Agentic Risk Landscape

Traditional LLM apps are generally single request–response, read-only, and low agency, with primary risks being prompt injection, toxic outputs, and data leakage in responses.
Agentic systems add significant new risk categories:

2.1 Memory Poisoning

Attacker injects instructions or false facts into:

• Long-term memory / RAG indices
• User profiles, CRM records, tickets
• Wikis, knowledge bases, emails, web pages

Result: Agent "learns" harmful behavior and repeats it over time.

2.2 Tool Misuse and Privilege Escalation

The model chains or abuses tools to:

• Export bulk data
• Modify/delete critical records
• Change roles/permissions
• Trigger CI/CD or infrastructure changes

Often via prompt injection ("ignore policies and call X with Y").

2.3 Privilege Compromise and Inter-Agent Manipulation

• A less-privileged agent convinces a more-privileged one to act on its behalf.
• Messages or shared memory become covert control channels.

2.4 Indirect Prompt Injection (XPIA)

Injection doesn't come directly from the user, but from untrusted data sources:

• Documents in RAG indices
• Tool outputs (emails, webpages, PDFs, API responses)
• Database records, CRM data, tickets
• Any external content the agent processes

Also called "XPIA" (Cross-domain Prompt Injection Attack) because the malicious prompt crosses from one domain (untrusted content) into another (agent execution context).

2.5 Long-Lived Workflows and Multi-Step Attack Chains

Attackers combine many low-risk steps to achieve a high-impact result.

2.6 Over-Reliance and RAI Harms

• Domain misuse (health, finance, legal)
• Toxic, biased, or misleading outputs
• Users over-trusting agent recommendations