In Part 1 of this blog series, we exposed the OWASP LLM Top 10: vulnerabilities in the words AI says. But AI no longer stops at conversation. 

We’re entering the Agentic AI era, where AI doesn’t just respond; it acts. These agents can execute workflows, update infrastructure, call APIs, orchestrate other agents, even make purchases, all without waiting for human confirmation. 

That means the attack surface now includes every connected API, tool, and system an agent can reach. The blast radius grows exponentially because autonomous actions can ripple across dozens of systems in seconds. And with fewer human checkpoints, bad decisions don’t just happen; they execute at machine speed. 

If LLM vulnerabilities are about getting a bad answer, Agentic AI vulnerabilities are about taking a bad action. The stakes and the defenses must change. 

Aviatrix Cloud Native Security Fabric (CNSF) reimagines cloud network security with a holistic, comprehensive security solution that covers AI vulnerabilities. By creating a protective control layer across an entire complex network – single-cloud, hybrid, or multicloud – CNSF provides zero trust controls that prevent AI agents from gaining unmonitored control or access:  

  • Comprehensive visibility that can flag suspicious activity 

  • Egress traffic inspection to prevent data theft 

  • High-performance encryption to protect data in transit 

  • Seamless integration with CI/CD pipelines to create repeatable, secure architecture 

In Part 1, we explored how CNSF can help protect your network from LLM vulnerabilities. Here, we’ll go through the OWASP Agentic AI Top 10 and how CNSF can also protect networks from agentic AI misuse.  

Why Agentic AI Vulnerabilities Matter More

Traditional security teams are used to thinking about misconfigurations, phishing, or credential theft. But with Agentic AI: 

  • The attack surface expands dramatically — every connected API, tool, and system the agent can reach is now in scope. 

  • Blast radius grows — actions can affect dozens of systems in seconds. 

  • Autonomous execution means less human oversight — bad decisions don’t wait for a “send” button. 

  • Attacks can be persistent — a poisoned memory or hijacked goal can drive harmful actions for weeks. 

The State of the OWASP Agentic AI Top 10

OWASP hasn’t yet finalized its Agentic AI Top 10, but the Securing Agentic Applications Guide (v1.0) marks the first major step. 

Drawn from lab testing, red team exercises, and early production deployments, it identifies priority risks already seen in repeatable attack patterns, real-world incidents, and vetted proof-of-concept exploits. 

The guide reflects contributions from a global community of researchers, AI engineers, and practitioners, using the same public feedback, case data, and consensus process that shaped the LLM Top 10. 

Bottom line: this is actionable intelligence you can use now, even before OWASP stamps it “final.” 

The Emerging OWASP Agentic AI Top 10: Real-World Context and CNSF Network-Layer Mitigations 

1. Goal Hijacking

In goal hijacking, malicious actors manipulate an AI agent’s objectives, causing it to pursue harmful or unintended goals. For example, a logistics AI could be tricked into prioritizing delivery to attacker-controlled addresses instead of legitimate customers. These attacks can disrupt operations, cause financial loss, and damage your reputation. 

In-the-Wild Example: A former employee tricked the chatbot for a Chevrolet dealership into agreeing to sell a $70,000 car for $1.  

How Aviatrix CNSF Can Help

Aviatrix CNSF can use network segmentation and comprehensive visibility to defeat hijacking attempts. It can enforce traffic segmentation to limit agent access to sensitive APIs and inspect command-and-control traffic for abnormal task execution. 

2. Tool & API Abuse

Tool and API Abuse is when an attacker exploits the AI’s connected tools or APIs for unauthorized purposes. Imagine an agent with API access to cloud storage deleting or exfiltrating sensitive files. These attacks can cause your organization to lose data, violate compliance regulations, and suffer operational downtime.  

In-the-Wild Example: Proof-of-concept exploits demonstrated ChatGPT plug-ins leaked private GitHub repositories without explicit user consent. 

How Aviatrix CNSF Can Help

CNSF can apply identity-aware network policy to control which APIs agents can call and under what conditions. CNSF bases its authentication on workload identity rather than static IP addresses that can change, and its security policies cover a distributed network even across clouds and locations.  

3. Prompt Injection

In this type of attack, an attacker inserts malicious instructions into input data to override intended agent behavior. Prompt injection is a tactic used against both LLMs and agentic AI. An example of an attack on an AI agent is a customer support AI reading a poisoned FAQ entry that causes it to reveal confidential troubleshooting commands. These attacks can expose data, cause organizations to breach compliance standards, and lose customer trust.  

In-the-Wild Example: The US AI Safety Institute (US AISI) ran a series of prompt injection experiments against AI agents, including injection tasks that exfiltrated large amounts of user data – for example, sending a user’s entire suite of cloud files to an unknown recipient.  

How Aviatrix CNSF Can Help

Aviatrix CNSF can inspect and sanitize inbound data flows to prevent prompt injection. It can also restrict agent access to sensitive internal resources. 

4. Supply Chain Manipulation

Supply chain manipulation involves compromising dependencies, data sources, or tools an AI relies on. For example, an AI agent uses a corrupted software library that includes hidden malicious commands. These attacks can cause widespread compromise across dependent workflows and data pipelines. 

In-the-Wild Example: PromptHub, a shared library developers can use to reuse prompts, had a vulnerability that allowed attackers to embed malicious proxy configurations into public AI agents. These proxies could have allowed attackers to access sensitive data like OpenAI API keys.  

How Aviatrix CNSF Can Help

CNSF can monitor outbound calls to external dependencies, giving security teams visibility. It can also enforce allowlists for trusted domains. 
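The two network-layer controls described for Tool & API Abuse and Supply Chain Manipulation, identity-aware policy on which APIs an agent may call and an allowlist of trusted destination domains, come down to the same default-deny decision. The block below is an added illustration, not Aviatrix CNSF code: a small policy decision point that evaluates an agent’s outbound call by the caller’s workload identity (assumed here to be a SPIFFE-style URI), the tool and method it wants, and the destination host, never by source IP. The identities, tool names and hosts are constructed for the example.

```python
"""Identity-aware allowlisting of agent tool calls and egress destinations.

Added example (not Aviatrix CNSF code): a small policy decision point that
authorizes an agent's outbound call by the caller's workload identity, the
tool it wants, the method, and the destination host, never by source IP.
Identities, tools and hosts below are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class CallRequest:
    workload_id: str   # assumed SPIFFE-style identity, e.g. "spiffe://example.org/agent/support"
    tool: str          # logical tool/API name the agent is invoking
    method: str        # HTTP method of the underlying call
    url: str           # destination of the underlying call


# Policy: per workload, which tools (and methods) it may use and which
# destination hosts it may reach. Anything not listed is denied.
# Host entries starting with "." match the domain and all of its subdomains.
POLICY = {
    "spiffe://example.org/agent/support": {
        "tools": {
            "ticketing": {"GET", "POST"},
            "object-storage": {"GET"},          # read-only: no DELETE/PUT
        },
        "egress": {"api.tickets.example", ".storage.example"},
    },
    "spiffe://example.org/agent/deploy": {
        "tools": {"ci": {"POST"}},
        "egress": {"ci.example"},
    },
}


def host_allowed(host: str, allowed: set) -> bool:
    """Exact match, or suffix match for entries written as '.domain'."""
    for entry in allowed:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def decide(policy: dict, req: CallRequest) -> tuple:
    """Default-deny evaluation; the reason string is meant for audit logs."""
    rules = policy.get(req.workload_id)
    if rules is None:
        return False, f"unknown workload identity {req.workload_id}"
    methods = rules["tools"].get(req.tool)
    if methods is None:
        return False, f"tool '{req.tool}' not allowed for this workload"
    if req.method.upper() not in methods:
        return False, f"method {req.method.upper()} not allowed on '{req.tool}'"
    host = (urlparse(req.url).hostname or "").lower()
    if not host_allowed(host, rules["egress"]):
        return False, f"destination '{host}' not in egress allowlist"
    return True, "allowed"


# Constructed sample calls: one legitimate, three that a hijacked or abused
# agent might attempt (bulk delete, a call to an unlisted host, an identity
# the policy has never heard of).
SAMPLE_CALLS = [
    CallRequest("spiffe://example.org/agent/support", "ticketing", "GET",
                "https://api.tickets.example/v1/tickets?status=open"),
    CallRequest("spiffe://example.org/agent/support", "object-storage", "DELETE",
                "https://eu.storage.example/bucket/customer-exports"),
    CallRequest("spiffe://example.org/agent/support", "ticketing", "POST",
                "https://unlisted-webhook.example/collect"),
    CallRequest("spiffe://example.org/agent/unknown", "ticketing", "GET",
                "https://api.tickets.example/v1/tickets"),
]


def evaluate(policy: dict = POLICY, calls=SAMPLE_CALLS) -> list:
    """Run every sample call through the policy; decisions feed the audit log."""
    return [decide(policy, c) for c in calls]


if __name__ == "__main__":
    for call, (ok, why) in zip(SAMPLE_CALLS, evaluate()):
        print("ALLOW" if ok else "DENY ", call.workload_id.rsplit("/", 1)[-1],
              call.method, call.tool, "->", why)
```

The deny reasons are deliberately specific (which workload, which method, which host) so that the same log line serves both the security team’s visibility and a later tightening of the allowlist; in a real fabric the workload identity would be attested by the platform rather than supplied in the request.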

5. Memory Poisoning

Memory poisoning means injecting false or malicious data into the agent’s long-term memory to alter future decisions. For example, an attacker could feed false transaction histories into a financial agent to manipulate investment strategies. Memory poisoning can cause financial mismanagement, fraud, and regulatory scrutiny. 

In-the-Wild Example: A memory injection attack on AI chatbots can poison an AI model's memory with deceptive information, changing its responses to other users.  

How CNSF Can Help

CNSF can inspect inter-service communication for anomalies and flag them for security teams to evaluate. It can also use network segmentation to isolate memory services from external write access, preventing attackers from feeding false information. 

6. Over-Permissioned Execution 

AI agents with unnecessarily broad access (e.g., full CI/CD rights) can be hijacked to manipulate production pipelines.  

In-the-Wild Example: While no AI agent has yet been exploited this way, an analogous GitHub Action compromise exposed CI/CD secrets across thousands of repos—demonstrating the explosive risk of overprivileged automation. 

How CNSF Can Help 

CNSF is aligned with zero trust principles and can enforce least privilege at the network layer, preventing agents from getting more permissions than necessary. It can also log and alert on privilege escalations, blocking a step that most cyberattacks depend on.  

7. Multi-Agent Collusion 

Multiple AI agents can collude stealthily using covert signals, such as steganography, to bypass oversight. Controlled academic demonstrations have proven this possible, underlining a risk that could migrate into production systems. 

In-the-Wild Example: Simulated in academic labs, with cooperating agents defeating safety filters. 

How CNSF Can Help 

One of CNSF’s most powerful features is monitoring east-west traffic, or traffic within your network – an area that many security tools ignore because they’re working from the old “implicit trust” model of on-premises environments. CNSF can monitor and control east-west traffic between agents to prevent this kind of coordination. It can also enforce segmentation boundaries, preventing AI agents from accessing more than a piece of the network at a time. 

8. Data Exfiltration via Covert Channels 

Attackers can hide malicious prompts in innocuous files—like images or Word docs—that trick AI agents into leaking sensitive data.  

In-the-Wild Example: Trend Micro has shown this in practice with multi-modal agents, proving covert exfiltration is more than a theoretical vector. 

How CNSF Helps 

CNSF can inspect egress traffic for anomalous encoding patterns. It can also block unsanctioned outbound channels, preventing attacks from getting the data out of the system.  
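Inspecting egress for “anomalous encoding patterns” and blocking unsanctioned outbound channels can be made concrete with two cheap checks on each outbound request: is the destination on the sanctioned list, and does the URL (or body) carry a long run of base64-like characters with high Shannon entropy, the signature of an encoded payload smuggled into a query string? The block below is an added example, not Aviatrix CNSF code; the egress records, the sanctioned hosts and the entropy threshold are constructed for illustration.

```python
"""Egress inspection for covert-channel exfiltration patterns.

Added example (not Aviatrix CNSF code): scans outbound request lines for two
signals, an unsanctioned destination and long high-entropy runs of text that
look like encoded payloads smuggled into URLs or bodies. The log lines,
hosts and thresholds are constructed for illustration.
"""
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Runs of base64/base64url characters long enough to carry a payload.
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=_-]{40,}")

# Hosts this workload is sanctioned to talk to (constructed).
SANCTIONED_HOSTS = {"api.tickets.example", "telemetry.example"}

# Constructed egress records: "<METHOD> <URL>".
SAMPLE_EGRESS = [
    "GET https://api.tickets.example/v1/tickets?status=open&assignee=support-agent",
    # long but low-entropy run (zero-padded id): must not be flagged
    "POST https://telemetry.example/v1/ping?id=0000000000000000000000000000000000000000000000",
    # base64 of 60 bytes sent to an unsanctioned host: both signals fire
    "POST https://cdn-metrics.example/collect?d="
    "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7",
]


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for a single repeated symbol, up to 6 for base64."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def encoded_runs(text: str, min_entropy: float = 4.5) -> list:
    """Return (segment, entropy) for every long run that looks like encoded data."""
    hits = []
    for m in ENCODED_RUN.finditer(text):
        seg = m.group(0)
        ent = shannon_entropy(seg)
        if ent >= min_entropy:
            hits.append((seg, round(ent, 2)))
    return hits


def inspect_egress(record: str, sanctioned: set = SANCTIONED_HOSTS) -> dict:
    """One verdict per egress record; findings are written for the SOC."""
    method, url = record.split(" ", 1)
    host = (urlparse(url).hostname or "").lower()
    findings = []
    if host not in sanctioned:
        findings.append(f"unsanctioned destination {host}")
    for seg, ent in encoded_runs(url):
        findings.append(f"high-entropy run of {len(seg)} chars ({ent} bits/char)")
    return {"method": method, "host": host,
            "verdict": "block" if findings else "allow",
            "findings": findings}


def inspect_samples() -> list:
    return [inspect_egress(r) for r in SAMPLE_EGRESS]


if __name__ == "__main__":
    for v in inspect_samples():
        print(v["verdict"].upper(), v["method"], v["host"], v["findings"])
```

The entropy threshold is a tuning knob, not a constant: long camelCase identifiers and opaque session tokens sit near 4 bits per character, so a deployment should baseline its own traffic before choosing the cutoff, and the destination check is the one that actually stops the transfer when the encoding check is inconclusive.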

9. Unsafe Autonomous Actions 

Unsafe autonomous actions refer to AI agents independently performing high-impact actions without adequate safeguards. For example, AI could shut down energy grid substations after misinterpreting a maintenance alert. These attacks could cause critical infrastructure disruption and safety hazards. 

In-the-Wild Example: While no public cases of AI agents autonomously causing catastrophic outages have been reported yet, there are close analogs in automation and industrial IoT failures where unsupervised systems triggered significant disruption. The concern is that agentic AI extends these risks into more dynamic and less predictable environments. 

How CNSF Helps 

CNSF can require policy checks and human approval for high-risk network calls. These requirements can be set once, network-wide, and enforced automatically, even when your network spans multiple clouds and edge locations. 
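A policy check with human approval for high-risk actions needs one property above all: the approval must be bound to the exact action it was granted for, so a hijacked agent cannot reuse a sign-off for a different target or after it has lapsed. The block below is an added example, not Aviatrix CNSF code: a gate that auto-approves low-risk actions, holds high-risk ones until a human approves, and verifies each approval as an expiring HMAC over the canonical action. The risk table, the secret and the substation actions are constructed for illustration.

```python
"""Approval gate for high-risk agent actions.

Added example (not Aviatrix CNSF code): lets low-risk actions through, holds
high-risk ones until a human approves, and binds each approval to the exact
action with an expiring HMAC so it cannot be reused for a different target.
The risk table, secret and actions are constructed.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

# (resource_type, verb) pairs that always need a human in the loop (constructed).
HIGH_RISK = {
    ("infra", "shutdown"), ("infra", "delete"),
    ("iam", "grant"), ("payments", "transfer"),
}


def canonical(action: dict) -> str:
    """Stable serialization so the MAC covers exactly this action."""
    return json.dumps(action, sort_keys=True, separators=(",", ":"))


def risk_of(action: dict) -> str:
    return "high" if (action["resource_type"], action["verb"]) in HIGH_RISK else "low"


def _approval_msg(action: dict, approver: str, expires: int) -> bytes:
    return f"{canonical(action)}|{approver}|{expires}".encode()


def issue_approval(secret: bytes, action: dict, approver: str,
                   ttl: int = 600, now: Optional[float] = None) -> dict:
    """Called by the approval workflow after a human signs off."""
    expires = int(time.time() if now is None else now) + ttl
    mac = hmac.new(secret, _approval_msg(action, approver, expires),
                   hashlib.sha256).hexdigest()
    return {"approver": approver, "expires": expires, "mac": mac}


def approval_valid(secret: bytes, action: dict, approval: dict,
                   now: Optional[float] = None) -> bool:
    """True only if the MAC matches this action, approver and expiry, and is unexpired."""
    now = time.time() if now is None else now
    if now > approval["expires"]:
        return False
    expected = hmac.new(secret,
                        _approval_msg(action, approval["approver"], approval["expires"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, approval["mac"])


def gate(secret: bytes, action: dict, approval: Optional[dict] = None,
         now: Optional[float] = None) -> tuple:
    """Returns (decision, reason): execute, hold, or deny."""
    if risk_of(action) == "low":
        return "execute", "low risk, auto-approved by policy"
    if approval is None:
        return "hold", "high risk, awaiting human approval"
    if not approval_valid(secret, action, approval, now):
        return "deny", "approval missing, expired, or issued for a different action"
    return "execute", f"high risk, approved by {approval['approver']}"


# Constructed scenario mirroring the substation example in the text.
SECRET = b"constructed-demo-secret-rotate-in-production"
READ_ACTION = {"resource_type": "infra", "verb": "describe", "target": "substation-7"}
SHUTDOWN_ACTION = {"resource_type": "infra", "verb": "shutdown", "target": "substation-7"}


def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk the gate through the cases a reviewer would want to see."""
    approval = issue_approval(SECRET, SHUTDOWN_ACTION, "oncall@example", ttl=600, now=now)
    retargeted = dict(SHUTDOWN_ACTION, target="substation-9")
    return {
        "low_risk": gate(SECRET, READ_ACTION, now=now)[0],
        "no_approval": gate(SECRET, SHUTDOWN_ACTION, now=now)[0],
        "approved": gate(SECRET, SHUTDOWN_ACTION, approval, now=now)[0],
        "retargeted": gate(SECRET, retargeted, approval, now=now)[0],
        "expired": gate(SECRET, SHUTDOWN_ACTION, approval, now=now + 601)[0],
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:12s} -> {decision}")
```

Canonicalizing the action before computing the MAC is what makes the retargeted case fail: any change to the target, verb or resource type produces a different message, so the stored approval no longer verifies, and the `compare_digest` call keeps the check constant-time.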

10. Persistent Compromise 

In persistent compromise, attackers establish ongoing control over the agent, its tools, or data sources. For example, an attacker could plant hidden goals and access tokens in an agent’s configuration, enabling long-term control. These attacks can cause chronic data leakage, systemic sabotage, and ongoing compliance risk. 

In-the-Wild Example: Direct evidence in AI agent contexts is still emerging, but parallels exist in long-term botnet infections and advanced persistent threats (APTs) where attackers embed themselves into automation loops for months or years. Persistent AI compromise is expected to follow similar patterns. 

How CNSF Can Help 

CNSF continuously monitors for anomalous agent behaviors and can revoke credentials dynamically when compromise is suspected. 

Conclusion: The End of “Old Security” 

The OWASP Agentic AI Top 10 isn’t a hypothetical. It’s a preview of where the next wave of AI breaches will land. If Part 1 was about manipulation through language, Part 2 is about operational takeover: attacks that spread through connected systems and propagate on their own. 

Together, these two lists make one thing clear: AI has introduced an entirely new class of vulnerabilities that traditional tools can’t contain. Exploitation is already happening, and automation multiplies the damage. 

Security has to accelerate. Defenses must move at machine speed, enforcing policy at runtime to stop compromise before it cascades. That containment line, enforced in real time, is the difference between a controlled incident and the next headline breach. 

 

Take a free security assessment to find blind spots and hidden vulnerabilities in your network. 

Learn more about how Aviatrix secures AI workloads.  

 

References 

ArXiv, “Secret Collusion among AI Agents: Multi-Agent Deception via Steganography,” revised July 25, 2025, https://arxiv.org/abs/2402.07510.  

Bank Info Security, “Attackers Can Manipulate AI Memory to Spread Lies,” March 12, 2025, https://www.bankinfosecurity.com/attackers-manipulate-ai-memory-to-spread-lies-a-27699.  

DataBreach Today, “Malicious AI Agent in LangSmith May Have Exposed API Data,” June 20, 2025, https://www.databreachtoday.com/malicious-ai-agent-in-langsmith-may-have-exposed-api-data-a-28769?highlight=true.  

The Hacker News, “GitHub Action Compromise Puts CI/CD Secrets at Risk in Over 23,000 Repositories,” March 17, 2025, https://thehackernews.com/2025/03/github-action-compromise-puts-cicd.html.  

NIST, “Technical Blog: Strengthening AI Agent Hijacking Evaluations,” January 17, 2025, https://www.nist.gov/news-events/news/2025/01/technical-blog-strengthening-ai-agent-hijacking-evaluations.  

OpenReview.net, “Secret Collusion among AI Agents: Multi-Agent Deception via Steganography,” updated November 6, 2024, https://openreview.net/forum?id=bnNSQhZJ88.  

OWASP, “OWASP Top 10 for Large Language Model Applications,” accessed August 19, 2025, https://owasp.org/www-project-top-10-for-large-language-model-applications/.  

OWASP, “Securing Agentic Applications Guide 1.0,” July 27, 2025, https://genai.owasp.org/resource/securing-agentic-applications-guide-1-0/.  

SC Media, “ChatGPT 0-click plugin exploit risked leak of private GitHub repos,” March 13, 2024, https://www.scworld.com/news/chatgpt-0-click-plugin-exploit-risked-leak-of-private-github-repos.  

TrendMicro, “Unveiling AI Agent Vulnerabilities Part III: Data Exfiltration,” May 13, 2025, https://www.trendmicro.com/vinfo/us/security/news/threat-landscape/unveiling-ai-agent-vulnerabilities-part-iii-data-exfiltration.  

John Qian

Chief Information Security Officer

John is the Chief Information Security Officer at Aviatrix. Previously, John served as the Head of Security Architecture at Zoom, where he was responsible for overseeing the security posture of Zoom products and features, cloud environments, and sensitive IT applications. Over four years, his team developed one of the industry’s most mature security programs while effectively supporting Zoom’s dramatic business growth during the pandemic.
