Research · arXiv cs.CR agent security · Jun 23, 08:01 AM GMT+1
MAS-PromptBench: When Does Prompt Optimization Improve Multi-Agent LLM Systems?
Executive summary
arXiv cs.CR agent security reports that multi-agent systems (MAS) offer a scalable path forward for agentic AI, comprising multiple LLM-based agents, each assigned a system prompt and a position within a workflow that governs inter-agent coordination and output aggregation. Multi-agent systems can spread evaluator bias and bad assumptions across the workflow, creating correlated failures instead of independent checks. Avoid treating another model's judgement as neutral evidence. Log provenance and diversify evaluation paths for high-impact decisions.
Why it matters
CTO/CISO takeaway: model-to-model trust can create correlated failures. Preserve evidence, diversify checks, and avoid using one agent as the sole control for another.
Context Firewall angle
For agent builders, the operational question is which source of context should be allowed to influence which action.
Research · arXiv cs.CR agent security · Jun 23, 02:32 AM GMT+1
Composing Verifiable Conceptual Models via Building Blocks: Towards Design-Time Verification of Agentic AI Workflows
Executive summary
arXiv cs.CR agent security reports that agentic AI systems orchestrate multiple LLM-based agents through workflow architectures that coordinate decisions, tools, and external actions. The leadership question is whether this expands what agents can read, decide, or do without a human in the loop. Review the affected workflow and decide which sources of context should be allowed to influence privileged actions.
Why it matters
CTO/CISO takeaway: this should feed into your agent autonomy review: what changed, what can the agent now reach, and which controls prove the workflow is safe?
Context Firewall angle
For agent builders, the operational question is which source of context should be allowed to influence which action.
Research · arXiv cs.CR agent security · Jun 23, 02:32 AM GMT+1
Dissecting Agentic RAG: A Component Ablation for Multi-Hop QA with a Local 7B Model
Executive summary
arXiv cs.CR agent security reports that agentic retrieval-augmented generation (RAG) systems combine iterative reasoning loops, query decomposition, and adaptive retrieval to tackle multi-hop question answering. This is the uncomfortable version of agent risk: a normal-looking web page can become the first step in host compromise when the agent has local execution paths. Separate browsing from execution, inspect tool arguments, and replay browser-to-host exploit paths during security review.
Why it matters
CTO/CISO takeaway: remembered and retrieved context needs governance. Decide what can be stored, recalled, trusted, and used to trigger actions.
Context Firewall angle
RAG and memory need provenance, write gates, recall ACLs, and quarantine so untrusted context cannot become standing instruction.
Advisory · CISA News · Jun 23, 01:12 AM GMT+1
CISA, US and International Partners Release Guide to Secure Adoption of Agentic AI
Executive summary
CISA News published a new Agentic AI Security signal: CISA, US and International Partners Release Guide to Secure Adoption of Agentic AI. The leadership question is whether this expands what agents can read, decide, or do without a human in the loop. Review the affected workflow and decide which sources of context should be allowed to influence privileged actions.
Why it matters
CTO/CISO takeaway: this should feed into your agent autonomy review: what changed, what can the agent now reach, and which controls prove the workflow is safe?
Context Firewall angle
For agent builders, the operational question is which source of context should be allowed to influence which action.
Standards · OWASP Blog · Jun 22, 08:44 PM GMT+1
Aikido and OWASP bring agentic Code Audit to the global AppSec community
Executive summary
OWASP and Aikido are bringing agentic code-audit capabilities to the AppSec community. That is a positive coverage signal, but it also changes the assurance model: teams will find more issues faster, while still needing evidence that the proposed fixes are correct and safe to ship.
Why it matters
CTO/CISO takeaway: use agentic audits to increase coverage, but keep human accountability and evidence requirements around production fixes.
Context Firewall angle
Agentic workflows inherit normal software risk, but the blast radius expands when untrusted context can steer privileged tools.
Standards · OWASP Blog · Jun 22, 08:44 PM GMT+1
Juice Shop v20.0.0 — a fresh squeeze of features, now with AI
Executive summary
OWASP Juice Shop adding AI features matters because training environments shape what security teams practise. If AppSec teams are going to defend AI-enabled applications, their labs need prompt injection, agent behaviour, and AI-assisted audit scenarios built in.
Why it matters
CTO/CISO takeaway: update training and assurance programmes so teams practise agent-specific failure modes, not only traditional web vulnerabilities.
Context Firewall angle
Prompt injection is a context-boundary failure: the key control is deciding whether that source can influence downstream tools, memory, retrieval, or egress.
Infrastructure · Cloudflare Blog · Jun 22, 08:44 PM GMT+1
Temporary Cloudflare Accounts for AI agents
Executive summary
Cloudflare is making it easier for agents to deploy Workers through temporary accounts. That is useful for developer velocity, but it also moves cloud authority directly into an agent workflow. The security question is no longer whether an agent can suggest infrastructure changes, but whether it can safely create, modify, and tear them down.
