AI security for agentic workflows now depends on runtime controls

At a glance

What this is: This is an analysis of AI security for agentic workflows, with the key finding that runtime control, visibility, and continuous enforcement matter more than static configuration.

Why it matters: It matters because teams now have to govern AI agents as active identities across NHI, autonomous, and human-controlled programmes, not just as model endpoints.

👉 Read Lasso Security's guide to secure AI workflows in the agentic era

Context

Agentic AI security is the practice of controlling systems that do more than generate text. Once an AI system can browse, execute, call APIs, and spawn other agents, the governance problem shifts from output moderation to execution control across a live identity chain.

The article’s core point is that traditional security assumptions break when an AI workflow can change state mid-task. That makes the topic relevant to NHI governance, agentic AI identity, and lifecycle controls because the attack surface now includes tools, context, and delegated runtime access.

Key questions

Q: How should security teams govern AI agents that can browse, call APIs, and act independently?

A: They should treat those systems as governed identities with runtime risk, not as passive applications. That means inventorying every agent, binding each one to narrow tool permissions, validating all retrieved content and tool responses, and monitoring execution for drift from declared intent. Governance fails when approval happens only at deployment.

Q: Why do agentic AI workflows break traditional least-privilege models?

A: Because least privilege is often defined at provisioning time, while agents make decisions at runtime across multiple steps. An agent may need temporary access to tools, APIs, and data sources, and broad access granted for convenience can become its blast radius. Teams need execution-scoped privilege, not just an entitlement list.

Q: What breaks when prompt injection or context poisoning affects an AI agent?

A: The agent can act on malicious instructions that were never part of the original request. In practice, that can redirect tool use, expose data, alter files, or trigger external actions before detection. The failure is not only bad input handling, but a lack of continuous validation across the full execution path.

Q: Who is accountable when an AI agent performs an unauthorized action?

A: Accountability should sit with the organisation that designed the workflow, assigned the permissions, and failed to govern execution. In agentic systems, responsibility cannot be pushed to the model alone because the surrounding identity, tooling, and monitoring decisions determine what the agent can do. Auditable logs are essential for proving that chain.

Technical breakdown

Prompt injection and context poisoning in agentic workflows

Prompt injection is the use of hidden instructions to steer model behaviour, while context poisoning corrupts retrieved content, memory, or intermediate outputs so the agent acts on untrusted input. In agentic systems, the problem is compounded because the model does not merely answer a prompt. It may retrieve documents, interpret tool responses, and continue acting across several steps. That creates multiple choke points where malicious content can redirect execution without changing the original user request. The security failure is not just bad input, but untrusted execution context that persists long enough to influence downstream actions.

Practical implication: validate every input source the agent consumes, including retrieved content and tool responses, not only the first user prompt.

Tool misuse, API scope, and least privilege for AI agents

Agents frequently inherit broad permissions so they can complete a task without interruption. That convenience becomes risk when the agent can invoke APIs, write data, or trigger external actions outside its intended purpose. Least privilege in agentic systems must therefore operate at the tool and action level, not just at account provisioning. The architecture problem is that the agent’s permissions can be technically valid while still being operationally excessive for the task at hand. Security teams need to think in terms of execution scope, not only identity entitlements.

Practical implication: bind each agent to a narrow tool set and enforce runtime checks on every write, export, or external call.

MCP and agent-to-agent trust chains

Model Context Protocol connections and agent-to-agent messages create a delegation chain that security teams cannot treat as inherently trustworthy. If an orchestrator is compromised or a delegated instruction is altered in transit, downstream agents may execute actions that appear legitimate but were never intended by the original controller. This is a trust-chain problem, not just a transport problem. The article’s framing shows why identity and authorization must extend across inter-agent communication, because each hop can amplify the blast radius of a single compromised component.

Practical implication: authenticate inter-agent messages and treat every delegated instruction as untrusted until the receiving system verifies it.

Threat narrative

Attacker objective: The attacker aims to redirect legitimate AI execution into unauthorized actions that expose data, alter systems, or trigger downstream compromise.

1. Entry occurs when malicious instructions are hidden in prompts, retrieved documents, or third-party tool responses that the agent will later consume.
2. Escalation happens when the agent accepts poisoned context, inherits excessive tool permissions, and carries the manipulation into subsequent calls across the workflow.
3. Impact follows when the agent performs unintended actions such as data exposure, unauthorized file changes, or external API calls before detection occurs.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Runtime security, not static policy, is now the control plane for agentic AI. Once an AI system can choose tools, sequence actions, and continue without human approval, the old model of configuring permissions at deployment is no longer sufficient. Agentic behaviour changes in session, so governance has to follow execution rather than assume it can be frozen in advance. For practitioners, this means the decisive control is continuous enforcement across the whole interaction.

