TL;DR: Agentic failures emerge across prompts, tool calls, memory, and multi-step execution in NVIDIA NeMo Agent Toolkit, with structured scoring and risk propagation revealing where attacks succeed or spread, according to Lakera. The real lesson is that model checks alone cannot govern workflow-level behaviour when the execution layer is where risk compounds.
NHIMG editorial — based on content published by Lakera: Red Teaming Agentic Capabilities in NVIDIA NeMo Agent Toolkit
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
Questions worth separating out
Q: How should security teams red team agentic AI systems in practice?
A: Security teams should test agentic AI systems end to end, not just at the model prompt.
Q: Why do agent workflows create more governance risk than standalone models?
A: Agent workflows create more governance risk because they combine reasoning with action.
Q: What do organisations get wrong about AI agent risk scores?
A: They often treat risk scores as reporting rather than decision input.
Practitioner guidance
- Map agent workflows as governed execution paths Document every user input, tool call, intermediate state, and handoff that can change what the agent does.
- Red team the workflow, not only the model Run scenario-based tests that inject adversarial conditions at user input, indirect data sources, and tool boundaries.
- Tie agent permissions to the smallest usable task scope Limit which tools, data sources, and actions an agent can reach in each workflow stage.
What's in the full article
Lakera's full research covers the operational detail this post intentionally leaves for the source:
- The sample Retail Agent configuration and how the evaluation point is set for workflow_output.
- Per-scenario attack success rate and normalized score output that lets teams compare failures across runs.
- The exact scenario structure used to test user input, indirect data sources, and tool boundaries.
- Examples of how score distributions reveal consistent versus intermittent agent failures.
👉 Read Lakera's research on red teaming agentic capabilities in NVIDIA NeMo Agent Toolkit →
Agentic AI red teaming: what it means for IAM teams?
Explore further
Execution-layer governance is now the real control plane for agentic AI. Lakera’s framing is correct because the security boundary has moved from the model response to the workflow that surrounds it. Tool calls, memory, and handoffs create failure paths that a model-level check will never see in full. Practitioners should treat agent workflows as governed execution systems, not just smarter chat interfaces.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: How do AI agents change identity governance for NHI programmes?
A: AI agents shift identity governance toward runtime authority. Instead of managing only static service accounts or API keys, teams must govern what the agent can do during execution, which tools it can call, and how far its decisions can propagate. That makes least privilege, auditability, and lifecycle control apply to behaviour as well as credentials.
👉 Read our full editorial: Red teaming agentic AI workflows is now an execution-layer problem