Why it matters
CTO/CISO takeaway: use short-lived identity, scoped permissions, and audit trails before allowing agents to deploy infrastructure.
Context Firewall angle
For agent builders, the operational question is which source of context should be allowed to influence which action.
Infrastructure · Cloudflare Blog · Jun 22, 08:44 PM GMT+1
Introducing the Cloudflare One stack: agent-powered deployment
Executive summary
Cloudflare’s agent-powered deployment stack turns operational knowledge into reusable agent skills. That makes deployment faster, but it also creates a new supply chain made of skills, prompts, connectors, and permissions. Those artefacts need the same governance as code dependencies.
Why it matters
CTO/CISO takeaway: inventory agent skills like dependencies. Pin versions, verify provenance, and monitor behaviour changes before production use.
Context Firewall angle
For agent builders, the operational question is which source of context should be allowed to influence which action.
Infrastructure · Cloudflare Blog · Jun 22, 08:44 PM GMT+1
Defend against frontier cyber models: Cloudflare's architecture as customer zero
Executive summary
Cloudflare is framing defence against frontier cyber models as an architecture problem, not just a patch-speed problem. That is the right leadership lens: when automated attackers can reason across systems, defenders need containment and telemetry that expose the path, not just the vulnerable component.
Why it matters
CTO/CISO takeaway: prioritise architecture-level blast-radius reduction and telemetry that shows how an automated attacker would move.
Context Firewall angle
Agentic workflows inherit normal software risk, but the blast radius expands when untrusted context can steer privileged tools.
Infrastructure · Cloudflare Blog · Jun 22, 08:44 PM GMT+1
How we built Cloudflare's data platform and an AI agent on top of it
Executive summary
Cloudflare’s internal analytics agent shows how quickly AI can sit on top of sensitive business data. These systems can help teams move faster, but they also connect retrieval, business context, and potential action in one place. That needs strong data boundaries.
Why it matters
CTO/CISO takeaway: limit what internal agents can retrieve, log source provenance, and gate actions that move data outside the trusted boundary.
Context Firewall angle
For agent builders, the operational question is which source of context should be allowed to influence which action.
Threat research · Palo Alto Unit 42 · Jun 22, 08:44 PM GMT+1
Trust No Skill: Integrity Verification for AI Agent Supply Chains
Executive summary
Unit 42 is warning that third-party agent skills can carry hidden vulnerabilities and multi-stage attack chains. This is the agent version of software supply-chain risk: the dangerous component may look like a helpful capability, not a suspicious binary.
Why it matters
CTO/CISO takeaway: require integrity checks, source review, and runtime policy before third-party skills can touch enterprise systems.
Context Firewall angle
Agentic workflows inherit normal software risk, but the blast radius expands when untrusted context can steer privileged tools.
Cloud security · Wiz Blog · Jun 22, 08:44 PM GMT+1
Dirty Frag: Linux Kernel Local Privilege Escalation via ESP and RxRPC
Executive summary
Wiz’s Dirty Frag writeup is conventional kernel exploitation, but it still belongs on an agent-security radar. If agents can run workloads, trigger jobs, or operate near vulnerable hosts, infrastructure flaws can become part of the agent blast radius.
Why it matters
CTO/CISO takeaway: patch the affected estate and isolate agent-run execution environments from sensitive infrastructure.
Context Firewall angle
RAG and memory need provenance, write gates, recall ACLs, and quarantine so untrusted context cannot become standing instruction.
Vendor research · Microsoft Security Blog · Jun 22, 08:44 PM GMT+1
AutoJack: How a single page can RCE the host running your AI agent
Executive summary
AutoJack shows the risk everyone worries about but rarely phrases clearly: a web page can become the first step toward host compromise when an AI browsing agent has access to local execution paths. This is not just prompt injection; it is prompt injection plus tool access plus insufficient isolation.
Why it matters
CTO/CISO takeaway: separate browsing from execution, inspect tool arguments, and replay browser-to-host exploit paths during security review.
Context Firewall angle
MCP/tool context should be treated as untrusted input until schema, provenance, and source-to-sink policy allow it to influence an action.
Research · arXiv cs.CR agent security · Jun 22, 08:44 PM GMT+1
Execution-State Capsules: Graph-Bound Execution-State Checkpoint and Restore for Low-Latency, Small-Batch, On-Device Physical-AI Serving
Executive summary
This research is about preserving and restoring execution state for low-latency on-device agents. For leadership, the security angle is state continuity: agents that pause, branch, resume, and re-enter workflows need controls that follow state across those transitions. Otherwise an approval or trust decision can become detached from the context that justified it.
