惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
P
Privacy International News Feed
Security Latest
Security Latest
H
Hacker News: Front Page
T
Tenable Blog
The Hacker News
The Hacker News
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Security @ Cisco Blogs
Project Zero
Project Zero
O
OpenAI News
AI
AI
Spread Privacy
Spread Privacy
C
CERT Recently Published Vulnerability Notes
The Last Watchdog
The Last Watchdog
G
GRAHAM CLULEY
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Scott Helme
Scott Helme
Application and Cybersecurity Blog
Application and Cybersecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
NISL@THU
NISL@THU
A
Arctic Wolf
T
Threat Research - Cisco Blogs
PCI Perspectives
PCI Perspectives
N
News and Events Feed by Topic
C
Cyber Attacks, Cyber Crime and Cyber Security
C
Cybersecurity and Infrastructure Security Agency CISA
Simon Willison's Weblog
Simon Willison's Weblog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
Google Online Security Blog
Google Online Security Blog
罗磊的独立博客
L
LINUX DO - 最新话题
U
Unit 42
S
Security Affairs
有赞技术团队
有赞技术团队
WordPress大学
WordPress大学
博客园 - 【当耐特】
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
月光博客
月光博客
Engineering at Meta
Engineering at Meta
腾讯CDC
F
Full Disclosure
Cyberwarzone
Cyberwarzone
S
SegmentFault 最新的问题
Recorded Future
Recorded Future
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
博客园 - 司徒正美
The Cloudflare Blog

