Straiker's red team discovered 87 exploits across production AI agents, with 24 instances following a pattern called "Living Off The Agent" (LOTA). If you're deploying autonomous AI agents, your traditional security controls aren't equipped to detect these attacks.
Red Team Discoveries
Agentic AI adoption has surged recently. Unlike traditional software, these agents make autonomous decisions, chain API calls, and interact with systems based on natural language instructions. This autonomy creates an attack surface that your current tools don't monitor.
The LOTA pattern involves attackers manipulating an agent's decision-making to execute malicious actions using the agent's legitimate access. Your SIEM sees authorized API calls. Your DLP sees data moving through approved channels. Your endpoint detection sees nothing suspicious because the agent is doing what it's designed to do—just with altered instructions.
Traditional detection methods fail here. You can't write a rule for "agent behaving suspiciously" when suspicious behavior looks identical to normal operations in your logs.
Key Findings
Agent authorization models bypass standard access controls. Your agents likely have broad API access. When an attacker compromises agent instructions, they inherit that access without triggering authentication failures. Review your agent service accounts—if an agent can read customer data "when needed," an attacker controlling that agent can read it whenever they want.
API security is your primary defense. Agents communicate through APIs, often using new protocols like Anthropic's Model Context Protocol (MCP). Each API call is a potential attack vector. Your API gateway needs to validate not just authentication tokens, but the semantic intent of requests. Rate limiting helps, but won't stop an attacker patient enough to exfiltrate data slowly through legitimate-looking queries.
Prompt injection is your new SQL injection. Just as you sanitize database inputs, you need to sanitize inputs to AI agents. The difference: SQL injection has predictable patterns you can block with prepared statements. Prompt injection is adversarial natural language. An attacker might hide instructions in a PDF your agent processes, or in metadata your agent reads. Your input validation needs to understand context, not just syntax.
Agent-to-agent communication creates blind spots. When agents call other agents, your security visibility drops. You see the initial request and final result, but the intermediate reasoning and data access happen in a black box. If you're implementing multi-agent systems, instrument the communication channels between agents with the same rigor you apply to external API calls.
Compliance frameworks haven't caught up. PCI DSS v4.0.1 Requirement 6.4.3 mandates that scripts run on payment pages come from trusted sources, but doesn't address AI agents that dynamically generate those scripts. ISO 27001 requires access controls, but doesn't specify how to audit an agent's autonomous decision to access sensitive data. You're operating in a gap between what standards require and what your technology does.
Implications for Your Team
You need detection that understands agent behavior, not just network traffic. Your current stack—SIEM, EDR, DLP—generates alerts based on known-bad patterns or policy violations. An agent following malicious instructions doesn't violate policy; it executes policy in an unintended way.
Start thinking about agent observability like application performance monitoring. You need to see:
- What data sources each agent accessed and why
- What reasoning led to each API call
- What instructions influenced each decision
- How agent behavior deviates from baseline patterns
Your API security posture determines your agent security posture. If your APIs trust bearer tokens without validating request context, an attacker with agent access can abuse any API the agent touches. This matters for SOC 2 compliance—your auditor will ask how you prevent unauthorized data access, and "the agent is authorized" won't satisfy them when that agent is compromised.
Action Items by Priority
Immediate (this week):
- Inventory every AI agent in production and map its API access scope
- Review service account permissions for agents—apply least privilege
- Enable detailed logging for all agent API calls, including request payloads
- Add rate limiting to APIs that agents use for data retrieval
Short-term (this quarter):
- Implement semantic validation at your API gateway—reject requests that don't match expected agent behavior patterns
- Build monitoring dashboards that show agent data access patterns over time
- Test your agents against prompt injection attacks—treat this like penetration testing
- Document agent reasoning chains for high-risk operations (data export, configuration changes, financial transactions)
Medium-term (next 6 months):
- Design an agent authorization model that separates reading capabilities from writing capabilities
- Implement agent-to-agent authentication if you're running multi-agent systems
- Update your incident response playbook to include agent compromise scenarios
- Work with your compliance team to map agent operations to control requirements in NIST CSF v2.0 and ISO/IEC 27001:2022
Long-term (next year):
- Evaluate specialized agent security platforms that understand LOTA patterns
- Build or buy tools that can audit agent decision-making in real-time
- Establish baseline behavior profiles for each agent and alert on deviations
- Contribute to industry standards development for agent security—the frameworks need to catch up to the technology
The Straiker findings show that production agents are vulnerable now. Your security architecture needs to assume agents will be targeted and build controls accordingly. Traditional perimeter security won't help when the attacker is inside your agent's decision loop.
