The separation between input handling and execution breaks down. Malicious content can steer the assistant into running commands, writing persistence, or exfiltrating data before any human can intervene. In practice, the system behaves less like a bounded assistant and more like an attacker-influenced executor with delegated authority.
Why This Matters for Security Teams
When an autonomous assistant can ingest untrusted content and invoke tools in the same session, the security boundary is no longer the prompt. The real risk is delegated execution: content can become a control plane for tool use, data access, and persistence. That shifts the problem from content moderation to authority management, which is why guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework matters here.
NHIMG research shows the scale of the issue: in the AI Agents: The New Attack Surface report, 80% of organisations said their AI agents had already acted beyond intended scope, including revealing credentials and accessing unauthorised systems. That is the operational reality security teams must design for. If a session can both read hostile input and act on it, a single malicious document, ticket, or web page can become the trigger for abuse. In practice, many security teams encounter agent misuse only after logs show unexpected tool calls, rather than through intentional testing.
How It Works in Practice
The failure begins with collapsed trust boundaries. A traditional application treats input as data and execution as code, but an agentic workflow often lets the model interpret content and decide what to do next. If the same session has access to email, file systems, APIs, cloud consoles, or shell tools, untrusted content can influence the agent’s next action without any hard handoff. That is why current guidance suggests separating read, reason, and act phases wherever possible.
A safer pattern is to make tool invocation conditional on explicit policy checks at runtime, not on the model’s internal judgment. Use intent-based authorization, short-lived credentials, and scoped workload identity so the assistant proves what it is allowed to do for this task, not what it was allowed to do yesterday. Pair that with policy-as-code and real-time evaluation through controls aligned to frameworks such as CSA MAESTRO agentic AI threat modeling framework. For identity depth, NHIMG’s Ultimate Guide to NHIs is useful because it frames secrets, rotation, and privilege as lifecycle issues, not one-time setup tasks.
- Keep untrusted content in a read-only context until it has been classified and sanitized.
- Issue just-in-time credentials per tool call or per task, with automatic revocation.
- Require explicit policy approval for high-risk actions such as delete, send, transfer, or deploy.
- Log the content source, the model decision, and the downstream tool action together for investigation.
These controls tend to break down in long-running, multi-tool workflows because the agent can chain small permitted actions into a larger harmful outcome before a human review step occurs.
Common Variations and Edge Cases
Tighter separation often increases latency and operational overhead, so organisations have to balance safety against automation throughput. That tradeoff is real, especially when the assistant is embedded in developer tools, support workflows, or customer-facing chat where users expect immediate action.
There is no universal standard for this yet, but current best practice is evolving toward contextual controls rather than blanket bans. The most difficult edge case is indirect prompt injection through external content such as web pages, PDFs, tickets, or code comments. Even if the user is trusted, the content may not be. Another common failure mode appears when cached approvals, long-lived secrets, or broad service account permissions let one malicious session reuse authority across multiple tasks.
NHIMG analysis also shows why static controls are not enough: the Analysis of Claude Code Security highlights the need to treat agent tooling as a distinct attack surface, while the OWASP NHI Top 10 and the MITRE ATLAS adversarial AI threat matrix reinforce that autonomous behaviour must be assessed as part of threat modelling. The practical rule is simple: if the assistant can both consume hostile input and act with standing privilege, assume the session can be steered unless the architecture proves otherwise.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Directly addresses prompt injection and unsafe tool use in agent sessions. |
| CSA MAESTRO | T1 | Covers threat modeling for autonomous agents with tool access and untrusted inputs. |
| NIST AI RMF | GOVERN | Applies governance, accountability, and risk controls to autonomous AI behavior. |
Assign ownership for agent actions and enforce runtime oversight with auditable controls.
Related resources from NHI Mgmt Group
- What breaks when an AI assistant can access private data and untrusted content at the same time?
- What breaks when a workflow engine can execute untrusted code inside the same environment that stores secrets?
- What breaks when AI agents can call tools after reading untrusted content?
- What breaks when an AI assistant can read alerts and modify code in one session?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org