Cloud Security Alliance

SearchLeak: Copilot Data Exfiltration Exploited | CSA Zero-Trust AI Governance for Multi-Agent Systems | CSA Dangling CNAMEs: Hidden Cloud Risk | CSA Agentic Payments in Financial Services | CSA Mythos and the Future of Cybersecurity | CSA AI-Driven Cloud Risk: Defenders Lose Ground | CSA Financial Services Industry Shifts from AI Adoption to | CSA CSAI Foundation Announces RiskRubric V2 as the Next Key | CSA RiskRubric Updates: AI Risk Assessment | CSA Over 80% of Organizations that Miss 24-Hour Patch Window Report | CSA ORCHIDEAS & MAESTRO: Secure AI Design | CSA Top 6 Claude Security Risks to Watch | CSA Cloud Cost Optimization in 2026 | CSA HIPAA Rule Overhaul in 2026 | CSA AI-Driven Exploits Outsmart Detection | CSA MCP Risks CISOs Should Prepare For | CSA AI Governance for Trust and Compliance | CSA MTTP: Patch Cycles Too Slow | CSA Cloud Security Evolution: Security Teams Lead | CSA Misconfigurations Break Customer Trust in Apps | CSA Taming Shadow AI: C-Suite Strategies | CSA Agentic AI Threats: Five Powers | CSA AIUC-1: Agentic AI Governance | CSA 2026 Threat Report for CISOs | CSA Securing AI in AWS: Runtime Detection & Response | CSA SLMs, LLMs, and the DSPM Difference | CSA OT Security Timeline: Mythos and Patch Pace | CSA Blast Radius and Cloud Threat Detection | CSA State of AI Cybersecurity 2026: 92% Concerned | CSA AI in MDR for Franchise & Multi-Location Ops | CSA AI Regulation: Identity and Authorization Gap | CSA MITRE ATT&CK for Cloud: Detection Coverage Guide | CSA Shadow AI Agents: The Insider Threat | CSA Medical Device Breaches Reveal Cloud Security Gaps | CSA AISMM: AI Security Maturity Model for Cloud | CSA Globee® Awards for Artificial Intelligence (AI) Honors Cloud | CSA Patching Smarter for Mythos Security | CSA SDP v3: Identity-First Zero Trust for AI | CSA AI-Ready Security Documents Beyond STIX, OSCAL, and SARIF | CSA Penetration Testing for ISO 42001 & Trust | CSA AI Agent Posture: Data-First Security Guardrails | CSA AI Agents Go Beyond Output: Enterprise Security | CSA AI Agent Security Starts with Scope Control | CSA Identity Spoofing vs. Identity Abuse | CSA AARM: Securing the Agentic Runtime | CSA Securing the Agentic Control Plane | CSA CSAI Foundation Announces Key Milestones to Secure the Agentic | CSA Catastrophic AI Risk Controls | CSA Cloud to AI: Building Secure Programs | CSA Identity in AI Era: Zero Trust's First Pillar | CSA SDLC Visibility: Securing Multi-Cloud Development Lifecycles | CSA Cloud Risk: Top 3 Threats & AI Tools | CSA AI Agent Identity Is Solved Backwards | CSA 8 Truths About Cloud Privilege Risk | CSA AI Governance: Mature Programs | CSA Agent Access Management: Data-First Security | CSA Glasswing: AI-Driven Security for Safer Software | CSA Runtime Security: Detection & Real-Time Cloud | CSA Identity as the OS for AI Security | CSA Cloud Misconfigurations Drive Attacks at Scale | CSA Sensing AI Behavior with the WBSC Probe Library | CSA An Actionable Guide to GDPR Compliance for Startups | CSA Cloud Security LIVE 2026: AI Risk & Trust | CSA Shadow AI Agents: Enterprise Governance | CSA Rethinking Non-Human Identity Security | CSA New Cloud Security Alliance Survey Reveals 82% of Enterprises Have Unknown AI Agents in Their Environments More Than Half of Organizations Experience AI Agent Scope | CSA SANS Institute, Cloud Security Alliance, [un]prompted, and OWASP | CSA Software Supply Chain Security Needs an Upgrade Choosing the Right AI Standard: 7-Point Guide | CSA Audience-Driven Authorization for AI Agents | CSA A CISO's Guide to Cloud Security Architecture | CSA Who’s Behind That Action? The AI Agent Identity Crisis SSCF Adoption for SaaS Security | CSA Mythos and the Vulnpocalypse: Cloud Defenses | CSA AI Security Risks and Data Visibility | CSA From Compliance to Credibility with CAIQ/CCM | CSA The State of Cybersecurity in the Finance Sector: Six Trends to Watch EU AI Act Compliance with prEN 18286 & ISO 42001 | CSA AI Security in the Cloud: Exposure Management | CSA Rethinking Incident Response as Engineering System | CSA Defense Depends on the Creator: AI Security | CSA ATF: Zero Trust for AI Agents | CSA Cybersecurity Needs a New Data Architecture | CSA CSA STAR v4.1 Updates for Cloud Security | CSA Unstructured Data Surges as Enterprises Struggle to Maintain | CSA SC Media Names Cloud Security Alliance’s Trusted AI Safety | CSA Exposed AWS Key Leads to Full Account Takeover | CSA Post-Quantum Cloud Migration for CSA Members | CSA AI Identity Security Compliance Checklist | CSA The Agentic Trust Deficit: MCP's Authentication Vacuum | CSA More Than Two-Thirds of Organizations Cannot Clearly Distinguish | CSA AI Cybersecurity 2026: Insights from 1,500 Leaders | CSA Three-Body Security: Data, AI & Identity | CSA IAM as Safety for AI-Controlled Systems | CSA Kubernetes Cost Savings and Security Debt | CSA Code to Cloud Security: Unified Exposure Management | CSA Retail Misconfigurations Attackers Exploit | CSA Rethinking Authorization for the Age of Agentic AI | CSA Enterprise AI: Guardrails to Governance | CSA
AI Agents Are Talking: Are You Listening? | CSA
2026-04-09 · via Cloud Security Alliance

Written by Dr. Tal Shapira, Ph.D, Cofounder & CTO of Reco.

If you ask most security teams who has access to their customer data, they can usually give you a clear answer. They can point to OAuth scopes, user permissions, API keys, and audit logs to back it up. However, if you ask which AI agents are exchanging that same data across tools like Salesforce, Slack, Google Drive, and Microsoft Teams, the answer is far less clear.

These agent-to-agent trust relationships form when a chain executes and disappear when it completes. Individual API calls may leave traces in platform logs, but those traces are fragmented across systems and don’t capture the composite trust chain or the full scope of what was shared between agents.

With Gartner predicting that 40% of enterprise applications will include task-specific AI agents by the end of 2026, up from less than 5% in 2025, these implicit trust chains are growing faster than security teams can map them. The agents are already talking to each other, and most organizations have no way to see what data is being shared or what permissions are being used to share it.