Why it matters
CTO/CISO takeaway: review how agent state is saved, restored, and audited before using on-device or long-running agents in sensitive workflows.
Context Firewall angle
RAG and memory need provenance, write gates, recall ACLs, and quarantine so untrusted context cannot become standing instruction.
Research · arXiv cs.CR agent security · Jun 22, 08:44 PM GMT+1
LedgerAgent: Structured State for Policy-Adherent Tool-Calling Agents
Executive summary
LedgerAgent proposes structured state for agents that must call tools while following policy. That is relevant to customer-service, support, and operations agents where the agent’s internal state can decide what it is allowed to do next. The control surface is not only the prompt; it is the ledger of facts, obligations, and completed steps.
Why it matters
CTO/CISO takeaway: govern agent state like a security object. Decide who can update it, what evidence supports it, and which tool calls depend on it.
Context Firewall angle
RAG and memory need provenance, write gates, recall ACLs, and quarantine so untrusted context cannot become standing instruction.
Research · arXiv cs.CR agent security · Jun 22, 08:44 PM GMT+1
Sovereign Execution Brokers: Enforcing Certificate-Bound Authority in Agentic Control Planes
Executive summary
This paper argues that production mutation authority should not live inside a nondeterministic agent loop. That is exactly the problem CISOs face with deployment and cloud-control agents: broad credentials make the agent convenient, but also dangerous. Certificate-bound authority points toward tighter separation between reasoning and permission to act.
Why it matters
CTO/CISO takeaway: keep production authority outside the model loop. Prefer workload-bound credentials, explicit brokers, and auditable mutation paths.
Context Firewall angle
For agent builders, the operational question is which source of context should be allowed to influence which action.
Research · arXiv cs.CR agent security · Jun 22, 08:44 PM GMT+1
S-Agent: Spatial Tool-Use Elicits Reasoning for Spatial Intelligence
Executive summary
S-Agent is mainly a spatial-intelligence paper, but it still matters for risk teams because it shows agents using tools to reason over changing physical or 3D environments. When agents move from static answers to environment-aware action, safety depends on what observations they trust and what tools they can invoke.
Why it matters
CTO/CISO takeaway: physical or spatial agents need provenance around observations and explicit gates before actions affect real-world systems.
Context Firewall angle
RAG and memory need provenance, write gates, recall ACLs, and quarantine so untrusted context cannot become standing instruction.
Research · arXiv cs.CR agent security · Jun 22, 08:44 PM GMT+1
Efficient and Sound Probabilistic Verification for AI Agents
Executive summary
This work looks at runtime policy monitoring and probabilistic verification for agents in complex digital environments. That is useful because leadership teams need more than benchmark scores before granting autonomy. They need evidence that policies are enforced while the agent operates, not only during offline evaluation.
Why it matters
CTO/CISO takeaway: use runtime verification evidence to decide which agent workflows can be autonomous and which still require approval gates.
Context Firewall angle
For agent builders, the operational question is which source of context should be allowed to influence which action.
Research · arXiv cs.CR agent security · Jun 22, 08:44 PM GMT+1
Contagion Networks: Evaluator Bias Propagation in Multi-Agent LLM Systems
Executive summary
The paper focuses on how evaluator bias can propagate through multi-agent systems. For security leaders, this is a warning against treating one model’s judgement as an independent control for another. Multi-agent workflows can amplify shared assumptions and produce correlated failures.
Why it matters
CTO/CISO takeaway: preserve provenance for model judgements, diversify review paths, and avoid using one agent as the sole safety control for another.
Context Firewall angle
For agent builders, the operational question is which source of context should be allowed to influence which action.
Security analysis · Schneier on Security · Jun 22, 08:44 PM GMT+1
Embedding Forbidden Text in Spyware to Discourage AI Analysis
Executive summary
Schneier highlights malware authors adding content intended to interfere with AI-assisted analysis. This is a direct reminder that prompts and text artefacts inside malware should be treated as hostile input. The analysis pipeline itself is becoming a target.
Why it matters
CTO/CISO takeaway: isolate analyst copilots from raw hostile text, and treat retrieved artefacts as untrusted before they reach automated triage tools.
Context Firewall angle
RAG and memory need provenance, write gates, recall ACLs, and quarantine so untrusted context cannot become standing instruction.
Vendor research · Microsoft Security Blog · Jun 22, 08:44 PM GMT+1
Beyond the benchmark: Advancing security at AI speed
Executive summary
Microsoft is describing agentic vulnerability detection moving into real security workflows across Windows, Azure, and identity. The message for leaders is that AI security tooling is leaving benchmark theatre and entering operational pipelines. That raises the bar for validation, ownership, and change control.
Why it matters
CTO/CISO takeaway: demand workflow evidence, not just model scores. Ask where AI-found issues enter remediation and who approves the fix path.
