In the rapid adoption of agentic artificial intelligence (AI) technology, development teams are sometimes moving faster than their understanding of how these new systems function at an architectural level. As a result, organizations are inadvertently introducing long-established software vulnerabilities into modern environments.
The footprint of AI agents across enterprise environments is expanding quickly. Data from Gartner and MIT Sloan Management Review suggests that approximately a third of organizations have either already adopted or plan to adopt agentic AI technology soon. However, these measurements often rely on self-reporting and generalized projections.
Despite common perceptions, these agents are not impenetrable black boxes. In an upcoming presentation at Infosecurity Europe, Acronis researchers Eliad Kimhy and Syed Aizad plan to demonstrate how these automated systems operate at a foundational level. By examining the mechanics of AI agents, their research indicates that current security vulnerabilities are rarely a flaw in the AI itself; instead, they are largely a byproduct of missing traditional security controls.
"What people don't understand is that agentic systems still rely on a lot of old world technology and a lot of old world vulnerabilities," Kimhy explains. He notes that as agentic AI spreads, unauthorized parties will likely target standard software vulnerabilities. If teams lack awareness of this connection, they may write insecure code and rely too heavily on the large language model (LLM) to manage system safety, an approach that leaves environments exposed.
Vulnerabilities in agentic AI
Security assessments over the past year have validated this perspective. Last fall, researchers discovered a critical vulnerability in Salesforce. If an unauthorized party submitted a specifically crafted prompt into a certain type of Salesforce form, a backend AI agent interpreting the input might execute the instructions. This exposure was compounded by the fact that the platform was still allowing connections to an expired, easily registrable domain.
Early this year, a researcher documented a dangerous sequence of security flaws in ServiceNow. The issue centered on an overly permissive chatbot protected only by factory default credentials. Because the system allowed users to authenticate simply by supplying an email address, the researcher demonstrated the ability to access and create powerful AI agents across organizational instances.
When analyzing these incidents, a pattern emerges. Agentic AI introduces new variables to organizational networks, but the underlying mechanisms of exposure (lack of input sanitization, hardcoded credentials, and insufficient access controls) are highly familiar.
While prompt bypasses and model manipulation receive the most public attention, Kimhy argues that these are not the primary failure points organizations need to focus on. Instead, Acronis researchers identify the intersection between the AI and the traditional software it interacts with as the most critical area to secure.
How AI agents operate
To protect agentic systems, security teams first need a clear understanding of their architecture.
"The problem is that, a lot of the time, people look at these agentic systems as a black box. They think, OK, there's input, there's some magic happening in the middle, and then there's output," Kimhy says. "The message that we're interested in helping people understand is that it is not a black box."
Architecturally, an AI agent functions as an ecosystem divided into two halves. One half consists of deterministic systems—traditional software tools and functions that take an argument and produce a highly predictable result. The other half is the non-deterministic system, the LLM, which operates based on probabilities.
The majority of agentic vulnerabilities arise exactly where these deterministic and non-deterministic components connect.
During their presentation, Kimhy and Aizad will demonstrate this interaction using a sample AI agent that powers a travel booking platform. Even when using modern reasoning agents connected to standard backend tools, security issues surface if foundational checks are missing. For example, a user might request booking information, and the agent might provide it without verifying whether the user is authorized to view that data.
This is an authentication gap, not a model failure. Researchers demonstrated a nearly identical scenario last December, using a program powered by a Microsoft Copilot Studio agent to expose personally identifiable information (PII) simply by asking for it.
Securing agentic technology
Designing an authentication check for an AI agent is a straightforward process when teams know to look for it. The challenge lies in ensuring that custom internal agents or increasingly common automated workflows account for authentication and access controls across thousands of potential interactions between the deterministic and non-deterministic halves.
Many teams deploy agentic AI without a deep understanding of how these connected systems pass data back and forth. The security controls required for an LLM are fundamentally different from the security controls required for traditional software. Currently, industry focus is heavily skewed toward securing the non-deterministic side, which addresses less than half of the actual attack surface.
The most effective remediation strategy relies on applying time-tested cybersecurity principles to this new technology. Organizations can prevent agents from exposing sensitive data by implementing standard token-based authentication and enforcing strict, identity-based access controls on the AI, granting it only the permissions necessary to complete its specific tasks, exactly as one would provision access for a human user.
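As an added example (not code from the Acronis presentation or from any product named above), here is the tool boundary of a hypothetical travel-booking agent in Python, covering both the authorization gap described for the sample agent and the token-based remediation: the LLM proposes a tool call as JSON, and the deterministic side authenticates the caller from a server-issued session token and enforces ownership before returning booking data, ignoring any identity the model places in the arguments. The token scheme, tool names, secret and booking records are constructed for illustration.

```python
import hashlib
import hmac
import json

SECRET = b"demo-secret"  # constructed; a real deployment manages this key properly

# Constructed sample bookings; "passport" stands in for the PII the agent could leak.
BOOKINGS = {
    "B100": {"owner": "alice", "flight": "LHR-JFK", "passport": "X1234567"},
    "B200": {"owner": "bob", "flight": "CDG-SFO", "passport": "Y7654321"},
}

def issue_token(user):
    """Server-issued session token: user id plus an HMAC tag over it."""
    tag = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"

def verify_token(token):
    """Return the authenticated user, or None. Identity comes only from the token."""
    try:
        user, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None

def get_booking_unchecked(args):
    """The gap described above: hands back whatever booking the model asks for."""
    return BOOKINGS.get(args.get("booking_id"))

def get_booking(args, session_token):
    """Hardened tool: authenticate the caller, then enforce ownership of the record."""
    user = verify_token(session_token)
    if user is None:
        return {"error": "unauthenticated"}
    booking = BOOKINGS.get(args.get("booking_id"))
    if booking is None or booking["owner"] != user:
        return {"error": "not found"}  # same reply for missing and foreign ids
    return booking

def dispatch(model_output, session_token):
    """Deterministic side: parse the model's proposed call and route it to an allowed tool.

    session_token is supplied by the application, never taken from model output.
    """
    call = json.loads(model_output)
    tools = {"get_booking": get_booking}  # allow-list of callable tools
    tool = tools.get(call.get("tool"))
    if tool is None:
        return {"error": "unknown tool"}
    return tool(call.get("args", {}), session_token)
```

A model argument such as `"as_user": "alice"` is simply never consulted, so a prompt that talks the LLM into adding it changes nothing on the deterministic side.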
By acknowledging that traditional software principles remain central to these modern ecosystems, security teams can safely integrate predictable tools with non-deterministic models, maintaining visibility and protection across the entire workflow.