By NHI Mgmt Group Editorial Team
Published 2025-09-03
Domain: Agentic AI & NHIs
Source: Pillar Security

TL;DR: Specialised AI agents can turn individually safe tools into dangerous sequences. Pillar Security argues that taint analysis helps model how untrusted input can flow through an agent's reasoning into sensitive actions such as code commits. The core issue is assumption collapse: human-paced review and isolated-tool trust break when agents chain decisions across systems with minimal oversight.


At a glance

What this is: This is a Pillar Security analysis of vertical agentic risk and how taint analysis can trace untrusted data through multi-tool AI workflows to a harmful sink.

Why it matters: It matters because IAM, PAM, and governance teams need to understand how autonomy and tool chaining can expand blast radius beyond what single-tool controls or isolated approvals can contain.

👉 Read Pillar Security's analysis of vertical agentic risk and taint analysis


Context

Vertical agentic risk describes the failure mode where a specialised AI agent turns a safe source and a safe destination into a dangerous workflow once it chains them together. In identity terms, the question is not whether each tool is allowed, but whether the agent can combine access in ways the governance model never reviewed.

That matters for NHI, agentic AI, and adjacent IAM programmes because the control problem shifts from single entitlement checks to sequence-aware governance. When an agent can observe, reason, and act across systems with minimal human oversight, the blast radius depends on the path it can assemble, not just the permissions it was issued.


Key questions

Q: How should security teams govern AI agents that can chain tools across systems?

A: They should govern the sequence, not just the tools. An agent that can read untrusted input and then write to a sensitive system creates a path-based risk that isolated entitlement checks miss. The right control model maps source to sink, blocks unsafe transitions, and requires approval before any action that can alter code, data, or configuration.

Q: Why do specialised AI agents create more risk than single-purpose automation?

A: Specialised agents can combine otherwise acceptable actions into a harmful workflow at runtime. A monitoring tool, a reasoning step, and a write-capable integration may each look safe alone, but together they can move tainted content into a privileged sink. That makes the sequence the real control boundary.

Q: What breaks when untrusted content can influence agent decisions?

A: The assumption that input and action are separate breaks down. Once an agent can read a message, reinterpret it, and then choose a privileged tool call, the organisation no longer controls how context becomes execution. That is why source-to-sink analysis is so important for agent governance.

Q: How do teams reduce the blast radius of agentic workflows?

A: Limit the agent's ability to move from observation to mutation in one path. Use narrow credentials, separate approval boundaries, and human review before high-risk sinks such as commits, deployments, or database writes. The goal is to stop the workflow before tainted context turns into operational change.


Technical breakdown

Taint analysis for agentic workflows

Taint analysis marks untrusted input and follows it as it moves through a system until it reaches a sensitive sink. In this article's scenario, the source is a Slack message, the propagation path is the agent's reasoning and tool selection, and the sink is a privileged GitHub write action. That matters because the security issue is not the message alone or the repository alone, but the combination of data flow and execution flow. For agentic systems, taint analysis becomes a way to reason about whether external content can influence actions that should have remained isolated.

Practical implication: map agent inputs to privileged sinks and block any path where untrusted content can influence write, deploy, or approval actions.

Vertical agentic risk and toxic combinations

Vertical agentic risk is the idea that individually acceptable tools become hazardous when an agent sequences them into one workflow. A read-only monitoring tool may seem harmless, and a write-capable development tool may also seem acceptable, but together they can create a path from external input to code change. This is a governance problem because access reviews usually evaluate entitlements in isolation, while the real risk lives in the allowed action chain. The toxic combination is the sequence itself, not any single permission.

Practical implication: review agent permissions as workflows, not as separate tool grants, and remove any combination that can move from observation to mutation without oversight.

Least privilege for specialised AI agents

Least privilege still applies to agentic systems, but the unit of analysis has to move from static entitlement to task-scoped sequence control. An agent that only needs to create pull requests should not also be able to commit directly, and an agent that reads operational channels should not be able to turn that content into production changes without a checkpoint. The article's point is that autonomy magnifies the impact of permission overlap, because the agent can discover and exploit the overlap at runtime. That turns privilege design into path design.

Practical implication: constrain agents to the narrowest action path possible, especially where read access can be chained into write or deployment authority.
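The three subsections above describe one control shape: label what comes from an untrusted source, treat the agent's reasoning as the propagation path, and judge each write-capable tool call on the sequence that preceded it and on whether that sink lies on the role's allowed path at all. The following is an added illustration written for this summary, not code from Pillar Security or from any agent framework. The tool names, the role name and the "whole context is tainted once an untrusted source is read" rule are assumptions; the point is the shape of the check, which per-tool allow lists cannot express.

```python
"""Taint-aware gateway in front of an agent's tool calls (added illustration).

Assumed model: the LLM's reasoning is opaque, so once a tool returns content
authored by an untrusted party, the whole session context is treated as tainted
rather than traced value by value. Every later call to a mutating tool (a sink)
is then judged on the sequence: which sources preceded it and whether the sink
lies on the agent role's allowed path at all. Tool names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    NEEDS_APPROVAL = "needs_approval"  # tainted source reached a permitted sink
    DENY = "deny"                      # sink is outside the role's allowed path


@dataclass(frozen=True)
class Tool:
    name: str
    mutates: bool           # writes code, config or data: a sink
    untrusted_source: bool  # returns content written by external parties


# Hypothetical tool inventory; the policy reads only the two capability flags.
TOOLS = {
    t.name: t for t in (
        Tool("slack.read_channel", mutates=False, untrusted_source=True),
        Tool("metrics.query", mutates=False, untrusted_source=False),
        Tool("github.read_file", mutates=False, untrusted_source=False),
        Tool("github.create_pull_request", mutates=True, untrusted_source=False),
        Tool("github.push_commit", mutates=True, untrusted_source=False),
    )
}

# Task-scoped path: the only sinks each role may ever reach. The triage agent
# may open a pull request for review but never commit directly.
ROLE_SINKS = {"ops-triage-agent": {"github.create_pull_request"}}


@dataclass
class Session:
    role: str
    taint: set[str] = field(default_factory=set)  # untrusted sources seen so far
    trace: list[tuple[str, Verdict, str]] = field(default_factory=list)


def check_call(session: Session, tool_name: str) -> Verdict:
    """Decide on a proposed tool call given everything the session has read."""
    tool = TOOLS[tool_name]
    if not tool.mutates:
        verdict, why = Verdict.ALLOW, "read-only tool"
    elif tool_name not in ROLE_SINKS.get(session.role, set()):
        verdict, why = Verdict.DENY, "sink not on this role's allowed path"
    elif session.taint:
        verdict, why = Verdict.NEEDS_APPROVAL, f"path {sorted(session.taint)} -> {tool_name}"
    else:
        verdict, why = Verdict.ALLOW, "no untrusted source in context"
    session.trace.append((tool_name, verdict, why))
    return verdict


def record_result(session: Session, tool_name: str) -> None:
    """Call after a tool returns: content from an untrusted channel taints the context."""
    if TOOLS[tool_name].untrusted_source:
        session.taint.add(tool_name)


def run_sequence(calls: list[str], role: str = "ops-triage-agent") -> list[Verdict]:
    """Gate an agent's proposed call sequence and return the verdict per step."""
    session = Session(role=role)
    verdicts = []
    for name in calls:
        verdict = check_call(session, name)
        verdicts.append(verdict)
        if verdict is Verdict.ALLOW:
            record_result(session, name)
    return verdicts


if __name__ == "__main__":
    scenarios = {
        "trusted read then PR":   ["metrics.query", "github.read_file", "github.create_pull_request"],
        "Slack read then PR":     ["slack.read_channel", "github.read_file", "github.create_pull_request"],
        "Slack read then commit": ["slack.read_channel", "github.push_commit"],
    }
    for label, calls in scenarios.items():
        print(label, [v.value for v in run_sequence(calls)])
```

Two properties of the check are worth noticing. The same pull-request call is allowed in one session and routed to a human in another, with the only difference being whether a Slack read happened earlier, which is exactly the sequence-awareness the article asks for. And the direct commit is denied before the taint question is even asked, because it is not on the role's path; that is least privilege expressed as a path rather than as a permission count.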


NHI Mgmt Group analysis

Vertical agentic risk is a sequence problem, not a single-permission problem. The article shows that a read-only input channel and a write-capable output channel can be individually defensible yet jointly unsafe once an agent can connect them. That is the key governance shift for autonomous workflows: the control surface is the path between tools, not the tools in isolation. Practitioners should treat action sequencing as the primary unit of risk.

Taint analysis gives security teams a way to see where agent trust breaks. By following untrusted data from source to sink, it exposes where a benign message becomes a privileged operation. This is especially useful for AI agents because the dangerous step is often not the final commit, but the internal transformation of context into action. Practitioners should use that lens to identify which inputs can ever influence writes, deploys, or approvals.

Least privilege must be redesigned around runtime composition. Static permission reviews assume access can be evaluated one entitlement at a time, but specialised agents make that assumption too narrow. The real failure mode is that the agent can assemble a harmful workflow from individually acceptable capabilities. The implication is that governance must assess allowed sequences, not just allowed tools.

Human review remains necessary, but only at the right boundary. The article correctly points to human-in-the-loop controls for high-risk actions, yet the deeper issue is which actions are high-risk once an agent can chain context and execution. If review happens after the toxic combination is already formed, the control arrives too late. Practitioners should identify the exact sinks where human approval still changes the outcome.

Toxic combination is a useful named concept for agent governance. It captures the failure mode where isolated safeguards do not compose safely in an AI workflow. That framing is useful because it keeps the focus on sequence, context, and cross-tool interaction rather than on generic AI risk. Practitioners should use this concept when documenting where their control model breaks under agentic behaviour.

From our research:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • That visibility gap is why readers should also review OWASP Agentic AI Top 10 for the control patterns that break when autonomous workflows chain tools across systems.

What this signals

Runtime composition is becoming the real identity problem for agentic systems. Teams are moving from isolated tool approval to connected workflow governance, because the risk sits in the path an agent can assemble at runtime. That makes sequence-aware review, sink control, and approval placement more important than static permission counts.

Toxic combination should become a standard design label in agent governance. When a read channel can feed a write channel without a trusted boundary, the issue is not feature breadth but control composition. Security teams should document these paths explicitly and use them to drive policy, review, and red-teaming priorities.

With 92% of organisations already saying governing AI agents is critical to enterprise security, the operational question is no longer whether to act. It is which agent workflows still rely on review assumptions that fail once context and execution are chained together, and the answer should inform programme redesign now.


For practitioners

  • Model agent workflows end to end: Draw each agent's source-to-sink path, including monitoring inputs, reasoning steps, tool calls, and final write actions, so you can see where untrusted content can influence privileged outcomes.
  • Separate read paths from mutation paths: Keep observation, analysis, and write operations on different credentials or approval boundaries so a single tainted input cannot flow directly into a commit, deploy, or configuration change.
  • Review permissions as allowed sequences: Assess whether two individually acceptable tools become unsafe when chained in the same session, and remove combinations that let an agent move from external input to production impact without a checkpoint.
  • Put human approval before the sink: Require a reviewer before code commits, deployments, or sensitive database writes, not after the agent has already decided on the action path.
  • Instrument anomaly detection for tool chaining: Watch for unusual transitions such as message ingestion followed by rapid write activity, because those sequences often reveal when an agent has turned tainted input into action.
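The last bullet is a detection rule, and it is easy to state precisely once tool calls are logged with the two flags that matter (does the tool return externally authored content, does it mutate). The following is an added example written for this summary, not code from Pillar Security or from any product: it runs a sequence detector over a handful of constructed JSONL tool-call events, rates a chain "high" when the write lands within a short window of the untrusted read and "medium" otherwise, and sorts events per session first because log delivery is rarely in causal order. The log schema and tool names are assumptions.

```python
"""Sequence detection over agent tool-call logs (added illustration).

Flags sessions in which a read from an untrusted channel is followed by a
mutating tool call, and rates the chain 'high' when the write lands within a
short window of the read (the 'message ingestion followed by rapid write'
pattern), 'medium' otherwise. Log format and tool names are constructed.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime

# Constructed JSONL tool-call events. Session s3's two lines are deliberately
# out of order to show why the detector sorts before pairing source and sink.
SAMPLE_LOG = """
{"ts": "2025-09-03T10:00:00Z", "session": "s1", "tool": "slack.read_channel", "mutates": false, "untrusted": true}
{"ts": "2025-09-03T10:00:05Z", "session": "s1", "tool": "github.read_file", "mutates": false, "untrusted": false}
{"ts": "2025-09-03T10:00:12Z", "session": "s1", "tool": "github.push_commit", "mutates": true, "untrusted": false}
{"ts": "2025-09-03T10:05:00Z", "session": "s2", "tool": "metrics.query", "mutates": false, "untrusted": false}
{"ts": "2025-09-03T10:05:30Z", "session": "s2", "tool": "github.create_pull_request", "mutates": true, "untrusted": false}
{"ts": "2025-09-03T11:30:00Z", "session": "s3", "tool": "github.create_pull_request", "mutates": true, "untrusted": false}
{"ts": "2025-09-03T11:00:00Z", "session": "s3", "tool": "slack.read_channel", "mutates": false, "untrusted": true}
""".strip()


def parse_ts(value: str) -> datetime:
    # datetime.fromisoformat accepts a trailing 'Z' only from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_taint_chains(log_text: str, fast_window_s: float = 60.0) -> list[dict]:
    """Return one alert per (session, sink) where an untrusted read preceded the sink."""
    by_session: dict[str, list[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            by_session[event["session"]].append(event)

    alerts = []
    for session, events in by_session.items():
        events.sort(key=lambda e: parse_ts(e["ts"]))  # restore causal order
        last_untrusted = None  # most recent externally authored content read
        for event in events:
            if event["untrusted"]:
                last_untrusted = event
            elif event["mutates"] and last_untrusted is not None:
                delta = (parse_ts(event["ts"]) - parse_ts(last_untrusted["ts"])).total_seconds()
                alerts.append({
                    "session": session,
                    "source": last_untrusted["tool"],
                    "sink": event["tool"],
                    "seconds_since_source": delta,
                    # Taint does not expire, so a slow chain is still reported;
                    # only the urgency differs.
                    "severity": "high" if delta <= fast_window_s else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_taint_chains(SAMPLE_LOG):
        print(alert)
```

Session s2 produces nothing because no untrusted source ever entered the context, even though it ends in a write. Session s3 shows the caveat with window-based rules: a chain separated by half an hour is still a chain, so the detector keeps it at lower severity rather than dropping it. Detection of this kind complements, and does not replace, the gating described earlier, because by the time the sink event is logged the write has already happened.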

Key takeaways

  • Vertical agentic risk emerges when individually safe tools become dangerous only after an AI agent chains them together.
  • The unit of analysis in this model is the source-to-sink path, where untrusted input becomes a privileged action without a trustworthy boundary in between.
  • Practitioners should govern agent workflows as sequences, then place human approval and monitoring at the sinks that can still prevent impact.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework               | Control / Reference            | Relevance
OWASP Agentic AI Top 10 | A1                             | The article centres on tool chaining and agentic workflow abuse.
CSA MAESTRO             | n/a                            | MAESTRO addresses multi-agent and tool orchestration risks in agentic systems.
NIST CSF 2.0            | PR.AA-05 (PR.AC-4 in CSF 1.1)  | Least-privilege access is central to limiting agent blast radius.

Map every agent source-to-sink path and block sequences that let untrusted input trigger privileged actions.


Key terms

  • Taint Analysis: A method for tracking untrusted data as it moves through a system until it reaches a sensitive operation. In agentic environments, it helps security teams see when external content can influence tool selection, code changes, or other privileged actions that should not have been reachable from that input.
  • Vertical Agentic Risk: The risk created when an AI agent is built for a specific workflow and combines multiple tools or integrations into a sequence that was never evaluated as a whole. The danger is not the individual permission, but the runtime composition of those permissions into a harmful path.
  • Toxic Combination: A sequence of capabilities that is safe in isolation but unsafe when an agent uses them together. This term is useful for identifying the exact place where an apparently harmless input, read, or observation can be turned into a privileged write, deploy, or configuration change.
  • Source-to-Sink Path: The end-to-end route from untrusted input to a sensitive action. In agent governance, it is the most practical way to understand whether a message, API response, or external signal can reach a high-impact operation without a trustworthy control boundary intervening.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Pillar Security: Addressing Vertical Agentic Risks with Taint Analysis. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org