TL;DR: Azure AI Foundry agents can be compromised through prompt injection that turns email-triggered workflows, data sources, and action tools into an exfiltration path, according to Zenity. The central problem is not one control failure but the assumption that untrusted inputs can still be safely routed through highly capable agent workflows.
NHIMG editorial — based on content published by Zenity: Inside the Agent Stack, Securing Azure AI Foundry-Built Agents
Questions worth separating out
Q: How should security teams stop prompt injection from reaching agent tools?
A: Security teams should separate untrusted input from agent instructions, constrain tool access to the minimum workflow need, and enforce policy checks at runtime.
Q: Why do AI agents create a larger identity risk than ordinary automation?
A: AI agents can interpret content, choose actions, and chain tools in ways ordinary automation cannot.
Q: What breaks when an agent can read sensitive data and send email?
A: The trust model breaks because the same workflow can both discover sensitive information and transmit it outside the intended boundary.
Practitioner guidance
- Map trigger to exfiltration paths Inventory every agent workflow from inbound trigger through tool invocation to outbound transmission.
- Split instruction channels from content channels Refactor workflows so user-originated data cannot be interpreted as agent instructions.
- Restrict connector authority by workflow role Grant each agent only the connectors it needs for one business function.
What's in the full article
Zenity's full blog covers the operational detail this post intentionally leaves for the source:
- The exact Azure Logic Apps and Foundry workflow sequence used to demonstrate the attack path.
- The security graph and runtime telemetry approach Zenity uses to map triggers, actions, and data sources.
- The layered controls used for build-time assessment, threat detection, automated response, and inline prevention.
- The specific workflow changes that block the send-email action before exfiltration completes.
👉 Read Zenity's analysis of Azure AI Foundry agent prompt injection risk →
Azure AI Foundry agent workflows: where the governance gap starts?
Explore further
Prompt injection is a workflow governance failure before it is a model failure: The broken premise is that untrusted input can be processed inside the same execution path that also carries sensitive authority. Once an email can influence routing, retrieval, and outbound action, the agent is no longer just reading content. It is participating in the attack path. Practitioners should treat this as a control-boundary problem, not a prompt-tuning problem.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to SailPoint research.
A question worth separating out:
Q: How do organisations govern agent security without over-trusting platform safeguards?
A: Organisations should treat platform safeguards as one layer, not the control model. Real governance needs visibility into every agent thread, policy enforcement over tool use, and inline prevention for unsafe actions. That approach is stronger because it catches abuse at runtime, where prompt injection and chained tool actions actually unfold.
👉 Read our full editorial: Securing Azure AI Foundry agents starts with workflow boundaries