TL;DR: Context engineering failures can let attackers poison prompts, retrieval pipelines, and business logic so AI systems leak data or take unsafe actions, even when the model itself is not compromised, according to Pillar Security. The security boundary has shifted upward into context, where access control, sanitation, and runtime policy now determine trust.
NHIMG editorial — based on content published by Pillar Security: Securing Context Engineering
By the numbers:
- Today, these systems have failure rates ranging from 60% to 90%, often because they lack the situational data needed to ground their outputs.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes , and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams control context in agentic AI systems?
A: Security teams should treat context as a governed input, not an implementation detail.
Q: Why do context poisoning attacks matter if the model itself is secure?
A: They matter because the model is often not the target.
Q: What do teams get wrong about securing AI agents?
A: Teams often secure the application code while leaving prompts, retrieval sources, and orchestration paths loosely governed.
Practitioner guidance
- Map every runtime context source Inventory the documents, tickets, prompts, APIs, and orchestration inputs that can influence agent behavior, then classify which ones are trusted, untrusted, or conditional.
- Restrict context ingestion by role and purpose Apply role-based controls so only approved users, services, or agents can feed context into production workflows.
- Sanitize and classify all context before retrieval Remove unnecessary sensitive data such as PII, label source provenance, and prevent low-trust content from entering agent prompts or retrieval stores.
What's in the full article
Pillar Security's full blog covers the operational detail this post intentionally leaves for the source:
- A step-by-step breakdown of how context poisoning enters retrieval pipelines and changes model behaviour.
- Specific examples of runtime guardrails for prompts, orchestration tools, and business logic paths.
- Operational guidance for sanitising, classifying, and versioning context sources before they reach the model.
- The article's own walkthrough of Shift Up security practices for agentic AI environments.
👉 Read Pillar Security's analysis of context engineering attacks on agentic AI →
Context engineering attacks: what IAM and AI teams are missing?
Explore further
Context engineering is now an identity governance problem, not just an AI quality problem. The article shows that the decisive control point is who can shape the data an agent trusts at runtime. That moves the boundary of governance from model-centric review to source, retrieval, and orchestration control. For IAM and NHI teams, the practical implication is that trust in context must be managed like trust in credentials.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How do organisations know whether their AI context controls are working?
A: They should be able to trace every agent decision back to a known context source, see which inputs were trusted at runtime, and detect when unapproved content was excluded or downgraded. If the team cannot reconstruct the context path during review or incident response, the controls are not yet effective.
👉 Read our full editorial: Context engineering exposes the real attack surface in agentic AI