Executability increases the attack surface in Agentic AI
Agentic AI refers to systems that autonomously pursue goals and, in doing so, are capable not only of answering individual queries but also of independently planning, prioritising and executing actions. Unlike traditional AI models, which react to inputs, agent-based systems are designed to be capable of taking action.
However, this autonomy significantly increases the attack surface. Traditional AI risks include disinformation, distorted or malicious outputs, and data leaks. Agentic AI adds a crucial dimension: the ability to execute actions. If such systems are embedded, for example, in financial systems, code repositories, cloud platforms, critical infrastructure, military environments or messaging applications, a compromised agent can cause serious damage, including physical consequences. An agent can deploy code, alter configurations, disrupt services, exfiltrate data or initiate transactions – discreetly and on a large scale.
In traditional AI systems, manipulation typically affects the current data processing: a compromised facial recognition system produces incorrect results, whilst a manipulated intrusion detection model fails to detect attacks. An agentic system, on the other hand, is itself an actor in the digital space. If such an agent is compromised, it can act independently: a compromised calendar agent, for example, can be misused to run coordinated phishing campaigns or to attack third-party websites automatically. The compromise thus affects not only the integrity of a model, but creates a new, autonomous attack node within the network.
Manipulating an agent’s context or long-term memory can cause it to pursue adversarial objectives whilst appearing, on the surface, to comply with the rules. Every connected tool or API increases the risk. Persistent memory further exacerbates the problem: hallucinated content can be stored as ‘facts’ and distort future decisions, whilst covert attack instructions remain in the system and can be activated later.
Autonomous code generation and execution exacerbate traditional software vulnerabilities. When carrying out their tasks, agents may prioritise their predefined objectives over stability and security. Code generated at runtime may contain serious security vulnerabilities that spread rapidly because the agents operate at machine speed. In multi-agent environments, complex interactions can trigger emergent behaviour, cascade effects or adversarial feedback loops that are difficult to predict or control.
At the same time, if developed responsibly, Agentic AI can significantly strengthen defences. A frequently cited scenario from industrial IoT security is: what happens if an alarm is triggered whilst the administrator is asleep? Agentic AI not only enables attacks to be detected in real time, but also allows immediate countermeasures to be initiated. A security agent can automatically close ports, isolate or shut down vulnerable services, and quarantine compromised systems. This creates an active, adaptive defence layer that operates at machine speed and drastically reduces the time between detection and response.
This dual-use dynamic makes security-by-design a necessity. Strict privilege management, strong isolation and clearly defined operational boundaries are essential, particularly in security-critical areas.
The future of agentic AI therefore depends on resilient architectures. Authentication, authorisation, logging and isolation must be fundamental components. Least-privilege enforcement, sandboxing, transparent logging mechanisms and runtime monitoring are indispensable. Hardware-based trust anchors and cryptographic attestation can further safeguard the integrity of execution.
However, the current market landscape often favours tools that prioritise high autonomy, frequently at the expense of security. In some frameworks, agents are granted far-reaching privileges, including root access to workstations, email accounts or even crypto wallets, to enable maximum functionality with minimal user interaction.
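As an added illustration of the least-privilege, authorisation and logging requirements described above (example code written for this page, not from the original article or any particular framework), the following Python sketch places a policy-enforcing gateway between an agent and its tools: every call is checked against an explicit per-agent allowlist, side-effecting calls are capped by a budget, critical actions such as transactions are held for human approval, and every decision is written to an audit log. The agent names, tool names and risk tiers are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
class Risk(Enum):
    READ = 1       # no side effects
    WRITE = 2      # changes state (send mail, edit a file)
    CRITICAL = 3   # transactions, config changes, deployments

@dataclass
class Grant:  # least privilege for one agent: explicit allowlist plus a side-effect budget
    agent: str
    allowed_tools: frozenset
    action_budget: int
    used: int = 0

@dataclass
class ToolGateway:
    tools: dict                                   # tool name -> (Risk, callable)
    audit_log: list = field(default_factory=list)
    def call(self, grant, tool, args, approved=False):
        entry = {"agent": grant.agent, "tool": tool, "args": args}
        if tool not in self.tools or tool not in grant.allowed_tools:
            entry["decision"] = "deny:not-granted"           # default deny
        else:
            risk, fn = self.tools[tool]
            if risk != Risk.READ and grant.used >= grant.action_budget:
                entry["decision"] = "deny:budget-exhausted"  # limits action at scale
            elif risk == Risk.CRITICAL and not approved:
                entry["decision"] = "hold:needs-approval"    # human in the loop
            else:
                if risk != Risk.READ: grant.used += 1        # reads do not consume budget
                entry.update(decision="allow", result=fn(**args))
        self.audit_log.append(entry)                         # every call is logged
        return entry
TOOLS = {  # constructed stand-ins for real integrations
    "read_calendar": (Risk.READ, lambda day: f"events on {day}"),
    "send_email": (Risk.WRITE, lambda to, body: f"sent to {to}"),
    "transfer_funds": (Risk.CRITICAL, lambda amount: f"moved {amount}"),
}

def demo():
    gw = ToolGateway(TOOLS)
    cal = Grant("calendar-agent", frozenset({"read_calendar", "send_email"}), 2)
    fin = Grant("finance-agent", frozenset({"transfer_funds"}), 5)
    for rcpt in ("a", "b", "c"):                             # third call exceeds the budget
        gw.call(cal, "send_email", {"to": rcpt, "body": "hi"})
    gw.call(cal, "read_calendar", {"day": "Mon"})            # still allowed after budget is spent
    gw.call(cal, "transfer_funds", {"amount": 10})           # never granted to this agent
    gw.call(fin, "transfer_funds", {"amount": 10})           # held until an operator approves
    gw.call(fin, "transfer_funds", {"amount": 10}, approved=True)
    return [e["decision"] for e in gw.audit_log]
```

`demo()` returns the audit trail of decisions: the calendar agent can send a bounded number of emails and keep reading, but cannot reach the funds-transfer tool at all, whilst the finance agent's transfer is held until approved.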
Agentic AI embodies the transition from reactive tools to proactive actors. Its potential is transformative, as are its risks. Trustworthiness must scale with autonomy. The future will belong not to the most powerful agents, but to the safest and most responsible ones. Ultimately, we must prevent agentic AI from mutating into dystopian AI.
March 2026