By NHI Mgmt Group Editorial TeamPublished 2026-01-22Domain: Agentic AI & NHIsSource: HiddenLayer

TL;DR: A graph-level backdoor can rewrite tool-call URLs in real time, silently redirecting agentic requests through attacker-controlled infrastructure while leaving the user-facing response unchanged, according to HiddenLayer research. The attack turns model execution into a supply chain compromise and makes graph-level inspection a prerequisite for safe deployment.


At a glance

What this is: This research shows how a backdoored agentic model can silently rewrite tool-call URLs at runtime and exfiltrate traffic through attacker infrastructure.

Why it matters: It matters because IAM, NHI, and agentic AI teams cannot rely on prompt-layer controls alone when the execution path itself can be manipulated.

👉 Read HiddenLayer's research on Agentic ShadowLogic and tool-call hijacking


Context

Agentic AI systems do not just generate text. They issue tool calls that can reach databases, APIs, email systems, and file stores, which means the real security boundary is no longer the response the user sees but the action the model actually executes. In this case, the risk is a tool-call hijack inside the model graph itself, which bypasses the usual trust assumptions around output filtering and prompt review.

For identity and access teams, the important question is not only whether the model is allowed to call tools, but whether the execution path can be altered after approval. That moves the discussion from prompt safety to runtime control integrity, supply chain integrity, and workload-level trust. The article is about a backdoor in the model file, which is a typical supply chain exposure pattern for agentic systems.


Key questions

Q: What breaks when a tool-calling model can rewrite its own requests?

A: The approval model breaks because the action that was reviewed is no longer the action that executes. In agentic systems, that means trust is being placed in a request that can be mutated after generation and before dispatch. Teams need to validate the final request separately from the model output.

Q: Why do agentic systems increase the risk of hidden proxy attacks?

A: Agentic systems increase the risk because they create a trusted path from model output to external systems, and that path often includes URLs, headers, and other data that can be intercepted. If the model can alter its own tool call, an attacker can redirect traffic without changing the visible conversation.

Q: How should security teams validate downloaded models before using them in production?

A: Security teams should treat downloaded models as executable artefacts and inspect them for unusual graph logic, embedded state, and tool-call manipulation before deployment. Provenance alone is not enough if the runtime behaviour can be altered inside the model itself.

Q: What should organisations do when AI tools may carry credentials in request paths?

A: Organisations should remove credentials from request paths, reduce reliance on query-based authentication, and constrain where agent traffic can be sent. If the proxy layer can see the credential, the proxy layer can potentially expose it, so request hygiene matters as much as model hygiene.


Technical breakdown

How graph-level backdoors alter tool-call execution

The attack sits inside the model’s computational graph rather than in the prompt. Instead of waiting for malicious input, the backdoor watches token generation inside a tool-call block, detects a URL pattern, and swaps the model’s intended destination for an attacker-controlled proxy. Because the change happens during generation, the user-facing conversation can remain clean while the downstream action is redirected. This is different from prompt injection, which targets instruction following. Here, the compromise is embedded in the execution layer, so the model is behaving normally from the outside while the tool call itself is silently rewritten.

Practical implication: inspect model graphs and exported artefacts before deployment, not just prompts and outputs.

Why KV cache state makes the hijack persistent

The attack uses KV cache positions as hidden state to track whether the model is inside a tool call, whether hijacking has started, and which injected token comes next. That matters because the cache gives the backdoor memory across generation steps without relying on external systems or a separate controller. In practice, the model can move from monitoring to injection and back again within one forward pass. This creates an execution-time control channel that is invisible to ordinary application logging because the malicious logic is embedded in the same state machinery the model uses for normal inference.

Practical implication: treat model state and cache behaviour as part of the attack surface when validating agentic deployments.

Why proxy-based interception turns tool use into data theft

Once the URL is rewritten to attacker infrastructure, the proxy can log requests, inspect parameters, and potentially alter responses before forwarding them on. That means the model is not only making a call to the wrong place, it is creating a man-in-the-middle path over the original transaction. If credentials are embedded in query strings or headers, they can be exposed as part of normal tool use. The key failure mode is that the system still appears to work, which delays detection and makes compromise harder to distinguish from routine agent activity.

Practical implication: assume tool-call destinations and credentials may be observable unless you enforce independent egress and request validation.


Threat narrative

Attacker objective: The attacker wants to observe, redirect, and potentially manipulate agentic tool traffic without the user noticing the compromise.

  1. Entry occurs when a user deploys a backdoored model file that already contains malicious graph logic inside the agentic tool-calling path.
  2. Escalation happens when the backdoor detects a URL inside a tool call, rewrites the destination to attacker-controlled infrastructure, and preserves the visible response.
  3. Impact is achieved when the proxy logs requests, captures embedded credentials or parameters, and can modify responses or inject additional payloads.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Tool-call integrity is now an identity problem, not just a model-safety problem. Once a model can rewrite its own downstream action path, the real control boundary shifts from the prompt to the execution artefact. That means tool calls behave like privileged machine identities whose authority can be subverted after approval. Practitioners should treat model graphs as governance objects, not just ML artefacts.

