AI Agents: Microsoft Reveals Seven New Attack Vectors That Jeopardize Enterprise Security

  • 10/Jun/2026
  • ForgeNEX by ForgeNEX
  • AI

Agentic artificial intelligence is transforming how businesses automate processes, make decisions, and manage workflows. However, with every technological advancement, new attack surfaces emerge. Microsoft has stepped forward by identifying seven new failure modes in agent-based AI systems, adding to those already cataloged in its first Taxonomy of Failure Modes in Agentic AI Systems published last year. This update not only reflects the rapid evolution of the ecosystem but also underscores the need for security teams, especially those working in ethical hacking and penetration testing, to integrate these vectors into their assessments.

Factors Driving the Expansion of the Taxonomy

Microsoft points to four key factors that have contributed to this expansion. First, the speed of adoption of agentic AI has been dizzying, multiplying use cases and with them the potential failures. Second, the growing maturity of the Model Context Protocol (MCP) ecosystem has opened new avenues for agent interaction, but also new vulnerabilities. Third, the rise of Computer Use Agents adds a layer of complexity because they operate on graphical interfaces. Finally, the collection of more empirical evidence by researchers has allowed the identification of attack patterns that previously went unnoticed.

The Seven New Failure Modes in Detail

Each of these failure modes represents a specific risk that security teams must understand and mitigate. Below, we break them down with an analytical approach.

1. Agentic Supply Chain Compromise

An agent's behavior can be altered by natural language instructions alone, with no malicious code involved. This opens the door to attacks that manipulate the agent's prompts at any point in its lifecycle, from development to deployment. In the context of business process automation with n8n and AI, a compromised agent could execute unwanted actions if the supply chain that delivers its prompts, tools and models is not adequately protected.

2. Goal Hijacking

Adversarial instructions that appear aligned with the legitimate task silently redirect the agent's ultimate goal. This attack is particularly dangerous because it does not trigger traditional alarms: the agent keeps working, but toward a malicious end. Companies deploying agents for critical tasks should establish mechanisms that continuously verify the agent's goal against the one originally assigned.

3. Inter-Agent Trust Escalation

A compromised agent can claim a false identity or inflate the permissions it declares to an orchestrator, which can lead to unauthorized agents accessing sensitive resources. Microsoft recommends verifying the agent's identity cryptographically rather than trusting its network position, a principle that mirrors established best practices for configuring secure VPNs and firewalls.

4. Computer Use Agent (CUA) Visual Attack

Agents that operate via graphical interfaces can be manipulated through visual content containing adversarial instructions. For example, an agent reading emails or browsing the web could be deceived by a malicious image. This attack vector is novel and requires specific controls in visual input processing.

5. Session Context Contamination

An adversary introduces data that biases the agent's reasoning in later steps without triggering security controls at any individual step. This is similar to a context injection attack, where contaminated information propagates throughout the session. Companies should audit input data at every stage of the agent's workflow.

6. MCP / Plugin Abuse

This mode covers the compromise of the functionality exposed through MCP servers and plugins, that is, the attack surface inherent to these integration points. As more agents connect via MCP, attackers can exploit weaknesses in how the protocol and its plugins are implemented to take control of the agent.

7. Capability / Architecture Disclosure

An agent reveals internal implementation details such as tool names, schemas, system prompt structure, memory interfaces, or human-in-the-loop activation logic. This information leakage can be used by attackers to design more precise attacks. It is crucial that agents do not expose more information than necessary.

Microsoft's Recommendations for Security Teams

Microsoft advises security teams to use these definitions to influence their planning. Specifically, they recommend:

  • Inventory the supply chain by generating a Software Bill of Materials (SBOM) for each deployed agent, much as is done in the growing MSP market, where transparency is key.
  • Verify the agent's identity cryptographically by issuing verifiable credentials during provisioning.
  • Add the seven new failure modes to the red team coverage matrix, thus integrating these threats into regular penetration testing.
  • Audit the user experience in human-in-the-loop scenarios as a security control, ensuring humans can detect anomalous behavior.
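The following is an added illustration (not Microsoft's or ForgeNEX's code) of the inter-agent trust escalation mode and the "verifiable credentials" recommendation above: an orchestrator grants an agent only the permissions carried in a credential issued at provisioning time, and ignores both the permissions the agent declares about itself and where it connects from. The HMAC-based credential format, the key and all agent names and requests are constructed for the example; a real deployment would use asymmetric keys or a standard token format.

```python
import base64, hashlib, hmac, json, time

# Constructed provisioning secret held by the orchestrator (example only).
PROVISIONING_KEY = b"constructed-demo-key-do-not-use"

def issue_credential(agent_id, permissions, ttl=3600, now=None):
    """Issued once at provisioning: binds the agent's identity to its granted permissions."""
    now = time.time() if now is None else now
    claims = {"agent_id": agent_id, "permissions": sorted(permissions), "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(PROVISIONING_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()

def verify_credential(token, now=None):
    """Return the verified claims, or None if the credential is forged, tampered or expired."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(PROVISIONING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims

def authorize(request, now=None):
    """Orchestrator decision for one tool call.

    Only the credential is trusted: request["declared_permissions"] and
    request["source_ip"] are deliberately ignored, so an agent cannot escalate
    by inflating what it claims or by sitting on a trusted network segment."""
    claims = verify_credential(request["credential"], now)
    if claims is None:
        return False, "credential rejected"
    if claims["agent_id"] != request["declared_agent_id"]:
        return False, "identity mismatch"
    if request["action"] not in claims["permissions"]:
        return False, f"{request['action']} not granted to {claims['agent_id']}"
    return True, "ok"
```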

These measures are particularly relevant for companies seeking to optimize inference costs, as discussed in From Anthropic to DeepSeek, where efficiency should not compromise security.

Implications for the Future of Agentic AI

Microsoft's expansion of the taxonomy is not just a warning but a guide for developers and system administrators to build more robust agents. As agentic AI becomes integrated into more business processes, from automation to decision-making, security must be a foundational pillar. Security teams must stay abreast of these new threats and adapt their strategies accordingly. Collaboration among researchers, companies, and technology providers will be essential to maintain trust in these systems.


Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.
