Search papers, labs, and topics across Lattice.
This paper analyzes the cybersecurity risks introduced by agentic AI systems, which autonomously retrieve information and invoke tools, shifting the attack surface to runtime dependencies. It categorizes threats into data and tool supply chain attacks, highlighting vulnerabilities like transient context injection, persistent memory poisoning, and malicious tool invocation. The paper identifies the "Viral Agent Loop," where agents propagate generative worms without code-level exploits, and proposes a Zero-Trust Runtime Architecture using cryptographic provenance to constrain tool execution.
Agentic AI's ability to autonomously retrieve information and invoke tools opens a Pandora's Box of runtime vulnerabilities, including self-propagating "Viral Agent Loops" that bypass traditional code-level exploits.
Agentic systems built on large language models (LLMs) extend beyond text generation to autonomously retrieve information and invoke tools. This runtime execution model shifts the attack surface from build-time artifacts to inference-time dependencies, exposing agents to manipulation through untrusted data and probabilistic capability resolution. While prior work has focused on model-level vulnerabilities, security risks emerging from cyclic and interdependent runtime behavior remain fragmented. We systematize these risks within a unified runtime framework, categorizing threats into data supply chain attacks (transient context injection and persistent memory poisoning) and tool supply chain attacks (discovery, implementation, and invocation). We further identify the Viral Agent Loop, in which agents act as vectors for self-propagating generative worms without exploiting code-level flaws. Finally, we advocate a Zero-Trust Runtime Architecture that treats context as untrusted control flow and constrains tool execution through cryptographic provenance rather than semantic inference.
