TL;DR: As AI agents become active participants in the digital workspace, the attack surface expands across email, collaboration, SaaS, and data flows, with Proofpoint positioning its platform around prompt injection, data governance, and Model Context Protocol controls. The governance challenge is no longer just protecting users, but controlling how people and agents consume, generate, and move sensitive data across shared workspaces.
At a glance
What this is: This is an independent analysis of how the agentic workspace changes collaboration and data security, with particular focus on prompt injection, data governance, and MCP-based agent access.
Why it matters: It matters because identity, access, and data controls now have to govern both human users and AI agents that can act across the same collaboration channels and cloud services.
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
👉 Read Proofpoint's analysis of the agentic workspace and AI agent security
Context
The agentic workspace extends collaboration beyond people into software entities that can read, decide, and act across email, SaaS, cloud, and collaboration tools. That shift creates a new governance problem: security controls built around human users and static applications do not automatically constrain AI agents that can ingest data, trigger workflows, and move information at machine speed.
For IAM, NHI, and data security teams, the important question is not whether agents exist, but whether they are governed as identities with scoped access, auditable actions, and bounded data use. The article's core claim is that collaboration security and data security now have to apply to both humans and agents, which is a genuine identity governance intersection rather than a simple productivity story.
Key questions
Q: How should security teams govern AI agents in shared workspaces?
A: Security teams should treat the workspace audience as part of the authorization decision. If the agent can be seen by people with different entitlements, the system must check whether every recipient is allowed to receive the data before the response is generated. Otherwise, the agent can disclose information correctly retrieved but incorrectly exposed.
Q: Why do AI agents complicate traditional IAM controls?
A: AI agents complicate traditional IAM controls because they do not behave like human users with short, predictable sessions. They can act continuously, chain actions, and reuse the same identity across many systems. That creates a governance problem centered on access duration, revocation, and blast radius, not just authentication.
Q: What breaks when prompt injection reaches a tool-using AI agent?
A: What breaks is the assumption that the model's output is low impact. Once the agent can call tools, a malicious instruction can become a database query, a file write, an email, or a deployment action. Without policy checks and approval gates, the agent's legitimate permissions become the attacker's path to impact.
Q: Which frameworks should guide agentic workspace governance?
A: NIST AI Risk Management Framework, OWASP Agentic AI Top 10, and NIST Cybersecurity Framework all apply where AI agents interact with enterprise data and tools. Organisations should pair those with identity and access controls that define who or what may act, what can be accessed, and how actions are audited.
Technical breakdown
Why the agentic workspace changes access governance
An agentic workspace is a collaboration model in which AI agents participate in work rather than just assisting with it. That matters because agents can consume context, call tools, and generate outputs across email, chat, SaaS, and cloud services, often inside the same business process as people. Traditional IAM assumes a human principal with a stable lifecycle, while agent access can be dynamic, delegated, and task-shaped. The result is a broader trust boundary in which identity, policy, and data controls must follow the action, not just the login.
Practical implication: treat AI agents as governed principals with scoped entitlements, logged actions, and explicit data access boundaries.
How prompt injection and multichannel collaboration attacks work
Prompt injection is a manipulation technique that embeds instructions in content the model or agent will process, such as email text, chat messages, or documents. In collaboration environments, the attack does not need to break the model directly. It only needs to influence the agent's interpretation of trusted content so the agent takes an unsafe action, exposes data, or follows a malicious workflow. Because these channels are already trusted for business communication, the attack blends into normal operations and is difficult to spot without inspection at the content and workflow layers.
Practical implication: filter and classify untrusted instructions before they reach agents, especially in email and collaboration channels.
MCP access turns agent integration into an identity control point
Model Context Protocol, or MCP, standardises how agents connect to tools and data sources. That makes MCP useful for interoperability, but it also creates a governance choke point because the protocol defines what tools an agent can reach and what context it can consume. If the access layer is weak, an agent can become an overprivileged intermediary that sees too much data or can invoke too many actions. The security issue is not the protocol itself, but whether it is wrapped in policy enforcement, approval boundaries, and monitoring.
Practical implication: put policy enforcement, logging, and least privilege around every MCP connection before broad agent rollout.
Threat narrative
Attacker objective: The attacker objective is to induce a trusted agent or assistant to reveal sensitive information or execute actions that broaden access to enterprise data and workflows.
- Entry occurs when malicious prompts are delivered through email, chat, or collaboration content that an AI assistant or agent processes as trusted context.
- Escalation happens when the agent interprets the hidden instruction and reaches into connected SaaS, cloud, or collaboration tools with existing permissions.
- Impact follows when the agent exposes sensitive data, performs an unauthorised action, or amplifies the attacker’s reach across multiple channels.
NHI Mgmt Group analysis
Agentic workspace governance is now a data access problem, not just a productivity problem. When agents participate in work, the security question shifts from whether they can help to what they are allowed to see, infer, and execute. Collaboration platforms become control planes for sensitive information, which means IAM, data security, and NHI governance must align around task-scoped access and traceable action. Practitioners should treat agent participation as a governed access relationship, not a convenience feature.
