TL;DR: Azure AI Foundry agents can be compromised through prompt injection that turns email-triggered workflows, data sources, and action tools into an exfiltration path, according to Zenity. The central problem is not one control failure but the assumption that untrusted inputs can still be safely routed through highly capable agent workflows.
NHIMG editorial — based on content published by Zenity: Inside the Agent Stack, Securing Azure AI Foundry-Built Agents
Questions worth separating out
Q: How should security teams stop prompt injection from reaching agent tools?
A: Security teams should separate untrusted input from agent instructions, constrain tool access to the minimum workflow need, and enforce policy checks at runtime.
Q: Why do AI agents create a larger identity risk than ordinary automation?
A: AI agents can interpret content, choose actions, and chain tools in ways ordinary automation cannot.
Q: What breaks when an agent can read sensitive data and send email?
A: The trust model breaks because the same workflow can both discover sensitive information and transmit it outside the intended boundary.
Practitioner guidance
- Map trigger-to-exfiltration paths: Inventory every agent workflow from inbound trigger through tool invocation to outbound transmission.
- Split instruction channels from content channels: Refactor workflows so user-originated data cannot be interpreted as agent instructions.
- Restrict connector authority by workflow role: Grant each agent only the connectors it needs for one business function.
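The runtime policy check described in the Q&A and the three guidance items above, as an added example that is not from the Zenity post or from Azure AI Foundry itself: a gate that scopes connectors to a workflow role and blocks a send-email action when the run was started by untrusted inbound content or has already read a sensitive data source. Role names, tools, domains and the ToolCall shape are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example policy: which connectors each workflow role may call,
# and which recipient domains sit inside the trust boundary.
ROLE_TOOLS = {
    "invoice_triage": {"read_mailbox", "lookup_vendor", "send_email"},
    "hr_lookup": {"read_mailbox", "search_sharepoint"},
}
INTERNAL_DOMAINS = {"example.com"}


@dataclass
class ToolCall:
    role: str                 # workflow role the agent runs under
    tool: str                 # connector the agent proposes to invoke
    args: dict                # arguments the agent proposes for the tool
    untrusted_trigger: bool   # run was started by external content (e.g. inbound email)
    touched_sensitive: bool   # an earlier step read a sensitive data source


def gate(call: ToolCall) -> tuple[bool, str]:
    """Allow or deny one proposed tool invocation at runtime."""
    if call.tool not in ROLE_TOOLS.get(call.role, set()):
        return False, f"tool {call.tool} not granted to role {call.role}"
    if call.tool == "send_email":
        recipient = call.args.get("to", "")
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            # The exfiltration path: discovery plus outbound transmission in one run.
            if call.untrusted_trigger:
                return False, "external send blocked: run was triggered by untrusted content"
            if call.touched_sensitive:
                return False, "external send blocked: run read a sensitive data source"
    return True, "allowed"


def wrap_untrusted(content: str) -> str:
    """Label inbound content as data before it reaches the model prompt.

    Delimiting is not an enforcement boundary on its own; gate() is the
    control that actually stops the action. The wrapper only keeps the
    content channel visibly separate from the instruction channel.
    """
    body = content.replace("</untrusted_content>", "")
    return f'<untrusted_content purpose="data-only">\n{body}\n</untrusted_content>'
```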
What's in the full article
Zenity's full blog covers the operational detail this post intentionally leaves for the source:
- The exact Azure Logic Apps and Foundry workflow sequence used to demonstrate the attack path.
- The security graph and runtime telemetry approach Zenity uses to map triggers, actions, and data sources.
- The layered controls used for build-time assessment, threat detection, automated response, and inline prevention.
- The specific workflow changes that block the send-email action before exfiltration completes.
Read Zenity's analysis of Azure AI Foundry agent prompt injection risk for the full detail.