Top 10 Security Risks of AI Agents Revealed by Unit 42

Growing Security Challenges of AI Agents

As AI agents evolve from experimental tools to production-level technologies, their increasing autonomy brings new security vulnerabilities. Palo Alto Networks’ Unit 42 recently published an in-depth report titled “AI Agents Are Here. So Are the Threats,” highlighting that the main security risks do not primarily come from the AI frameworks themselves but from how these agents are designed, deployed, and interact with external tools.

Framework-Agnostic Vulnerabilities

Unit 42 researchers built two functionally identical AI agents using different frameworks—CrewAI and AutoGen—to test vulnerabilities. Both agents exhibited similar security weaknesses, proving that these risks are framework-agnostic. The key issues stem from misconfigurations, poorly designed prompts, and insecure integration with external tools.

The Top 10 Threats Identified

The report identifies ten critical threats exposing AI agents to risks such as data leaks, tool exploitation, and remote code execution:

• Prompt Injection and Broad Prompts: Attackers manipulate agent behaviors by exploiting loosely defined prompts.
• Framework-Agnostic Risk Surfaces: Vulnerabilities arise from design flaws like insecure role delegation and ambiguous prompt scopes.
• Unsafe Tool Integrations: Poorly controlled integration of tools like code executors and web scrapers expands the attack surface.
• Credential Exposure: Agents may leak sensitive tokens and API keys.
• Unrestricted Code Execution: Unsandboxed code interpreters allow attackers to run arbitrary code.
• Lack of Layered Defense: Single-layer defenses are inadequate; a defense-in-depth approach is necessary.
• Prompt Hardening: Strict role definitions and scope enforcement reduce manipulation risks.
• Runtime Content Filtering: Real-time monitoring filters out malicious inputs.
• Tool Input Sanitization: Validating inputs prevents injection attacks.
• Code Executor Sandboxing: Restricting execution environments limits breach impacts.

Real-World Attack Simulations

Unit 42 demonstrated these vulnerabilities by simulating nine attack scenarios on a multi-agent investment assistant:

• Extracting internal agent instructions and tool schemas.
• Stealing credentials via injected Python scripts accessing cloud metadata.
• Exploiting SQL injection and broken object-level authorization.
• Indirect prompt injection through malicious websites causing data leaks.

These scenarios highlight that common design oversights, not zero-day exploits, are the main cause of vulnerabilities.

Comprehensive Defense Strategies

Mitigating these risks demands holistic security measures:

• Harden prompts to restrict instructions and tool access.
• Apply input and output content filtering before and after inference.
• Rigorously test tool integrations using static, dynamic, and dependency analyses.
• Employ strict sandboxing for code execution, including network and system call restrictions.

Palo Alto Networks recommends its AI Runtime Security and AI Access Security platforms to provide visibility, monitor misuse, and enforce policies on AI agent interactions.

The Need for Security-First AI Agent Development

The rise of AI agents expands the vulnerability landscape due to their integration with external tools and complex communication. Securing these systems requires deliberate design, continuous monitoring, and layered defenses. Enterprises adopting AI agents at scale must prioritize security to keep pace with advancing AI capabilities.