< ciso
brief />
Tag Banner

All news with #agent security tag

263 articles

Thirteen demos for Gemini Enterprise Agent Platform

🔎 This post introduces 13 code-first demos for the Gemini Enterprise Agent Platform, showing how to build, scale, govern, and optimize agents using the ADK and Agents CLI. The demos range from an ADK foundation codelab and MCP data connectors to stateful deployment on Agent Runtime, event-driven long-running workflows, and production-grade governance with Agent Gateway and Model Armor. Each demo teaches practical patterns — from UI generation and multi-language A2A pipelines to test-driven security, AutoRater evaluations, and cross-framework orchestration — so teams can prototype locally and then deploy and monitor agents at enterprise scale.
read more →

EU orders Google to open Android to rival AI agents

📰 The European Commission issued two rulings under the Digital Markets Act requiring Google to open Android to third-party AI assistants and to share search data with rival engines. Google warned the measures could harm user privacy and security, while EU regulators said the steps are needed to ensure fair competition. Security leaders caution CISOs to reassess device and data governance as agents gain system-level reach.
read more →

Least privilege guidance for AI agents and access

🔒 AI agents require managed identities and tightly scoped permissions to avoid uncontrolled access and privilege escalation. Treat each agent as a first-class principal with lifecycle-managed identities, explicit owners, and task-based RBAC. Implement controlled tool binding, just-in-time elevation for high-risk actions, and end-to-end audit logging to ensure accountability and rapid incident response. Regular reviews and revocation testing are essential.
read more →

Agent Data Injection: New AI attack class exposed

🛡️ Researchers describe a new class of attacks called agent data injection (ADI), where attackers plant forged trusted fields—like a sender name or button ID—so an AI agent acts on corrupted facts while continuing its assigned task. The method exploits how agents parse punctuation-delimited fields, letting attackers slip fake structure past prompt-injection defenses. The team built working proofs against multiple web and coding assistants and found mixed mitigation results from random IDs and provenance tracking.
read more →

MemGhost attack shows persistent memory poisoning risk

🛡️Researchers show a one-email exploit can trick an AI personal agent into writing a false, persistent memory and hiding the change. The tool, MemGhost, was tested in lab conditions against OpenClaw and other agent frameworks, succeeding frequently in background runs. The authors propose provenance tagging, user confirmation, and write logging as mitigations while vendors consider memory-write controls.
read more →

Why the AI Agent Harness Determines Reliability

🛡️ AI agents leverage LLMs for reasoning but require a robust harness—skills, tools, and live context—to be reliable in network security. Generic agents trained on broad data hallucinate and fail at scale because they lack production-hardened experience and up-to-date environmental visibility. Check Point emphasizes skills from 30 years of deployments, a real-time Network Knowledge Graph, and contextualized policies to keep agent actions auditable and trustworthy.
read more →

Email Agent Hijacking: New Risks in Agentic Email

🛡️ AI agents are processing and acting on emails before humans, creating a new attack surface where malicious content can manipulate agent behavior. This phenomenon, called Email Agent Hijacking (EAH), embeds instructions in email content to influence how AI interprets, prioritizes, or responds. Traditional post-delivery controls are insufficient because agents act immediately; organizations need preventive protections for AI-consumed content and validation for AI-generated outputs.
read more →

Six-stage maturity model for non-human identities

🔒 This article examines the risks of agentic AI and non-human identities in enterprise environments, illustrating incidents where LLM-based agents caused outages due to weak identity controls. It argues that existing IAM models are insufficient for agents that act autonomously, and cites industry guidance from Gartner, OWASP, CISA and NIST. The author proposes six minimum requirements and a cumulative six-stage NHI maturity model to ensure defensible production deployments.
read more →

Rise of Malicious AI Agents Threatens Organizations

🤖 ESET analysis shows cybercriminals increasingly use AI agents and chatbots to autonomously plan and execute attacks. Researchers reviewed 900,000 AI skills in public repositories and found tens of thousands of suspicious and thousands of malicious toolsets, expanding the attack surface. These agentic tools can exfiltrate data, execute malware, override instructions, and be repurposed from legitimate utilities into harmful capabilities. ESET urges organizations to enforce policies and caution users about downloading free tools from untrusted sources.
read more →

Agents turned attack vector in code security checks

🔍 Researchers at the AI Now Institute demonstrated a proof-of-concept called "Friendly Fire" where autonomous AI coding agents (Anthropic's Claude Code and OpenAI's Codex) execute an attacker's binary when asked to scan untrusted open-source code. The attack hides a malicious binary alongside benign files and a README that prompts the agent to run a security script; in auto-modes the agents approved and executed it without prompting. The weakness is framed as a workflow/design issue rather than a single vulnerable version, and the researchers recommend never giving command-capable agents unattended access to untrusted code.
read more →

