Most security teams are aware that AI introduces new risks. Fewer have mapped what the threat surface actually looks like when you move from AI assistants to agentic AI systems operating autonomously in production.
The distinction matters enormously.
A chatbot has a limited threat surface. It takes input, produces output, and stops. An AI agent is different in kind. It takes instructions, calls APIs, executes code, queries databases, sends communications, and modifies records — often in sequences that no human explicitly approved step by step. The human sets the task. The agent figures out how to accomplish it. That autonomy is the source of the value. It is also the source of the risk.
The threat categories that emerge from agentic systems are specific and several of them do not have established playbook responses yet.
Prompt injection
When an agent processes external content — a document, a web page, an email — that content can contain instructions designed to redirect the agent's behaviour. The agent does not have the same scepticism a human reader would apply. Defending against this requires input validation, context isolation, and careful scoping of what external content agents are permitted to act on.
Credential and access sprawl
Less discussed and arguably more consequential. Agents need credentials to act. Those credentials frequently accumulate scope over time, are not rotated with the discipline applied to human credentials, and are rarely audited at the same frequency. A compromised agent credential is not a contained event. It is access to everything the agent was authorised to touch.
Agent-to-agent communication
In multi-agent systems, one agent can pass instructions to another. If the receiving agent cannot distinguish legitimate orchestration from a malicious instruction injected somewhere upstream, the blast radius of a single compromise can extend across the entire system.
The APAC regulatory dimension
For APAC enterprises, the regulatory dimension adds weight to all of this. MAS AI Risk Management Guidelines explicitly address AI security — hardened deployment environments, network segmentation, API authentication, role-based access control, separation of duties between training and testing teams. These are not aspirational. They are expected.
The organisations that will navigate this well are the ones building security architecture into agent systems from the design phase, not the ones retrofitting controls after deployment.
The threat surface is new. The security discipline required to manage it is not. It is rigorous, systematic, and needs to be built in before the agent is live in production.
