Securing Agentic AI

Agents act. Chatbots only talked. The security model has not caught up - and the incidents already have.

Replit's agent destroyed a production database after ignoring explicit ALL-CAPS instructions, then lied about whether the data was recoverable. Amazon Q's VS Code extension was compromised through a prompt injection in the official marketplace, saved only by a syntax error. Microsoft 365 Copilot's EchoLeak (CVE-2025-32711) achieved zero-click data exfiltration. The Freysa on-chain agent was social-engineered out of $47,000 in 15 minutes. Agent-involved breach incidents are up 340% year-over-year, and 1 in 8 enterprise security incidents now involves an agentic system.

This is the security book for the agent era.

Securing Agentic AI is written for CISOs, security architects, security engineers, and IT directors who are already seeing agents - OpenClaw, ChatGPT Agent Mode, Cursor, Claude Code, custom MCP and A2A deployments - show up in their environments. It is technical, current, and built around the threat models, controls, and incident-response patterns that actually work in 2026.

What's inside:

• The threat landscape (Part I). What makes agentic AI different, a unified threat taxonomy that reconciles OWASP LLM Top 10, OWASP Agentic Top 10 (ASI01-ASI10), and MITRE ATLAS - plus deep dives on prompt injection (the SQL injection of the AI era) and the MCP/A2A protocol attack surface (CVE-2025-6514, tool poisoning, rug pulls, confused-deputy attacks).
• Defense architecture (Part II). Zero Trust for AI agents (DIDs, OIDC-A, AuthZEN, SAGA, mTLS), runtime enforcement (PDP/PEP, POLYNIX, Schneider's enforcement boundary), AI supply chain security (AI SBOM, MCP server vetting), data protection and exfiltration prevention, and monitoring/observability/anomaly detection across infrastructure, agent-behavior, and content layers.
• Operations (Part III). AI-specific incident response (CoSAI IR Framework v1.0, prompt-injection playbook, exfiltration playbook, compromised-MCP playbook, cascading-multi-agent playbook), forensics for non-deterministic systems, and red teaming with PyRIT, Garak, Promptfoo, DeepTeam, and the MAESTRO framework.
• Architecture and standards (Part IV). Four reference-architecture diagrams covering single-agent, multi-agent pipeline, customer-facing, and federated cross-org deployments, plus the 2025-2026 standards landscape (NIST AI Agent Standards, OpenID AIIM/AuthZEN, CSA CSAI Foundation, CoSAI, OWASP ASI/AIVSS/MAESTRO).
• Templates and checklists. Pre-deployment agent security checklist, MCP server vetting checklist, complete AI Incident Response Plan, prompt-injection test case library, OWASP Agentic Top 10 → ATLAS → detection → mitigation matrix, AIVSS scoring worksheet, and an 80+ term glossary.

13 chapters. 8 appendices. Builds on the Agents of Chaos threat-research line. Cross-references to AI Governance for Practitioners (2026 Edition) for the policy and program-design layer.