Subscribe to the Non-Human & AI Identity Journal

Agentjacking

An attack pattern where a malicious party feeds deceptive content into an AI agent workflow so the agent carries out the attacker’s intent. The risk is not only prompt manipulation, but the use of trusted tool channels and credentials to turn ordinary input into unauthorized action.

Expanded Definition

Agentjacking is a class of attack in which deceptive content steers an AI agent into taking actions the attacker wanted, often by abusing the agent’s trusted tool access rather than merely altering its text output. In NHI and agentic AI environments, the concern is not just “bad prompts” but unauthorized execution through credentials, API keys, browser sessions, or delegated workflow permissions. That makes agentjacking a governance problem as much as a model-safety problem.

The term is still evolving across vendors, but the practical pattern is consistent: an agent ingests untrusted content, treats it as actionable context, and then uses legitimate authority to perform harmful operations. This is why guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework matters: both emphasize that agent behavior must be constrained, monitored, and validated when external input can influence actions.

The most common misapplication is treating agentjacking as simple prompt injection, which occurs when teams ignore the downstream execution path and fail to control the tools, tokens, and approvals the agent can reach.

Examples and Use Cases

Implementing defenses against agentjacking rigorously often introduces extra approval steps and tighter tool scoping, requiring organisations to weigh automation speed against blast-radius reduction.

  • An agent reads an attacker-crafted email, interprets the content as a legitimate work instruction, and uses a connected ticketing or messaging tool to send privileged data to the wrong recipient.
  • A coding agent ingests hostile repository content and, through a valid CI/CD token, runs destructive commands or pushes unsafe changes, similar to patterns discussed in the Amazon Q AI Coding Agent Compromised analysis.
  • An enterprise assistant consumes calendar or document data that contains hidden instructions, then follows those instructions via legitimate integrations, a scenario aligned with the Gemini AI Breach — Google Calendar Prompt Injection case study.
  • A support agent with OAuth access is induced to expose account information or trigger account actions, echoing the CoPhish OAuth Token Theft via Copilot Studio pattern.
  • Security teams test whether an agent can be induced to delete, exfiltrate, or rewrite records by feeding malicious instructions into a source the agent already trusts, an approach discussed in OWASP NHI Top 10 and the MITRE ATLAS adversarial AI threat matrix.

These cases show that agentjacking is not limited to chat surfaces; it is a workflow attack that becomes dangerous when an AI agent can act on behalf of a human or service identity.

Why It Matters in NHI Security

Agentjacking becomes severe because AI agents frequently operate with standing privileges, reusable secrets, and broad access to business systems. When those credentials are reachable from a manipulated workflow, a single malicious input can become a real-world action. That is the NHI risk shift: the attacker does not need to steal the token first if the agent will use it for them.

This matters especially in environments where visibility is already weak. NHI Mgmt Group reports that only 5.7% of organisations have full visibility into their service accounts, which means many teams cannot reliably tell which identities an agent can invoke or which tools those identities can reach. In parallel, the combination of agent orchestration and mismanaged secrets can make a compromise move fast and hard to contain, especially when a platform behaves as though all trusted inputs are equally safe.

For governance, the right response is to bound authority, separate untrusted content from executable instructions, and review every tool call as an access event. Practitioners usually notice agentjacking only after an agent has already sent data, changed state, or triggered an unwanted workflow, at which point the issue becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A1 Covers prompt injection and tool abuse paths that enable agentjacking.
OWASP Non-Human Identity Top 10 NHI-01 Agentjacking exploits trusted NHI channels, secrets, and over-privileged access.
NIST AI RMF Addresses AI system risk from untrusted inputs affecting behavior and outcomes.
NIST Zero Trust (SP 800-207) Zero trust limits implicit trust in content, sessions, and downstream tool execution.
CSA MAESTRO Models agentic AI threats, including compromised orchestration and tool misuse.

Assess manipulation paths and add safeguards for agent autonomy, monitoring, and accountability.