‑permissioned systems, ungoverned content—by making them instantly reachable and actionable. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Most public incidents so far involve privacy leaks, reputational damage, or operational disruption, but fully agentic systems are expanding the attack surface faster than governance can keep up. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-11\" class=\"citation-link\" title=\"View source [11]\">[11]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>💡 \u003Cstrong>Thesis:\u003C\u002Fstrong> Use Microsoft RAMPART as the policy and runtime guardrail layer, and Clarity as the continuous evaluation and red‑teaming harness. Together, they offer a concrete, testable architecture for securing agents with the rigor of modern secure MLOps. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>1. Why AI agent security needs dedicated frameworks like RAMPART and Clarity\u003C\u002Fh2>\n\u003Cp>Enterprise agents are already trusted to:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Provision and revoke credentials during onboarding\u003C\u002Fli>\n\u003Cli>Export compliance logs and rotate privileged secrets\u003C\u002Fli>\n\u003Cli>Manage regional keys and policy artifacts for regulated workloads \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>With agents on these paths, every mis‑prompt or misconfiguration becomes a privileged security incident, not just a bad answer. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa> Traditional security assumed:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Human operators and narrow APIs\u003C\u002Fli>\n\u003Cli>Static authorization at clear request boundaries\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Agentic AI instead:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Chains tools and maintains memory\u003C\u002Fli>\n\u003Cli>Crosses trust boundaries dynamically\u003C\u002Fli>\n\u003Cli>Can traverse SharePoint, Azure, Fabric, and SaaS in one prompt, surfacing overshared or ungoverned content \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>⚠️ \u003Cstrong>Governance gap:\u003C\u002Fstrong> Many organizations adopted generative AI without:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Formal AI ethics or risk councils\u003C\u002Fli>\n\u003Cli>Standards for secure LLM use\u003C\u002Fli>\n\u003Cli>Defined controls against prompt injection, indirect instructions, data leakage, or “shadow AI” tools \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The ecosystem is splitting into:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>AI for Security\u003C\u002Fstrong> – agents doing threat hunting and vuln research\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security for AI\u003C\u002Fstrong> – controls that protect agents and their tool chains \u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>RAMPART and Clarity sit firmly in \u003Cstrong>Security for AI\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>RAMPART: enforce least privilege and runtime policy for tools and data\u003C\u002Fli>\n\u003Cli>Clarity: systematically test agent behavior, tools, and protocols before and after deployment \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>💼 \u003Cstrong>Example:\u003C\u002Fstrong> A small fintech wired a Copilot‑style agent to ticketing and CI; a flawed workflow let it promote staging config to production and take an API offline—no exploit, just missing guardrails and testing. RAMPART‑style runtime control and Clarity‑style harnesses target this class of failure. \u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Mini‑conclusion:\u003C\u002Fstrong> Generic app security is insufficient. Agentic systems need frameworks that understand tools, memory, and protocol behavior—the layer where RAMPART and Clarity operate. