惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
T
Threat Research - Cisco Blogs
C
Cyber Attacks, Cyber Crime and Cyber Security
C
CXSECURITY Database RSS Feed - CXSecurity.com
A
Arctic Wolf
Security Latest
Security Latest
Simon Willison's Weblog
Simon Willison's Weblog
I
Intezer
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
Troy Hunt's Blog
Latest news
Latest news
Help Net Security
Help Net Security
S
Security Affairs
Webroot Blog
Webroot Blog
The Hacker News
The Hacker News
AI
AI
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
T
Tor Project blog
Forbes - Security
Forbes - Security
Google DeepMind News
Google DeepMind News
AWS News Blog
AWS News Blog
Attack and Defense Labs
Attack and Defense Labs
P
Proofpoint News Feed
www.infosecurity-magazine.com
www.infosecurity-magazine.com
H
Help Net Security
L
Lohrmann on Cybersecurity
S
SegmentFault 最新的问题
Google Online Security Blog
Google Online Security Blog
MongoDB | Blog
MongoDB | Blog
Cyberwarzone
Cyberwarzone
The Last Watchdog
The Last Watchdog
S
Securelist
N
News and Events Feed by Topic
S
Secure Thoughts
F
Fortinet All Blogs
博客园_首页
C
Cybersecurity and Infrastructure Security Agency CISA
量子位
M
MIT News - Artificial intelligence
F
Full Disclosure
T
The Blog of Author Tim Ferriss
T
Tailwind CSS Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Microsoft Security Blog
Microsoft Security Blog
I
InfoQ
P
Privacy International News Feed
L
LangChain Blog
Know Your Adversary
Know Your Adversary
C
CERT Recently Published Vulnerability Notes

