Terug naar Blog

AI-agenten worden werknemers. We moeten beginnen ze te beveiligen als werknemers.

Prompt-injectie is niet langer het hele verhaal. Naarmate AI-agenten tools, geheugen en autonomie krijgen, moet beveiliging het hele systeem sturen, niet alleen het model.

The AI industry has spent the last few years obsessing over prompt injection—worrying that a malicious prompt might trick a chatbot into producing an unintended response.

But prompt injection is no longer the whole story.

Today's AI systems are rapidly evolving from passive assistants into autonomous agents. They don't just answer questions anymore. They access files, parse emails, invoke APIs, execute multi-step workflows, and make operational decisions on behalf of users.

And the moment an AI system gains the ability to act, the security playbook changes completely.

A recent USENIX Security 2026 paper, SoK: Attack and Defense Landscape of Agentic AI Systems by Kim et al., provides one of the most comprehensive analyses of agent security to date. The researchers reviewed 128 academic papers, identified 51 attack techniques and 60 defense strategies, and proposed a framework for understanding the emerging security challenges of autonomous AI systems.

Their central conclusion is straightforward:

For organizations building, deploying, or relying on AI-powered products, that should serve as a wake-up call.

The more autonomy an AI agent gains, the larger its attack surface becomes.

Why Agent Security Is Different

Traditional software follows predefined logic. Traditional LLM applications primarily generate text. Agentic systems operate differently.

They combine language models with external tools, memory systems, databases, APIs, and autonomous decision-making capabilities. An enterprise agent can read an incoming email, retrieve information from internal documentation, query a CRM, update a database, and send a response—all within a single workflow.

That flexibility is what makes agents so powerful. It's also what makes them difficult to secure.

The USENIX paper argues that focusing solely on model safety is insufficient. Security must be evaluated across the entire agent ecosystem: the model, its memory, its tools, its data sources, and the actions it can perform.

The Seven Dimensions of Agent Risk

The researchers identify seven key dimensions that influence an agent's security posture:

  • Input Trust — Where does information originate?
  • Data Access Sensitivity — What information can the agent access?
  • Workflow Autonomy — Can it independently decide what to do next?
  • Action Capability — Can it modify, delete, or transmit data?
  • Memory Persistence — Does information persist across sessions?
  • Tool Availability — What external systems can it invoke?
  • User Interface Power — How much influence does it have over user decisions?

Consider the difference between a customer-support chatbot and an autonomous executive assistant.

Every additional capability increases utility. But it also expands the attack surface and creates new opportunities for misuse, manipulation, or unintended behavior.

Security becomes less about protecting a model and more about governing a complex system.

Context Is the New Security Boundary

For decades, cybersecurity has focused on three principles: confidentiality, integrity, and availability. Those principles remain essential.

But agentic AI introduces a new challenge: contextual security.

An agent can have strong authentication, encrypted communications, and strict access controls, yet still fail catastrophically because it acts on malicious or manipulated information.

Imagine an agent processing a seemingly harmless PDF uploaded by an external party. Hidden instructions inside the document tell the agent to ignore previous guidance, retrieve sensitive information, and transmit it elsewhere.

This distinction matters because many emerging AI attacks exploit information flow rather than software vulnerabilities.

The system was not compromised through stolen credentials.

The infrastructure was not breached.

The agent simply followed the wrong context.

For agentic systems, context becomes a security boundary just as important as authentication, encryption, or network segmentation.

Why Memory Creates New Risks

AI memory is often presented as a user experience feature. The argument is simple: better memory enables better personalization.

But memory also creates persistence. And persistence creates risk.

The USENIX paper highlights how attackers may attempt to poison long-term memory stores with malicious instructions or misleading information. Once written into memory, that content can influence future decisions long after the original interaction has ended.

Unlike a temporary prompt injection attack, memory poisoning can persist across workflows, users, and time. The result is a fundamentally different security challenge.

Memory is no longer just a convenience feature.

Memory is infrastructure.

And infrastructure requires governance.

The Most Dangerous Agents Are the Ones With Permissions

The greatest risks in agentic AI do not necessarily come from the intelligence of the model. They come from the authority granted to it.

A model that generates an incorrect paragraph is inconvenient. An agent with access to customer records, internal documents, financial systems, communication platforms, and automation tools can create real-world consequences.

As organizations connect agents to increasingly powerful systems, the focus must shift from model capability to operational control.

The critical question is no longer “How smart is the model?” It is: “What is the model allowed to do?”

Building Trustworthy Agent Systems

The paper's broader lesson is that agent security requires defense-in-depth.

Organizations deploying AI agents should prioritize:

  • Trusted vs. untrusted data — Strong separation between trusted and untrusted data sources
  • Permission boundaries — Explicit limits around what agents can do
  • Memory governance — Controls for long-term memory systems
  • Human approval — Sign-off for high-risk operations
  • Audit and observability — Comprehensive logging and monitoring
  • Tool access policies — Clear rules for external integrations

These principles mirror long-established cybersecurity practices because, increasingly, AI agents resemble employees more than software features.

The Bigger Lesson

The industry frequently describes AI agents as digital employees. That analogy is becoming increasingly accurate.

Employees receive training. Employees operate under policies. Employees have defined permissions. Employees are monitored. Employees can make mistakes.

AI agents are no different. The only difference is that they can make mistakes at machine speed.

The most successful AI products of the next decade will not simply have the most capable models. They will have the strongest trust architecture.

Intelligence attracts users.

Trust keeps them.

Protecting context, not just data

At PrivateNote.ai, we believe protecting context is becoming just as important as protecting data itself. As AI systems gain access to more of our personal notes, business knowledge, and operational workflows, security must extend beyond storage and encryption to include the information agents consume, remember, and act upon.