Organizations today are rapidly embracing AI-powered agents. Platforms like Microsoft Copilot Studio and Google Gemini are enabling business users, not just developers, to create powerful agents that automate workflows, access enterprise data, and make decisions. This democratization is transformative. But it also introduces a new, largely ungoverned attack surface.
The Explosion of Agents
In many enterprises, the number of agents being deployed is growing exponentially from hundreds, sometimes thousands, within a short span of time. These agents:
- Integrate with internal systems
- Access sensitive enterprise data
- Perform automated actions on behalf of users
Unlike traditional applications, these agents are often created outside formal development pipelines by business users, analysts, or developers. And that’s where the problem begins.
The Security Gap: No "AgentSec"
Organizations have matured practices for AppSec or InfraSec or Cloud Security but Agent Security (AgentSec) is still in its infancy.
There is typically:
- No formal review process before agent deployment
- Limited visibility into what agents are doing
- No standardized threat modeling for agent behavior
- Weak validation of platform-level security controls
This creates a dangerous blind spot.
Built-in Controls Are Not Enough
Platforms do provide security mechanisms at:
- Data access controls
- Authentication and authorization layers
- Prompt filtering and safety guardrails
- Activity monitoring
However, these controls are:
- Complex to configure correctly
- Highly dependent on implementation choices
- Difficult to validate in real-world scenarios
Misconfigurations or misunderstandings can easily render these protections ineffective.
Visualizing the Risk: Agent Attack Flow
The Missing Piece: A Scalable Agent Review Process
At first glance, the solution seems straightforward: introduce agent design reviews, configuration assessments, and threat modeling for every agent. But in reality, this approach does not scale.
In large enterprises with hundreds or thousands of agents built on platforms, performing deep security reviews on every agent would:
- Overwhelm security teams
- Slow down innovation
- Create operational bottlenecks
Instead, organizations must adopt a risk-based Agent Security (AgentSec) model. The three-tier risk model classifies agents based on their potential impact and exposure.
- High-risk agents are typically misconfigured or intentionally malicious, capable of unsafe actions such as exfiltrating data to external emails, interacting with unauthorized external URLs, or executing harmful embedded instructions.
- Medium-risk agents involve broader data interaction—often consuming sensitive or user-provided inputs through connectors, APIs, MCP integrations, or multi-agent communication—making them more prone to misuse or unintended data exposure.
- Low-risk agents operate within a constrained scope, relying on public or read-only data sources such as web search, uploaded files, SharePoint, or Dataverse, with minimal ability to cause harm.
Automation enables scale by classifying the agents into risk buckets and a focused review can then be performed only for high-risk and medium-risk agents to assess the business impact by building abuse/exploit scenarios. This approach ensures that security teams invest effort where it truly matters - prioritizing depth and accuracy over volume.
Why This Model Works
This approach delivers both speed and security: fast approvals for low-risk agents, strong scrutiny for higher-risk ones, reduced burden on security teams, and scalable governance across thousands of agents. Most importantly, it aligns security effort with actual risk - not perceived risk.
The organizations that succeed will not be those attempting to review every agent, but those that automate the baseline, enforce non-negotiable security gates, and escalate only what truly matters. Because in a world of thousands of agents, scalability itself becomes security.
Article by Hemil Shah and Rishita Sarabhai