AI agent attack techniques in ATLAS: what changes for IAM teams

TL;DR: AI agent adversary coverage was extended with 14 agent-focused techniques and subtechniques to address threats that can be manipulated through context, memory, configuration, tools, and data access, according to Zenity. The important shift is that agent behaviour now has to be governed as an identity and access problem, not only as a prompt-safety problem.

NHIMG editorial — based on content published by Zenity: Zenity Labs and MITRE ATLAS collaborate to advance AI agent security with the first release of agent-focused TTPs

By the numbers:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
• 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.

Questions worth separating out

Q: How should security teams govern AI agents that can use tools and data sources?

A: Security teams should govern AI agents as privileged actors with explicit tool boundaries, data boundaries, and logging.

Q: What breaks when AI agent context or memory can be manipulated?

A: When context or memory is mutable and untrusted, the agent’s future decisions can be steered by attacker-controlled inputs.

Q: How do you know if AI agent tool access is too broad?

A: Agent tool access is too broad when the operator cannot explain which data source, system, or write action each tool is allowed to reach.

Practitioner guidance

• Map agent tool exposure as an access inventory List every tool, service, retrieval source, and credential-bearing configuration item an AI agent can touch, then assign ownership for each one.
• Treat memory and thread state as hostile inputs Review where an agent persists context across turns or sessions, and define controls for poisoning, reuse, and retention.
• Separate tool permission from data permission Do not assume that allowing an agent to use a tool is equivalent to allowing it to move sensitive data through that tool.

What's in the full article

Zenity's full research covers the operational detail this post intentionally leaves for the source:

• The full agent technique list and how each one maps to adversary behaviour in AI systems
• Examples of agent configuration, memory, and retrieval abuse that help teams build detection logic
• The practical breakdown of tool discovery, credential harvesting, and exfiltration patterns
• The open-source AI Agents Attack Matrix context that practitioners can use for deeper threat modelling

👉 Read Zenity's analysis of AI agent attack techniques added to MITRE ATLAS →

AI agent attack techniques in ATLAS: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →