This is the third in a five-part series on implementing Secure by Design principles in AI system development.
In our previous articles, we explored the evolving AI security landscape and detailed how to build Secure by Design AI systems through the MLSecOps lifecycle. Now, we'll focus on a particularly challenging category of AI systems that demands special security consideration: agentic AI.
Agentic AI systems go beyond traditional AI models that simply respond to queries or perform single-task predictions. Instead, they plan, decide, and act.
Unlike conventional AI that waits for human prompts, agentic AI proactively pursues objectives, leveraging various tools and information sources to achieve its goals. Examples include AI assistants that can book appointments, virtual agents that manage customer service interactions across multiple channels, and autonomous systems that optimize business processes with minimal supervision.
What makes these systems particularly powerful—and uniquely challenging from a security perspective—is their ability to chain together multiple capabilities and interactions with external systems to achieve complex outcomes.
When AI agents connect multiple AI systems, the attack surface broadens in a uniquely complex way: inaccurate information can propagate and amplify through the system's sequential action path. If any one AI in the chain makes an error or supplies inaccurate information, that output becomes the input for the next system's processing, potentially creating a cascade of increasingly flawed outputs and actions.
This "error propagation" is particularly concerning when later systems in the chain lack mechanisms to verify or validate incoming information. Without appropriate checks, they may take action based on incorrect data, leading to real-world consequences ranging from minor inefficiencies to potentially harmful outcomes.
The challenge intensifies when systems operate across different domains with varying levels of transparency. Each handoff introduces potential for misinterpretation or context loss, especially when systems have different training foundations or operational parameters.
These complex risks highlight the need for reliable validation, meaningful metrics, policy decision and enforcement points, and even human-in-the-loop oversight in multi-agent AI architectures and workloads.
Here’s a plausible real-world scenario to help illustrate:
Imagine a bank's AI misinterpreting a customer's transaction history during routine monitoring and flagging legitimate international payments as "suspicious wire transfers" rather than "recurring business expenses." The customer's accounts are frozen and a $10 million transaction is blocked, all because the original error compounded as it passed through each connected AI system. This illustrates why companies need safeguards between their AI tools to prevent small mistakes from causing large real-world consequences.
Agentic AI presents a fundamentally different security challenge than traditional AI systems because it embodies a hybrid nature: it contains both AI components (models, embeddings, vector stores) and traditional software elements (APIs, databases, authentication systems).
This dual composition creates a unique attack surface that cannot be secured through either traditional application security or AI security approaches alone. Instead, it requires a convergence of both disciplines.
For example, an attacker might use prompt injection to manipulate an AI agent into making API calls that appear legitimate but actually exfiltrate sensitive data. This attack vector doesn't exist in either traditional software or standalone AI models—it emerges specifically from their interaction within an agentic system.
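One way to blunt this vector is to interpose a guard between the agent and its tools, so that even a successfully manipulated model cannot reach unapproved hosts or smuggle sensitive fields into a request. The following sketch is illustrative; the allowlist, hosts, and parameter names are assumptions, not a real API:

```python
from urllib.parse import urlparse

# Assumed allowlist of hosts the agent may call; everything else is blocked,
# regardless of what the model "decides" after a prompt injection.
ALLOWED_HOSTS = {"api.internal.example.com", "calendar.example.com"}
SENSITIVE_PARAMS = {"ssn", "account_number", "api_key"}

def vet_tool_call(url: str, params: dict) -> None:
    """Raise before an agent-initiated HTTP call crosses the trust boundary."""
    host = urlparse(url).hostname or ""
    if host not in ALLOWED_HOSTS:
        raise PermissionError(f"Blocked agent call to unapproved host: {host}")
    # A manipulated model may try to attach sensitive fields to an
    # otherwise legitimate-looking request.
    leaked = SENSITIVE_PARAMS & set(params)
    if leaked:
        raise PermissionError(f"Blocked call carrying sensitive fields: {leaked}")
```

The design choice is deliberate: the guard lives outside the model, in ordinary deterministic code, so a compromised prompt cannot talk its way past it.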
This hybrid nature of agentic AI systems means that security teams must bring together two previously separate domains: MLSecOps and DevSecOps. While these approaches share common principles, they focus on different artifacts, tools, and vulnerabilities.
Attempting to secure agentic AI using only traditional DevSecOps practices would miss critical AI-specific vulnerabilities like prompt injection, model poisoning, or adversarial attacks. Similarly, applying only MLSecOps would fail to address the traditional software vulnerabilities in the APIs, databases, and integration points that agentic AI relies upon.
True security for agentic systems requires applying Secure by Design principles across both domains simultaneously, creating a unified approach that protects the entire system, not just its individual components.
Organizations have traditionally maintained separate security workflows for application development and AI/ML development.
For agentic AI, these parallel tracks must converge into an integrated security approach that unifies the artifacts, tools, and vulnerabilities each discipline covers.
Implementing Secure by Design for agentic AI requires adapting the Cybersecurity and Infrastructure Security Agency's three principles to address the unique challenges of these hybrid systems.
Organizations developing agentic AI must take ownership of security outcomes across the entire technology stack—from the foundational models to the APIs that connect them to external systems.
In practice, this might mean forming cross-functional security teams with expertise in both domains, or establishing clear handoffs and joint reviews between AI and application security specialists.
Transparency becomes even more critical—and more challenging—in agentic systems where decision-making spans multiple components. Organizations must document how information and decisions flow between those components, and which data, tools, and systems each agent can access.
This transparency creates accountability and enables effective security governance of agentic AI throughout its lifecycle.
Effective security for agentic AI requires leadership that understands both AI risks and traditional application security, with executive teams accountable for outcomes in both domains.
Defense in Depth (DiD) for agentic AI means implementing security controls at multiple layers, across both the AI and traditional software components.
Moving from principles to practice, here are specific security controls that address the unique risks of agentic AI:
Beyond basic input validation, agentic AI requires semantic analysis of inputs to detect potential prompt injections or manipulative queries. This means implementing a semantic screening layer in front of the model, as sketched below.
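A minimal sketch of such a screening layer follows; the regex heuristics are illustrative, and the classifier hook is a placeholder for wherever a trained injection detector or moderation service would sit:

```python
import re

# Crude heuristics catch only the most obvious injection phrasing; the
# classifier hook below is where a dedicated model would do semantic analysis.
INJECTION_PATTERNS = [
    re.compile(r"ignore (all )?(previous|prior) instructions", re.I),
    re.compile(r"you are now (in )?developer mode", re.I),
    re.compile(r"reveal (your )?(system prompt|hidden instructions)", re.I),
]

def classifier_score(text: str) -> float:
    """Placeholder for a trained injection classifier (assumed, not a real API)."""
    return 0.0

def screen_input(text: str, threshold: float = 0.8) -> bool:
    """Return True if the input should be blocked or routed to review."""
    if any(p.search(text) for p in INJECTION_PATTERNS):
        return True
    return classifier_score(text) >= threshold
```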
Unlike traditional AI that simply generates outputs, agentic AI executes actions that must be monitored and controlled.
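As an illustration, a thin wrapper can record every attempted action and hold high-risk ones for review instead of executing them; the action names and risk classification below are assumptions for the sketch:

```python
import time

# Illustrative risk catalog; a real one would come from the agent's tool
# registry and a maintained risk classification.
HIGH_RISK_ACTIONS = {"freeze_account", "wire_transfer", "delete_records"}
audit_log: list[dict] = []

def execute_with_controls(action: str, args: dict) -> str:
    """Record and gate every action an agent attempts, not just its text output."""
    entry = {"ts": time.time(), "action": action, "args": args}
    if action in HIGH_RISK_ACTIONS:
        entry["status"] = "held_for_approval"  # routed to a review queue
        audit_log.append(entry)
        return "held"
    entry["status"] = "executed"
    audit_log.append(entry)
    # dispatch(action, args) would perform the real side effect here
    return "executed"
```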
Agentic AI requires sophisticated permission models that go beyond simple role-based access.
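One pattern that goes beyond static roles is the task-scoped, expiring capability: a grant tied to a single task and a short time window rather than to a standing role. The fields and lifetimes below are illustrative:

```python
import time
from dataclasses import dataclass

@dataclass
class Capability:
    """A narrow, expiring grant tied to one task, not a standing role."""
    action: str
    resource: str
    task_id: str
    expires_at: float

def is_authorized(cap: Capability, action: str, resource: str, task_id: str) -> bool:
    return (
        cap.action == action
        and cap.resource == resource
        and cap.task_id == task_id        # valid only for this specific task
        and time.time() < cap.expires_at  # and only for a bounded window
    )

# Usage: mint a five-minute capability for a single refund task.
cap = Capability("issue_refund", "orders/1234", "task-42", time.time() + 300)
assert is_authorized(cap, "issue_refund", "orders/1234", "task-42")
assert not is_authorized(cap, "issue_refund", "orders/9999", "task-42")
```

Because the grant expires with the task, an agent compromised later holds no residual standing permissions to abuse.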
For high-risk operations, human oversight provides an essential security layer.
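Here is a minimal sketch of such an approval gate. The in-process queue and reviewer stub stand in for a real review workflow (a ticketing system or chat-ops integration); note that the gate fails closed:

```python
import queue
import time

# Stand-in for a real review workflow; in production, tickets would be
# routed to human reviewers through a ticketing or chat-ops tool.
approval_queue: "queue.Queue[dict]" = queue.Queue()

def reviewer_decision(ticket: dict) -> str:
    """Stub for the human verdict; replace with the real review workflow."""
    return "denied"  # fail closed by default

def request_approval(action: str, args: dict) -> bool:
    ticket = {"action": action, "args": args, "submitted": time.time()}
    approval_queue.put(ticket)
    return reviewer_decision(ticket) == "approved"

# Usage: an agent must clear this gate before any irreversible operation.
if request_approval("freeze_account", {"account": "ACCT-1001"}):
    print("approved: proceeding with the action")
else:
    print("denied: escalating to a human analyst")
```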
Effective threat modeling for agentic AI must consider unique attack vectors that span the AI-software boundary:
Agentic AI systems often have access to multiple systems, creating the risk of lateral movement, where an attacker compromises one component to access others. Security teams must segment each agent's privileges and limit the blast radius of any single compromised component.
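For instance, giving each agent its own narrowly scoped credentials means that compromising one agent does not yield another's access. The agent names and scopes below are illustrative:

```python
# Each agent holds only the scopes its task requires; compromising the
# triage agent must not expose billing data.
AGENT_SCOPES = {
    "triage-agent":  {"tickets:read", "tickets:write"},
    "billing-agent": {"invoices:read"},
}

def check_scope(agent: str, required: str) -> None:
    if required not in AGENT_SCOPES.get(agent, set()):
        raise PermissionError(f"{agent} lacks scope {required!r}")

# Usage: a compromised triage agent asking for invoice data is stopped here.
check_scope("triage-agent", "tickets:read")  # allowed
try:
    check_scope("triage-agent", "invoices:read")
except PermissionError as err:
    print(err)  # triage-agent lacks scope 'invoices:read'
```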
A sophisticated attack might use prompt injection to manipulate an agent into executing malicious code. Defenses include isolating any agent-generated code from the host environment before it runs.
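A first-layer sketch of that isolation, assuming the agent emits Python, is to run the generated code in a separate interpreter process with a hard timeout. This is illustrative only; production systems should add OS-level isolation such as containers or seccomp and should block network egress:

```python
import os
import subprocess
import sys
import tempfile

def run_untrusted(code: str, timeout_s: int = 5) -> str:
    """Execute agent-generated code in a separate process with a hard timeout."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write(code)
        path = f.name
    try:
        # -I runs Python in isolated mode, ignoring environment variables
        # and user site-packages; the timeout kills runaway code.
        result = subprocess.run(
            [sys.executable, "-I", path],
            capture_output=True, text=True, timeout=timeout_s,
        )
        return result.stdout
    except subprocess.TimeoutExpired:
        return "<killed: exceeded time limit>"
    finally:
        os.unlink(path)
```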
Attackers might trick agents into exfiltrating data through a series of seemingly benign actions. Mitigations include monitoring cumulative data egress across an entire session rather than judging each action in isolation.
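A sketch of one such mitigation: track sensitive-data egress cumulatively per session, so that slow exfiltration spread across many innocuous-looking calls still trips a threshold. The detector pattern and budget are assumed values for illustration:

```python
import re
from collections import defaultdict

# Illustrative detector (long digit runs resembling account numbers);
# real DLP tooling uses far broader detectors.
ACCOUNT_RE = re.compile(r"\b\d{10,16}\b")
EGRESS_BUDGET = 3  # assumed cap on sensitive items one session may send out

session_counts: defaultdict = defaultdict(int)

def check_egress(session_id: str, outbound_text: str) -> None:
    """Accumulate sensitive-data hits across actions, not per single call."""
    hits = len(ACCOUNT_RE.findall(outbound_text))
    session_counts[session_id] += hits
    if session_counts[session_id] > EGRESS_BUDGET:
        raise PermissionError(
            f"Session {session_id} exceeded its sensitive-data egress budget"
        )
```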
Agentic AI represents a fundamental shift in how we build and deploy AI systems—moving from passive models to active agents that make decisions and take actions. This shift demands an equally fundamental evolution in our security approach, bringing together MLSecOps and DevSecOps into a unified framework.
By applying Secure by Design principles across both AI and traditional software domains, organizations can build agentic systems that harness the power of autonomous AI while maintaining robust security. This doesn't require inventing entirely new security paradigms. It means thoughtfully adapting and combining proven practices from both domains to address the unique challenges of agentic AI.
As AI continues to evolve toward greater agency and autonomy, this unified security approach will become increasingly essential for protecting not just the AI components but the entire ecosystem in which they operate.
In the next part of our series, we'll examine specialized tools and technologies needed to implement Secure by Design principles effectively throughout the AI lifecycle, from testing and vulnerability management to monitoring and incident response.
Stay tuned for Part 4 of our series: Tools and Technologies for Secure by Design AI Systems
Ready to dive deeper? Get the full white paper: Securing AI’s Front Lines: Implementing Secure by Design Principles in AI System Development