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>2. Threat model for LLM‑powered agents: what RAMPART and Clarity must defend against\u003C\u002Fh2>\n\u003Cp>Recent systematizations of agentic AI attacks converge on four domains: \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Input manipulation\u003C\u002Fstrong>: prompt injection, long‑context hijacks, multimodal adversarial content\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Model compromise\u003C\u002Fstrong>: prompt\u002Fparameter backdoors, data poisoning\u003C\u002Fli>\n\u003Cli>\u003Cstrong>System and privacy attacks\u003C\u002Fstrong>: membership inference, retrieval\u002Fmemory poisoning\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Protocol exploits\u003C\u002Fstrong>: MCP bugs, agent‑to‑agent or host‑to‑tool escapes \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003Ca href=\"#source-11\" class=\"citation-link\" title=\"View source [11]\">[11]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Surveys of LLM‑powered workflows list 30+ concrete attacks, including:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Hidden tool extraction and cross‑session data leakage\u003C\u002Fli>\n\u003Cli>Adversarial content in RAG sources\u003C\u002Fli>\n\u003Cli>Exploits in MCP transports and agent messaging \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003Ca href=\"#source-11\" class=\"citation-link\" title=\"View source [11]\">[11]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>📊 \u003Cstrong>Security baseline:\u003C\u002Fstrong> The OWASP Top 10 for LLMs highlights:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Prompt injection and data poisoning\u003C\u002Fli>\n\u003Cli>Sensitive information disclosure\u003C\u002Fli>\n\u003Cli>Unsafe tool integrations—across the full lifecycle, not only inference time \u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Secure MLOps research shows a single pipeline misconfiguration can cause:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Credential theft and poisoned datasets\u003C\u002Fli>\n\u003Cli>Compromised models or environments\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Agents that orchestrate across these pipelines:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Inherit and magnify such weaknesses\u003C\u002Fli>\n\u003Cli>Move laterally across tools with broad identity scopes\u003C\u002Fli>\n\u003Cli>Drift in behavior as prompts, tools, and models change \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>💼 \u003Cstrong>Real incidents\u003C\u002Fstrong> already include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>A transcription agent leaking healthcare data from overshared folders\u003C\u002Fli>\n\u003Cli>A coding assistant deleting a production database after misreading a refactor request—pure tool and autonomy failures \u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>National guidance now warns that agentic AI “should not be trusted to perform assigned tasks without taking dangerous detours,” urging standardized architectures, not prompt‑only fixes. \u003Ca href=\"#source-11\" class=\"citation-link\" title=\"View source [11]\">[11]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>RAMPART and Clarity must therefore explicitly cover:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Memory and retrieval poisoning\u003C\u002Fli>\n\u003Cli>Tool‑chain and protocol‑level exploits\u003C\u002Fli>\n\u003Cli>Cross‑agent and cross‑session manipulation across Enterprise AI and SaaS apps \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003Ca href=\"#source-11\" class=\"citation-link\" title=\"View source [11]\">[11]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Mini‑conclusion:\u003C\u002Fstrong> A usable threat model for RAMPART and Clarity is end‑to‑end and protocol‑aware, grounded in secure MLOps\u002FLLMOps. Anything less misses dominant failure modes. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>3. RAMPART: policy, least‑privilege, and runtime control for AI agents\u003C\u002Fh2>\n\u003Cp>RAMPART extends Microsoft’s data security posture (e.g., Purview DSPM), which discovers sensitive data and maps access across Microsoft 365, Azure, Fabric, and SaaS. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>DSPM:\u003C\u002Fstrong> who can access what\u003C\u002Fli>\n\u003Cli>\u003Cstrong>RAMPART:\u003C\u002Fstrong> what an agent may do with that access at runtime \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>3.1 Architectural role\u003C\u002Fh3>\n\u003Cp>Security guidance for agentic AI stresses four phases: discovery, threat modeling, security testing, runtime controls. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>RAMPART focuses on runtime by:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Mediating every tool call\u003C\u002Fli>\n\u003Cli>Enforcing least‑privilege policies per agent, user, and tool\u003C\u002Fli>\n\u003Cli>Attaching identity and purpose to each action\u003C\u002Fli>\n\u003Cli>Logging, scoring, and optionally blocking risky behavior \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Conceptual flow:\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-pseudo\">on_tool_call(agent_id, user_id, tool, params):\n    ctx = resolve_context(agent_id, user_id)\n    policy = load_policy(agent_id, tool)\n    decision = evaluate(policy, ctx, params)\n    if decision == \"allow\":\n        log_action(ctx, tool, params, risk=\"low\")\n        return execute(tool, params)\n    if decision == \"step_up_auth\":\n        require_justification_or_mfa(user_id)\n        ...\n    block_and_alert(ctx, tool, params, risk=\"high\")\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Research proposes metrics such as:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Unsafe Action Rate\u003C\u002Fstrong> – fraction of calls violating policy\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privilege Escalation Distance\u003C\u002Fstrong> – gap between requested and granted privilege\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>RAMPART should emit these from tool logs for continuous monitoring. \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Enterprises increasingly want:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>A centralized policy layer\u003C\u002Fli>\n\u003Cli>Clear trust boundaries around tools and memories\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>An open RAMPART becomes that control plane for Enterprise AI workloads. \u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>3.2 Practical priorities\u003C\u002Fh3>\n\u003Cp>Since most incidents involve privacy and access‑control failures, early RAMPART deployments should target identity and high‑risk tools. \u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Priorities:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Use managed\u002Fworkload identities with scoped, short‑lived tokens\u003C\u002Fli>\n\u003Cli>Flag database, shell, and credential‑vault tools as \u003Cstrong>high‑risk\u003C\u002Fstrong> with stricter policies\u003C\u002Fli>\n\u003Cli>Integrate with CI\u002FCD so new or changed agents\u002Ftools are:\n\u003Cul>\n\u003Cli>Auto‑discovered\u003C\u002Fli>\n\u003Cli>Given baseline policies and rate limits\u003C\u002Fli>\n\u003Cli>Shipped with logging, rollback hooks, and default containment \u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Operationally, treat RAMPART configs as code:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Policies in Git\u003C\u002Fli>\n\u003Cli>Validation in CI (lint, dry‑runs)\u003C\u002Fli>\n\u003Cli>Promotion via pull requests and change reviews\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This extends DevOps and MLOps discipline to agentic systems. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Mini‑conclusion:\u003C\u002Fstrong> RAMPART is the runtime instrument for LLM‑driven agents, centralizing authorization, tool mediation, and telemetry and tying them to DSPM and existing DevSecOps pipelines. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>4. Clarity: red‑teaming, evaluation, and continuous assurance for AI agent behavior\u003C\u002Fh2>\n\u003Cp>If RAMPART is the guardrail layer, Clarity is the crash‑test lab.\u003C\u002Fp>\n\u003Cp>Microsoft’s MDASH harness showed that coordinating 100+ specialized AI agents to find and validate vulnerabilities can outperform single‑model approaches on real‑world benchmarks, validating multi‑agent security evaluation. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Secure MLOps research stresses lifecycle‑wide evaluation, mapping attacks to data, model, tool, and protocol phases; Clarity can encode this into reusable suites. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>4.1 From taxonomy to tests\u003C\u002Fh3>\n\u003Cp>Clarity converts threat models into concrete tests across:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Data‑layer\u003C\u002Fstrong>: RAG poisoning, memory contamination\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Tool‑layer\u003C\u002Fstrong>: privilege escalation, shell escape, resource abuse\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Protocol‑layer\u003C\u002Fstrong>: MCP exploits, agent‑to‑agent deception \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Metrics like Unsafe Action Rate and Privilege Escalation Distance become measurable through scripted attacks. \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa> For example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-yaml\">scenario: \"rag_indirect_prompt_injection\"\nsteps:\n  - seed_corpus: poisoned_doc.md\n  - user_prompt: \"Summarize the Q3 report.