ParallelCS Start here

HomeTracksAgentic Systems EngineeringAgent Security & Prompt Injection

Week 11 concept

Agent Security & Prompt Injection

An autonomous agent with tools is an attack surface. Prompt injection, tool poisoning, the lethal trifecta of private data plus untrusted content plus exfiltration, and least-privilege agent design.

Bridges to Information Security — threat modeling and least privilege

Builds on: Evaluating Agents & Verifiable Software 3.0

Study notes

Master this concept.

Agent Security & Prompt Injection

What it is

Agent security focuses on protecting autonomous AI systems that can execute actions via tools. Prompt injection occurs when an attacker provides a crafted input that tricks the LLM into ignoring its original system instructions and executing unauthorized commands instead.

Why it matters

In a simple chatbot, a prompt injection might only result in a funny or rude response. In an agentic system, the LLM has "hands", the ability to call APIs, read databases, and send emails. An injection attack can turn an agent into a proxy for the attacker, allowing them to delete data, steal credentials, or manipulate business logic.

Core concepts to master

  • Indirect Prompt Injection: This happens when an agent processes untrusted third-party data (like a website or an email) that contains hidden instructions. The agent "reads" the attack and executes it without the user's knowledge.
  • The Lethal Trifecta: The highest risk occurs when three conditions meet: the agent has access to private data, it processes untrusted external content, and it has a tool capable of exfiltration (like sending an HTTP request).
  • Tool Poisoning: This occurs when an attacker manipulates the data a tool returns, tricking the agent into taking a specific, harmful action based on that falsified information.
  • Least-Privilege Design: The principle that an agent should only have the absolute minimum permissions necessary to complete its task. If an agent only needs to read a file, it should not have a tool that can write or delete files.

Common mistakes

  • Over-trusting the LLM: Assuming the model will always follow system prompts regardless of user input.
  • Excessive Permissions: Giving an agent a "god-mode" API key that can access all company data instead of scoped, read-only access.
  • Implicit Trust of Input: Failing to sanitize or isolate data retrieved from the web before passing it back into the agent's context window.

Track connection

This concept bridges the gap between Agent Architecture (how tools are connected) and Production Deployment. Once you build a functional agent, security defines the constraints and guardrails required to move that agent from a local prototype to a secure, customer-facing product.

Notes written for this concept by the ParallelCS in-house model. Always cross-check against the linked sources below.

Go to the source

Read, watch, and practice.

Free, world-class material chosen for this concept.

Back to the Agentic Systems Engineering plan