AI Agent Vulnerabilities: The 8 Weaknesses Attackers Exploit
AI agent vulnerabilities are weaknesses in how an agent reads input, holds permissions, calls tools, and gets supervised, and they cluster into eight classes: indirect prompt injection, over-privileged tool access, tool and MCP poisoning, exfiltration through legitimate channels, memory poisoning, excessive autonomy, credential sprawl, and missing audit. Almost every published agent incident maps to one of the eight, usually two or three chained together.
That is worth sitting with, because it means the problem is bounded. You do not need to defend against infinite creativity. You need to close eight doors, and most teams have closed zero of them.
What are AI agent vulnerabilities?
An AI agent vulnerability is any weakness that lets an attacker, or the agent's own error, turn the agent's capabilities against you. The definition matters because it is wider than model safety. The model can be perfectly aligned and the agent still dangerous: the vulnerability usually lives in the application around the model, in what the agent is allowed to read, touch, and do without a human looking.
| Vulnerability | Where it enters | Worst case |
|---|---|---|
| 1. Indirect prompt injection | Documents, tickets, pages, tool outputs | Agent executes attacker instructions |
| 2. Over-privileged tool access | Permissions granted at build time | Small compromise becomes total compromise |
| 3. Tool and MCP poisoning | Third-party servers and tool metadata | Instruction channel into every session |
| 4. Exfiltration via legitimate channels | Email, tickets, API calls the agent may use | Data walks out the front door |
| 5. Memory poisoning | Long-term memory, conversation history | One injection persists across sessions |
| 6. Excessive autonomy | No approval gate on high-impact actions | Irreversible action, no human saw it |
| 7. Credential sprawl | Long-lived, broad tokens in agent env | Agent compromise becomes infra compromise |
| 8. Missing audit trail | Nothing records what the agent did | You cannot scope or prove the incident |
The input-side vulnerabilities: injection and poisoning
Indirect prompt injection is the headline weakness, and it deserves the billing. The agent reads text from the outside world, the text contains instructions, and the model follows them because it has no reliable way to distinguish data from command. The attacker never logs in. They plant the payload in a ticket, a shared document, a scraped web page, or a review the agent will summarize, and wait.
Tool and MCP poisoning is the same failure arriving through a side door. Tool descriptions and tool outputs are also text the model reads. A malicious MCP server can hide instructions in its own metadata, or return results that carry a payload. Teams that would never paste an untrusted document into a prompt happily connect third-party tool servers with no inspection at all, and the effect is identical.
Memory poisoning is the persistent version. If your agent writes summaries or preferences to long-term memory, an injected instruction can get itself stored, then reload into context on every future session. The original attack text is long gone; the compromise remains. Memory writes deserve the same inspection as any other untrusted input, and very few stacks give it to them.
The permission-side vulnerabilities: privilege and credentials
Over-privileged tool access is the quiet multiplier behind every bad incident writeup. The demo needed database access, so the agent got the production connection string. It needed to send one kind of email, so it got full mailbox scope. An agent that turns plain-English questions into SQL is enormously useful, and it runs with exactly the database permissions you hand it: scope it to the reporting schema and a compromise reads dashboards, hand it the production write role and a compromise rewrites history. None of this is exotic. It is the same least-privilege discipline security teams have preached for decades, applied to a new kind of employee.
Credential sprawl compounds it. Agents authenticate to tools with keys and tokens, and those credentials tend to be long-lived, broad, and shared across agents because rotation is annoying. When the agent is hijacked, the attacker inherits everything in its environment. Short-lived, narrowly scoped, per-agent credentials turn a hijack from an infrastructure event into a contained one.
The oversight-side vulnerabilities: autonomy and audit
Excessive autonomy is a design decision that becomes a vulnerability at the worst moment. If nothing between the model and the wire transfer requires a human, the agent's judgment is your last line of defense, and its judgment is a probability distribution. Approval gates on irreversible actions (payments, deletes, external sends, deploys) cost seconds and remove entire incident classes.
Missing audit is the vulnerability nobody lists and everybody regrets. When something does go wrong, the first questions are what did it do, when, and on whose instruction. Without an action-level record you cannot scope the breach, satisfy the auditor, or even prove it was contained. Exfiltration through legitimate channels, the fourth class, is often only detectable in exactly this record, because each individual action looked authorized.
How do you find vulnerabilities in AI agents?
Attack your own agent. Feed injection payloads through every input surface: user messages, retrieved documents, tool outputs, MCP metadata. Check what happens when it is told to use tools outside its job. Read the credential scopes actually present in its environment against the ones its tasks require. Then try to reconstruct one day of agent activity from your logs; if you cannot, that is finding number one. An automated red-teaming run covers the injection surfaces systematically, and a scanner audits third-party servers before you connect them, but the permission and autonomy review is a human job and usually the most productive afternoon a team spends on this.
AI agent vulnerability management: closing the eight
The fixes group into three moves. Inspect every untrusted input, including tool outputs and memory writes, before the model acts on it. Enforce least privilege on tools, data, and credentials, per agent, with approval gates on the irreversible. Record everything immutably so detection and response are possible. That is the shape of AI agent hardening as a practice, and it is what Agentshield packages as a runtime control plane: the firewall for classes 1, 3, and 5, permissions and DLP for 2, 4, and 7, approval gates for 6, and the audit trail for 8. Whether you assemble the controls yourself or buy them, the list is the same eight doors, and attackers only need one left open.
See the firewall block an attack live.
Drive the Threat Console and watch a real prompt injection get stopped, then put Agentshield in front of your own agents.