Microsoft’s AI Red Team has updated its taxonomy of agentic AI failure modes after a year of red-team work against deployed systems. The update matters because many organizations are moving from chatbots to agents that can read external content, call tools, operate browsers, use plugins, and make multi-step decisions with partial human oversight.
That shift changes the defensive problem. Traditional application security still matters, but agentic systems add new trust paths: natural-language tool descriptions, MCP servers, plugin registries, persistent memory, browser-like computer-use capabilities, and inter-agent handoffs. For small businesses and government contractors experimenting with AI automation, those trust paths can become real attack surface if they are treated as productivity features instead of production infrastructure.
What Microsoft changed
The updated taxonomy adds seven failure modes: agentic supply-chain compromise, goal hijacking, inter-agent trust escalation, computer-use-agent visual attacks, session context contamination, MCP/plugin abuse, and capability or architecture disclosure.
The common thread is control-plane confusion. An attacker does not always need to exploit a binary vulnerability. In an agentic workflow, they may be able to poison a tool description, insert adversarial instructions into retrieved content, manipulate what the agent sees on screen, or gradually contaminate the session context until a later action looks normal.
Why this matters for SMBs and government contractors
Agentic AI is attractive because it can reduce repetitive work: triaging tickets, summarizing emails, researching vendors, drafting reports, checking cloud consoles, or coordinating internal tasks. Those same workflows often touch sensitive data, client information, source code, proposals, credentials, and operational systems.
If the agent can access those resources, the agent’s integrations become part of the security boundary. A malicious plugin, untrusted MCP server, poisoned webpage, or deceptive approval prompt can become the AI equivalent of initial access.
The risk is especially sharp for government contractors because a small AI automation mistake can create outsized exposure: controlled business information, proposal material, subcontractor data, cloud credentials, or client deliverables can be pulled into an agent’s context and acted on before a human realizes the workflow has been redirected.
Defensive takeaways
- Treat tools and prompts like software supply chain. Inventory every plugin, MCP server, prompt template, browser automation path, and external tool definition. Pin versions and monitor changes.
- Separate trusted and untrusted context. Webpages, emails, documents, tickets, and chat messages should be handled as untrusted input, not mixed freely with system instructions or privileged memory.
- Harden human approval flows. Approval prompts should summarize the actual tool call and blast radius, not simply repeat the agent’s own explanation. Higher-risk actions need deterministic review.
- Limit agent permissions by task. Do not give a research agent the same access as an admin automation agent. Scope credentials, API tokens, repositories, and cloud permissions tightly.
- Log full sessions, not just final actions. Session context contamination and incremental escalation may only be visible when the entire chain is reviewed.
- Red-team the system, not just the model. Test poisoned documents, malicious webpages, deceptive UI elements, plugin abuse, memory poisoning, and inter-agent handoff failures.
Bulwark Black assessment
The practical lesson is simple: once an AI agent can call tools, browse, remember, or delegate, it becomes a semi-autonomous user in your environment. That user needs identity, least privilege, logging, approval controls, and supply-chain governance.
Organizations do not need to ban agentic AI to be safe. They do need to stop treating agent integrations as harmless convenience features. The proper model is zero trust for AI workflows: verify the tool, verify the source, verify the action, and verify the authority behind each handoff.
Source: Microsoft Security Blog — Updating the taxonomy of failure modes in agentic AI systems
