Gen AI

New reports reveal escalating risks as AI agents become powerful yet vulnerable tools

Saturday, 21 February 2026 5:59PM UTC

CrowdStrike and Cisco warn that advancing AI systems are doubling both productivity and attack surfaces, with many organisations unprepared for emerging threats and manipulation tactics.

Two new vendor reports underline a widening problem: AI systems that act on behalf of users are becoming both powerful productivity tools and attractive attack surfaces, yet many organisations remain unprepared to secure them.

According to a CrowdStrike threat brief, autonomous agents with capabilities such as shell access, browser control and integrated APIs can be manipulated through prompt injection to perform adversary-desired actions. CrowdStrike warns that agents which persist configuration or conversation history locally and possess broad execution privileges are particularly vulnerable. The company is also advancing its own agentic tooling: its recently announced Threat AI platform uses autonomous agents to automate malware analysis and continuous threat hunting, a capability CrowdStrike says strengthens detection and response across the kill chain.

Cisco reaches similar conclusions in its State of AI Security 2026 report. The research finds that while the majority of organisations intend to deploy agentic AI, a much smaller share believe they can do so safely; the report highlights supply‑chain fragility, the expanding risks tied to Model Context Protocols, and the rapid evolution of prompt‑injection and jailbreak techniques. Cisco has begun repositioning its product portfolio around these risks, describing additions such as AI supply‑chain governance, runtime protections and AI‑aware traffic controls in its Secure Access Service Edge offerings to reduce manipulation and exploitation of agentic workflows.

The combined message from both vendors is stark: the ability to act multiplies risk, and current tooling lags behind attackers' creativity. Industry incidents from 2025 illustrate the danger. High‑severity vulnerabilities and exploitation chains, ranging from an email that triggered automatic data exfiltration from a major Copilot deployment to widespread cascade compromises via a chat‑agent integration, and high success rates in data‑exfiltration tests against other agent platforms, have shown how quickly an automated assistant can become a conduit for breach.

A common criticism of enterprise responses is scope and access: vendor solutions such as endpoint sensors or cloud controls are effective for organisations that can afford and deploy them, but they do not address the full ecosystem of developers, researchers and smaller teams building agents. In a developer blog on dev.to the author behind an open‑source project called ClawMoat argues for tooling that inspects agents at runtime and in session transcripts. The project aims to detect and flag patterns associated with prompt injection and jailbreaks, search agent input/output for exposed credentials, monitor for unauthorised outbound data flows, identify malicious instructions embedded in persistent memory or context files, enforce policy between agents and external tools, and surface privilege boundary violations. The author says the tool is distributed under an MIT licence and is intended to sit in the execution path so operators can catch attacks before they escalate.

There is no single technical fix. Cisco and CrowdStrike both emphasise a mix of approaches: stronger runtime controls, supply‑chain governance, agent‑aware network and access policies, and improved telemetry to spot anomalous behaviour. CrowdStrike’s agentic threat‑intelligence approach illustrates one way vendors expect to use AI to help secure AI, while Cisco’s product updates signal a push to bake AI‑specific protections into networking and access layers.

For teams building agentic systems, the immediate priorities are practical: minimise execution privileges, avoid persisting sensitive context where it can be tampered with, apply strict allowlists and rate limits for tool integrations, and instrument agents so their actions are observable. Where organisations cannot rely on enterprise suites, community tools that monitor sessions and enforce policy can help close gaps, though they are not a substitute for architectural hardening and threat‑informed design.

The technological momentum behind agentic AI is accelerating both utility and risk. As vendors publish more detailed threat analyses and update product roadmaps in response, the critical work will be translating those findings into the controls and observability that actually prevent abuse in real deployments.