Prompt injection is the collaboration-layer equivalent of credential abuse. The attacker no longer needs to steal a password if they can manipulate the agent's interpretation of trusted content. That changes the control objective from blocking only malicious login events to inspecting message content, workflow inputs, and tool instructions before an agent acts. Security teams should recognise this as an identity-adjacent abuse path that sits between communication security and authorisation.
Model Context Protocol creates a named concept we can use for this risk: MCP exposure boundary. This is the line between what an agent can reach through interoperable tool access and what it should be trusted to use. If enterprises expose MCP endpoints without policy, logging, and least privilege, they reproduce the same overconnection problem that weakened earlier SaaS and service-account governance. Practitioners should map every MCP integration to a specific control owner.
Human-centric security remains necessary, but it is no longer sufficient on its own. Protecting the user is still important, yet the user is now also directing software entities that can act at scale and speed. That means email security, data governance, and identity governance need shared policy logic rather than separate assumptions about who or what is acting. The field should move toward unified governance for people, agents, and the data paths they share.
Security operations will increasingly depend on agent-to-agent integration, which raises the bar for trust and auditability. When SOC tooling itself uses agents to triage alerts or run workflows, the question becomes whether those agents can be constrained and audited like any other privileged automation. This is where agentic AI security and NHI governance converge most sharply. Practitioners should demand action-level visibility before allowing agents into operational workflows.
What this signals
Agentic workspace sprawl will force security leaders to unify collaboration security, identity governance, and data controls around action rather than account. If an agent can see, decide, and execute across channels, then the old division between communication tools and access governance no longer holds. Teams should prepare for control models that treat every agent action as a governed event, not just an application call.
The practical challenge will be auditability. If organisations cannot reconstruct what an agent saw, why it acted, and which data paths it used, compliance and incident response will both remain partial at best. That is why AI agent governance must be designed into the access layer and the telemetry layer together, not bolted on after deployment.
This is also where the agentic security conversation intersects with the broader identity stack. A named concept worth tracking is the MCP exposure boundary: the point at which interoperable tool access becomes overexposure if policy is missing. Enterprises that define and enforce that boundary early will be better placed to scale agents without turning them into uncontrolled internal intermediaries.
For practitioners
- Inventory agent participation in collaboration workflows Map where AI assistants or agents can read email, chat, documents, and SaaS records, then identify which of those paths can also trigger actions or data movement. Prioritise the workflows where a hidden instruction could reach the widest set of downstream systems.
- Wrap every MCP integration in policy and logging Require explicit approval boundaries, least privilege, and action logging for each MCP connection before exposing tools to agents. Review whether the agent needs read access, write access, or only narrow task-specific context.
- Classify prompt-bearing content as untrusted input Apply inspection and filtering to emails, messages, and documents that may carry instructions for agents, especially in Microsoft Teams, Slack, and similar collaboration channels. Prevent agents from executing tool calls based solely on unverified content.
Key takeaways
- AI agents turn collaboration platforms into governed access environments, so identity and data controls have to move with the workflow.
- Prompt injection is an execution risk as much as a content risk, because agents can act on malicious instructions embedded in trusted channels.
- MCP-based integrations need least privilege, logging, and policy enforcement before enterprise-scale agent deployment becomes defensible.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | N/A | Prompt injection and tool misuse are core agentic AI risks in this article. |
| NIST AI RMF | GOVERN | The article centers on governance for AI agents acting in business workflows. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access for agents and users is central to the collaboration threat model. |
| NIST SP 800-53 Rev 5 | AC-6 | The article's agent access model requires least privilege and bounded permissions. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0009 , Collection; TA0040 , Impact | Prompt injection can lead to credential exposure, data collection, and operational impact. |
Map agent prompts, tools, and outputs to OWASP agentic controls before broad deployment.
Key terms
- Agentic Workspace: A collaboration environment where AI agents participate in work alongside people and share access to data, tools, and workflows. Unlike a traditional digital workspace, the security model must account for software entities that can read context, take actions, and move information at machine speed.
- Prompt Injection (Agentic): An attack where malicious instructions are embedded in content that an AI agent reads — causing the agent to execute unintended actions using its own legitimate credentials. A primary vector for agent goal hijacking and identity abuse.
- Model Context Protocol: Model Context Protocol is an open protocol that lets AI agents connect to tools and data sources. It expands what an agent can reach, so governance has to cover not only the model and its prompts, but also every system that can receive or return agent-driven data.
- Mcp Install Boundary: The MCP install boundary is the point where a user reviews and accepts a tool's configuration before it is written into a workspace. In security terms, it is supposed to separate visible intent from persisted runtime state. If hidden values can bypass that review, the boundary no longer governs trust.
What's in the full article
Proofpoint's full article covers the operational detail this post intentionally leaves for the source:
- Specific product workflow examples showing how Threat Interaction Map, Data Risk Map, and Secure Agent Gateway are intended to connect across channels
- Details on how Proofpoint Satori agents automate DLP alert handling, phishing simulations, and user-reported threat workflows
- The partner integration context for Microsoft Sentinel, Defender for Endpoint, and Purview, including the telemetry paths involved
- How Proofpoint describes MCP access for customer-deployed AI agents and partner ecosystems
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, agentic AI identity, and machine identity security. It is designed for practitioners who need to align access, policy, and lifecycle controls across human and non-human systems.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org