LmCast :: Stay tuned in

Agentic AI Isn't Risky; the Way Orgs Deploy It Is

Recorded: May 28, 2026, 4:03 p.m.

Original

AI agents aren't black boxes — they're models interacting with software tools. The risk lies in their overlap.

Nate Nelson, Contributing Writer
May 28, 2026
5 Min Read
Source: Rawf8 via Alamy Stock Photo

In the mad dash to deploy agentic artificial intelligence (AI) technology, developers aren't taking enough time to understand how their programs work, and they're inadvertently generating a whole lot of very old-fashioned vulnerabilities.

The universe of AI agents in today's advanced economies is immeasurably large; literally, nobody has any clue how many of these things are out there. Some recent data suggests that somewhere around a third of organizations have either already adopted, or will soon adopt, agentic AI tech, but even those measurements rest on self-reporting, generalized data, or loose predictions.

Contrary to popular belief, however, the agents themselves are not black boxes. In an unusually long presentation at Infosecurity Europe next month, researchers at Acronis are going to attempt to correct this unhelpful narrative by demonstrating how these bots work at a fundamental level. And by picking apart how AI agents work, they argue, an even more interesting finding emerges: the cybersecurity vulnerabilities in this tech are not the fault of the AI; they're mostly a byproduct of traditionally bad coding.

"What people don't understand is that agentic systems still rely on a lot of old-world technology and a lot of old-world vulnerabilities," says Acronis senior security researcher Eliad Kimhy. As agentic AI tech spreads more and more, "what we are going to see being abused are plain old vulnerabilities in software. And if you don't understand that, you're going to write bad software, and you're going to rely on your large language model (LLM) to do the rest. That's a bad approach."

The Vulnerabilities in Agentic AI

Last fall, researchers discovered a critical vulnerability in Salesforce. If an attacker planted a malicious prompt in a certain kind of Salesforce form, an AI agent interpreting it on the back end might carry out its instructions. The issue was made worse by the fact that Salesforce was still whitelisting an expired, easily purchasable domain.

Early this year, a researcher discovered a dangerous exploit chain in ServiceNow. Thanks to an overly permissive chatbot — protected only by a factory-default credential — that could be authenticated as any user simply by supplying their email address, the researcher found that he could access and create powerful AI agents in any company's ServiceNow instance.

What do these stories, and so many more like them, have in common?

Since agentic AI has introduced so much new risk to organizations, one might reasonably assume that agentic AI technology is itself risky. But considering the sorts of vulnerabilities involved — lack of input sanitization, hardcoded credentials, insufficient access controls — what's new and "intelligent" about any of that?

"I think the flashy thing — the fun types of hack, the types of hack that everybody wants to talk about — is jailbreaks. That's not really the point of failure we need to think about," Kimhy argues.

The more significant point of failure is unique to agents themselves, Acronis says. It lives right at the intersection between the AI and the traditional software it interacts with. To understand why that intersection is so dangerous, one first needs a fundamental understanding of how AI agents work.

How AI Agents Work

"The problem is that, a lot of the time, people look at these agentic systems as a black box. They think, OK, there's input, there's some magic happening in the middle, and then there's output — we don't know what's going on [in the middle]. The message that we're interested in helping people understand is that it is not a black box," Kimhy says.

From a zoomed-out perspective, an AI agent can be thought of as a system of two halves. "It's an ecosystem that includes, on one hand, deterministic systems, which are tools, basically old-world software. A function that takes an argument just like any other function, and produces a deterministic result. The tool is connected to a non-deterministic system, which is the LLM. That LLM works by understanding probabilities. These two things together form a system," Kimhy explains.

Crucially, it is in the juxtaposition of the deterministic and non-deterministic halves that most agentic vulnerabilities arise.

In their presentation, Kimhy and his colleague, Acronis lead security researcher Syed Aizad, will demonstrate how this works using a sample AI agent underpinning a travel booking platform. Even with cutting-edge reasoning agents connected to totally inoffensive tools, any number of vulnerabilities still arise. A user might ask for their booking information, for instance, and the agent might supply it without realizing that the user might be lying about who they are. This is not the fault of the agent; it's a simple matter of authentication. Researchers demonstrated this exact scenario last December, using a program powered by a Microsoft Copilot Studio agent to leak personally identifying information (PII).

How to Secure Agentic Technology

It would be perfectly straightforward to design an authentication check for an AI agent, of course. But are slapdash "Agentforce" or "Now Assist" agents, or increasingly common vibe-coded programs, accounting for that and a thousand other potentially vulnerable interactions between those deterministic and non-deterministic halves?

"People are going to [deploy agentic AI] without a deep understanding of how these systems work, and how they're connected to each other. And that's incredibly important to understand. The fixes for the LLM itself are not the same as the fixes for the software," he says, adding that "more specifically, a lot of focus is now on the non-deterministic side. That's the sexy part. But that's really only half the picture, maybe even less than half the picture."

Kimhy's conference catchphrase is "old world principles with a new world spin": applying time-tested cybersecurity principles to this new tech. This includes preventing agents from leaking data with standard token-based authentication, or applying access controls to the AI, just as one would to a human employee.

"We need to first incorporate old-world thinking, to understand that [traditional software principles] have always been a part of this system, and these tools need to be considered," he explains. "But we need to put a new-world twist on it, because now we've connected [that software] to something that is unpredictable in a lot of ways. And that is something that I think there's just not enough awareness of."
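The travel-booking scenario above, and the "old world principles" fix that follows it, are easier to see in code than in prose. The block below is an added example, not code from the article, from Acronis or from any of the products named; the LLM is simulated by a deterministic stub so the model/tool boundary can be exercised offline, and every account, booking, role and key is constructed for illustration. The vulnerable wiring lets the tool key on whatever identity the model extracted from the user's text, so anyone who claims to be another customer reads their booking; the hardened wiring takes identity only from a verified session token and enforces a per-tool allow-list on the session's role, treating the model's output as untrusted input.

```python
"""Toy travel-booking agent: deterministic tools behind a (simulated) LLM.

Added example. All accounts, bookings, roles and the signing key are constructed;
the 'LLM' is a stub that turns text into a tool call the way a model would.
"""
from __future__ import annotations

import hashlib
import hmac

# Constructed booking records, keyed by the account that owns them.
BOOKINGS = {
    "alice@example.com": {"ref": "TRV-1001", "flight": "LHR-JFK", "seat": "12A"},
    "bob@example.com": {"ref": "TRV-2002", "flight": "CDG-SFO", "seat": "3C"},
}

# Constructed allow-list: which session roles may invoke which tool. This is the
# "access controls on the AI, as for a human employee" idea from the article.
TOOL_PERMISSIONS = {
    "get_booking": {"customer", "support"},
    "cancel_booking": {"customer"},
}

SESSION_KEY = b"constructed-demo-key"  # in a real system: a secrets store, never source


def issue_token(email: str, role: str) -> str:
    """Issue an HMAC-signed session token (stand-in for a real session or JWT)."""
    payload = f"{email}|{role}"
    tag = hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_token(token: str) -> dict | None:
    """Return the authenticated principal, or None if the token is forged or tampered."""
    try:
        email, role, tag = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(SESSION_KEY, f"{email}|{role}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return {"email": email, "role": role}


def fake_llm(user_message: str) -> dict:
    """Non-deterministic half, simulated: map free text to a tool call.

    It picks up any e-mail address in the message; a real model told
    "I am alice@example.com" would fill the argument the same way.
    """
    words = [w.strip(".,!?") for w in user_message.split()]
    email = next((w for w in words if "@" in w), None)
    tool = "cancel_booking" if "cancel" in user_message.lower() else "get_booking"
    return {"tool": tool, "args": {"customer_email": email}}


# Deterministic half: plain functions, "old world software".
def get_booking(customer_email: str | None) -> dict | str:
    return BOOKINGS.get(customer_email) or "no booking found"


def cancel_booking(customer_email: str | None) -> dict | str:
    booking = BOOKINGS.get(customer_email)
    if booking is None:
        return "no booking found"
    return {"ref": booking["ref"], "status": "cancelled"}  # state change omitted for the demo


TOOLS = {"get_booking": get_booking, "cancel_booking": cancel_booking}


def vulnerable_agent(user_message: str) -> dict | str:
    """Vulnerable wiring: the identity comes from model output, with no authentication."""
    call = fake_llm(user_message)
    return TOOLS[call["tool"]](call["args"]["customer_email"])


def hardened_agent(user_message: str, session_token: str) -> dict | str:
    """Hardened wiring: identity from the verified session; model output is untrusted data."""
    principal = verify_token(session_token)
    if principal is None:
        return "denied: invalid session"
    call = fake_llm(user_message)
    tool, requested = call["tool"], call["args"]["customer_email"]
    if principal["role"] not in TOOL_PERMISSIONS.get(tool, set()):
        return f"denied: {principal['role']} may not call {tool}"
    if principal["role"] == "customer":
        # A customer acts only on the account the session was issued for,
        # whatever e-mail they typed into the prompt.
        requested = principal["email"]
    return TOOLS[tool](requested)


if __name__ == "__main__":
    print(vulnerable_agent("Show the booking for alice@example.com please"))
    print(hardened_agent("Show the booking for alice@example.com please",
                         issue_token("mallory@example.com", "customer")))
```

The point to notice is where the identity enters: in the vulnerable path it is a string the model produced, so it is exactly as trustworthy as the user's prompt; in the hardened path the runtime binds the tool call to a principal it verified itself, and the role check decides which tools that principal may reach at all. Neither fix touches the model.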

Summarized

Agentic artificial intelligence technology introduces new risks to organizations, but the primary danger lies not in the technology itself, but in the manner in which it is deployed. Agentic AI agents are not opaque black boxes; rather, they function by interacting with existing software tools, meaning the security vulnerabilities they introduce are predominantly a consequence of pre-existing flaws in the underlying software code. Researchers argue that the cybersecurity weaknesses observed in agentic systems are largely a byproduct of traditionally poor coding practices rather than inherent flaws in the AI models.

The proliferation of agentic AI technology has highlighted vulnerabilities stemming from classic software weaknesses, such as inadequate input sanitization, hardcoded credentials, and insufficient access controls. For instance, flaws in agentic systems have been exposed through attacks leveraging these traditional vulnerabilities. A critical vulnerability was discovered in Salesforce where a malicious prompt within a specific form could be interpreted by an AI agent to execute instructions, exacerbated by the system's reliance on an expired, easily obtainable domain. Similarly, a dangerous exploit chain was found in ServiceNow, where an overly permissive chatbot, protected only by factory default credentials, allowed an attacker to authenticate as any user simply by providing an email address, enabling the creation of powerful AI agents across the enterprise.

The most significant failure point in agentic systems resides at the junction between the deterministic components—the traditional software tools—and the non-deterministic component, the large language model (LLM). This juxtaposition forms an ecosystem where vulnerabilities emerge because the system relies on the interplay between established software principles and unpredictable probabilistic reasoning. As security researcher Eliad Kimhy suggests, the focus should shift from superficial issues like jailbreaks to understanding this intersection of the AI and the software it operates within.

Understanding the architecture of an AI agent requires recognizing it as a composite system, comprising deterministic systems (tools) and a non-deterministic system (the LLM) working together. This combination creates inherent exposure. For example, an agent operating a travel booking platform might provide user information without proper authentication checks, exposing personally identifying information, which is an authentication failure rather than a flaw unique to the agent. Securing this technology thus necessitates applying established cybersecurity principles to the new architecture. This involves implementing measures such as token-based authentication for preventing data leakage and applying granular access controls to the AI, mirroring the controls applied to human employees.

Ultimately, the challenge for securing agentic technologies requires incorporating "old world principles with a new world spin." This means acknowledging that traditional software principles are fundamental to the system, and those tools must be thoroughly considered. While attention is rightly focused on the non-deterministic side of the AI, a complete security posture requires understanding how these elements are connected and ensuring that the underlying software infrastructure adheres to rigorous security standards, as the fixes for the software are equally essential to securing the agent.