Enterprises are racing to secure agentic AI deployments

AI assistants are tied into ticketing systems, source code repositories, chat platforms, and cloud dashboards across many enterprises. In some environments, these systems can open pull requests, query internal databases, book services, and trigger automated workflows with limited human involvement. The State of AI Security 2026 from Cisco places this level of access inside a growing pattern of AI-driven operations that connect directly to core business systems.

AI agent security risks

Organizations granted agentic systems authority to execute tasks, access databases, and modify code. Many deployments moved forward with limited readiness. Most organizations planned to deploy agentic AI into business functions, while twenty-nine percent reported that they were prepared to secure those deployments. That gap created exposure across model interfaces, tool integrations, and supply chains.

Measuring model resilience

Prompt injection and jailbreak techniques matured during 2025. Multi-turn attacks that unfold across extended conversations achieved success rates as high as 92 percent in testing across eight open-weight models. These attacks steered models toward disallowed content and unsafe actions over successive prompts. Single-turn protections provided less assurance during longer sessions that involved memory and tool access.

Jailbreak success rates remain one indicator of model resilience. Amy Chang, Leader of AI Threat Intelligence and Security Research at Cisco, told Help Net Security that multi-turn resilience should be tracked as a separate metric, especially for agents that operate over longer sessions. “Jailbreak success rates are still valid indicators of a model’s robustness against adversarial prompts, but as we’ve demonstrated, multi-turn resilience remains a concern and can be a metric that enterprises use to assess models,” Chang said.

Chang said security readiness metrics should align with an organization’s level of AI maturity. “Beyond that, there are numerous other considerations for how an organization can measure its security posture and any compensating controls that need to be implemented, but they must be catered to the relative maturity level of an organization,” she said. “For instance, there’s no need to implement agent tracing and telemetry if an organization is still in the initial stages of integrating large language models into its tech stack.”

Agent autonomy and protocol risk

AI agents introduced additional risk through autonomy. Agentic systems operate in observe-orient-decide-act loops and interact with other agents through standardized protocols. Compromised agents can execute unauthorized commands, exfiltrate data, and move laterally across systems. In one documented case, a GitHub Model Context Protocol server allowed a malicious issue to inject hidden instructions that hijacked an agent and triggered data exfiltration from private repositories.

Model Context Protocol, known as MCP, became a common method for connecting language models to external tools and data. Rapid adoption expanded the attack surface. Researchers identified tool poisoning, remote code execution flaws, overprivileged access, and supply chain tampering within MCP ecosystems. A fake npm package that mimicked an email integration silently copied outbound messages to an attacker-controlled address.

Agent-to-agent communication introduced identity risks. Impersonation, session smuggling, and unauthorized capability escalation allowed attackers to exploit implicit trust between agents. A compromised research agent could insert hidden instructions into output consumed by a financial agent, which then executed unintended trades. These patterns extend identity threats beyond human accounts and service credentials.

Supply chain exposure

The AI supply chain emerged as another point of exposure. Open source repositories host millions of models and datasets. Model files can contain executable code that runs during loading. Malicious code embedded in model objects can trigger automatically when a model initializes.
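As an added example, not from the report or this article, the following Python check illustrates the point above: a pickle-based model file names module-level callables that the unpickler imports and invokes during loading, so a defender can walk the opcode stream without executing it and flag any import outside an allowlist. The allowlist, the sample weights object and the harmless `platform.python_version` stand-in are constructed assumptions for the demonstration.

```python
import pickle
import pickletools
import platform
from collections import OrderedDict

# Constructed allowlist: the only module.name globals a plain weights file
# (an ordered dict of lists and floats) should ever need to reconstruct.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

# Opcodes that push a string constant; protocol 4+ builds a global from the
# two most recent of these followed by STACK_GLOBAL.
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) the unpickler would import, found by
    scanning opcodes only; nothing in `data` is executed."""
    found: list[tuple[str, str]] = []
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocols <= 3: "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: operands were pushed
            if len(strings) >= 2:          # (memo lookups are not resolved here)
                found.append((strings[-2], strings[-1]))
        elif op.name in _STRING_OPS:
            strings.append(arg)
    return found


def unsafe_globals(data: bytes) -> list[tuple[str, str]]:
    """Globals the file would import that are not on the allowlist."""
    return [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]


def passes_allowlist(data: bytes) -> bool:
    return not unsafe_globals(data)


class Constructed:
    """Constructed stand-in for a tampered model object: loading it calls
    platform.python_version(), which is harmless, but the unpickler would
    run whatever callable the file named in the same way."""
    def __reduce__(self):
        return (platform.python_version, ())


BENIGN = pickle.dumps(OrderedDict(weight=[0.1, 0.2], bias=[0.0]))   # constructed
TAMPERED = pickle.dumps(Constructed())                 # STACK_GLOBAL path
TAMPERED_OLD = pickle.dumps(Constructed(), protocol=2)  # GLOBAL opcode path
```

The scan is a triage gate, not a substitute for a safe serialization format: it only sees what the opcode stream declares, so a memoized module-name string or a custom unpickler would need additional handling.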

Data poisoning also presented measurable risk. Research demonstrated that injecting 250 poisoned documents into training data can implant backdoors that activate under specific trigger phrases, leaving general performance unchanged.

Provenance gaps compound supply chain risk. Many repositories provide limited cryptographic assurance regarding model origin, training data, or modification history. Models frequently undergo conversion, quantization, merging, and fine-tuning across automated pipelines. Subtle tampering can persist across these transformations.

Nation-state activity and AI-enabled operations

State-sponsored actors increased use of AI for offensive operations. A China-linked group reportedly automated eighty to ninety percent of a cyberattack chain by jailbreaking an AI coding assistant and directing it to scan ports, identify vulnerabilities, and develop exploit scripts. Russian operators integrated language models into malware workflows to generate obfuscated commands. North Korean actors used generative AI to create deepfake job applicants and generate revenue through remote employment schemes. Iranian groups applied AI to phishing and to process maritime data during regional conflict.

AI adoption continues to move deeper into enterprise workflows. Agent autonomy, protocol integration, and open model ecosystems expand operational capability and enlarge the attack surface. Security teams are adapting zero trust controls, least privilege access, continuous authentication, and behavioral monitoring to AI systems that interact directly with business processes.