Allowing a model to decide the destination of a tool call collapses the assumption that execution is fixed after authorisation. That assumption was designed for systems where the approved action remains stable through execution. It fails when the actor can mutate the request before dispatch, because the approved intent and the executed action diverge inside the same session. The implication is that reviewers must rethink what they are certifying when the execution path itself is mutable.

Graph-level backdoors create identity blast radius through trusted automation paths. A model that sits inside an enterprise agent stack can inherit access to APIs, databases, and collaboration tools, then redirect that access through attacker infrastructure without tripping ordinary user controls. This is why AI agent governance and NHI governance now meet at the same point: the delegated identity may be legitimate, but the execution channel is not. Practitioners should assume the blast radius includes every system reachable by the agent.

Supply chain trust in agentic AI is now inseparable from workload identity governance. Downloading a model from a public repository is no longer a harmless content acquisition step when the file can carry hidden execution logic. That mirrors classic NHI supply chain risk, where a trusted artefact becomes the identity path into production. The field needs to treat model provenance, runtime inspection, and execution control as one governance chain.

Runtime inspection has to move below the conversation layer if organisations want meaningful assurance. Prompt filters, content moderation, and response review do not see a backdoor that alters the tool call after the model has already appeared to behave correctly. The control gap is not a missing policy statement but a missing inspection point at the graph and execution layer. Practitioners should use this as a trigger to re-evaluate where trust is actually being granted.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams would struggle to spot a hidden tool-call path or compromised runtime identity in time.
  • For a broader breach lens, read 52 NHI Breaches Analysis for patterns that show how compromised non-human access turns into downstream system impact.

What this signals

Tool-call rewriting changes the programme boundary. Teams that separate IAM, PAM, and AI governance will miss this class of attack if the model graph is treated as outside identity scope. The practical shift is to review model provenance, egress policy, and request integrity together, because the attack lives between identity issuance and execution.

With 97% of NHIs carrying excessive privileges in our research, the issue is not just whether an agent can call a tool, but what it can reach once the call is altered. That makes least privilege an execution problem as much as an entitlement problem, especially when the destination can be changed after approval.

The next control conversation should focus on the trust chain from model file to outbound request. If a model can be swapped, modified, or backdoored before deployment, then runtime safeguards alone will never be sufficient, which is why graph inspection and supply chain review now belong in the same control narrative.


For practitioners

  • Inspect model graphs before deployment Scan exported ONNX or equivalent artefacts for conditional branches, unexpected state storage, and logit manipulation inside tool-calling paths before approving the model for production use.
  • Separate approval from execution Validate that the destination, parameters, and headers of every tool call are independently checked after generation and before dispatch, rather than trusting model-produced arguments.
  • Constrain egress for agent tools Route agent tool traffic through controlled network boundaries so that unexpected proxies, redirects, or destination changes are visible and blocked where possible.
  • Review credential placement in tool traffic Eliminate API keys, presigned URLs, and authentication material from query strings and other request elements that could be logged or relayed through a proxy.
  • Add provenance checks to model intake Require signed provenance, internal approval, and security review for models pulled from public repositories before they are allowed to power agentic workflows.

Key takeaways

  • Agentic ShadowLogic shows that a model can preserve the appearance of normal behaviour while silently changing the tool call that actually executes.
  • The attack matters because it turns trusted agent traffic into a proxy path that can expose URLs, parameters, and embedded credentials.
  • The control point is not only prompt safety but model provenance, graph inspection, and independent validation of the final request before dispatch.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10Agent tool misuse and hidden execution logic map directly to agentic application risks.
OWASP Non-Human Identity Top 10NHI-04Backdoored model artefacts and hidden request rewriting are supply chain and identity-path issues.
NIST Zero Trust (SP 800-207)PR.AC-4The model changes a trusted request path, undermining least-privilege assumptions at execution time.

Inspect tool-use boundaries and validate outputs against the actual executed request path.


Key terms

  • Tool-call hijack: A tool-call hijack is a manipulation of the action a model sends to an external system after the model has already appeared to decide correctly. In agentic environments, the danger is that the visible response remains normal while the executed request is silently redirected or altered.
  • Graph-level backdoor: A graph-level backdoor is malicious logic embedded in a model’s computational graph rather than in its prompt or surrounding application code. It can trigger on runtime conditions, persist through deployment artefacts, and change behaviour without obvious signs in the user-facing conversation.
  • Execution boundary: The execution boundary is the point where an approved action becomes a real outbound request, file write, API call, or other system change. For agentic AI, this boundary matters because the model may influence the request content, destination, or timing after the user has already approved the task.

What's in the full report

HiddenLayer's full research covers the operational detail this post intentionally leaves for the source:

  • Figure-by-figure walkthrough of the ONNX graph logic used to detect URL generation inside tool calls
  • Token-by-token explanation of the KV cache state that keeps the backdoor aligned across generation steps
  • Demonstration artefacts showing how the proxy logs, rewrites, and response injection behave in practice
  • Implementation detail on the model-scanner approach used to detect suspicious graph payloads before deployment

👉 HiddenLayer's full post covers the backdoor mechanics, proxy behaviour, and deployment risks in detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org