\"\n  - expected_policy: no_external_http\n  - assertions:\n      - no_tool: \"http_request\"\n      - no_data_leak: [\"secrets\", \"customer_ssn\"]\nmetrics:\n  - unsafe_action_rate\n  - data_leakage_events\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Industry checklists call for centralized governance, OAuth‑protected tools, and monitored generative traffic; Clarity validates that these controls withstand realistic attacks. \u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>4.2 Continuous integration and platforms\u003C\u002Fh3>\n\u003Cp>Recent briefs highlight open‑source red‑teaming libraries and evaluation frameworks; Clarity can:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Integrate them with Microsoft threat intelligence and benchmarks\u003C\u002Fli>\n\u003Cli>Standardize attack profiles for enterprise agents \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003Ca href=\"#source-11\" class=\"citation-link\" title=\"View source [11]\">[11]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>AI‑native platforms are moving toward “secure‑by‑default” agent orchestration that unifies environment management, workflow engines, policy, and IaC. \u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003Ca href=\"#source-12\" class=\"citation-link\" title=\"View source [12]\">[12]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>In that context, Clarity should:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Plug into CI\u002FCD as a required stage\u003C\u002Fli>\n\u003Cli>Run attack suites whenever prompts, tools, or models change\u003C\u002Fli>\n\u003Cli>Export metrics and findings to SIEM and incident workflows \u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003Ca href=\"#source-12\" class=\"citation-link\" title=\"View source [12]\">[12]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>A practical policy might require \u003Ccode>clarity test --profile high_risk\u003C\u002Fcode> on every pull request touching:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Database or shell tools\u003C\u002Fli>\n\u003Cli>Agent routing logic\u003C\u002Fli>\n\u003Cli>System prompts for production agents\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Pipelines progress only if Unsafe Action Rate is below threshold and no critical violations occur. \u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003Ca href=\"#source-11\" class=\"citation-link\" title=\"View source [11]\">[11]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>⚠️ \u003Cstrong>Mindset:\u003C\u002Fstrong> Treat Clarity runs as non‑negotiable pre‑flight checks, not occasional pen‑tests. Agent behavior drifts; continuous evaluation is how you catch regressions. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Mini‑conclusion:\u003C\u002Fstrong> Clarity turns threat taxonomies and Secure MLOps patterns into automated tests and metrics, providing continuous assurance as agents, tools, and protocols evolve. \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003Ca href=\"#source-11\" class=\"citation-link\" title=\"View source [11]\">[11]\u003C\u002Fa>\u003Ca href=\"#source-12\" class=\"citation-link\" title=\"View source [12]\">[12]\u003C\u002Fa>\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>Conclusion and next steps\u003C\u002Fh2>\n\u003Cp>Securing AI agents now demands the rigor that secure MLOps, DevOps, and IaC brought to traditional software—but aimed at tools, protocols like MCP, and emergent autonomy rather than static request\u002Fresponse flows. \u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>RAMPART\u003C\u002Fstrong>: runtime control plane to apply least‑privilege and containment to agent actions\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Clarity\u003C\u002Fstrong>: systematic way to attack, measure, and harden those agents across their lifecycle \u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003Ca href=\"#source-10\" class=\"citation-link\" title=\"View source [10]\">[10]\u003C\u002Fa>\u003Ca href=\"#source-11\" class=\"citation-link\" title=\"View source [11]\">[11]\u003C\u002Fa>\u003Ca href=\"#source-12\" class=\"citation-link\" title=\"View source [12]\">[12]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Together, they form a practical, testable blueprint for bringing agentic AI safely into production.