A security talk about AI Agents at TASK.

Notes

  • SaaS is DEAD because of Agentic AI
  • AI is booming: exponential growth in AI projects on GitHub and models on Hugging Face
  • LLM < AI-Native Applications < AI Agent
  • There are higher stakes with AI agents since they perform write operations
  • Modern threats for applications:
  • Cloud is still more risky than AI
    • Capital One lost millions from a bad EC2 configuration
  • AI Security
  • Most RAG pipelines will still contain sensitive data
  • Most if not all LLMs will have AI alignment by default to prevent obviously harmful prompts (like asking for a user's credit card number)
  • AI is a stochastic algorithm, and you can often get different results from the same input
  • AI can be used in XSS and CSRF attacks to visit attackers' sites
  • AI Agents Diagram (Excalidraw drawing "Drawing 2025-05-28 19.53.25"), components shown:
    • Model Orchestrator
    • Agents
    • Vector Database
    • RAG Pipeline
    • Models
    • Tools
    • Systems of Record
    • User
  • It's not like cloud, where there is an agreement that the end user manages security.
  • Model security is the provider's responsibility
  • We have to secure the data pipelines and the prompt layer on our (the user's) end
  • Model Context Protocol
  • Agent to Agent Protocol
  • The STAR AI Security Framework was created by Straiker to secure AI agents
  • You have to treat Agentic AI like an employee: this means Principle of Least Privilege, etc.
  • Using regex to match sensitive information like credit card numbers no longer works, since prompt injectors can specify a particular format for the output
  • To handle this:
    • Enhance legacy DLP
    • Fine-tune your models
    • Use a medley of experts (use RL with knowledgeable trainers)
  • Straiker
  • For AI, you have to sanitize your inputs AND your outputs
    • You can use a host of LLM judges to check outputs
  • For instrumenting:
    • You can set up an SDK
    • You can set up __ on the LangChain infrastructure
    • You can set this up on the API
  • Reduce output to canonical form; this makes checking easier since there is only one character set to work with
  • Straiker has an AI red team model that tries every possible tactic
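The two notes above, that a fixed regex for card numbers is defeated once an injector controls the output format, and that reducing output to a canonical character set restores the check, as an added example (not from the talk or from Straiker). The sample agent outputs are constructed and use the standard 4111.../4012... test card numbers:

```python
import re
import unicodedata

# Legacy ASCII-only DLP rule: breaks once an injector dictates the output format.
NAIVE_CARD_RE = re.compile(r"\b[0-9]{16}\b", re.ASCII)
# Canonical-form rule: any 13-19 digit run, then confirmed with a Luhn check.
CANON_CARD_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)", re.ASCII)
# Digit words, for outputs an injector asked to have "spelled out".
DIGIT_WORDS = {w: str(i) for i, w in enumerate(
    "zero one two three four five six seven eight nine".split())}
DIGIT_WORD_RE = re.compile(r"\b(" + "|".join(DIGIT_WORDS) + r")\b")
# Separators and invisible code points that carry no information for this check.
SEPARATOR_RE = re.compile(r"[\s\-\.\u200b\u200c\u200d\ufeff]+")

# Constructed sample agent outputs; 4111... and 4012... are standard test PANs.
SAMPLE_OUTPUTS = [
    "Card on file: 4111111111111111",                  # plain
    "Card on file: 4111 1111 1111 1111",               # grouped
    "Card on file: 4-0-1-2-8-8-8-8-8-8-8-8-1-8-8-1",    # hyphen between every digit
    "Card on file: ４０１２８８８８８８８８１８８１",     # fullwidth digits
    "Card on file: four zero one two eight eight eight eight "
    "eight eight eight eight one eight eight one",     # digit words
    "Card on file: 4012\u200b8888\u200b8888\u200b1881",  # zero-width spaces
    "Reference number 1234567890123",                  # 13 digits, fails Luhn
]

def canonicalize(text: str) -> str:
    """One character set: NFKC folds fullwidth forms to ASCII, digit words
    become digits, separators and invisibles are removed."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = DIGIT_WORD_RE.sub(lambda m: DIGIT_WORDS[m.group(1)], text)
    return SEPARATOR_RE.sub("", text)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, to drop digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def naive_hits(text: str) -> list[str]:
    return NAIVE_CARD_RE.findall(text)

def find_cards(text: str) -> list[str]:
    """Scan the canonical form and keep only Luhn-valid runs."""
    return [m for m in CANON_CARD_RE.findall(canonicalize(text)) if luhn_ok(m)]

def compare(outputs: list[str]) -> dict[str, int]:
    return {"naive": sum(bool(naive_hits(o)) for o in outputs),
            "canonical": sum(bool(find_cards(o)) for o in outputs)}
```

Stripping separators can also merge unrelated digit groups into one run, so a production scanner would additionally try sub-windows of a long run; the Luhn check is what keeps the canonical rule from flagging every long number.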