Securing Agentic AI Systems

In the past year, we have not heard about generative AI, without hearing terms such as agentic AI, AI agents, MCP, and recently A2A protocol.

When building agentic AI systems (whether using a single AI agent or multiple agents communicating with each other autonomously), as technology is still evolving, we should be aware of security threats, design accordingly, and embed security controls to mitigate against potential risks.

Agentic AI differs from generative AI in that it acts autonomously to carry out complex, multi-step tasks toward a goal with minimal human direction, whereas generative AI responds to specific prompts by creating content like text or images but stops there; however, this autonomy introduces new security risks such as agents being manipulated through prompt injections to act against intentions, tool misuse where integrated systems are exploited, overprivileged agents performing unauthorized actions, memory poisoning that corrupts long-term decision-making, identity spoofing allowing attackers to impersonate agents, and communication poisoning disrupting multi-agent collaboration.

This blog post explains agentic AI and provides recommendations for securing it.

Terminology

Before we deep dive into this blog post, let’s review common terms:

• Agentic AI - Agentic AI is a smart system that can work on its own, making decisions and solving problems step-by-step without needing constant instructions from people.
• AI agent - An AI agent is like a smart digital helper that can understand its surroundings, make decisions, and take actions on its own to complete tasks or reach goals without needing someone to constantly tell it what to do.
• Agentic AI vs. AI Agent - Agentic AI is the whole self-managing system built from one or more AI agents working toward specific objectives.
• MCP (Model Context Protocol) - A common language that helps AI programs connect easily and safely with other tools and data sources, so they can understand the context better and do helpful tasks without needing special custom setups for each connection.
• A2A (Agent to Agent) Protocol - A simple set of rules that lets AI agents talk and work together smoothly and securely, helping them share tasks and information without confusion.

Threat landscape

Agentic AI systems suffer from various security threats.

Here is a common list of security threats that we should be aware of when building agentic AI systems:

• Prompt injection and goal manipulation: Attackers insert malicious instructions that alter AI behavior or steer agents towards harmful actions.
• Privilege escalation and overprivileged agents: Agents inherit or gain excessive permissions, allowing unauthorized or destructive activities.
• Tool misuse and API exploitation: Malicious use of integrated tools or APIs to trigger unintended or harmful operations.
• Authentication and identity spoofing: Weak or stolen credentials allow attackers to impersonate agents or users, gaining unauthorized access.
• Data exposure and unauthorized data access: Sensitive information leakage due to improper access controls or retrieval mechanisms.
• Agent communication poisoning: Attackers manipulate the messaging between agents, disrupting workflows or spreading false information.
• Resource exhaustion and denial of service: Overloading agent compute or memory resources to degrade performance or disrupt services.
• Insufficient security controls in protocols (MCP, A2A): Lack of strong authentication, authorization, token management, and auditability increases risk of compromise and data leaks.
• Memory poisoning and persistence attacks: Long-term manipulation of agent memory or state to cause subtle, ongoing misbehavior.
• Repudiation and lack of traceability: Inadequate logging and monitoring hinder investigations and accountability for agent actions.

Security Recommendations

Below are some recommendations for securing agentic AI systems, broken down by domains:

Authentication and Authorization – AI Agents

This section provides recommendations for configuring AI agents as they connect to other resources:

• Implement strong agent authentication and authorization using unique identities with cryptographic credentials and fine-grained role-based access control to prevent unauthorized actions and spoofing.
• Assign unique, cryptographically verifiable identities to each AI agent to ensure accountability and prevent impersonation.
• Implement fine-grained, least-privilege Role-Based Access Control (RBAC) policies that restrict agents’ permissions strictly according to their roles and tasks.
• Implement Attribute-Based Access Control (ABAC): Use contextual attributes (time, location, system status) for dynamic authorization decisions to adapt security posture in real time.
• Use Short-Lived Credentials and Token Rotation: Use ephemeral, time-limited tokens for agent access to resources, rotating credentials frequently to minimize attack windows.
• Apply mutual TLS (mTLS) Authentication: Enforce mTLS for all agent-to-agent (A2A) and agent-to-service communication to verify identity at the transport layer and encrypt data in transit.
• Provide secure emergency mechanisms to revoke or modify agent permissions instantly if malicious or unauthorized activities are detected.

AWS

• Use Amazon Bedrock AgentCore Identity, a purpose-built service for managing AI agent identities and secure credential handling at scale, which supports assigning unique, cryptographically verified identities to each agent.
• Use OAuth 2.0 and OpenID Connect protocols for standardized, secure authorization and token handling, supported by AgentCore Identity’s token vault.
• Securely store and manage agent credentials, API keys, and OAuth tokens using AWS Secrets Manager and the token vault in AgentCore Identity with encryption at rest and in transit.
• Integrate with AWS Identity and Access Management (IAM) to enforce least-privilege access, allowing agents only the minimum permissions required for their tasks.
• Use fine-grained access policies for agent actions and resource access, and leverage AgentCore Identity features like agent authorizers to validate and authorize agent invocations dynamically.

Authentication and Authorization – Agents Administration

This section provides recommendations for configuring administrative access to manage AI agents’ settings:

• Centralize Identity Management: Use a unified identity provider for user authentication and policy enforcement.
• Enforce Role-Based Access Control (RBAC): Assign users and admins the minimum roles and permissions necessary for their tasks to limit risk from overprivileged accounts.
• Segregate Duties: Separate roles for agent creation, configuration, deployment, and monitoring to reduce insider risk and improve accountability.
• Implement Just-In-Time (JIT) Access: Grant elevated privileges only for limited time windows when needed.
• Multi-Factor Authentication (MFA): Use MFA for accessing agent management consoles and administrative functions to reduce risks from compromised credentials.

AWS

• Use AWS IAM Identity Center or Amazon Cognito to enable secure user authentication and federated identity for users invoking agents.
• Use AWS IAM Roles with Temporary Credentials: Assign users or AI agents IAM roles that issue temporary security credentials, limiting the window of elevated privileges automatically.

Secrets Management

This section provides recommendations for configuring secrets management for AI agents as they connect to other resources:

• Assign unique identities to each AI agent and avoid using shared or human credentials as service accounts to reduce attack surfaces and improve traceability.
• Avoid hardcoding secrets in source code, configuration files, or container images; ensure secrets are injected dynamically at runtime with least privilege access.
• Enforce strict access control policies with fine-grained roles restricting who or what can retrieve or manage secrets.
• Regularly rotate credentials and revoke unused or compromised secrets as part of routine security hygiene.

AWS

• Use AWS Secrets Manager and apply just-in-time access with short-lived credentials.

Network Access

Before discussing network access control recommendations for implementing AI agents, it is important to note that not all AI agents are deployed or behave the same.

In some implementations, such as Microsoft Copilot and the Salesforce Copilot integration, governance is at both the data access and application control levels rather than direct network-layer firewall controls. For such implementation, review the recommendation in this blog, which relates to authentication and authorization access of the AI agent.

For other implementations, such as Amazon Bedrock AgentCore, Azure AI Foundry, or Vertex AI Agent Builder, it is possible to build an AI agent as part of the cloud environment and be able to configure network access controls.

This section provides recommendations for configuring network access for AI agents, based on the second implementation mentioned above, as they connect to other resources:

• Network Segmentation and Micro-Segmentation: Confine each AI agent to only the specific resources and systems necessary for its role, segmenting the network into tightly controlled zones to limit lateral movement in case of compromise.
• Zero Trust Network Access (ZTNA): Implement a zero-trust model where every request to access AI services and data is authenticated, authorized, and encrypted regardless of source.
• IP Allowlisting and Egress Controls: Control inbound and outbound traffic by allowing only known IP ranges or internal network ranges for agent communications to prevent unauthorized external access or data exfiltration.
• Network Encryption and Data-in-Transit Protection: Ensure all data exchanges between AI agents, tools, and data sources use strong encryption standards (TLS 1.2/1.3) enforced via network policies.
• Use of API Gateways and Service Meshes: Route agent requests through managed API gateways and service meshes to centrally manage security policies, rate limiting, authentication, and credential injection.
• Vendor and Third-Party Risk Controls: Apply strict network access policies and continuous monitoring for third-party API integrations that agents rely on to avoid introducing external threats.

AWS

• Restrict access from the AI agent to AWS resources within your AWS VPC using security groups.
• Use AWS PrivateLink to restrict access from the AI agent to supported resources within your AWS ecosystem.
• Use AWS API Gateway to secure AI agents by enforcing IAM and OAuth-based authentication, fine-grained authorization, rate limiting, and traffic inspection for all API interactions.
• Use Amazon VPC Lattice to secure AI agents by enforcing centralized authentication and authorization with IAM policies, applying fine-grained access controls.

Input/Output validation

As AI agents are based on input, and may be prone to various attacks (such as prompt injections, malicious payloads, and data exfiltration attempts), it is crucial to sanitize all input/output, as recommended below:

• Validate and sanitize all inputs rigorously: Only accept expected, well-defined input formats (e.g., structured JSON), and filter out dangerous characters, escape sequences, or embedded prompts to prevent malicious command or prompt injections.
• Implement prompt filtering and policy enforcement: Apply rules or guardrails (such as Rebuff, LangChain Guardrails, TruLens) on inputs and generated outputs to detect and block unsafe content, data leakage, or unauthorized command execution before reaching downstream systems or users.
• Separate trusted system prompts from user input: Maintain clear boundaries in the prompt construction pipeline to prevent user inputs from influencing system commands or administrator instructions.

Zero-trust for agent-to-tool interactions

• Implement Zero Trust Network Access (ZTNA) principles for all AI-related communication and API access.
• Never Trust, Always Verify: Every AI agent interaction—including API calls, data access, and inter-agent communication—must be authenticated and authorized continuously, with no implicit trust.
• Dynamic Context-Aware Access Control: Access permissions adapt based on agent role, behavior history, environmental conditions, requested actions, and risk signals.
• Segmentation and Isolation: AI agents should operate within isolated network and compute zones, communicating only over secure, authenticated channels with strict network policies.
• Use sandboxed execution environments: Run AI agents in isolated containers or VMs where risky or injected commands cannot directly compromise the host environment or access sensitive assets.

Memory protection

Memory is essential for AI agents because it enables them to learn, adapt, and maintain context over time, making their behavior coherent, personalized, and intelligent.

Below is a list of common recommendations for memory protection when building AI agents:

• Isolate session memory from long-term memory or persistent stores to prevent manipulation of an agent’s contextual knowledge or state (memory poisoning).
• Apply cryptographic integrity checks on persistent memory regions to detect unauthorized modifications.
• Sanitize and validate all inputs written into memory, filtering malicious or malformed data to prevent injection attacks.
• Restrict memory write access strictly to trusted components with role-based access control and least privilege.

Human-in-the-Loop

Human-in-the-Loop is vital for AI agents because it combines AI efficiency with human judgment to catch errors, reduce risks, and ensure trustworthy, responsible decision-making.

Below is a list of common recommendations for implementing human-in-the-loop when building AI agents:

• Design clear decision points for human oversight: Identify critical actions like access approvals, destructive operations, or sensitive data access where human review and intervention are mandatory.
• Use policy-driven approval logic instead of hardcoded rules to enforce flexible, auditable, and version-controlled governance for human approvals.
• Keep human review prompts contextual, concise, and actionable to reduce reviewer fatigue and improve the accuracy and speed of decisions.
• Enable asynchronous review workflows for non-blocking or lower-risk approvals to optimize operational efficiency without sacrificing oversight.
• Incorporate feedback loops so human reviewers can flag unusual behaviors or false positives, which help improve AI models over time.
• Implement transparency and explainability features to help humans understand AI decisions and potential biases, building trust and accountability.
• Train humans regularly on AI system limitations, potential biases, common pitfalls, and security risks to improve vigilance.
• Balance automation with human creativity and critical thinking by using AI to augment humans rather than replace them.

Observability

Auditing, logging, and observability are crucial in AI agents because they ensure accountability, enable early detection of security issues, and support trust and compliance throughout AI system operations.

Below is a list of common recommendations for implementing auditing or logging when building AI agents:

• Continuous Authentication and Authorization Monitoring: Continuously monitor agent access patterns and authorization events for anomalies or policy violations to detect compromised agents.
• Logging and Auditing Network Access: Enable detailed audit logging of all inbound/outbound connections, API calls, and network events related to agentic AI systems for forensic and compliance purposes.
• Comprehensively log AI agent activities: Record prompts, inputs, and outputs, API calls, tool usage, decisions, overrides, and user interactions to create an audit trail for forensic analysis and compliance.
• Continuously monitor agent behavior and inputs/outputs: Log and analyze all prompt content, API calls, and responses to identify anomalous patterns or suspicious activity indicative of prompt injection or manipulation.
• Correlate logs across components: Aggregate agent logs with infrastructure, network, and identity logs to build a holistic security posture and enable threat detection.
• Maintain model and agent lifecycle metadata: Track versions, training data sources, evaluation results, safety scores, and red team findings tied to logs for traceability.
• Protect audit data access: Use strict access controls and separation of duties to prevent log tampering or unauthorized access.
• Runtime Monitoring and Anomaly Detection: Monitor network traffic patterns, agent behaviors, and access logs, and integrate with SIEM platforms to detect anomalous or malicious activities.
• Automate alerting and incident response: Configure automated workflows triggered by suspicious log patterns to rapidly respond to threats.

AWS

• Use AWS CloudWatch to collect and analyze metrics, logs, and traces from agentic AI applications for real-time observability and troubleshooting.
• Use AWS CloudTrail to log all API calls and management events from AI services like Amazon Bedrock, providing a comprehensive audit trail.
• Use Amazon GuardDuty to monitor and analyze CloudTrail, VPC Flow Logs, and DNS logs for threat detection and anomalous behavior in AI workloads.

Governance and AI ethics

AI governance and ethics are important because they ensure AI systems operate responsibly, transparently, and fairly, building trust while minimizing risks and societal harms.

Below is a list of common recommendations for implementing governance and AI ethics when building AI agents:

• Establish clear policies and ethical guidelines aligned with organizational values to address fairness, transparency, privacy, and human-centric AI use.
• Include governance frameworks and AI ethics committees overseeing agent development and deployment to maintain accountability and trust.
• Develop a regulatory compliance framework, ensuring adherence to laws such as GDPR, EU AI Act, and industry standards relevant to AI deployments.
• Implement risk management strategies to identify, assess, and mitigate technical, operational, ethical, and reputational risks associated with AI agents.
• Define accountability mechanisms with clear roles, responsibilities, and decision-making processes overseeing AI development, deployment, and outcomes.
• Promote transparency by tracking and explaining AI decision-making processes, data used, and system limitations to build trust with users and stakeholders.
• Foster a culture of responsible AI through staff training on ethics, security, regulatory requirements, and ongoing awareness initiatives.
• Engage multidisciplinary governance boards, including legal, compliance, technical, and domain experts, to oversee AI ethics and governance frameworks.
• Invest in explainability tools that help non-technical stakeholders understand AI outputs and reasoning.
• Regularly update governance policies to adapt to evolving regulations, technological advances, and societal expectations.
• Enable rapid revocation or suspension of user access and agent operations in case of detected compromise.
• Implement kill switches and network access revocations that can immediately halt agent communications when anomalies or breaches are detected.

Summary

In this blog post, I have reviewed the concept of agentic AI, threats related to building agentic AI applications, and many recommendations for securing agentic AI systems and the use of AI agents.

As the technology keeps evolving, I recommend continuing to read, understand the various deployment methods of AI agents, trying to mitigate the risks using them.

The blog contains many recommendations when deploying in cloud environments, but keep in mind that AI agents can be deployed in your cloud environment, in a fully managed SaaS environment, or even on a local desktop, so review the recommendations and adjust them according to the target environment the AI agents are running in or communicating with (on-prem, cloud, or third-party providers).

AI tools were used to research and edit this article. Graphics are created using AI.

References

• What are AI Agents?
• OWASP Securing Agentic Applications Guide
• OWASP Agentic AI Threats and Mitigations
• Securing Agentic AI: A Comprehensive Threat Model and Mitigation Framework for Generative AI Agents

About the author

Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. With over 25 years of experience in the IT industry, he brings deep expertise to his work.
Connect with Eyal on social media: https://linktr.ee/eyalestrin.
The opinions expressed here are his own and do not reflect those of his employer.