Originally published in Minoan Security’s Blog

Agentic AI security is systems security. Beyond the headlines and the buzzwords, the security fundamentals of AI security are exactly the same ones we’ve built for decades for systems.

What’s new about agents is that they are both the front and back-end, simultaneously. And as such, the trust-boundary that we had between the two collapses. The same system that ingests untrusted input (and more importantly, unstructured input) now also holds the privileges on the system.

Agents can’t be trusted, like a “traditional” backend would. And because they can’t be trusted, they should be treated accordingly.

Prompt injection is a confused deputy attack

A prompt injection, for instance, is the textbook example of a confused deputy: where an agent on the front-end gets manipulated to do actions on the back-end on behalf of a false authority… Several real-world incidents show this (e.g. AWS Bedrock AgentCore’s “Agent God Mode”, Microsoft’s EchoLeak).

Deploying agents securely

So to deploy agents securely, you need to control:

1. The infrastructure they run on

2. Their access

And at last but not least, strip all the assumptions of trust that a big part of the industry today has blindly accepted as normal.

Agents are a matter of systems security (access control is systems security too). And securing the agents is a matter of security architecture.

By the way: at Minoan Security we’re building a secure-deployment package for start-ups and SMBs, with FADP/GDPR in mind.

More soon but in the meantime, if you need to deploy AI agents and aren’t sure how to do it with reasonable guardrails, book an introductory meeting with us. Don’t let them loose in your data and infrastructure!