\u003C\u002Fp>\n","Autonomous AI agents now sit in workflows that can provision credentials, rotate keys, export audit logs, and apply Terraform plans from a single prompt. [3] They amplify existing risks—overshared doc...","safety",[],1471,7,"2026-05-21T05:13:16.940Z",[17,22,26,30,34,38,42,46,50,54],{"title":18,"url":19,"summary":20,"type":21},"From Oversharing to Enforcement: A Practical Guide to AI Data Security with Microsoft Purview","https:\u002F\u002Ftechcommunity.microsoft.com\u002Fblog\u002Fmicrosoft-purview-blog\u002Ffrom-oversharing-to-enforcement-a-practical-guide-to-ai-data-security-with-micro\u002F4513727","Generative AI accelerates productivity—but also amplifies data risk. A single prompt can expose sensitive files, unsanctioned tools can ingest proprietary data, and autonomous agents can act across a ...","kb",{"title":23,"url":24,"summary":25,"type":21},"Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmark | Microsoft Security Blog","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F05\u002F12\u002Fdefense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark\u002F","Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmark\n\nToday Microsoft announced a major step forward in AI-powered cyber defense: our new agentic se...",{"title":27,"url":28,"summary":29,"type":21},"Three ways security teams can effectively deploy Agentic AI","https:\u002F\u002Fwww.scworld.com\u002Fperspective\u002Fthree-ways-security-teams-can-effectively-deploy-agentic-ai","From financial risk management and customer experience to cyber threat detection and software development, Agentic AI has rapidly transformed business. Unlike traditional chatbots or smart assistants,...",{"title":31,"url":32,"summary":33,"type":21},"From Prompt Injections to Protocol Exploits: Threats in LLM-Powered AI Agents Workflows","https:\u002F\u002Farxiv.org\u002Fhtml\u002F2506.23260v1","Mohamed Amine Ferrag, Norbert Tihanyi, Djallel Hamouda, Leandros Maglaras, and Merouane Debbah\n\nAbstract\nAutonomous AI agents powered by large language models (LLMs) with structured function-calling i...",{"title":35,"url":36,"summary":37,"type":21},"LLM security vulnerabilities: a developer's checklist","https:\u002F\u002Fwww.mintmcp.com\u002Fblog\u002Fllm-security-vulnerabilities","While one-third of respondents said their organizations were already regularly using generative AI in at least one function, only 47% have established a generative AI ethics council to manage ethics p...",{"title":39,"url":40,"summary":41,"type":21},"SoK: The Attack Surface of Agentic AI--Tools, and Autonomy — A Dehghantanha, S Homayoun - arXiv preprint arXiv:2603.22928, 2026 - arxiv.org","https:\u002F\u002Farxiv.org\u002Fabs\u002F2603.22928","Authors: Ali Dehghantanha, Sajad Homayoun\n\nSubmitted on 24 Mar 2026\n\nAbstract:\nRecent AI systems combine large language models with tools, external knowledge via retrieval-augmented generation (RAG), ...",{"title":43,"url":44,"summary":45,"type":21},"AI Platforms Security — A Sidorkin - AI-EDU Arxiv, 2025 - journals.calstate.edu","https:\u002F\u002Fjournals.calstate.edu\u002Fai-edu\u002Farticle\u002Fview\u002F5444","Alexander Sidorkin, California State University Sacramento\nPublished: 2025-03-21\n\nAbstract\nThis report reviews documented data leaks and security incidents involving major AI platforms including OpenA...",{"title":47,"url":48,"summary":49,"type":21},"The Commercial Landscape of Agentic AI Security — K Huang, C Hughes - … , Frameworks, and Real-World Deployment, 2025 - Springer","https:\u002F\u002Flink.springer.com\u002Fchapter\u002F10.1007\u002F978-3-032-02130-4_12","The Abstract\n\nThis chapter provides a detailed analysis of the commercial landscape for agentic AI security, a market rapidly bifurcating to address the dual challenges of this transformative technolo...",{"title":51,"url":52,"summary":53,"type":21},"Towards Secure MLOps: Surveying Attacks, Mitigation Strategies, and Research Challenges","https:\u002F\u002Farxiv.org\u002Fhtml\u002F2506.02032v1","# Towards Secure MLOps: Surveying Attacks, Mitigation Strategies, and Research Challenges\n\nAbstract\nThe rapid adoption of machine learning (ML) technologies has driven organizations across diverse sec...",{"title":55,"url":56,"summary":57,"type":21},"Resources","https:\u002F\u002Fwww.giskard.ai\u002Fknowledge","- Securing AI agents with Europe's first sovereign guardrail platform\n- A Cursor AI agent wiped a production database in 9 seconds: Excessive Agency AI failure\n- Claude Mythos: Analyzing Anthropic’s n...",null,{"generationDuration":60,"kbQueriesCount":61,"confidenceScore":62,"sourcesCount":63},162795,12,100,10,{"metaTitle":6,"metaDescription":10},"en","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1662947036644-ecfde1221ac7?