The Trust Model Nobody Designed or Approved

In traditional SaaS integrations, trust is explicit. An OAuth consent screen tells you which application is requesting access, what scopes it needs, and which user authorized it. If something goes wrong, security teams can inspect the token and revoke it.

Agent-to-agent interactions work differently. When one AI agent calls another through a tool-use pattern or an MCP server connection, the trust relationship exists only at runtime, forming when the chain executes and disappearing when it completes. There’s no consent screen, no persistent token, and no log entry that captures what was shared between agents. Your CASB monitors traffic between users and cloud services, your IdP manages authentication for human identities, your SIEM correlates events with well-defined log schemas.

None of these were built to observe runtime interactions between autonomous AI agents operating across multiple SaaS platforms, which means the fastest-growing category of trust relationships in your environment is also the one with the least visibility.

What Happens When One Agent Is Compromised

That lack of visibility becomes a compound problem when one agent in a chain is compromised. Whether through prompt injection, a poisoned tool-use response, or a compromised MCP server, the blast radius extends to every agent the compromised one interacts with. The attacker doesn’t need to escalate privileges to move laterally. The compromised agent simply continues passing context, calling tools, and handing off to the next agent in the chain, except the context it passes is now attacker-controlled.

What makes this different from traditional lateral movement is that it generates no detectable anomaly. A human attacker triggers signals like unusual login times, abnormal access volumes, and geographic impossibilities. An AI agent operating within its normal behavioral parameters produces none of these, because agents access data at scale and interact with multiple systems in quick succession as part of their normal function.

The Questions That Matter Right Now

Addressing this requires a layer of visibility that most organizations haven’t built yet: agent interaction graphs that map which agents communicate with each other, what data flows between them, and what the composite scope of each chain looks like. These questions can help security teams assess where the gaps are.

Do We Know What Agents We Have?

Static inventories and periodic audits fall short because agent deployments change continuously. Business teams are deploying agents without waiting for security review, just as they did with shadow SaaS before it, and discovery must be continuous, covering sanctioned and unsanctioned agents alike.

Can We See What They Connect To?

Knowing that an agent exists isn’t the same as knowing what it connects to at runtime. Security teams need to see the full interaction graph: the relationships between agents, the data flowing between them, and the tools each one invokes. Without this map, you can’t scope the blast radius of a compromised agent or identify chains that create unintended data exposure paths.

Are We Evaluating Chain-Level Permissions?

Reviewing permissions per-application or per-user doesn’t work when the effective scope is determined by the composition of an agent chain, also known as toxic combinations. An agent with read-only access to customer data looks low-risk on its own, but connected to a chain that ends in a public-facing channel, it becomes a data exposure vector.

Can We See What Tools Agents Are Calling?

Security teams need to see not just which agents are active, but what tools they are calling, what data they are passing, and whether any chain exceeds a defined scope boundary. This requires instrumentation at the agent orchestration layer, something most organizations haven’t yet implemented.

Can We Kill an Agent Chain in Real Time?

If a chain begins accessing data or invoking tools outside its approved parameters, security teams need the ability to kill it immediately. This is analogous to session revocation for human users, but applied to multi-agent workflows that span multiple autonomous systems.

Getting Ahead of This Problem as an Industry

If your organization answered “no” to most of these questions, you’re not alone. Most security programs were built for human identities and explicit trust relationships, not for implicit trust chains between autonomous agents, and closing the gap means treating agent interaction security as its own discipline.

The MAESTRO framework provides a structured starting point for threat modeling in multi-agent environments, offering a layered approach to identifying risks across the agentic architecture. The foundational requirement it points to is the same one this entire blog post comes back to: you can’t secure agent chains you can’t see.

AI agents are already talking to each other across SaaS environments, and the organizations that build visibility into those interactions now, enforcing controls at the chain level, will be the ones best positioned to adopt agentic AI at scale.

Tal is the Cofounder & CTO of Reco. Tal has a Ph.D. from the school of Electrical Engineering at Tel Aviv University, where his research focused on deep learning, computer networks, and cybersecurity. Tal is a graduate of the Talpiot Excellence Program, and a former head of a cybersecurity R&D group within the Israeli Prime Minister's Office. In addition to serving as the CTO, Tal is a member of the AI Controls Security Working Group with the Cloud Security Alliance.