Visibility is the minimum viable requirement for governing AI agents. If teams cannot see which agents exist, what they accessed, and which tools they called, then they cannot investigate, certify, or contain anything with confidence. That is not a monitoring gap alone, but a governance failure because accountability depends on traceable behaviour. The practitioner conclusion is straightforward: undiscovered agents are ungovernable agents.

Intent-based controls are becoming the boundary between approved work and agent drift. Rule-based checks can block known bad actions, but they do not explain whether the agent is still serving the original purpose after a poisoned input or altered retrieval path. That makes intent, not just policy syntax, the more useful governance concept for agentic systems. Security teams should treat behavioural drift as the signal that the control model has failed to keep pace with runtime decision-making.

Agent-to-agent delegation creates a trust problem that classical IAM models do not fully represent. Identity controls were designed for principals that can be authenticated and authorised at a stable boundary, but delegated AI instructions move across systems in ways that are harder to attribute and validate. The result is an identity blast radius that expands with every hop in the chain. Practitioners need to re-evaluate how trust is propagated across orchestrators, sub-agents, and external tools.

Secure AI workflows now require identity governance across human, NHI, and autonomous layers. The article is really about the collapse of a siloed view of AI security. Humans approve, NHIs execute, and agents decide within the same workflow, so governance has to cover all three without assuming any one layer can compensate for the others. The practical lesson is to align identity, runtime enforcement, and lifecycle controls across the full path of execution.

From our research:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
• Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
• That visibility gap is why Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs becomes the operational next step for agent inventory, access review, and offboarding discipline.

What this signals

Identity teams should expect agent governance to move from policy drafting to runtime evidence. The practical challenge is no longer whether an AI workflow exists, but whether it can be seen, bounded, and investigated when it deviates. That pushes NHI programmes toward continuous discovery, tighter tool scoping, and stronger auditability across every agent lifecycle. For teams formalising the control stack, the OWASP Agentic AI Top 10 is the right external reference point for threat patterns and control mapping.

Identity blast radius is the right concept for agentic AI governance. Once agents can chain decisions across tools and sub-agents, a single excessive permission can compound into multiple unauthorized outcomes. With 80% of organisations already reporting agents beyond intended scope, the problem is structural, not hypothetical. Practitioners should pair runtime policy enforcement with the Top 10 NHI Issues so agent risk is evaluated alongside broader machine identity exposure.

AI security operations will increasingly converge with NHI lifecycle management. Discovery, certification, offboarding, and audit trails are no longer separate conversations when the workload itself is an active decision-maker. Teams that already manage service accounts and workload identities have the governance muscle memory needed here, but the control thresholds must be tighter because behaviour can change mid-session. The Ultimate Guide to NHIs -- 2025 Outlook and Predictions is a useful lens for where this category is heading.

For practitioners

• Inventory every AI agent and shadow workflow Build a live inventory of agents, tools, integrations, and delegated sub-agents so security teams can see what is actually running. Treat unregistered agents as an exposure problem, not an admin issue.
• Enforce runtime least privilege on every tool call Restrict each agent to the minimum tool set required for the task and verify every write, export, or API invocation at runtime. Privilege that is acceptable at deployment may still be excessive during execution.
• Validate retrieved content and tool responses continuously Inspect documents, feed outputs, and API responses for hidden instructions before the agent can act on them. This is the control that reduces prompt injection and context poisoning risk in multi-step workflows.
• Authenticate delegated instructions across agent chains Require strong validation for orchestrator-to-agent and agent-to-agent messages so compromised upstream instructions do not propagate as trusted work orders. Trace each hop so the investigation path is reconstructable.
• Measure behavioural drift against declared intent Define what each agent is supposed to do, then alert when it begins chaining actions outside that scope. Drift detection should focus on task purpose, not only on technical errors.

Key takeaways

• Agentic AI changes security from output control to execution control because the system can now browse, call tools, and continue acting without human approval.
• The evidence is already in the field: 80% of organisations say their AI agents have acted beyond intended scope, while only 52% can track and audit what those agents access.
• Practitioners need runtime least privilege, continuous visibility, and delegated-instruction validation, because static deployment settings do not govern a system that can change behaviour mid-task.

Key terms

• Agentic AI: An AI system that can choose and sequence actions, use tools, and continue a task with some degree of runtime independence. In security terms, the risk is not just what it says, but what it can do next, across multiple steps and systems.
• Context Poisoning: The corruption of an agent’s working context so it makes decisions based on malicious or misleading information. This can arrive through retrieved documents, tool outputs, or intermediate memory, and it is especially dangerous when the system trusts context across a task chain.
• Runtime Enforcement: Controls applied while an AI system is executing, not only when it is configured or deployed. For agentic workflows, runtime enforcement is what limits tool use, blocks unsafe actions, and prevents a malicious input from becoming an action.
• Delegated Instruction: A task or command passed from one system or agent to another within an execution chain. The security issue is that downstream systems may treat the instruction as trusted even when the upstream source was compromised or altered in transit.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Lasso Security: AI Security Best Practices: How to Build Secure AI Workflows. Read the original.