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxtaWNyb3NvZnQlMjByYW1wYXJ0fGVufDF8MHx8fDE3NzkzNDAzOTd8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60",{"photographerName":68,"photographerUrl":69,"unsplashUrl":70},"BoliviaInteligente","https:\u002F\u002Funsplash.com\u002F@boliviainteligente?utm_source=coreprose&utm_medium=referral","https:\u002F\u002Funsplash.com\u002Fphotos\u002Fa-glass-of-beer-wIBDrEv73xY?utm_source=coreprose&utm_medium=referral",false,{"key":73,"name":74,"nameEn":74},"ai-engineering","AI Engineering & LLM Ops",[76,84,91,98],{"id":77,"title":78,"slug":79,"excerpt":80,"category":81,"featuredImage":82,"publishedAt":83},"6a0eb023a83199a61232a96a","AI-Enabled Cyber Attacks Up 89%: Inside the 9 Autonomous Breaches Reshaping Security in 2026","ai-enabled-cyber-attacks-up-89-inside-the-9-autonomous-breaches-reshaping-security-in-2026","From Assisted to Autonomous: Why AI Cyber Attacks Spiked 89% in 2026  \n\nFor years, “AI in cybercrime” meant:  \n\n- Better phishing content  \n- Faster malware generation  \n- Scaled personalization and f...","hallucinations","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1775994121064-e75fa6f3e84c?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxlbmFibGVkJTIwY3liZXIlMjBhdHRhY2tzJTIwaW5zaWRlfGVufDF8MHx8fDE3NzkzNTU3MzJ8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-21T07:18:38.344Z",{"id":85,"title":86,"slug":87,"excerpt":88,"category":81,"featuredImage":89,"publishedAt":90},"6a0e8469a83199a612329a7a","Agentic AI in the Kill Chain: How Autonomous Agents Expand Your Attack Surface and Enable Lateral Movement","agentic-ai-in-the-kill-chain-how-autonomous-agents-expand-your-attack-surface-and-enable-lateral-movement","Agentic AI has moved from answering questions to operating: planning, calling tools, manipulating data, and chaining actions across your stack.[1][9]  \n\nThat makes every connected API, datastore, SaaS...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1652191337993-e4bcdd3bbc08?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxhZ2VudGljJTIwa2lsbCUyMGNoYWluJTIwYXV0b25vbW91c3xlbnwxfDB8fHwxNzc5MzU1NzM0fDA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-21T04:10:32.575Z",{"id":92,"title":93,"slug":94,"excerpt":95,"category":81,"featuredImage":96,"publishedAt":97},"6a0e3d26a83199a6123245b1","Agentic AI Security: How Autonomous Agents Expand the Attack Surface and Enable Lateral Movement","agentic-ai-security-how-autonomous-agents-expand-the-attack-surface-and-enable-lateral-movement","Agentic AI turns large language models (LLMs) from conversational copilots into autonomous operators wired into APIs, cloud consoles, and internal tools. The threat model shifts from “untrusted text i...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1740301982969-bea22f0d02e1?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxhZ2VudGljJTIwc2VjdXJpdHklMjBhdXRvbm9tb3VzJTIwYWdlbnRzfGVufDF8MHx8fDE3NzkzMzQxMzR8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-20T23:08:31.124Z",{"id":99,"title":100,"slug":101,"excerpt":102,"category":81,"featuredImage":103,"publishedAt":104},"6a0e3bc4a83199a6123244f1","Security Risks from Widespread Agentic AI Deployments: Threats, Attack Paths, and Defense Patterns","security-risks-from-widespread-agentic-ai-deployments-threats-attack-paths-and-defense-patterns","Agentic AI now logs into SaaS, runs shell commands, calls internal APIs, and orchestrates workflows with minimal human oversight. These systems plan, decide, and act across your stack—not just answer...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1771931321956-406056adbed3?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxzZWN1cml0eSUyMHJpc2tzfGVufDF8MHx8fDE3NzkzMzQxMzZ8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-20T22:59:34.971Z",["Island",106],{"key":107,"params":108,"result":110},"ArticleBody_DqrZvu8stuGJ2eq0Notm0QycI7uGITithVyXIKY",{"props":109},"{\"articleId\":\"6a0e937fa83199a61232a86a\",\"linkColor\":\"red\"}",{"head":111},{}]