AI agent workflows and fragile intent: are your tests keeping up?

TL;DR: AI security testing has moved from model prompts to full agent workflows, where tools, APIs, memory, and multi-step interactions create a larger attack surface and make input or output filtering insufficient, according to Lasso Security. Coverage now has to be continuous, behavioral, and intent-aware because agents can drift, be redirected, and act outside their intended scope without obvious single-step failures.

NHIMG editorial — based on content published by Lasso Security: AI Security Testing Has a Coverage Problem. Automated AI Red Teaming Fixes It

By the numbers:

• 48% of cybersecurity professionals now identify agentic AI and autonomous systems as the top attack vector heading into 2026.
• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should security teams test AI agents that use multiple tools and APIs?

A: Security teams should test the full workflow, not just the prompt and response.

Q: Why do AI agents create more security risk than chatbots?

A: AI agents can take actions, not just generate text.

Q: How do you know if AI security testing is actually working?

A: Testing is working when it finds behavior that single-turn checks miss, especially tool misuse, context drift, and scope expansion across realistic workflows.

Practitioner guidance

• Build a complete agent inventory List every AI agent and workflow-connected system, including model, tools, memory sources, and external APIs.
• Test for multi-turn redirection Use conversation sequences that gradually shift context and challenge fragile intent, then measure whether the agent stays within the original task boundary across the full interaction.
• Treat system prompts as security-sensitive assets Version, review, and test prompts alongside other privileged configuration because prompt changes can alter agent behaviour as much as code changes.

What's in the full article

Lasso Security's full blog post covers the operational detail this post intentionally leaves for the source:

• Step-by-step testing coverage across single-turn, multi-turn, and bespoke workflows for agentic systems
• Examples of fragile-intent probing across realistic customer support and internal workflow scenarios
• Inventory and reconnaissance methods for discovering prompts, tools, APIs, and connected services before testing begins
• How automated red teaming findings can be converted into runtime guardrails

👉 Read Lasso Security's analysis of AI security testing coverage for agent workflows →

AI agent workflows and fragile intent: are your tests keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →