Threats forty-nine

Intent Breaking and Goal Manipulation is the class of attacks that exploit the lack of separation between data and instructions in an agent. By injecting prompts, tampered data sources, or malicious tool outputs, attackers alter the agent's planning, reasoning, or self-evaluation so that subsequent actions pursue an objective the user never gave. The risk is most pronounced in systems with adaptive planning (e.g. <abbr class="hw-term" data-tip="A common agent loop that interleaves reasoning steps with tool actions." aria-label="A common agent loop that interleaves reasoning steps with tool actions." tabindex="0">ReAct</abbr>-style loops).

Memory Poisoning corrupts an agent's short-term context or persistent memory so future decisions are made against tainted state. The corruption can arrive through direct <abbr class="hw-term" data-tip="An attack that hides instructions inside the data an LLM reads, so the model follows the attacker’s text instead of its operator’s." aria-label="An attack that hides instructions inside the data an LLM reads, so the model follows the attacker’s text instead of its operator’s." tabindex="0">prompt injection</abbr>, <abbr class="hw-term" data-tip="Prompt injection delivered through content the agent retrieves (documents, tool results, web pages) rather than typed by the user." aria-label="Prompt injection delivered through content the agent retrieves (documents, tool results, web pages) rather than typed by the user." tabindex="0">indirect prompt injection</abbr> (e.g. an attacker-controlled document that ends up in the agent's context), shared-memory abuse where one user's writes affect another's reads, or vector-store poisoning of long-term retrieval.

Privilege Compromise is the exploitation of mismanaged roles, dynamic permission inheritance, or overly broad scopes to escalate what an agent can do. Unlike conventional privilege escalation, the attack often does not require breaking access control. It only requires the agent to *use* permissions it already has, in combinations the system never anticipated. *Implicit privilege escalation* and *<abbr class="hw-term" data-tip="When a privileged component is tricked into misusing its authority on behalf of a less-privileged attacker." aria-label="When a privileged component is tricked into misusing its authority on behalf of a less-privileged attacker." tabindex="0">Confused Deputy</abbr>* failures are the canonical patterns.

Unexpected <abbr class="hw-term" data-tip="Remote Code Execution: an attacker running arbitrary code on the target system." aria-label="Remote Code Execution: an attacker running arbitrary code on the target system." tabindex="0">RCE</abbr> and Code Attacks exploit the fact that agents with code-execution or function-calling capabilities can be steered into running attacker-influenced code. Unlike classical RCE, the attacker may not need a memory-corruption bug. Natural language is the injection vector, and the agent itself produces the code that runs.

Insecure Inter-Agent Protocol Abuse is the attack surface that opens once agents talk to each other (Agent-to-Agent / <abbr class="hw-term" data-tip="Agent-to-agent communication: messages passed directly between autonomous agents." aria-label="Agent-to-agent communication: messages passed directly between autonomous agents." tabindex="0">A2A</abbr>) or to tools (Model Context Protocol / <abbr class="hw-term" data-tip="Model Context Protocol: an open standard for connecting agents to tools and data sources." aria-label="Model Context Protocol: an open standard for connecting agents to tools and data sources." tabindex="0">MCP</abbr>) using protocols designed for collaboration rather than for adversarial trust. The attacker targets the trust embedded in these protocols by manipulating server responses, injecting context into tool descriptions, or exploiting ambiguous consent flows to mislead agent reasoning. When protocol specifications are loosely enforced, or implementations lack input validation and strong identity binding, attackers can hijack agent behaviour, escalate privileges, or bypass guardrails entirely.

Supply Chain Compromise covers vulnerable, malicious, outdated, or otherwise harmful upstream components that end up inside the agent: models, libraries, plugins, prompt templates, build pipelines, or framework updates. The compromise can manipulate agent behaviour, exfiltrate data, or run arbitrary code, and is amplified in agentic systems because the agent will autonomously *use* the compromised component across many runs.

Identity Spoofing and Impersonation, also called Agent Identity Compromise, is the exploitation of authentication mechanisms to impersonate AI agents, human users, or external services. The attacker gains unauthorised access while remaining undetected. The particular concern in agentic systems is the misuse of *formal, persistent agent identities* (for example, Microsoft Entra Agent ID), which grant privileged long-term API access that bypasses the agent's conversational interface and its guardrails.

Agent Communication Poisoning is the manipulation of inter-agent communication channels to inject false information, misdirect decisions, or corrupt shared knowledge in multi-agent systems. The threat is distinct from classical message tampering because the recipient agents *reason* over the message. Small, plausible-looking distortions can drive substantial behavioural change.

Rogue Agents are malicious or compromised agents operating inside a multi-agent system, exploiting trust mechanisms or workflow dependencies to manipulate decisions, exfiltrate data, or execute denial-of-service. The OWASP catalog includes the *infectious backdoor* concept: a single compromised agent's reasoning chain spreads through outputs that other agents consume, propagating malicious logic across the network.