AI Agents Are Here—So Are the Threats: Unit 42 Unveils the Top 10 AI Agent Security Risks

As AI agents transition from experimental systems to production-scale applications, their growing autonomy introduces novel security challenges. In a comprehensive new report, “AI Agents Are Here. So Are the Threats,” Palo Alto Networks’ Unit 42 reveals how today’s agentic architectures—despite their innovation—are vulnerable to a wide range of attacks, most of which stem not from the frameworks themselves, but from the way agents are designed, deployed, and connected to external tools.

To evaluate the breadth of these risks, Unit 42 researchers constructed two functionally identical AI agents—one built using CrewAI and the other with AutoGen. Despite architectural differences, both systems exhibited the same vulnerabilities, confirming that the underlying issues are not framework-specific. Instead, the threats arise from misconfigurations, insecure prompt design, and insufficiently hardened tool integrations—issues that transcend implementation choices.

Understanding the Threat Landscape

The report outlines ten core threats that expose AI agents to data leakage, tool exploitation, remote code execution, and more:

1. Prompt Injection and Overly Broad Prompts
   Prompt injection remains a potent vector, enabling attackers to manipulate agent behavior, override instructions, and misuse integrated tools. Even without classic injection syntax, loosely defined prompts are prone to exploitation.
2. Framework-Agnostic Risk Surfaces
   The majority of vulnerabilities originate not in the frameworks (e.g., CrewAI or AutoGen), but in application-layer design: insecure role delegation, improper tool access policies, and ambiguous prompt scoping.
3. Unsafe Tool Integrations
   Many agentic applications integrate tools (e.g., code execution modules, SQL clients, web scrapers) with minimal access control. These integrations, when not properly sanitized, dramatically expand the agent’s attack surface.
4. Credential Exposure
   Agents can inadvertently expose service credentials, tokens, or API keys—allowing attackers to escalate privileges or impersonate agents across environments.
5. Unrestricted Code Execution
   Code interpreters within agents, if not sandboxed, permit execution of arbitrary payloads. Attackers can use these to access file systems, networks, or metadata services—frequently bypassing traditional security layers.
6. Lack of Layered Defense
   Single-point mitigations are insufficient. A robust security posture demands defense-in-depth strategies that combine prompt hardening, runtime monitoring, input validation, and container-level isolation.
7. Prompt Hardening
   Agents must be configured with strict role definitions, rejecting requests that fall outside predefined scopes. This reduces the likelihood of successful goal manipulation or instruction disclosure.
8. Runtime Content Filtering
   Real-time input and output inspection—such as filtering prompts for known attack patterns—is critical for detecting and mitigating dynamic threats as they emerge.
9. Tool Input Sanitization
   Structured input validation—checking formats, enforcing types, and limiting values—is essential to prevent SQL injections, malformed payloads, or cross-agent misuse.
10. Code Executor Sandboxing
    Execution environments must restrict network access, drop unnecessary system capabilities, and isolate temporary storage to reduce the impact of potential breaches.

Simulated Attacks and Practical Implications

To illustrate these risks, Unit 42 deployed a multi-agent investment assistant and simulated nine attack scenarios. These included:

• Extracting Agent Instructions and Tool Schemas
  By leveraging prompt engineering, attackers could enumerate all internal agents, retrieve their task definitions, and understand tool APIs—facilitating downstream attacks.
• Credential Theft via Metadata Services
  Using malicious Python scripts injected into code interpreters, attackers accessed GCP metadata endpoints and exfiltrated service account tokens.
• SQL Injection and BOLA Exploits
  Agents relying on unvalidated input for database queries were susceptible to both SQL injection and broken object-level authorization (BOLA), allowing attackers to read arbitrary user data.
• Indirect Prompt Injection
  Malicious websites embedded instructions that caused agents to send user conversation histories to attacker-controlled domains, highlighting risks tied to autonomous browsing or reading tools.

Each of these scenarios exploited common design oversights, not novel zero-days. This underscores the urgent need for standardized threat modeling and secure agent development practices.

Defense Strategies: Moving Beyond Patchwork Fixes

The report emphasizes that mitigating these threats requires holistic controls:

• Prompt hardening should limit instruction leakage, restrict tool access, and enforce task boundaries.
• Content filtering must be applied both pre- and post-inference, detecting anomalous patterns in agent interactions.
• Tool integrations should be rigorously tested using static (SAST), dynamic (DAST), and dependency (SCA) analysis.
• Code execution environments must employ strict sandboxing, including network egress filtering, syscall restrictions, and memory capping.

Palo Alto Networks recommends its AI Runtime Security and AI Access Security platforms as part of a layered defense approach. These solutions provide visibility into agent behaviors, monitor for misuse of third-party generative AI tools, and enforce enterprise-level policies on agent interactions.

Conclusion

The rise of AI agents marks a significant evolution in autonomous systems. But as Unit 42’s findings reveal, their security must not be an afterthought. Agentic applications extend the vulnerability surface of LLMs by integrating external tools, enabling self-modification, and introducing complex communication patterns—any of which can be exploited without sufficient safeguards.

Securing these systems demands more than robust frameworks—it requires deliberate design choices, continuous monitoring, and layered defenses. As enterprises begin to adopt AI agents at scale, now is the time to establish security-first development practices that evolve alongside the intelligence they’re building.

Check out the Full Guide. Also, don’t forget to follow us on Twitter and join our Telegram Channel and LinkedIn Group. Don’t Forget to join our 90k+ ML SubReddit.

read more