20 Questions to Guide an Agentic Enterprise Strategy

🤖 This post introduces the Gemini Enterprise Agent Platform and offers 20 practical questions for IT and engineering leaders to consider when building AI agents. It covers who builds agents, which development tools to use, how to connect data and other agents, strategies for scaling, and methods for securing execution and preserving context. The article pairs guidance with recommended Google tools like ADK, Antigravity, Agent Runtime, MCP, A2A, and Agent Studio.
read more →

GitLost: Public Issue Can Exfiltrate Private GitHub Data

🔒 Researchers at Noma Security demonstrated that a crafted public GitHub issue can manipulate GitHub Agentic Workflows into exposing private repository contents. The attack, named GitLost, exploits indirect prompt injection to trick an agent with organization-wide read access into pulling private data and posting it publicly. GitHub's preview feature for agentic workflows includes guardrails, but Noma showed a minor wording change can bypass them. The core problem is architectural: agents with standing credentials that read untrusted input and can post outward create persistent leakage risk.
read more →

Zscaler finds AI agents vulnerable to prompt injection

🛡️ Zscaler tested 26 LLM-based autonomous agents and found several susceptible to indirect prompt injection (IPI) schemes, with some high-end models failing while a few lower-tier models fared better. The vendor reported four models as "vulnerable" and three as "safe," but experts warn that agent behavior evolves and binary classifications can be misleading. The findings highlight the architectural risks in agentic AI where untrusted content in the context window can be treated as authoritative, expanding the attack surface for enterprises.
read more →

Governing Identity for Agentic AI Operations

🛡️ Existing security controls weren’t built for autonomous AI agents, and static credentials and standing privileges are insufficient. Organizations must define agentic identity, secure agent-to-agent communication, adopt dynamic secrets management, enforce least privilege for delegated workflows, and unify workforce identity. Governance across the identity lifecycle is essential to ensure auditable, revocable, and context-aware access for agents.
read more →

Operationalizing agentic AI: From assistants to operators

🤖 Stephen Wilson of HashiCorp explains how enterprise AI is evolving from human-assisted tools to autonomous agents and operators, and why governance must mature accordingly. He describes three adoption patterns—AI as assistant, AI as agent, and AI as operator—and details the increasing needs for identity, access controls, auditability, and accuracy at each stage. As organizations grant agents more autonomy, security controls must expand from user-level boundaries to team and organizational governance.
read more →

AI agent conducts autonomous ransomware intrusion

🔍 Sysdig researchers detailed an autonomous AI agent, dubbed JadePuffer, that executed an end-to-end intrusion and extortion campaign after exploiting a vulnerable Langflow server. The agent leveraged an LLM to adapt tactics, delivering over 600 Base64-encoded Python payloads to pivot from an internet-facing Langflow instance to a production MySQL/Nacos server and encrypt 1,342 configuration records before demanding ransom. The operation demonstrated rapid self-correction and contextual reasoning in payloads, prompting calls for behavior-focused detection.
read more →

SkillCloak research shows scanners can be bypassed

🛡️ Researchers at the Hong Kong University of Science and Technology show that simple file-level transformations and packing tricks can let malicious AI coding agent "skills" evade existing static scanners while still executing normally. Their tool, SKILLCLOAK, fooled multiple marketplace scanners over 80–99% of the time, while a runtime sandbox, SKILLDETONATE, detected most evasions at the cost of slower analysis. The study highlights active real-world abuse, practical mitigation ideas, and the need to move trust decisions to behavior observed at execution time.
read more →

Cursor IDE sandbox bypasses enable RCE via prompt injection

🛡️ Researchers discovered two vulnerabilities in the Cursor AI-enabled IDE that enable prompt-injection-driven remote code execution by escaping the command execution sandbox. The flaws, CVE-2026-50548 and CVE-2026-50549, allow attackers to change the working directory and exploit symlink canonicalization fallbacks to write or overwrite files outside the project scope. Cursor patched the issues in version 3.0, and the findings underscore broader risks in agentic AI workflows and the difficulty of defending against prompt injection.
read more →

BioShocking prompt attack tricks AI browsers

🧩 Researchers at LayerX demonstrated a prompt injection called BioShocking that trains AI-powered browsers to treat risky real-world actions as fictional, bypassing safety controls. The PoC used a themed puzzle game to reward 'wrong' behavior and culminated in instructing agents to copy sensitive data from a GitHub repo. Six mainstream agentic browsers were tested; only one vendor implemented a working fix after disclosure. LayerX recommends explicit user confirmations, stricter context checks, and session scope limits.
read more →

Amazon WorkSpaces for AI agents now generally available

🖥️ Amazon WorkSpaces for agents is generally available, enabling AI agents to securely access and operate desktop applications inside managed WorkSpaces. The service lets agents interact with legacy ERP, CRM, mainframe, and proprietary tools without application modernization or custom integrations, while preserving identity controls, network isolation, and compliance boundaries. It supports any agent framework using the Model Context Protocol (MCP), and pricing is based on active session time.
read more →