
Agentic AI and Security

blog.korny.info

An expanded version of this post has been published at https://martinfowler.com/articles/agentic-ai-security.html - with more mitigations and updated content - I’d suggest reading that article instead; I’m leaving this one up for posterity.

Also, I’ve given up on Disqus for comments - if you want to discuss this post, please reply to My post on Mastodon or My post on Bluesky (I’m doing both as one is more free, one is more convenient for many people).

This is an edited version of a post I wrote for the Liberis internal engineering blog - it is not particularly original; most of the ideas come directly from Simon Willison’s article “Lethal Trifecta for AI agents” - but I thought it was worth writing a summary for our engineers, and sharing it more widely.

Bruce Schneier summarised the current Agentic AI situation in his blog:

“We simply don’t know how to defend against these attacks. We have zero agentic AI systems that are secure against these attacks. Any AI that is working in an adversarial environment—and by this I mean that it may encounter untrusted training data or input—is vulnerable to prompt injection. It’s an existential problem that, near as I can tell, most people developing these technologies are just pretending isn’t there.”

There are many risks in this area, and it is in a state of rapid change - we need to understand the risks, keep an eye on them, and work out how to mitigate them where we can. (I’m going to shamelessly plagiarise Simon Willison’s excellent “Lethal Trifecta for AI agents” article, as it is an excellent overview of the risks.)

What do we mean by Agentic AI

The terminology is in flux, so terms are hard to pin down. I’m using “Agentic AI” with the specific meaning “LLM-based tools that can act autonomously”: tools that extend the basic LLM with tools, agents and background processes. Increasingly this means “almost all AI-based tools”, especially coding tools like Cursor, Copilot or Claude Code. (Note I’m using ‘agent’ here for an
