
Zero-click exploit chain

A zero-click exploit chain is a compromise path that does not require a user to take an obvious action such as opening a message or approving a prompt. In agent environments, it can involve inherited permissions, manipulated context, or hidden data flows that alter behaviour without visible interaction.

Expanded Definition

A zero-click exploit chain is a sequence of conditions that lets an attacker influence a system without requiring a visible user action such as opening a file, clicking a link, or approving a prompt. In NHI and agentic AI environments, the chain often emerges through inherited permissions, poisoned context, tool routing, hidden payloads, or unsafe trust between services and agents. That makes it broader than a classic exploit against one endpoint, because the attacker is chaining weak assumptions across identity, context, and execution.

Definitions vary across vendors when zero-click is used for mobile spyware, messaging attacks, or AI agent compromise. In NHI security, the useful distinction is whether the chain bypasses human confirmation and operates through pre-authorised pathways, rather than whether a specific app was involved. Guidance from the NIST Cybersecurity Framework 2.0 helps anchor the issue in protective controls, but the zero-click pattern itself is still evolving in agentic systems. The most common misapplication is treating any automated compromise as zero-click, which happens when no one checks whether the attacker actually needed an implicit trust path or simply exploited a weak password.

Examples and Use Cases

Implementing zero-click defenses rigorously often introduces friction in orchestration and debugging, requiring organisations to weigh automation speed against tighter inspection of context, identity, and tool access.

  • An AI agent receives a maliciously crafted task from a trusted workflow and calls a sensitive API because inherited scope was never reduced.
  • A hidden instruction in retrieved content causes an agent to exfiltrate secrets stored in a connected vault, without any human approving the action.
  • A service account used by an agent platform is over-privileged, allowing a single poisoned event to cascade into multiple downstream tool calls.
  • The DeepSeek breach illustrates how exposed data and credential surfaces can magnify downstream abuse when adversaries can reach systems without obvious interaction.
  • Attack patterns discussed in LLMjacking: How Attackers Hijack AI Using Compromised NHIs show how compromised NHI assets can be used to trigger agent behaviour from the outside.

For adjacent context, the OWASP Top 10 for Large Language Model Applications is useful for understanding prompt and tool abuse patterns that can appear in these chains.
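
A minimal sketch of a tool-call gate for the first three scenarios above, added here as an example and not taken from the original page or any product. It reduces inherited scope to what the task declares and holds sensitive calls influenced by untrusted context until a human approves; the tool names, scope strings and provenance labels are hypothetical.

```python
from dataclasses import dataclass

# All names below are hypothetical and constructed for illustration.
# Tool registry: tool name -> (scope it requires, is it sensitive?)
TOOLS = {
    "search_docs": ("docs:read", False),
    "read_secret": ("vault:read", True),
    "send_payment": ("payments:write", True),
}
# Provenance labels the platform treats as trusted instruction sources.
TRUSTED_SOURCES = frozenset({"operator_prompt", "signed_workflow"})

@dataclass(frozen=True)
class ToolCall:
    tool: str
    sources: frozenset          # provenance of every context item behind the call
    approved_by_human: bool = False

def effective_scopes(inherited, task_scopes):
    """Reduce inherited scope to what this task declared it needs."""
    return frozenset(inherited) & frozenset(task_scopes)

def gate(call, inherited, task_scopes):
    """Decide one tool call: 'allow', 'deny' or 'needs_approval', plus a reason."""
    if call.tool not in TOOLS:
        return "deny", "unknown tool"
    scope, sensitive = TOOLS[call.tool]
    if scope not in effective_scopes(inherited, task_scopes):
        return "deny", f"scope {scope} not granted to this task"
    untrusted = call.sources - TRUSTED_SOURCES
    if sensitive and untrusted and not call.approved_by_human:
        return "needs_approval", "untrusted context: " + ", ".join(sorted(untrusted))
    return "allow", "within task scope"

def demo():
    """Run constructed calls from an over-privileged service account."""
    inherited = {"docs:read", "vault:read", "payments:write"}
    task = {"docs:read", "vault:read"}
    mixed = frozenset({"operator_prompt", "retrieved_web_page"})
    calls = [
        ToolCall("search_docs", mixed),
        ToolCall("read_secret", mixed),
        ToolCall("read_secret", mixed, approved_by_human=True),
        ToolCall("send_payment", frozenset({"signed_workflow"})),
    ]
    return [(c.tool, *gate(c, inherited, task)) for c in calls]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The payment call is denied even though it arrives from a trusted workflow, because the task never declared that scope; the secret read is held only when retrieved content contributed to the decision.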

Why It Matters in NHI Security

Zero-click exploit chains are dangerous because they convert routine automation into an attack surface with little or no warning. When agents can act on inherited permissions, a single hidden trigger can lead to secret exposure, privilege escalation, fraudulent actions, or silent data movement across multiple systems. This is why NHI governance has to focus on the full execution path, not just the original login event. The 52 NHI Breaches Analysis is a reminder that compromise often follows weak identity hygiene, over-trust, and poor lifecycle control rather than a single dramatic exploit. In secrets-heavy environments, the risk compounds quickly: NHIMG research reports that exposed AWS credentials are often targeted within 17 minutes on average, and sometimes in as little as 9 minutes, which leaves very little time to detect and contain a chain once it starts. Organisationally, zero-click patterns often remain invisible until anomalous API use, data loss, or agent drift forces an investigation, at which point addressing the chain has already become operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A3 | Zero-click chains in agents map to tool misuse and hidden instruction abuse. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Inherited permissions and hidden trust paths are core NHI exploit-chain risks. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is essential when an exploit chain bypasses user action. |

Minimise standing access and validate every non-human identity trust path.