top of page

CYBER & INFOSEC

"blogger, InfoSec specialist, super hero ... and all round good guy" 

DISCUSSIONS, CONCEPTS & TECHNOLOGIES FOR THE WORLD OF

JOIN THE DISCUSSION

Search

From Chatbots to Actors: Why Agentic AI Changes the Security Model

  • Writer: Anthony Giandomenico
    Anthony Giandomenico
  • 1 day ago
  • 4 min read

 

 

For years, security teams learned how to protect systems that respond. Agentic AI introduces systems that decide.


That difference sounds small at first. It isn’t.


Most of today’s AI security conversation still treats models like tools: prompt in, response out, controls around the edges. Agentic systems behave differently. They perceive information, reason over goals, invoke tools, and act — often repeatedly, and often without a human approving every step.


This post is an attempt to reason through what changes when that happens, and why some of our existing security assumptions start to bend.


What Do We Mean by “Agentic AI”?


Agentic AI systems differ from traditional generative AI in a few important ways:

  • They maintain state across interactions

  • They pursue goals, not just prompts

  • They can plan, adapt, and re-plan

  • They can invoke tools and take real actions on behalf of users


This isn’t just automation. It’s delegated authority.

Once a system is allowed to read data, decide what matters, and execute actions, responsibility shifts. The system is no longer just responding — it’s operating.

That’s where things get interesting from a security perspective.


Where Traditional Security Assumptions Start to Break


Most security architectures rely on a few deeply ingrained assumptions:

  • Data is passive

  • Instructions are explicit

  • Identity is stable

  • Actions are attributable

Agentic systems blur all four.


Data vs. Instruction Starts to Collapse


When an agent consumes untrusted content — a document, email, ticket, or web page — the boundary between information and instruction becomes fuzzy. Data can influence reasoning, not just output.

At first glance, this looks like prompt injection. In practice, it’s broader than that.


Identity Gets Messy


Agents act as users but aren’t users. They inherit permissions and context, but without human judgment at every step. It’s a modern version of the confused-deputy problem — except now the deputy can plan.


Memory Changes Persistence


Agent memory means a single bad interaction can persist. What used to be a one-time mistake can influence future decisions. I didn’t fully appreciate this until I started thinking about how agents reuse past context by default.


Decisions Happen Outside the Request/Response Model


Security tools are built around discrete events. Agentic systems operate in loops. Decisions happen between observable events, not just at APIs or endpoints.

That difference matters.


Thinking in Loops, Not Lines


Traditional security models are linear. Agentic systems are cyclical.

A typical agent operates in a loop:

  1. Perceive information

  2. Reason over goals and constraints

  3. Select actions or tools

  4. Execute

  5. Incorporate results back into state


Attacks don’t need to “break in” anymore. They can nudge the loop.

Influence perception. Shift goals. Alter memory. Constrain or redirect actions.

This is where the idea of an agentic kill chain starts to emerge — not as a formal standard yet, but as a useful way to reason about risk.


What We’re Already Seeing in the Wild


Fully autonomous, end-to-end agent-driven breaches aren’t widely documented yet. But many of the underlying techniques already exist today.

We’re already seeing:


  • Prompt manipulation that influences downstream behavior

  • Abuse of automation and service accounts through APIs

  • Identity misuse tied to non-human actors

  • AI-assisted social engineering at scale

  • Chained workflows executing faster than humans can reasonably intervene


Agentic systems don’t introduce new attacker goals. They compress time, reduce friction, and make these techniques easier to chain together.

That’s the shift.


 Detection: The Hard Part


This is where things get uncomfortable.

Today’s SIEMs, XDRs, and detection platforms can see what an agent did:


  • API calls

  • Identity usage

  • Network activity

  • File access

  • Tool execution


What they can’t reliably see is:

  • Why the agent decided to act

  • Whether its goal changed

  • Whether memory influenced the outcome

  • Whether reasoning was externally manipulated


Detection today is indirect, incomplete, and mostly reactive.

From a telemetry standpoint, many agent-driven actions look identical to legitimate automation. That doesn’t make SIEM irrelevant — it just means it wasn’t designed for systems that reason.


This gap is why current work from groups like OWASP, Cloud Security Alliance, and MITRE ATLAS focuses heavily on describing risk rather than prescribing detections. The problem space is still being defined.


 What Is Starting to Form


Even without a clean solution, a few themes are emerging:


  • Agent-aware behavioral baselining What does this agent normally do?

  • Policy enforcement at decision and tool boundaries What can this agent execute, and under what conditions?

  • Memory governance What persists, for how long, and why?

  • Human-in-the-loop controls Not to eliminate autonomy, but to bound blast radius.


These aren’t signature-based fixes. They’re architectural shifts.


A Responsibility Shift, Not a Panic Moment


Agentic AI isn’t inherently unsafe. But it is unforgiving by design.

When systems act:

  • Mistakes propagate faster

  • Attribution becomes harder

  • Trust boundaries blur


And even when agents act, humans remain accountable.

Delegating action doesn’t delegate responsibility.


Why I’m Writing This


I’m still working through a lot of this myself — reading, building, and testing ideas as I go. Writing is part of how I make sense of shifts in security that challenge assumptions I’ve relied on for years.


This post isn’t meant to be definitive. It’s a snapshot of how I’m currently thinking about agentic systems, where the security model starts to bend, and where I think practitioners should be paying closer attention as autonomy becomes more common.


What’s Next


In follow-up posts, I plan to explore:

  • What an agentic kill chain might actually look like

  • Why traditional detections struggle with agent behavior

  • How memory changes persistence models

  • What red teaming autonomous systems could mean

  • Where human oversight still matters most


This space is moving quickly. The frameworks will mature. The tooling will catch up.

But the mindset shift has to come first.

 

 
 
 

Comments

doctorchaos.com and drchaos.com is a blog dedicated to Cyber Counter Intelligence and Cybersecurity technologies. The posts will be a discussion of concepts and technologies that make up emerging threats and techniques related to Cyber Defense. Sometimes we get a little off-topic. Articles are gathered or written by cyber security professionals, leading OEMs, and enthusiasts from all over the world to bring an in-depth, real-world, look at Cyber Security. About this blog doctorchaos.com and drchaos.com and any affiliate website does not represent or endorse the accuracy or reliability of any information’s, content or advertisements contained on, distributed through, or linked, downloaded or accessed from any of the services contained on this website, nor the quality of any products, information’s or any other material displayed, purchased, or obtained by you as a result of an advertisement or any other information’s or offer in or in connection with the services herein. Everything on this blog is based on personal opinion and should be interoperated as such. Contact Info If you would like to contact this blog, you may do so by emailing ALAKHANI(AT)YMAIL(DOT)COM  

SOCIALS 

Facebook

Twitter

Instagram

Linkedin

RSS Feed

SUBSCRIBE 

Keeping you informed | Latest News

© 2018 Dr. Chaos 

bottom of page