The Agentic Shift

The first generation of LLM deployments was largely passive β€” a model would generate text and a human would decide what to do with it. The current generation is fundamentally different. Agentic AI systems have tools: they can execute code, query databases, call APIs, read and write files, and spawn other agents. The attack surface has expanded from "what text does this generate" to "what actions can this trigger".

This shift has outpaced security modelling. Most organizations that deployed an AI coding assistant or an automated support agent in 2024-2025 did so under the same identity and permission model they would use for a background job. The agent inherits service account credentials, environment variables with API keys, and in Kubernetes deployments, a mounted service account token that can query the cluster API.

The fundamental problem: A traditional application has a fixed, auditable set of actions it will take. An agentic system's actions are determined at runtime by the LLM's interpretation of instructions β€” instructions that can come from untrusted sources.

The Inherited Privilege Problem

When you deploy an AI agent to read your Jira tickets and update your GitHub PRs, you need to give it credentials for both services. In practice this means one of: a service account with broad OAuth scopes, environment variables containing API tokens, or a Kubernetes service account with RBAC permissions attached. All three create the same fundamental problem: the agent's blast radius is the union of all its credentials.

The OWASP Top 10 for Agentic Applications (2026) places excessive agency and overprivileged identities in its top three concerns. In cloud environments, this compounds: agents often run on EC2 or GKE nodes that have instance metadata endpoints, meaning the agent can trivially acquire the host's IAM role β€” without any prompt injection at all, simply by making an HTTP request to the metadata endpoint.

The Kubernetes Surface

In Kubernetes, every pod gets a service account token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token by default. An agent running in a pod with a permissive RBAC binding can use this token to list secrets across namespaces, create privileged pods, or modify RBAC bindings. If the agent can execute arbitrary shell commands (which coding assistants frequently can), the path from "untrusted user input" to "cluster admin" can be a single tool call.

# What an over-permissioned agent can do with its mounted token TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) APISERVER=https://kubernetes.default.svc # List all secrets in all namespaces curl -sSk -H "Authorization: Bearer $TOKEN" \ $APISERVER/api/v1/secrets # Create a privileged pod for container escape curl -sSk -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -X POST $APISERVER/api/v1/namespaces/default/pods \ -d '{"spec":{"containers":[{"name":"esc","image":"alpine","securityContext":{"privileged":true}}]}}'

Attack Chain Mechanics

The practical attack chain against an agentic system starts with prompt injection β€” either direct (a user crafts a malicious instruction) or indirect (a web page, document, or tool response the agent reads contains embedded instructions). From there, the attack depends entirely on what tools the agent has access to.

InjectionMalicious instruction in user input or retrieved document
Tool AbuseAgent uses legitimate tools (shell, k8s API, file system) to escalate
Credential AccessReads mounted tokens, environment secrets, metadata endpoint
Lateral MoveUses acquired credentials to pivot to other systems

The most dangerous tool combination is a code execution tool plus a network access tool. An agent with exec_python and http_request capabilities can exfiltrate any secret it can read and communicate it to an attacker-controlled server β€” all within what looks like a legitimate reasoning chain.

Multi-Agent Escalation

In multi-agent architectures, an attacker who compromises a low-privilege worker agent can often instruct it to send crafted messages to a higher-privilege orchestrator agent. The orchestrator trusts messages from worker agents β€” they are, after all, part of the same system. This is a trust boundary violation that most frameworks have not adequately addressed. The OWASP Agentic Top 10 refers to this as "agent injection through communication channels".

Memory and Context Poisoning

Long-running agents with persistent memory introduce an additional attack vector: context poisoning. If an agent stores summaries of its interactions in a vector database and later retrieves them to inform future decisions, an attacker can inject persistent malicious instructions into that memory store. The injected instruction survives the original conversation and influences all future agent sessions that retrieve similar context.

This attack is particularly effective because it is asynchronous β€” the payload is injected in one session and activates in a future session, making attribution difficult. The injected content looks like legitimate agent memory. Standard security logging that captures input/output pairs will record the retrieval of the poisoned memory as normal RAG behaviour.

Persistence without persistence: Memory-poisoned agents maintain attacker influence across sessions without any persistent foothold in the traditional sense. No malware on disk, no modified config β€” just a record in a vector database that looks like normal conversation history.

Detection Signals

Agentic behaviour is harder to monitor than traditional application behaviour because the decision logic is opaque. However, the actions agents take are observable. Key detection signals include:

  • Credential access outside normal patterns: An agent that reads environment variables or mounted secrets it has never accessed before is a strong signal. Instrument your agent's runtime environment to log every credential access.
  • Unexpected outbound connections: Agents have known tool sets. A connection to an IP address outside the expected tool endpoints β€” especially one that does not resolve to a known service β€” is highly suspicious.
  • Kubernetes API calls from agent pods: Most agent pods have no legitimate need to query the cluster API. Any audit log entry showing API calls originating from an agent pod's service account should trigger review.
  • Anomalous tool call sequences: Log every tool call with its arguments. A sequence of read_file(/etc/passwd) β†’ http_post(external_url) is an exfiltration chain regardless of how it was framed in the reasoning trace.
  • Memory store writes with instruction-like content: If your agent's memory store contains entries that read like instructions ("from now on, always..."), this indicates a prior poisoning attempt.

Least-Privilege Mitigations

  1. Scope credentials to the minimum required toolset: An agent that needs to read GitHub PRs does not need write access. An agent that needs to query a database does not need schema modification rights. Model your agent's credential requirements the same way you model a microservice's β€” start with nothing, add only what's needed.
  2. Disable service account token auto-mounting: In Kubernetes, set automountServiceAccountToken: false on agent pods unless they genuinely need cluster API access. Most agents do not.
  3. Block IMDS access from agent workloads: Use network policies or instance metadata service v2 (IMDSv2) enforcement to prevent agents from querying the cloud metadata endpoint. Add a network policy that denies egress to 169.254.169.254 from agent namespaces.
  4. Enforce tool call allow-lists: Define an explicit list of tools each agent is permitted to call and reject calls to unlisted tools at the framework level, not the prompt level. Prompt-level restrictions can be overridden by injection.
  5. Treat agent tool calls as untrusted input: Log every tool invocation with its full argument payload. Alert on tool calls that deviate from the agent's established baseline in terms of targets, volumes, or sequencing.
  6. Sanitize memory inputs: Before writing to an agent's long-term memory store, apply the same input validation you would apply to a user-facing form. Entries that contain imperative instructions should be flagged or rejected.
  7. Establish inter-agent trust boundaries: In multi-agent systems, higher-privilege orchestrators should not blindly trust messages from worker agents. Implement message authentication and validate that requests from sub-agents are within the scope of the original task.

The key framing: An agentic AI is a software principal, not a user. Apply the same least-privilege discipline you would apply to any other automated system: minimal credentials, explicit allow-lists, comprehensive audit logging, and no assumed trust across agent boundaries.