What makes agentic AI security different from LLM security?

Agentic systems maintain persistent memory, invoke external tools, coordinate with other agents, and operate over extended time horizons. These capabilities introduce new threat vectors—memory poisoning, supply-chain compromise, and covert collusion—that stateless LLM security models do not address. Traditional defenses like prompt injection filters are insufficient.

What are slow-burn threats in agentic AI?

Slow-burn threats unfold over multiple sessions or weeks, such as gradual memory poisoning, alignment drift that manifests as insider behavior, or covert coordination between agents. They are harder to detect than instantaneous attacks because they accumulate gradually and may not trigger immediate alarms. The paper shows these threats are the least studied but most dangerous.

How should I prioritize agentic AI security investments?

Focus first on the governance and observability layer (audit trails, memory snapshots, tool invocation logs) and multi-agent coordination layer (peer communication monitoring). These layers address the slow-burn, high-impact threats that most existing defenses ignore. Then work backward to lower layers (tool execution, memory) with continuous monitoring rather than one-time hardening.

← Content

AI · 8 min read · April 28, 2026

Agentic AI Security Requires Layered Defense, Not Just Prompt Guards

A new framework maps AI agent vulnerabilities across seven architectural layers and four time horizons, revealing that 93% of research ignores the slowest, most dangerous threats.

Source: arxiv/cs.LG · Kexin Chu · open original ↗ ↗

Share: X LinkedIn

Agentic AI systems need security models that account for persistent memory, tool use, and multi-agent coordination across extended time horizons.

— Layered Attack Surface Model (LASM) maps seven distinct architectural components vulnerable to different threat classes.
— Attack temporality spans four classes: instantaneous, session-persistent, cross-session cumulative, and sub-session non-bounded.
— Most dangerous threats cluster at high layers (governance, multi-agent, ecosystem) with slow-burn temporality.
— Only 7% of 120 reviewed threat-defense pairs address the high-layer, slow-burn zone.
— Covert agent collusion, long-term memory poisoning, and supply-chain compromise represent emerging high-risk vectors.
— Existing defenses focus on low-layer, fast attacks (prompt injection, jailbreaking) leaving systemic gaps.
— Agentic security requires distributed systems thinking, not stateless LLM security models.

Frequently asked

Agentic systems maintain persistent memory, invoke external tools, coordinate with other agents, and operate over extended time horizons. These capabilities introduce new threat vectors—memory poisoning, supply-chain compromise, and covert collusion—that stateless LLM security models do not address. Traditional defenses like prompt injection filters are insufficient.

#agentic-ai #security #threat-modeling #multi-agent #memory-safety

Agentic AI Security Requires Layered Defense, Not Just Prompt Guards

Frequently asked

Synthetic Computers Enable Agent Training at Scale

ActiNet: Self-Supervised Model Improves Wrist Activity Classification

Mixed Precision Training Stabilizes Neural ODEs