survey 2026

SoK: The Attack Surface of Agentic AI -- Tools, and Autonomy

Ali Dehghantanha 1,2, Sajad Homayoun 2

1 University of Guelph

2 Aalborg University

0 citations
α

Published on arXiv

2603.22928

Prompt Injection

OWASP LLM Top 10 — LLM01

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Synthesizes 20+ studies from 2023-2025 revealing agentic systems introduce qualitatively different attack surfaces including indirect prompt injection, RAG index poisoning, and cross-agent manipulation beyond traditional LLM threats

Recent AI systems combine large language models with tools, external knowledge via retrieval-augmented generation (RAG), and even autonomous multi-agent decision loops. This agentic AI paradigm greatly expands capabilities - but also vastly enlarges the attack surface. In this systematization, we map out the trust boundaries and security risks of agentic LLM-based systems. We develop a comprehensive taxonomy of attacks spanning prompt-level injections, knowledge-base poisoning, tool/plug-in exploits, and multi-agent emergent threats. Through a detailed literature review, we synthesize evidence from 2023-2025, including more than 20 peer-reviewed and archival studies, industry reports, and standards. We find that agentic systems introduce new vectors for indirect prompt injection, code execution exploits, RAG index poisoning, and cross-agent manipulation that go beyond traditional AI threats. We define attacker models and threat scenarios, and propose metrics (e.g., Unsafe Action Rate, Privilege Escalation Distance) to evaluate security posture. Our survey examines defenses such as input sanitization, retrieval filters, sandboxes, access control, and "AI guardrails," assessing their effectiveness and pointing out the areas where protection is still lacking. To assist practitioners, we outline defensive controls and provide a phased security checklist for deploying agentic AI (covering design-time hardening, runtime monitoring, and incident response). Finally, we outline open research challenges in secure autonomous AI (robust tool APIs, verifiable agent behavior, supply-chain safeguards) and discuss ethical and responsible disclosure practices. We systematize recent findings to help researchers and engineers understand and mitigate security risks in agentic AI.

Key Contributions

  • Comprehensive taxonomy of agentic AI attacks spanning prompt injection, RAG poisoning, tool exploits, and multi-agent threats mapped to OWASP GenAI and MITRE ATLAS
  • Attacker-aware security metrics (UAR, PED, RRS, etc.) and evaluation framework for measuring agentic system security posture
  • Defense-in-depth framework and practitioner playbook covering design-time hardening, runtime monitoring, and incident response for agentic AI deployment

🛡️ Threat Analysis

Details

Domains
nlpmultimodal
Model Types
llm
Threat Tags
inference_timeblack_box
Applications
agentic ai systemsllm tool useretrieval-augmented generationautonomous agentsmulti-agent systems
Read PDF arXiv

Similar Papers

survey

Agentic AI Security: Threats, Defenses, Evaluation, and Open Challenges

2025 8 cit.
94%
survey

Agentic AI as a Cybersecurity Attack Surface: Threats, Exploits, and Defenses in Runtime Supply Chains

2026 0 cit.
88%
survey

Systems Security Foundations for Agentic Computing

2025 3 cit.
88%
survey

The Attack and Defense Landscape of Agentic AI: A Comprehensive Survey

2026 0 cit.
85%
survey

Uncovering Security Threats and Architecting Defenses in Autonomous Agents: A Case Study of OpenClaw

2026 0 cit.
AI Supply Chain Attacks
85%
benchmark

Your Agent is More Brittle Than You Think: Uncovering Indirect Injection Vulnerabilities in Agentic LLMs

2026 0 cit.
84%
survey

Securing the Model Context Protocol (MCP): Risks, Controls, and Governance

2025 10 cit.
83%
survey

SoK: Trust-Authorization Mismatch in LLM Agent Interactions

2025 2 cit.
82%