Context Firewall angle
Agentic workflows inherit normal software risk, but the blast radius expands when untrusted context can steer privileged tools.
Security research · GitHub Security Lab · Jun 22, 08:44 PM GMT+1
Safeguarding VS Code against prompt injections
Executive summary
GitHub’s VS Code work shows why developer copilots need special treatment: they read untrusted repo content, issues, comments, and dependency text while sitting next to terminals, code edits, package installs, and secrets. The IDE is now an agent runtime.
Why it matters
CTO/CISO takeaway: treat workspace content as untrusted before it can influence commands, code changes, package installs, or secret handling.
Context Firewall angle
Prompt injection is a context-boundary failure: the key control is deciding whether that source can influence downstream tools, memory, retrieval, or egress.
Security research · Google Security Blog · Jun 22, 08:44 PM GMT+1
AI threats in the wild: The current state of prompt injections on the web
Executive summary
Google’s threat-intelligence view is that indirect prompt injection is moving from lab concern to live adversarial behaviour. For CTOs and CISOs, the practical question is exposure: which external pages, documents, tickets, emails, or tool results can currently change what an agent does? Treat this as a workflow mapping exercise before approving broader agent autonomy.
Why it matters
CTO/CISO takeaway: ask for evidence of where untrusted content reaches tools, memory, retrieval, or outbound data paths. Prompt filtering alone is not enough.
Context Firewall angle
Prompt injection is a context-boundary failure: the key control is deciding whether that source can influence downstream tools, memory, retrieval, or egress.
Security research · Google Security Blog · Jun 22, 08:44 PM GMT+1
Google Workspace’s continuous approach to mitigating indirect prompt injections
Executive summary
Google is treating Workspace with Gemini as a multi-source agent environment, where malicious instructions can hide inside normal business content. That matters because email, docs, calendar entries, and drive files are already trusted by employees. Security leaders should assume collaboration data can become operational context and put controls around what it is allowed to trigger.
Why it matters
CTO/CISO takeaway: review agent access to collaboration suites before agents can send messages, alter documents, call tools, or move data.
Context Firewall angle
Prompt injection is a context-boundary failure: the key control is deciding whether that source can influence downstream tools, memory, retrieval, or egress.
Security research · Google Security Blog · Jun 22, 08:44 PM GMT+1
Architecting Security for Agentic Capabilities in Chrome
Executive summary
Chrome’s agentic browsing work shows browsers are becoming execution environments, not just user interfaces. A browser agent can see external web content while also sitting near sessions, credentials, downloads, forms, and enterprise apps. That combination needs a much stronger policy boundary than ordinary browser hardening.
Why it matters
CTO/CISO takeaway: treat browser agents as privileged workflows. Require controls for page trust, credential use, downloads, form submission, and local file access.
Context Firewall angle
Prompt injection is a context-boundary failure: the key control is deciding whether that source can influence downstream tools, memory, retrieval, or egress.
Security research · Google Security Blog · Jun 22, 08:44 PM GMT+1
Mitigating prompt injection attacks with a layered defense strategy
Executive summary
Google’s layered-defence writeup reinforces that prompt injection cannot be solved by one detector or one system prompt. The useful leadership lens is resilience: what happens when detection is uncertain, when malicious content is embedded in a trusted source, or when an agent is about to act? Controls need to sit at the action boundary, not just at input time.
Why it matters
CTO/CISO takeaway: test whether your AI controls fail closed before tool calls, memory writes, data retrieval, and outbound communication.
Context Firewall angle
Prompt injection is a context-boundary failure: the key control is deciding whether that source can influence downstream tools, memory, retrieval, or egress.
Frontier labs · OpenAI News · Jun 22, 08:44 PM GMT+1
A near-autonomous AI chemist improves a challenging reaction in medicinal chemistry
Executive summary
OpenAI’s chemist example shows agents moving beyond recommendation into domain-specific optimisation loops. Even outside software, the same governance issue appears: what can the agent change, what evidence supports the change, and when does a human need to approve it?
Why it matters
CTO/CISO takeaway: define autonomy boundaries for specialist agents before they affect research, production, safety, or regulated workflows.
Context Firewall angle
For agent builders, the operational question is which source of context should be allowed to influence which action.
Frontier labs · OpenAI News · Jun 22, 08:44 PM GMT+1
How Endava is redesigning software delivery around AI agents
Executive summary
Endava’s work with AI agents in software delivery is a signal that agent-assisted engineering is becoming normal enterprise operating practice. Faster delivery is useful, but compressed review cycles can let weak controls reach production unless policy checks move into the workflow.
Why it matters
CTO/CISO takeaway: put security policy into the delivery path, not only into post-merge or pre-release review.
Context Firewall angle
For agent builders, the operational question is which source of context should be allowed to influence which action.