AI agents are moving into production faster than security defenses can keep up. A year of red team operations against deployed agentic systems has exposed critical vulnerabilities that didn't exist in earlier AI security frameworks, prompting Microsoft to overhaul its threat taxonomy with seven entirely new failure mode categories.

What Changed in AI Agent Security Over the Past Year?

When Microsoft's AI Red Team published its initial taxonomy of failure modes in agentic AI systems in April 2025, the threat landscape was largely theoretical. The framework was built on practitioner interviews and early operational experience, but real-world deployments were still sparse. Twelve months later, the evidence base has shifted dramatically.

Open-source agentic frameworks exploded onto the scene. OpenClaw, launched in January 2026, accumulated over 336,000 GitHub stars and spawned more than 2,100 agents within 48 hours of release. A security audit conducted shortly after launch identified 512 vulnerabilities, including a one-click remote code execution flaw via WebSocket hijacking. Within the first week, over 1,800 exposed instances were leaking API keys and credentials, and 336 malicious plugins were found in the skills marketplace, including credential stealers masquerading as trading bots.

The Model Context Protocol, or MCP, became the de facto standard for connecting AI models to external tools. In 2025 alone, 99 CVEs (common vulnerabilities and exposures) were published for MCP-related software, and tool poisoning moved from theoretical risk to live attack surface. Computer-use agents, which observe and interact with graphical interfaces, also moved from research to production, introducing attack surfaces with no analogue in earlier AI security work.

Which New Failure Modes Are Red Teams Seeing Most?

Microsoft's v2.0 taxonomy adds seven new failure mode categories grounded in 12 months of real red team engagements against deployed agentic systems. These aren't hypothetical threats; they represent patterns observed across actual deployments:

• Agentic Supply Chain Compromise: Agents consume plugin registries, MCP servers, prompt templates, and third-party tool integrations. Unlike traditional supply chain attacks that deliver malicious code, a compromised agentic component injects natural-language instructions that alter agent behavior without touching any binary.
• Goal Hijacking: Adversarial instructions that appear aligned with legitimate task completion silently redirect the agent's terminal goal without fully compromising the underlying agent.
• Inter-Agent Trust Escalation: In multi-agent architectures, a compromised agent can assert false identity or inflate claimed permissions to an orchestrator that doesn't independently verify them, mirroring confused deputy problems but induced through natural language.
• Computer Use Agent Visual Attack: Agents operating through graphical interfaces can be manipulated through visual content that appears innocuous to humans but carries adversarial instructions, including hidden text at non-human-readable scale and UI elements positioned outside the visible viewport.
• Session Context Contamination: An adversary introduces data early in a session that biases the agent's reasoning in subsequent steps, without triggering safety controls at any individual step.
• MCP and Plugin Abuse: Attack surfaces specific to standardized protocols, including tool description poisoning, server-side instruction injection, and cross-server instruction override.
• Capability and Architecture Disclosure: Agents reveal internal implementation details such as tool names, schemas, system-prompt structure, and memory interfaces, turning black-box probing into white-box exploit paths.

The most consistently exploited failure mode was human-in-the-loop bypass, or HitL bypass. Red teamers achieved bypass through consent fatigue, manipulation of probabilistic invocation, and incremental escalation chains where no individual step clearly warranted review but the compound outcome did. Most significantly, several engagements demonstrated zero-click end-to-end chains starting from an external input with no human interaction beyond the initial agent invocation, achieving high-impact outcomes such as exfiltration or lateral movement.

Cross-domain prompt injection and memory poisoning were observed at high frequency and frequently combined. Memory poisoning via cross-domain prompt injection, where injected instructions seed the agent's persistent memory for later retrieval, requires only a single successful injection, which the agent then propagates across subsequent sessions. Session context contamination and incremental escalation were highly effective and difficult to detect because neither the contaminating input nor any individual escalation step is clearly anomalous in isolation.

How Are Enterprises Preparing Their Defenses?

The urgency is real. Cisco estimates AI traffic will triple within three years, stressing both perimeter and internal controls simultaneously. Splunk's survey found that 86% of CISOs fear social engineering spikes powered by agentic reasoning loops, yet only 6% of enterprises run agents in revenue workloads, revealing a significant readiness gap.

Cisco has announced a comprehensive overhaul of its security stack centered on identity, network, and runtime layers converging into a single policy fabric. The Model Context Protocol now attaches metadata to every agent tool call for inspection. Zero Trust for agents extends just-in-time tokens and behavioral analytics to non-human actors. A hybrid firewall upgrade feeds agent traffic into Secure Firewall Threat Defense without latency spikes, with policy updates propagating through Cloud Control in under 30 seconds.

However, gaps remain. Independent researchers warn that inventory of active agents remains incomplete in many enterprises, and security teams struggle to map tool call provenance or verify decision trails. Even with advanced AI security platforms, runtime monitoring remains limited. Cisco counters that Agentic AI Security embeds observability hooks across network and application layers, but the company still lacks third-party breach data validating guardrail efficacy at scale.

Steps Security Leaders Should Take Now

Security leaders don't need to wait for perfect solutions. Microsoft's red team findings and Cisco's framework point to concrete actions that can reduce risk immediately:

• Agent Inventory: Document every agent, tool call, and permission scope within seven days. This baseline is load-bearing; without it, you cannot detect drift or anomalies.
• Identity Integration: Integrate agent identities into existing identity and access management systems to enable policy inheritance and faster revocation when threats emerge.
• Network Mirroring: Organizations running hybrid firewall deployments must mirror those rules within software-defined perimeters for agents, ensuring consistent enforcement across environments.
• Threat Mapping: Map detection telemetry to MITRE Atlas techniques for autonomous threats, creating a shared vocabulary for your security team.
• Red Team Validation: Invest in continuous red-teaming to validate Agentic AI Security controls before production rollout, rather than discovering gaps after deployment.
• Policy as Code: Adopt policy-as-code to simplify cross-platform enforcement and audit readiness, reducing manual configuration errors.

Beyond immediate tactical steps, organizations should enable network and application logging at one-second resolution, deploy runtime guardrails in monitor mode first, and simulate attack chains using open-source red teams. Mature teams should publish quarterly AI security scorecards that include response times and false positive rates.

The evidence is clear: agentic AI systems are moving into production at scale, and the threat landscape has evolved faster than most enterprises realize. The good news is that red team findings and vendor roadmaps now provide a concrete playbook for defense. The challenge is execution speed and organizational alignment.