Source: Noah Wire Services

More on this

https://dev.to/darbogach/crowdstrike-just-wrote-a-threat-brief-about-ai-agents-cisco-published-a-2026-report-heres-what-3jpi - Please view link - unable to able to access data
https://www.crowdstrike.com/en-us/press-releases/crowdstrike-threat-ai-leads-threat-intel-into-agentic-era/ - CrowdStrike has introduced Threat AI, the first agentic threat intelligence system designed to automate complex intelligence workflows and accelerate outcomes. This system comprises autonomous agents that proactively hunt adversaries and take decisive actions across the kill chain, enhancing analyst investigations and threat response capabilities. The initial agents include the Malware Analysis Agent, which automates malware analysis and classification, and the Hunt Agent, which conducts continuous, proactive threat hunting across environments. These agents are orchestrated to strengthen each other's outputs, providing a comprehensive approach to threat intelligence in the agentic era.
https://www.cisco.com/site/us/en/products/security/state-of-ai-security.html - Cisco's 2026 Annual Report, 'The State of AI Security,' offers an in-depth analysis of the evolving AI threat landscape. It highlights novel threats such as supply chain and agentic risks, examines the fragility of the modern AI supply chain, and discusses the growing risk surface of Model Context Protocol (MCP) agentic AI. The report also explores the evolution of prompt injection attacks and jailbreaks of AI systems, emphasizing the need for a fundamental change in how companies approach digital security in the age of AI.
https://newsroom.cisco.com/content/r/newsroom/en/us/a/y2026/m02/cisco-redefines-security-for-the-agentic-era.html - Cisco has announced a comprehensive evolution of its security portfolio to assist enterprises in securely adopting agentic AI. This includes significant updates to Cisco’s AI Defense solution, introducing AI supply chain governance and runtime protections to reduce the risk of compromise or manipulation. Additionally, Cisco has introduced AI-aware security advancements to its Secure Access Service Edge (SASE), pairing AI traffic detection and optimization to ensure agentic workflows remain safe, fast, and reliable. These initiatives aim to redefine security for the agentic era.
https://blogs.cisco.com/ai/cisco-state-of-ai-security-2026-report - Cisco's blog post provides insights into the 2026 State of AI Security report, shedding light on the AI threat landscape and marking the beginning of a major paradigm shift in AI security. The post discusses the proliferation of agentic AI, changes in government regulation, and growing attacker interest in AI. It also highlights the need for a fundamental change in how companies approach digital security, emphasizing the importance of understanding the evolving AI threat landscape to manage risks effectively.
https://www.crowdstrike.com/en-us/press-releases/crowdstrike-threat-ai-leads-threat-intel-into-agentic-era/ - CrowdStrike has introduced Threat AI, the first agentic threat intelligence system designed to automate complex intelligence workflows and accelerate outcomes. This system comprises autonomous agents that proactively hunt adversaries and take decisive actions across the kill chain, enhancing analyst investigations and threat response capabilities. The initial agents include the Malware Analysis Agent, which automates malware analysis and classification, and the Hunt Agent, which conducts continuous, proactive threat hunting across environments. These agents are orchestrated to strengthen each other's outputs, providing a comprehensive approach to threat intelligence in the agentic era.
https://www.cisco.com/site/us/en/products/security/state-of-ai-security.html - Cisco's 2026 Annual Report, 'The State of AI Security,' offers an in-depth analysis of the evolving AI threat landscape. It highlights novel threats such as supply chain and agentic risks, examines the fragility of the modern AI supply chain, and discusses the growing risk surface of Model Context Protocol (MCP) agentic AI. The report also explores the evolution of prompt injection attacks and jailbreaks of AI systems, emphasizing the need for a fundamental change in how companies approach digital security in the age of AI.

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 8

Notes: The article references recent reports from CrowdStrike and Cisco, both dated February 2026, indicating timely information. However, the CrowdStrike report was published in September 2025, which may affect the freshness of some content. Additionally, the article includes a developer blog from dev.to, which may not be as authoritative as official reports. The combination of sources suggests a mix of fresh and potentially older information. Given the publication date of the article (February 21, 2026), the content appears to be relatively current. However, the inclusion of older sources and the developer blog may reduce the overall freshness score.

Quotes check

Score: 7

Notes: The article includes direct quotes from CrowdStrike and Cisco reports. However, the earliest known usage of these quotes cannot be independently verified, as the reports are not publicly accessible. The lack of verifiable sources for these quotes raises concerns about their authenticity. Additionally, the article includes a developer blog from dev.to, which may not be as authoritative as official reports. The combination of sources suggests a mix of verifiable and potentially unverifiable quotes. Given the lack of independent verification for some quotes, the overall score is reduced.

Source reliability

Score: 6

Notes: The article cites reports from CrowdStrike and Cisco, both reputable organizations in the cybersecurity field. However, the CrowdStrike report is dated September 2025, which may affect its relevance. The inclusion of a developer blog from dev.to introduces a less authoritative source, potentially impacting the overall reliability. The combination of sources suggests a mix of reliable and less reliable information. Given the inclusion of a less authoritative source and the age of some reports, the overall reliability score is moderate.

Plausibility check

Score: 8

Notes: The article discusses the security challenges associated with AI agents, referencing recent reports from CrowdStrike and Cisco. The claims align with known industry concerns about AI security. However, the inclusion of a developer blog from dev.to introduces a less authoritative source, which may affect the overall plausibility. The combination of sources suggests a mix of plausible and potentially less credible information. Given the inclusion of a less authoritative source, the overall plausibility score is slightly reduced.

Overall assessment

Verdict (FAIL, OPEN, PASS): CONDITIONAL

Confidence (LOW, MEDIUM, HIGH): MEDIUM

Summary: The article provides a timely overview of AI agent security challenges, referencing recent reports from reputable organizations. However, the inclusion of a developer blog from dev.to introduces a less authoritative source, and the reliance on reports from organizations with vested interests raises concerns about the independence of the verification sources. Given these factors, the overall assessment is CONDITIONAL, with a MEDIUM level of confidence.

AI security
autonomous agents
threat intelligence