Search Security Resources and Information from TechTarget

How to operationalize threat modeling with AI | TechTarget CISO First fully agentic ransomware attack sparks readiness concerns | TechTarget Evaluating secure enterprise browsers vs. security plugins | TechTarget The AI vulnerability storm is here: Is your security program ready? | TechTarget Perimeter to posture: A roadmap to zero trust maturity | TechTarget TLS certificate lifetime changes: What CISOs must do now | TechTarget 8 key aspects of a mobile device security audit program | TechTarget Why mobile security audits are important in the enterprise | TechTarget Beyond the perimeter: The shift to data-centric protection | TechTarget How agentic AI threat intelligence aids NGO cyber defense: Case study | TechTarget How to conduct a mobile app security audit | TechTarget NO FAKES Act advances: What CISOs need to know | TechTarget What CISOs should know about AI runtime security | TechTarget As Q-Day looms, 90% of systems are unprepared for PQC | TechTarget A CISO Most security pros say their culture is Zscaler lays out its vision to secure the AI era at Zenith Live | TechTarget The OpenClaw security risks every CISO needs to know | TechTarget Cloud security metrics and KPIs: A CISO Florida public sector training on SimSpace cyber range: Case study | TechTarget Reporters' Notebook — Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security It's time to update incident response for the AI era How to build AI security guardrails without blocking innovation The prosecution gap: Why cybercrimes go unpunished AI in cyberdefense: Learning from threat actors' playbooks Top identity and access management risks CISO role changes as cyber-risk appetites in the C-suite grow CISO's guide to data minimization Researchers build autonomous AI worm that can reason and adapt How to secure data at rest, in use and in motion How to find cyber-risk data sources for a FAIR analysis Lost in translation: Cybersecurity board reporting for CISOs How to prepare security controls for future AI regulations EO 14390 raises stakes for enterprise cybersecurity First month of Mythos Preview testing exposes 10K flaws OT attacks shift from recon to physical control, raising stakes For CISOs, dawn of OpenAI Daybreak brings good and bad news Gartner Security & Risk Management Summit 2026: Adapting for AI | TechTarget Inside business email compromise attacks: Real-world examples Verizon 2026 DBIR: 6 key takeaways for CISOs Identity security for AI agents: The proliferation challenge How to build a business impact analysis checklist Taking care of business: The CISO's role in a cyber crisis What CISOs need to know about AI audit logs SOC vs. MDR: What CISOs need to consider Instructure cyberattack reignites ransom payment debate Transform SIEM rules with behavior-based threat detection CISO's guide: How to test an incident response plan How to implement zero trust for AI Data after the breach: Economics of the dark web The breakup: Why CISOs are decoupling data from their SIEMs | TechTarget News brief: Security worries and warnings as AI use expands How to construct an effective security controls evaluation 5 leading enterprise password managers to consider Claude Mythos changes the AI security threat matrix Buyer 6 things to check in your cyber insurance policy fine print How cyber insurance helped with breach recovery -- or not News brief: Critical infrastructure, OT cybersecurity attacks Tape's strategic role in modern data protection Top zero-trust use cases in the enterprise What every CISO should consider before a SIEM migration CISO's guide to centralized vs. federated security models Shadow code: The hidden threat for enterprise IT How to fix cybersecurity's agentic AI identity crisis 5 top SIEM use cases in the enterprise Top 8 e-signature software providers for 2026 How do digital signatures work? News brief: AI woes continue for security leaders Deepfake era demands proof-based security, not just awareness Is SOAR dead or alive? Sort of The push for digital sovereignty: What CISOs need to know Beyond awareness: Human risk management metrics for CISOs Cybersecurity in the age of AI means bigger, faster threats At RSAC 2026, AI optimism and anxiety -- and an MIA U.S. government Inside the SOC that secured RSAC 2026 Conference How to roll out an enterprise passkey deployment How to improve the SOC analyst experience -- and why it matters How contact centers detect and prevent fraud News brief: Iranian cyberattacks target U.S. water, energy CISO checklist: Cybersecurity platform or marketing ploy? RSAC 2026 Conference: Key news and industry analysis | TechTarget Next-generation firewall buyer's guide for CISOs Contact center monitoring best practices for CX leaders RSAC 2026: Cyber insurance and the rise of ransomware Agentic AI's role in amplifying and creating insider risks RSAC 2026 recap: AI security and network security trends Identity security at RSAC 2026: The new enterprise dynamics Meaningful metrics demonstrate the value of cyber-resiliency What to know about red team testing and the law News brief: Iran cyberattacks escalate, U.S. targets named 5 top SOC-as-a-service providers and how to evaluate them Cloud security architecture: Enterprise cloud blueprint for CISOs Contact center compliance checklist for modern workforces How AI caught a malicious North Korean insider at Exabeam Watch your words: Tim Brown's advice for CISOs News brief: U.S. absence at RSAC sparks leadership concerns Network security management challenges and best practices 10 enterprise secure remote access best practices
The agentic AI
John Burke · 2026-07-01 · via Search Security Resources and Information from TechTarget

InfiniteFlow-stock.adobe.com

The very capabilities that make an AI agent useful also make it dangerous. Here's what CISOs should know about the agentic AI lethal trifecta, and what they should do about it.

By now, every CISO has probably heard the phrase lethal trifecta tossed around in AI security discussions. The term refers to a combination of three agentic AI properties that, together, make agents vulnerable to attack and put the enterprises using them at massive risk.

Programmer Simon Willison is credited with coining the term lethal trifecta as it relates to agentic AI. Unfortunately, the cybersecurity field does not currently agree on a universal definition: different cybersecurity analysts and AI researchers often pick different trios of properties. And, of course, there's no need to stop at three, but we lack a cutesy term like quadfecta or quintfecta to describe a longer list.

That said, conversations about the agentic AI lethal trifecta often center on the following three properties, as initially described by Willison:

  • Agent access to private or sensitive information, whether personal information about staff or customers or confidential intellectual property.
  • Agent ingestion of uncontrolled content. That is, having an agent that reads data from sources the enterprise does not control, such as public websites, and that can contain either intentionally incorrect information -- meant to affect enterprise or agent decisions -- or hidden prompts intended to redirect agent goals or actions.
  • Agent ability to communicate externally, and so to exfiltrate data.

