Introducing the AAA Threat: Secure Authentication, Authorization, and Auditing for Agentic Applications
2025-08-12
Multifactor's leadership recently attended Black Hat USA 2025 and DEF CON 33, where we had dozens of great conversations with industry leaders across sectors like FinTech, HealthTech, defense, manufacturing, and cyber. Their most pressing concern today? Enterprise deployment of AI agents has raced far ahead of cybersecurity solutions in this field, causing agentic AI to be a glaring cyber weakness that CISOs are struggling to contend with, when it should be an organization's strength.
Video: Multifactor interviews industry leaders about their perspectives on security for Agentic AI at Black Hat USA 2025 and DEF CON 33.
It has been 0 DAYS since the last AI agent security implosion...
We recently began keeping track of major security incidents involving AI agents, and the results are alarming. On a daily basis, we see reports of AI agents destroying production databases, wiping hard drives, and taking other irreversible actions with limited recourse. At DEF CON 33, researchers demonstrated that a simple calendar invite could enable indirect prompt injection into Google's Gemini assistant, leading to highly destructive actions like triggering IoT devices, downloading files, deleting emails, and exfiltrating sensitive data. With companies increasingly using agentic AI for high-stakes workflows like overseeing manufacturing processes, it's clear that agentic security is poised to become the next major pillar of cybersecurity.
![It has been [000 DAYS] since the last AI agent security implosion...](/assets/blog/posts/aaa-threat-agentic-apps/tweet-01.png)
![It has been [000 DAYS] since the last AI agent security implosion...](/assets/blog/posts/aaa-threat-agentic-apps/tweet-02.png)
The AAA Threat: Authentication, Authorization, and Auditing
Breaking down the attacks we've seen so far both in academia and in the real world, we find that while initial access is largely accomplished by prompt injection and other social engineering tactics, we can identify three key areas of concern that amplify the damage that these attacks can cause: authentication, authorization, and auditing. We refer to these as the AAA threat, and they are the three pillars of security that must be addressed to secure agentic applications.
Authentication
While AI-native solutions like Model Context Protocol (MCP) are being deployed to enable easy agentic interoperability with legacy solutions, most online services are slow to adopt these protocols, leading most AI agents to fall back to browser-based interactions. This creates significant security challenges, as logging in to a shared account through a browser typically involves sharing sensitive information like passwords and session tokens directly with the agent (and the underlying LLM provider). In general, we find faulty authentication mechanisms like these to be the first major cause of vulnerabilities in agentic applications, indicating a serious need for universal mechanisms that allow AI agents to access shared accounts without seeing user credentials.
That’s where I see the space moving — identity security for agents, but I think it’s an open field right now. I don’t think it’s been solved.
— Erik Huckle, Director of Product, Palo Alto Networks
Authorization
Once logged in with a shared account through a browser, AI agents inherently have the ability to take any action that the account is capable of. When combined with the possibility of indirect prompt injection and the non-deterministic nature of LLMs, this means that an agent that is originally configured to view bank account balances could be easily tricked into transferring money, changing credentials, or taking other unauthorized actions that the user never intended. The ability for agents to use browser-based mechanisms to exceed their original scope constitutes the second major challenge that security practitioners must contend with in securing agentic applications.
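To make the authentication and authorization gaps above concrete, here is an added sketch (not Multifactor's code or product) of a broker that keeps the session token away from the agent and denies anything outside the task's scope. The names `CredentialBroker`, `SCOPES`, the `bank.example` paths and the `session` cookie name are all assumptions made for illustration.

```python
import posixpath
import secrets
from urllib.parse import urlsplit

# Constructed policy: a task scope lists the only (method, path pattern) pairs
# it may use. "*" stands for exactly one path segment.
SCOPES = {"view_balances": [("GET", "/accounts/*/balance")]}

def path_matches(path, pattern):
    segs, pats = path.split("/"), pattern.split("/")
    return len(segs) == len(pats) and all(
        (p == "*" and s != "") or p == s for s, p in zip(segs, pats))

class CredentialBroker:
    """Sits between agent and site; only the broker holds the session token."""

    def __init__(self, origin, session_token):
        self._origin = origin
        self._token = session_token   # never handed to the agent or the LLM
        self._grants = {}             # opaque handle -> scope name

    def grant(self, scope):
        if scope not in SCOPES:
            raise ValueError(f"unknown scope: {scope}")
        handle = secrets.token_urlsafe(16)
        self._grants[handle] = scope
        return handle

    def authorize(self, handle, method, url):
        """Return (allowed, reason, headers_to_inject); deny by default."""
        scope = self._grants.get(handle)
        if scope is None:
            return False, "unknown handle", {}
        parts = urlsplit(url)
        if f"{parts.scheme}://{parts.netloc}" != self._origin:
            return False, "origin not covered by grant", {}
        path = parts.path
        # Refuse encoded or non-canonical paths instead of trying to fix them up.
        if "%" in path or posixpath.normpath(path) != path:
            return False, "non-canonical path", {}
        for allowed_method, pattern in SCOPES[scope]:
            if method.upper() == allowed_method and path_matches(path, pattern):
                return True, f"within scope {scope}", {"Cookie": f"session={self._token}"}
        return False, f"{method.upper()} {path} is outside scope {scope}", {}
```

The agent holds only the handle returned by `grant`; a prompt-injected attempt to `POST /transfers` gets a denial and no credential headers.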
Auditing
When something does go wrong, it's often nearly impossible to track down the root cause. With browser-based AI agents, the lack of robust logging and monitoring makes it difficult to understand what actions were taken and why. By default, agent transcripts look like "move mouse to x: 192, y: 590" and then "press left mouse button." Tracing these actions back to their semantic meaning, especially months later when website content may have changed significantly, is a daunting task. Robust auditability is therefore a critical requirement for securing agentic applications, and one that isn't achieved for free. We see the problem of robustly tracking what agents did and why they did it as the third major challenge in securing agentic applications.
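As an added illustration of the auditing gap (not code from Multifactor), the sketch below resolves a raw coordinate click to the element it hit at capture time and writes a hash-chained record, so the meaning survives later changes to the site. The snapshot format, field names and `bank.example` page are constructed assumptions.

```python
import hashlib
import json

# Constructed snapshot taken at action time: role, accessible name and
# bounding box (x, y, width, height) of elements on the page.
SNAPSHOT = {
    "url": "https://bank.example/transfers/new",
    "elements": [
        {"role": "main", "name": "New transfer", "box": (0, 100, 800, 600)},
        {"role": "button", "name": "Confirm transfer", "box": (150, 570, 120, 40)},
        {"role": "link", "name": "Cancel", "box": (300, 570, 80, 40)},
    ],
}

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def resolve_target(snapshot, x, y):
    """Return the smallest element whose box contains (x, y), or None."""
    hits = [e for e in snapshot["elements"]
            if e["box"][0] <= x < e["box"][0] + e["box"][2]
            and e["box"][1] <= y < e["box"][1] + e["box"][3]]
    return min(hits, key=lambda e: e["box"][2] * e["box"][3], default=None)

def audit_record(prev_hash, snapshot, action, x, y, task):
    """Keep the raw action, but bind it to what was under the pointer."""
    target = resolve_target(snapshot, x, y)
    body = {
        "task": task,
        "raw": {"action": action, "x": x, "y": y},
        "url": snapshot["url"],
        "target": {"role": target["role"], "name": target["name"]} if target else None,
        "page_digest": _digest(snapshot),
        "prev": prev_hash,
    }
    body["hash"] = _digest(body)
    return body

def verify_chain(records, genesis="0" * 64):
    """False if any record was edited, reordered or removed from the middle."""
    prev = genesis
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

With this snapshot, the transcript line "move mouse to x: 192, y: 590" plus a left click is stored as a click on the button named "Confirm transfer", recorded under a task that was only supposed to view a balance.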
Security for Human, Agentic, and Hybrid Applications
In the real world, applications today are often not purely agentic nor purely human. Many applications are hybrid, where humans and agents work together to accomplish tasks. This means that security solutions must be able to handle both human and agentic interactions seamlessly. At Multifactor, we're squarely focused on solving the AAA security threat of authentication, authorization, and auditing for human, agentic, and hybrid applications. If your company just added AI agents to its workflows and lacks a dedicated agentic security solution, please don't hesitate to reach out to us. Our next post on this subject will focus on how Multifactor is addressing the AAA threat with our agentic security platform, so please stay tuned for updates.