Definition

Agent Security is the practice of protecting AI agents from unsafe tool use, prompt injection, data leakage, privilege misuse, and uncontrolled automation when they interact with real systems such as SIEM, SOAR, EDR, threat-intelligence platforms, and ticketing tools.

An AI agent is no longer a chat box. The moment you give a model a set of tools — search this index, isolate that host, post to this ticket — it becomes an active participant in your infrastructure. Agent Security is the discipline that asks: under what conditions is that participation safe, reviewable, and reversible?

The trust boundary moved

For most of the last decade, the trust boundary in a SOC was at the analyst console. A human read alerts, decided what to do, and operated tools. The audit story was simple: who logged in, what did they click.

When an agent sits between the alert and the tool, the trust boundary moves. The agent now holds privileges that used to be guarded by an interactive login. That's not inherently bad — agents are tireless, deterministic in shape, and good at the boring middle of incident handling. But the security work that used to live in the console UI needs to be redone at the agent's edge.

What can go wrong

The threat catalog for tool-calling agents is not exotic. It's mostly familiar risks reshaped by the agent's privileges:

  • Prompt injection. Untrusted content — emails, alert payloads, web pages — manipulates the agent into actions outside its remit.
  • Scope escalation. The agent calls a legitimate tool with arguments outside its authorized scope.
  • Exfiltration through tool arguments. Sensitive context smuggled into URLs, query strings, or webhook fields that travel to attacker-controlled endpoints.
  • Confused deputy. The agent's identity is used to do what the calling user could not.
  • Audit erasure. Agents that fail without leaving a structured record of what they tried to do.

What good Agent Security looks like

A working Agent Security posture is built from a small number of controls, applied at the boundary between the agent and the tools it can call:

  • Scoped tool surface. Agents see only the tools they need, with arguments constrained by schemas.
  • Policy engine. A separate, deterministic layer decides whether a specific call with specific arguments is allowed right now.
  • Approval modes. Consequential tools — containment, blocking, notification — require human authorization, with the right context surfaced for a fast decision.
  • Layered injection defense. Detection on input, output, and tool arguments, instead of a single filter that you hope catches everything.
  • Tamper-evident audit. Every tool call, argument, output, and approval is recorded and replayable.
The agent stays narrow on purpose. Productivity wins come from removing analyst toil, not from removing analyst judgment.

How to start

You do not need to solve the whole problem at once. The most useful first move is:

  1. Inventory the tools an agent can actually call, and the arguments each tool accepts.
  2. Define schemas for every tool's parameters; reject anything outside them.
  3. Move the call site behind a proxy you control. Now you have a place to put policy, redaction, approval, and audit.
  4. Pick the two or three tools whose misuse would do real harm. Put them behind review mode and design the approval UX before opening them up.

That is a complete Agent Security v1. Everything else — classifier-based injection detection, multi-agent session graphs, signed audit exports — sits on top of those four moves.

Related reading