Alternatively, some cybersecurity experts include the following properties in the agentic AI lethal trifecta:

  • Agent empowerment to act in ways that affect other enterprise systems -- e.g., reconfiguring network devices or modifying databases.
  • Agent ability to plan and adaptively pursue long-term objectives without reconfirmation of purpose by a human. Adaptability includes the ability to exploit chains of low-impact vulnerabilities -- e.g., CVEs with low CVSS scores -- to achieve high-impact outcomes such as root-level access to a key server.
  • Agent ability to self-improve and gain capabilities -- e.g., modifying its own code; modifying its own goals; finding other tools to fill its functional shortcomings; or designing better models, then creating and use tools based on them.
  • Agentic velocity, or the ability to swamp human-scaled governance mechanisms.
  • Agentic prompt drift -- i.e., agent non-determinism. Agents and other AIs can produce dramatically different results in response to the same prompt -- and indeed, many jailbreak attacks rely on this to get an AI to break free of its alignment training.
  • Agent cost indeterminacy. An AI's actual costs, in terms of tokens expended, can spiral unpredictably due to factors such as prompt drift and "context rot," which drives it into recursive loops of re-reading the same context data.
  • Agents with superhuman persuasiveness can pursue slow and sophisticated social engineering attacks at scales previously impossible.

Pick any subset of these problems, and the core idea is the same: AI plus agency plus permission to act in the enterprise environment add up to a risky synergy with potentially catastrophic consequences.

Why CISOs should pay attention

Agentic AI introduces a new category of cyberthreat -- one that can exploit every other existing threat category. An agent with data access, external connectivity and the ability to act autonomously could reconfigure systems, exfiltrate sensitive data and more, making it both a significant insider threat and attack vector for external threat actors.

Traditional security tools can't address the potential problems agentic AI creates; for example, traditional web application firewalls can't prevent prompt injection attacks. Organizations must update core architectures to properly integrate new categories of agentic AI security tools, as well as policies that govern acceptable use of agentic AI and incident response. However an organization defines the lethal trifecta, the CISO must coordinate and drive the security and governance response.

How to assess your risk exposure

As a CISO assessing your organization's lethal trifecta risk, ask yourself the following key questions:

  • How much access do AI agents have to core enterprise software such as a CRM?
  • How much access do AI agents have to enterprise data?
  • How much access do AI agents have to enterprise infrastructure -- such as network equipment -- and services -- such as an IaaS environment or the DNS service?
  • How much access do agents have to the internet?
  • How much access do external entities have to systems in the environment, including AI agents -- e.g. through Model Context Protocol (MCP) services?

The answers reveal the reach of AI agents in the enterprise -- including those entering through MCP from outside the organization -- and establish the baseline scope of risk. An inability to answer the questions with confidence signals a significant risk, in itself.

Mitigation strategies

The best strategy for mitigating agentic AI risk is, as is so often the case, implementing a zero-trust architecture. Infuse the AI infrastructure with core zero-trust principles, strictly limiting access to systems and data based on identity and allow lists. At a minimum, this will mean the following:

  • Adding identity management for AI agents, either by deploying a new ID management system specifically for agents or by extending an existing system able to meet requisite scale and speed targets. Software that manages identity for Kubernetes containers might serve, for example.
  • Channeling communications from and to AI agents through MCP gateways or the like, to provide control points for allowing or denying access and for monitoring behavior.
  • Adopting a "deny all" default access level and then allowing specific entities to do specific things, as necessary.
  • Extending the tool set to include the following:
    • Semantic firewalls that sniff out prompt injection, hypnosis attempts and so on.
    • "Path-dependent" access management systems that assess inbound and outbound prompts based on the context of past prompts, and watch for slow, subtle attack patterns.
    • Model drift monitoring.

    Behavioral threat monitoring to catch and interrupt risky agent behavior patterns -- e.g., revoke an agent's access to a key database if it repeatedly tries to perform operations on the database for which it doesn't have permission.

    John Burke is CTO and a research analyst at Nemertes Research. Burke joined Nemertes in 2005 with nearly two decades of technology experience. He has worked at all levels of IT, including as an end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect.

    Dig Deeper on Security operations and management