Securing Agentic AI: What Cloud Teams Need to Know

Key agentic AI security takeaways
  • New paradigm: Agentic AI security shifts from blocking unauthorized access to preventing authorized systems from making harmful decisions.

  • Evolving attack surface: Adversaries now target AI decision-making via prompt injection, memory poisoning, and tool abuse.

  • Cloud complexity: Ephemeral infrastructure, autoscaling, and multi-tenancy expand attack surfaces and complicate compliance.

  • Core defense: Control what agents can do by enforcing least privilege, ephemeral credentials, JIT access, and strict identity federation across clouds.

  • Adaptive security: Success demands dynamic guardrails and organizational readiness that evolve with your agents.

  • Unified visibility: AI security posture management (AISPM) provides an agentless, unified view of all resources across environments, revealing attack paths through a connected graph.

What is agentic AI security?

Agentic AI security protects AI systems that autonomously make decisions, use tools, and take action in live environments. Agentic AI doesn't just answer questions—it acts on them.

Agents create, modify, or destroy infrastructure without human approval. They interact with critical systems through powerful APIs, retain context across sessions using external memory stores like vector databases, and collaborate to perform complex actions across distributed environments—introducing new risks that demand purpose-built security controls.

While traditional AI security risks still apply, agentic systems need more than static defenses. They require intelligent, real-time guardrails guided by a unified, agentless view of identities, services, pipelines, and runtime linked to data sensitivity and exposure.


How does agentic AI break traditional cloud security?

Traditional cloud security assumes predictability: users authenticate, services stay within known boundaries, and the primary goal is to block unauthorized access.

Agentic AI in cybersecurity breaks this model by learning, adapting, and making decisions that can’t be fully anticipated.

AI security in the cloud is a good start, but it falls short in four key areas:

  • Static perimeters are bypassed: Valid API credentials let agents perform actions, whether safe or unsafe, within traditional network segmentation and firewall rules.

  • Compliance frameworks lag: Audit models expect human decision-makers, not autonomous agents that reconfigure settings across accounts in seconds.

  • Attack vectors shift: Exploitation expands beyond CVEs to target the agentic behavior itself through prompt injection, memory poisoning, and tool abuse.

  • Cloud-native risks multiply: Autoscaling spreads compromise, orchestration enables lateral movement, and infrastructure-as-code can amplify and propagate misconfigurations.

Consider a DevOps agent with cluster-admin privileges that gets tricked via poisoned Git commits into creating privileged pods that expose secrets. Because the agent acts with valid credentials, the attack is masked in the logs as routine activity.

Security needs to extend beyond preventing unauthorized access to preventing authorized systems from making damaging choices. And for this, you need guardrails like transactional checks, scoped privileges, and human approvals.


Must-know agentic AI threats for cloud security teams

Agentic AI threats emerge when autonomous systems are manipulated, misconfigured, or compromised in the supply chain. 

The following five threat categories, along with common attack vectors and relevant standards, capture the greatest cybersecurity risk agentic AI presents to cloud security teams. 

Tool misuse and cloud API exploitation

Agents with valid permissions can be tricked into harmful actions across your environment via adversarial AI attacks on their decision-making process.

Attack vectors here include:

  • Prompt injection via IaC comments, Git messages, or monitoring alerts

  • Memory poisoning by contaminating a vector database or RAG store, causing the agent's context to drift over time

  • Server-side request forgery (SSRF) to a cloud instance metadata service (IMDSv1 or misconfigured metadata proxies) to harvest temporary credentials—mitigate by enforcing IMDSv2 and setting hop-limit controls to 1

  • Misuse of cloud CLIs (AWS, Azure, Google Cloud, kubectl) to bypass established change controls

Once compromised, an agent with admin rights and API access can create backdoors, turn off controls, or exfiltrate data across multiple clouds within seconds.
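The SSRF-to-metadata-service vector above has a concrete, checkable mitigation (IMDSv2 only, hop limit 1). The following is an added example, not code from the original article or from Wiz: it audits the MetadataOptions block of a describe_instances response and emits the parameters for a fix. The instance ids and the SAMPLE_RESERVATIONS structure are constructed here so it runs offline; the only real API names used are the ones boto3 exposes for this purpose (describe_instances and modify_instance_metadata_options).

```python
"""Audit EC2 metadata-service settings that let an SSRF-able agent steal role credentials."""

# Constructed sample shaped like boto3's ec2.describe_instances()["Reservations"];
# instance ids are placeholders. In a real run, replace SAMPLE_RESERVATIONS with
# the live response and page through NextToken.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0example-hardened",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0example-imdsv1",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0example-hop2",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0example-noimds",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    ]}
]


def imds_findings(reservations):
    """Return [(instance_id, [problem, ...])] for instances whose IMDS settings are weak."""
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS is off; a forged request has nothing to reach
            problems = []
            # IMDSv1 answers plain GETs, which is exactly what a forged request looks like.
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 allowed: set HttpTokens=required")
            # With a hop limit above 1 the IMDSv2 token response can be forwarded
            # past the instance's own network stack (e.g. into a bridged container).
            hop = opts.get("HttpPutResponseHopLimit", 1)
            if hop > 1:
                problems.append(f"hop limit {hop} > 1: set HttpPutResponseHopLimit=1")
            if problems:
                findings.append((inst["InstanceId"], problems))
    return findings


def remediation_calls(findings):
    """Keyword arguments for ec2.modify_instance_metadata_options(), one call per weak instance."""
    return [
        {"InstanceId": iid, "HttpTokens": "required", "HttpPutResponseHopLimit": 1}
        for iid, _ in findings
    ]


if __name__ == "__main__":
    for iid, problems in imds_findings(SAMPLE_RESERVATIONS):
        print(iid, "->", "; ".join(problems))
```

Setting the hop limit to 1 also cuts off IMDS for pods that do not share the host network, which is usually what you want for agents running on EKS: it forces them onto pod-level identities instead of the node role. Check that nothing on the node legitimately depends on the old behaviour before applying the fix fleet-wide.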

Relevant standards: NIST SP 800-53 (access control, system and information integrity), ISO/IEC 42001 (AI management systems controls)

Supply chain and model integrity risks

Agents can inherit compromise when their containers, models, or dependencies are poisoned at any point in the supply chain.

This category of agentic AI threats involves cyberattackers using a few key methods:

  • Tampered base images pulled from private container registries or public hubs like Hugging Face

  • Malicious code injected into open-source dependencies used by the agent

  • Compromised model weights downloaded from cloud storage or registries

  • Unsigned or unauthenticated artifacts that lack attestations (e.g., SLSA compliance)

A single infected image or model, automatically pulled and deployed to EKS, GKE, or AKS through normal CI/CD processes, can scale across clusters and affect multiple environments and customers simultaneously.

Relevant standards: NIST SSDF (SP 800‑218), ISO/IEC 23894 (AI risk management guidance)

Infrastructure exposure and lateral movement

Cyberattackers can exploit agents deployed with excessive permissions to move laterally across cloud environments and reach sensitive resources.

The most common attack vectors exploited on this front include:

  • Overly permissive security groups or firewall rules allowing broad network access

  • Cross-account role assumption for third-party access without an external ID, enabling confused deputy-style privilege escalation

  • Agents with cluster-admin bindings granted in Kubernetes by default

  • Unrestricted egress from agents to third-party endpoints, creating data exfiltration channels

Agents with broad access give malicious actors, including those equipped with dark AI tooling, a path to traverse VPCs, cloud accounts, and service meshes and reach critical data stores.

Relevant standards: NIST SP 800-53 (least privilege, access control), EU AI Act (accuracy, robustness, and cybersecurity for high‑risk AI)


Shadow AI agents and ungoverned deployments

Unsanctioned agents launched outside security review create invisible risks that evade traditional monitoring.

There are a few attack vectors and indicators to keep an eye out for here:

  • Developers deploying agents via serverless functions (Lambda, Cloud Functions) with unmanaged API keys

  • Anomalous DNS queries or network egress to public AI service endpoints

  • Sudden spikes in AI service costs (for example, SageMaker or Azure AI)

  • Infrastructure drift showing new, undocumented, and/or untagged agent resources

The self-service nature of the cloud makes it easy to deploy “shadow agents,” which often operate with excessive permissions and no oversight, making them ideal hidden backdoors.
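The indicators listed above (unmanaged keys, AI-endpoint egress, cost spikes, untagged resources) can be turned into a simple detector. The following is an added example, not code from the original article or from Wiz. It assumes a hypothetical tagging policy (REQUIRED_TAGS), a starting list of public AI API hostnames, and a constructed asset inventory plus constructed resolver log lines in a made-up format; all of these are placeholders to swap for your own asset export and DNS logs.

```python
import re
import statistics

# Hypothetical tagging policy: every sanctioned agent workload carries these tags.
REQUIRED_TAGS = {"owner", "ai-agent-id"}

# Starting list of public AI API hostnames (assumption; extend for your providers).
AI_ENDPOINT_PATTERNS = [
    re.compile(r"^api\.openai\.com$"),
    re.compile(r"\.openai\.azure\.com$"),
    re.compile(r"^bedrock-runtime\.[a-z0-9-]+\.amazonaws\.com$"),
    re.compile(r"^generativelanguage\.googleapis\.com$"),
]

# Constructed inventory, e.g. from a cloud asset export. "env_has_api_key" would come
# from scanning function environment variables for provider key formats.
INVENTORY = [
    {"id": "lambda:invoice-summarizer", "tags": {"owner": "finance", "ai-agent-id": "AG-1"}, "env_has_api_key": False},
    {"id": "lambda:quick-bot",          "tags": {},                                       "env_has_api_key": True},
    {"id": "cloudfunction:triage",      "tags": {"owner": "sre"},                         "env_has_api_key": True},
]

# Constructed resolver log lines: timestamp, source workload, queried name.
DNS_LOG = """\
2025-05-01T10:00:01Z src=lambda:quick-bot qname=api.openai.com
2025-05-01T10:00:02Z src=lambda:invoice-summarizer qname=bedrock-runtime.us-east-1.amazonaws.com
2025-05-01T10:00:03Z src=lambda:quick-bot qname=api.openai.com
2025-05-01T10:00:04Z src=vm:build-01 qname=generativelanguage.googleapis.com
2025-05-01T10:00:05Z src=lambda:quick-bot qname=github.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) qname=(?P<qname>\S+)$")


def parse_dns_log(text):
    """Yield (source, qname) pairs; lines that don't match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("qname")


def is_ai_endpoint(qname):
    return any(p.search(qname) for p in AI_ENDPOINT_PATTERNS)


def shadow_agent_findings(inventory, dns_log_text):
    """Map workload id -> list of reasons it looks like an ungoverned agent."""
    findings = {}

    def flag(wid, reason):
        findings.setdefault(wid, []).append(reason)

    known = {w["id"]: w for w in inventory}
    for w in inventory:
        missing = REQUIRED_TAGS - set(w["tags"])
        if missing:
            flag(w["id"], f"missing tags: {sorted(missing)}")
        if w.get("env_has_api_key"):
            flag(w["id"], "unmanaged AI API key in environment")

    seen = set()
    for src, qname in parse_dns_log(dns_log_text):
        if not is_ai_endpoint(qname) or (src, qname) in seen:
            continue
        seen.add((src, qname))
        if src not in known:
            flag(src, f"unknown workload contacting AI endpoint {qname}")
        elif "ai-agent-id" not in known[src]["tags"]:
            flag(src, f"AI egress to {qname} from workload not registered as an agent")
    return findings


def cost_spike_days(daily_cost, factor=3.0):
    """Indexes of days whose AI-service spend exceeds `factor` x the median of prior days."""
    spikes = []
    for i in range(1, len(daily_cost)):
        baseline = statistics.median(daily_cost[:i])
        if baseline > 0 and daily_cost[i] > factor * baseline:
            spikes.append(i)
    return spikes
```

Run on the constructed data, the registered and tagged summarizer produces no finding, while the untagged function with a key in its environment, the half-tagged function, and the unknown VM talking to a public AI endpoint all surface. Feeding the functions a real asset export and resolver log is the only change needed.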

Relevant standards: NIST SP 800-53 (configuration management, asset inventory), ISO/IEC 42001 (AI asset governance)

Resource consumption and cost abuse

Agents can be manipulated into consuming massive cloud resources, causing both financial damage and service disruption.

Popular attack vectors for this category include:

  • Adversarial prompts that trigger runaway autoscaling of expensive servers

  • Behavioral manipulation that causes the deployment of unauthorized workloads using legitimate provisioning tools

  • Malicious inputs that lead to initiating large, unnecessary cross-region data transfers

A single autoscaling agent under the control of a threat actor can burn through budgets overnight, exhaust quotas, and even take production workloads offline.

Relevant standards: NIST SP 800-53 (resource availability and protection), ISO/IEC 42001 (operational controls for AI systems)

The three pillars of agentic AI security 

Securing agentic AI requires shaping behavior in real time, not just spotting problems after they happen. That requires a single policy engine spanning code, pipelines, and runtime.

While frameworks like OWASP MAESTRO offer comprehensive agentic threat modeling, cloud teams can start with three practical controls to unlock effective agentic AI risk management today—while still enabling autonomy, scale, and efficiency.

Runtime protection and sandboxing 

Agentic AI acts continuously and at high speed, which makes runtime containment essential. With strong sandboxing, you can provide built-in guardrails and limit the blast radius if an agent is ever compromised.

  • Use admission controllers (OPA Gatekeeper, Kyverno) to enforce security policies on Kubernetes deployments automatically.

  • Enforce network microsegmentation with service mesh policies (Istio, Linkerd) or Kubernetes NetworkPolicies to strictly control agent communications.

  • Leverage eBPF-based telemetry for deep, real-time anomaly detection of workload behavior at the kernel level (where supported).

  • Implement human-in-the-loop approvals for high-impact tools and require signed "plans" (e.g., terraform plan) before executing dangerous actions.

  • Establish circuit breaker mechanisms to automatically shut down an agent if it exhibits suspicious infrastructure modification patterns.
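The last two bullets (human-in-the-loop approvals over signed plans, and a circuit breaker on suspicious change bursts) can be implemented as a single gate that every tool call passes through before execution. The following is an added example, not code from the original article or from Wiz. AGENT_SCOPES, the RISK tiers, the action names and APPROVAL_KEY are all hypothetical placeholders; approvals are modelled as an HMAC a reviewer computes over exactly the agent, action and plan digest, so an agent cannot reuse a sign-off for a different plan.

```python
import hashlib
import hmac
import time
from collections import deque

# Placeholder secret; in practice held only by the approval service, never by the agent.
APPROVAL_KEY = b"constructed-demo-key"

# Hypothetical scopes: which tool actions each agent identity may invoke at all.
AGENT_SCOPES = {
    "deploy-agent":   {"k8s:get", "k8s:apply", "terraform:plan", "terraform:apply"},
    "readonly-agent": {"k8s:get", "aws:describe"},
}
# Risk tier per action; anything unlisted is treated as destructive.
RISK = {
    "k8s:get": "read", "aws:describe": "read", "terraform:plan": "read",
    "k8s:apply": "mutating", "terraform:apply": "destructive", "aws:delete": "destructive",
}


def plan_digest(plan_text):
    return hashlib.sha256((plan_text or "").encode()).hexdigest()


def sign_approval(key, agent, action, plan_text):
    """A human approver signs exactly (agent, action, plan digest); any change breaks it."""
    msg = f"{agent}|{action}|{plan_digest(plan_text)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CircuitBreaker:
    """Trips an agent once it makes more than `limit` state-changing calls in `window` seconds."""

    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.events = {}          # agent -> deque of timestamps
        self.tripped = set()

    def record(self, agent, now):
        q = self.events.setdefault(agent, deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            self.tripped.add(agent)
        return agent in self.tripped


class ToolGate:
    """Decides whether a tool call proceeds: 'allowed', 'needs-approval' or a 'denied:*' reason."""

    def __init__(self, breaker=None, key=APPROVAL_KEY):
        self.breaker = breaker or CircuitBreaker()
        self.key = key

    def decide(self, agent, action, plan_text=None, approval=None, now=None):
        now = time.time() if now is None else now
        if agent in self.breaker.tripped:
            return "denied:circuit-open"
        if action not in AGENT_SCOPES.get(agent, set()):
            return "denied:out-of-scope"
        risk = RISK.get(action, "destructive")
        if risk == "read":
            return "allowed"
        if risk == "destructive" and not plan_text:
            return "denied:plan-required"      # e.g. terraform plan output must be supplied
        if approval is None:
            return "needs-approval"             # hand off to a human; do not execute
        if not hmac.compare_digest(sign_approval(self.key, agent, action, plan_text), approval):
            return "denied:approval-mismatch"   # plan or action changed after sign-off
        if self.breaker.record(agent, now):
            return "denied:circuit-open"        # suspicious burst of infrastructure changes
        return "allowed"
```

Two design points: unknown actions fall into the strictest tier rather than the loosest, and a tripped breaker stays tripped until an operator resets it, so the agent cannot simply wait out the window. In a production gate the approval would also carry a nonce or expiry so a signed plan cannot be replayed after it has been applied once.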

Identity and access management

Identity defines what an agent can and cannot do. Without strict controls, compromised agents can operate with far too much power.

  • Issue ephemeral credentials with short-lived tokens from services like AWS STS, Azure managed identities, or GCP Workload Identity.

  • Grant just-in-time (JIT) access so an agent’s permissions scale up and down based on its current task, eliminating persistent broad access.

  • Federate identity across clouds using standards like OIDC to ensure consistent authentication for agents operating in a multi-cloud environment.

  • Continuously analyze effective permissions and identify toxic combinations—such as public exposure plus data sensitivity plus privileged token paths—to prioritize least-privilege fixes using a security graph.

  • Rotate and audit agent service accounts regularly across all cloud providers.
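The "toxic combination" bullet describes a graph query: a path that starts at public exposure, passes through an agent and a privileged role, and ends at sensitive data. The following is an added example, not code from the original article or from the Wiz Security Graph. The nodes, edges, names and the privileged/sensitivity labels are constructed; in practice they would be populated from IAM policy evaluation, network reachability and data classification.

```python
from collections import defaultdict

# Constructed inventory: the kind of nodes and edges a security graph assembles
# from IAM, network and data-classification sources. Names are placeholders.
NODES = {
    "internet":         {"type": "exposure"},
    "api-gw-public":    {"type": "endpoint", "public": True},
    "agent-ops":        {"type": "agent"},
    "agent-readonly":   {"type": "agent"},
    "role-ops":         {"type": "role", "privileged": True},    # broad wildcard permissions
    "role-reader":      {"type": "role", "privileged": False},
    "s3-customer-pii":  {"type": "datastore", "sensitivity": "high"},
    "s3-public-assets": {"type": "datastore", "sensitivity": "low"},
}
EDGES = [
    ("internet", "api-gw-public", "reaches"),
    ("api-gw-public", "agent-ops", "invokes"),
    ("agent-ops", "role-ops", "assumes"),
    ("role-ops", "s3-customer-pii", "can-read"),
    ("role-ops", "s3-public-assets", "can-read"),
    ("agent-readonly", "role-reader", "assumes"),
    ("role-reader", "s3-public-assets", "can-read"),
]


def adjacency(edges):
    adj = defaultdict(list)
    for src, dst, rel in edges:
        adj[src].append((dst, rel))
    return adj


def find_toxic_paths(nodes, edges, start="internet", max_depth=6):
    """Depth-first search from the exposure node; keep paths that go through an
    agent and a privileged role and end at a high-sensitivity datastore."""
    adj = adjacency(edges)
    toxic = []

    def walk(node, path):
        path = path + [node]
        if len(path) > max_depth:
            return
        if nodes[node]["type"] == "datastore":
            through_agent = any(nodes[p]["type"] == "agent" for p in path)
            through_priv = any(nodes[p].get("privileged") for p in path)
            if nodes[node].get("sensitivity") == "high" and through_agent and through_priv:
                toxic.append(path)
            return
        for nxt, _rel in adj[node]:
            if nxt not in path:       # no cycles
                walk(nxt, path)

    walk(start, [])
    return toxic


def least_privilege_fixes(nodes, paths):
    """For each toxic path, the edge whose removal breaks it with the least collateral:
    the privileged role's grant on the sensitive store."""
    fixes = []
    for path in paths:
        role = next(p for p in path if nodes[p].get("privileged"))
        fixes.append((role, path[-1]))
    return sorted(set(fixes))
```

On the constructed data the search finds exactly one path (internet, public API gateway, agent-ops, role-ops, customer PII bucket) and proposes dropping role-ops's read grant on that bucket; removing the public exposure would also break the path, but narrowing the role is the change that keeps the agent working for its legitimate tasks.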

Compliance automation and audit trails

Agents make changes continuously, which means you need compliance checks and forensics that operate at the same speed.

  • Automate policy validation to continuously check that any resources modified by an agent still meet security baselines like CIS benchmarks or SOC 2 controls.

  • Aggregate multi-cloud audit logs into a unified view to trace agent actions for compliance reporting and forensics.

  • Integrate supply chain verification into your CI/CD pipeline to scan container images and check model integrity before deployment.

  • Monitor infrastructure changes in real time by detecting configuration drift.

  • Maintain tamper‑evident decision logs (for example, WORM storage or cryptographically signed logs) that provide a comprehensive audit trail of the agent’s reasoning and its infrastructure changes.
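A tamper-evident decision log, as the last bullet describes, can be built from a keyed hash chain: each record's tag covers the previous tag, so any edit, deletion or reordering is detectable, and anchoring the latest tag in WORM storage catches truncation. The following is an added example, not code from the original article or from Wiz; the key and the sample records are constructed placeholders.

```python
import hashlib
import hmac
import json


class DecisionLog:
    """Append-only log of agent decisions. Each record's tag is an HMAC over the
    previous tag plus the record, so altering, dropping or reordering any record
    invalidates every tag after it. The key belongs to the logging service, not
    to the agent, so a compromised agent cannot re-tag a rewritten history."""

    def __init__(self, key):
        self.key = key
        self.records = []
        self.tags = []

    def _tag(self, prev_tag, record):
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hmac.new(self.key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()

    def append(self, agent, reasoning, action, params):
        record = {"seq": len(self.records), "agent": agent, "reasoning": reasoning,
                  "action": action, "params": params}
        prev = self.tags[-1] if self.tags else "genesis"
        tag = self._tag(prev, record)
        self.records.append(record)
        self.tags.append(tag)
        return tag   # publish the latest tag to WORM storage as the anchor

    def verify(self, expected_head=None):
        """Re-derive every tag; optionally compare the final tag with an externally stored anchor."""
        prev = "genesis"
        for i, (record, tag) in enumerate(zip(self.records, self.tags)):
            if record["seq"] != i or not hmac.compare_digest(self._tag(prev, record), tag):
                return (False, f"record {i} altered")
            prev = tag
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return (False, "head mismatch: log truncated or replaced")
        return (True, "ok")


if __name__ == "__main__":
    log = DecisionLog(b"constructed-key")
    log.append("agent-ops", "queue depth high", "k8s:apply", {"replicas": 3})
    head = log.append("agent-ops", "cert expiring", "terraform:apply", {"module": "acm"})
    print(log.verify(head))
```

Store the records on append-only storage and the head tag somewhere the agent cannot write; the verifier then only needs the key and the anchor to prove the recorded reasoning is what the agent actually logged.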

Important: Also review essential AI security best practices to lay the foundation for your AI security posture!

Your 90-day roadmap to agentic AI security

Securing agentic AI is best done in phases: start with visibility, then add prevention, and finally automate controls. Each stage builds on the last while keeping human oversight in place.

First 30 days: Discovery and lockdown

  • Inventory all AI agents, the APIs they call, and the data they access.

  • Apply least privilege to every agent identity.

  • Replace static credentials with ephemeral tokens (AWS STS, Azure managed identities, GCP Workload Identity).

  • Enable detailed logging and telemetry for every agent action and cloud API call.

With this, you can unlock visibility into your AI posture while establishing a baseline of “normal” behavior with strong access controls.

First 60 days: Guardrails in action

  • Apply a single policy framework to enforce admission controls in both CI/CD pipelines and Kubernetes clusters, reducing drift and blocking misconfigurations before they reach runtime.

  • Add human-in-the-loop approvals for destructive actions, e.g., firewall changes or database deletions.

  • Apply guardrails that prevent unsafe operations rather than relying only on detection.

  • Collect forensic evidence from ephemeral workloads before they vanish.

Through these actions, you can stop compromised or misconfigured agents from executing high-impact changes while staying agile.

First 90 days: Automate and prepare

  • Pilot an AISPM capability that correlates agent identities, data sensitivity, and exposure to surface agentic attack paths for prioritized remediation.

  • Build incident response playbooks for agentic AI, covering credential revocation, memory resets, and containment of compromised endpoints.

  • Expand security controls to align with the OWASP Top 10 for LLM Applications and the CSA MAESTRO agentic AI framework.

  • Invest in organizational readiness and team collaboration.

By the end of this stage, your defenses should be evolving alongside your agents so that security matches their autonomy and scale.


How Wiz secures agentic AI workloads across the cloud stack

Wiz AI-SPM delivers agentic AI security through two core capabilities:

  • Agentless visibility captures your entire AI environment without overhead, providing a comprehensive inventory of AI workloads, training data, and model dependencies.

  • Attack path analysis, powered by Wiz Security Graph, connects permissions, services, and exposures to highlight the toxic combinations that create exploitable risks. 

Here's how they work together: Say agentless visibility catalogs an agent with cloud admin privileges and access to sensitive customer data through a publicly exposed API. The Security Graph immediately surfaces this attack path and prioritizes it for remediation.

Wiz continuously tracks your agents as they learn and scale—detecting configuration drift via cloud APIs and, where deployed, detecting anomalous workload behavior using a lightweight eBPF-based runtime sensor.

Ready to secure agentic AI in the real world? See a live attack path from agent to data—and how to break it with graph-based guardrails. Schedule a demo.

Frequently asked questions about agentic AI security