AI Security

Mapping the Attack Surface of Agentic AI

Demo article: where autonomous agents actually go wrong, from tool-call injection to scope creep, and the boundaries worth enforcing.

June 18, 2026
2 min read
Talat Mahmud
Talat Mahmud
@falconizzare
Mapping the Attack Surface of Agentic AI

Give a language model tools and it stops being a chatbot. It becomes a process with credentials, and every capability you hand it is a door that something other than you can try to open. Most teams inventory what their agent can do; very few inventory what it can be convinced to do.

The Surface Is the Tool Layer

Prompt injection gets the headlines, but injection is only the delivery mechanism. The damage happens at the tool boundary: the moment a poisoned instruction turns into a real API call, a database write, or an outbound email. That is where an attack stops being text and starts being an action.

  • Tool-call injection: untrusted content steering the agent into calls it was never asked to make.
  • Scope creep: a task that legitimately needs read access quietly escalating into writes.
  • Context poisoning: planted data that changes future decisions long after the session that ingested it.
  • Confused deputy: the agent's credentials doing work on behalf of whoever can reach its inputs.

An agent's permissions describe what it can do on its best day. Its attack surface is what it can do on its worst.

Field note from a gateway audit

Boundaries Worth Enforcing

The fix is not a smarter prompt. Prompts are advice; boundaries are architecture. The controls that hold up in practice all live outside the model, where the model cannot negotiate with them.

  1. 01
    Scope credentials per task

    Mint short-lived, narrowly scoped credentials for each agent session instead of loaning it a service account.

  2. 02
    Evaluate every call against policy

    A policy engine sits between intent and execution, approving or blocking each tool call before it runs.

  3. 03
    Treat retrieved content as untrusted

    Anything the agent reads from the outside world is input, not instruction. Strip its authority before it reaches the planner.

  4. 04
    Record everything

    A full decision-and-action audit trail turns incidents from forensics into replay.

None of this makes an agent safe in the abstract. It makes an agent bounded, which is the property you can actually engineer for. Safety is a claim about behavior; boundaries are a claim about possibility, and possibility is the thing you can prove.

Keep the Conversation Going

Thoughts on this one?

If this sparked an idea, a disagreement, or a project, I would like to hear it.