Agentic artificial intelligenceâsystems that perceive, decide and act autonomouslyâhas moved from laboratory theory to operational threat. Attackers and defenders alike now deploy autonomous agents that plan multi-step attacks, invoke tools and adapt in real time. The same capabilities that accelerate detection and response can also scale reconnaissance, social engineering and exploitation.
What adversaries are actually doing
OpenAI and Microsoft have documented multiple state-affiliated groups experimenting with large language models to accelerate reconnaissance, targeting research and social engineering. OpenAI and Microsoft disabled the associated accounts. While these efforts donât amount to fully autonomous cyber weapons, they confirm that adversaries are incorporating AI inâŚ
Agentic artificial intelligenceâsystems that perceive, decide and act autonomouslyâhas moved from laboratory theory to operational threat. Attackers and defenders alike now deploy autonomous agents that plan multi-step attacks, invoke tools and adapt in real time. The same capabilities that accelerate detection and response can also scale reconnaissance, social engineering and exploitation.
What adversaries are actually doing
OpenAI and Microsoft have documented multiple state-affiliated groups experimenting with large language models to accelerate reconnaissance, targeting research and social engineering. OpenAI and Microsoft disabled the associated accounts. While these efforts donât amount to fully autonomous cyber weapons, they confirm that adversaries are incorporating AI into the attack kill chain (the sequence of steps from reconnaissance to exploitation).
Laboratory research shows the outer limits of current capability. A 2024 study by University of Illinois researchers found a GPT-4 agent exploited 87 per cent (13 of 15) real one-day vulnerabilities when given Common Vulnerabilities and Exposures (CVE) descriptions. Without that context, success dropped to seven per cent. The results highlight both potential and constraint.
GenAI supply chains are also creating new propagation risks. âMorris II,â a zero-click, self-replicating prompt-injection worm, spread across retrieval-augmented generation (RAG) ecosystems in controlled research environments. It remains a proof-of-concept, not an observed in-the-wild threat, but it underscores systemic weaknesses.
Meanwhile, AI is reshaping social engineering. In 2024, fraudsters tricked an Arup employee in Hong Kong using a multi-participant deepfake video call, leading to transfers of approximately $25 million US â now a canonical case of enterprise-scale deception.
The evidence: 80 per cent of ransomware now uses AI
A September 2025 analysis by MIT Sloan CAMS and Safe Security, examining ransomware incidents from 2023 and 2024, found that 80 per cent of attacks in the sample used some form of AI, such as phishing content, deepfakes or code generation. The study reflects trend velocity, not a global rate, and underscores how quickly attackers are adapting.
Defensive measures that work today
Start by hardening agent workflows, tools and memory. The Open Web Application Security Project (OWASP) Agentic Security Initiative (2024) maps agent-specific threatsâincluding prompt injection, tool misuse and memory poisoningâto practical mitigations. Core measures include least-privilege tool grants, ephemeral credentials, strict egress controls and pre-tool content safety checks. Retrieved or RAG content should be treated as untrusted code, sanitised and provenance-checked.
Red teaming is evolving too. The Cloud Security Allianceâs Agentic AI Red Teaming Guide (2025) outlines how to evaluate non-deterministic agent behaviour, tool use and inter-agent dependencies through multi-iteration testingâareas where traditional large language model evaluations fall short.
On governance, the National Institute of Standards and Technology (NIST) AI Risk Management Framework 1.0 (RMF) (2023) and its Generative AI Profile (AI 600-1) (2024) provide structure for risk identification, control and measurement. The International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 42001:2023 offers a formal management system standard to operationalise AI assurance.
For intelligence sharing, the Cybersecurity and Infrastructure Security Agency (CISA) and the Joint Cyber Defense Collaborative (JCDC) released the AI Cybersecurity Collaboration Playbook (2025). It gives enterprises a voluntary way to share AI-related incidents and indicators, helping align legal and operational defences.
Governance gaps create execution risk
Execution risk remains high. According to a June 2025 Gartner forecast reported by Reuters, more than 40 per cent of agentic AI projects will be cancelled by 2027 due to cost pressures, unclear returns and weak governance. Governance must mature early to avoid expensive failures.
A pragmatic 90-day playbook
Organisations should implement these five controls within 90 days:
Contain the agent. Run agents in sandboxed networks, enforce allow-listed tools and APIs, deny raw shell access, rotate credentials and cap autonomy through step budgets (limits on autonomous actions). Require human approval for transactions or data exfiltration risks.
Secure the context. Treat all retrieved content as untrusted. Strip executable instructions, apply policy rendering, verify provenance and maintain audit-grade logging.
Test like an adversary. Use the Cloud Security Alliance red teaming guide to design multi-run scenarios that probe planning, memory, permissions and inter-agent handoffs. Track closure time and autonomy-budget violations as leading indicators.
Govern and assure. Map programmes to NIST RMF and the Generative AI Profile for risk management, and to ISO/IEC 42001 for operational assurance. Require suppliers to demonstrate compliance.
Prepare for deception. Run deepfake-in-the-loop exercises and mandate out-of-band verification for high-value transactions. The Arup case offers a realistic scenario to test CFO-style approval traps.
A note on editorial choices
Commonly cited but misleading examplesâsuch as the 2016 Tay chatbot incident or unqualified â80 per cent ransomwareâ claimsâwere deliberately omitted or reframed for accuracy. The goal is to focus on verifiable, current evidence rather than anecdotes.
The bottom line
Agentic AI is changing both the threat surface and the control plane. Treat agents as powerful automation: constrain their blast radius, test their behaviour continuously and govern them with the same rigour applied to any safety-critical system. The organisations that will benefit are those that pair measured autonomy with measured assurance â and test both relentlessly.
Keywords : Hashtags: #CyberSecurity #AgenticAI #AIThreats #AITactics #CyberDefense #ThreatIntelligence #Deepfakes #Ransomware #AIGovernance #AIRegulation #ZeroTrust #RedTeam #BlueTeam #AIAttacks #MachineLearning #SecurityStrategy #InformationSecurity #CISO #CyberRisk #SOC #VulnerabilityManagement #EthicalAI #AIEthics #AIAssurance #CyberThreats #AdaptiveSecurity #SecurityLeadership #Infosec #DataSecurity #Malware #AutonomousAgents #AIinSecurity #CyberResilience #CISOStrategy #AIFuture
