Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI agent workflows and fragile intent: are your tests keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: AI security testing has moved from model prompts to full agent workflows, where tools, APIs, memory, and multi-step interactions create a larger attack surface and make input or output filtering insufficient, according to Lasso Security. Coverage now has to be continuous, behavioral, and intent-aware because agents can drift, be redirected, and act outside their intended scope without obvious single-step failures.

NHIMG editorial — based on content published by Lasso Security: AI Security Testing Has a Coverage Problem. Automated AI Red Teaming Fixes It

By the numbers:

Questions worth separating out

Q: How should security teams test AI agents that use multiple tools and APIs?

A: Security teams should test the full workflow, not just the prompt and response.

Q: Why do AI agents create more security risk than chatbots?

A: AI agents can take actions, not just generate text.

Q: How do you know if AI security testing is actually working?

A: Testing is working when it finds behavior that single-turn checks miss, especially tool misuse, context drift, and scope expansion across realistic workflows.

Practitioner guidance

  • Build a complete agent inventory List every AI agent and workflow-connected system, including model, tools, memory sources, and external APIs.
  • Test for multi-turn redirection Use conversation sequences that gradually shift context and challenge fragile intent, then measure whether the agent stays within the original task boundary across the full interaction.
  • Treat system prompts as security-sensitive assets Version, review, and test prompts alongside other privileged configuration because prompt changes can alter agent behaviour as much as code changes.

What's in the full article

Lasso Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step testing coverage across single-turn, multi-turn, and bespoke workflows for agentic systems
  • Examples of fragile-intent probing across realistic customer support and internal workflow scenarios
  • Inventory and reconnaissance methods for discovering prompts, tools, APIs, and connected services before testing begins
  • How automated red teaming findings can be converted into runtime guardrails

👉 Read Lasso Security's analysis of AI security testing coverage for agent workflows →

AI agent workflows and fragile intent: are your tests keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

AI security testing has become an identity problem, not just a model problem. Once an agent can select tools, call APIs, and carry context across steps, the control question shifts from what it outputs to what it is authorized to do. That is why agentic systems belong in the same governance conversation as non-human identities, because the failure mode is now execution, not content. Practitioners should treat workflow access as the real testing target.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: What should organisations do when an AI agent’s scope keeps changing?

A: They should move from point-in-time review to continuous validation tied to lifecycle events such as model updates, prompt edits, and new tool connections. If the agent’s effective scope changes often, governance has to track the workflow as a living access boundary, not a fixed application setting.

👉 Read our full editorial: AI security testing now needs coverage across agent workflows



   
ReplyQuote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

AI security testing has become an identity problem, not just a model problem. Once an agent can select tools, call APIs, and carry context across steps, the control question shifts from what it outputs to what it is authorized to do. That is why agentic systems belong in the same governance conversation as non-human identities, because the failure mode is now execution, not content. Practitioners should treat workflow access as the real testing target.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: What should organisations do when an AI agent’s scope keeps changing?

A: They should move from point-in-time review to continuous validation tied to lifecycle events such as model updates, prompt edits, and new tool connections. If the agent’s effective scope changes often, governance has to track the workflow as a living access boundary, not a fixed application setting.

👉 Read our full editorial: AI security testing now needs coverage across agent workflows



   
ReplyQuote
Share: