By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
World of SoftwareWorld of SoftwareWorld of Software
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Search
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
Reading: How to detect compromised AI agents
Share
Sign In
Notification Show More
Font ResizerAa
World of SoftwareWorld of Software
Font ResizerAa
  • Software
  • Mobile
  • Computing
  • Gadget
  • Gaming
  • Videos
Search
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Have an existing account? Sign In
Follow US
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
World of Software > News > How to detect compromised AI agents
News

How to detect compromised AI agents

News Room
Last updated: 2026/07/05 at 10:20 PM
News Room Published 5 July 2026
Share
How to detect compromised AI agents
SHARE

However, with regard to its framework, Meta also admits limitations. Accordingly, various popular use cases did not fit seamlessly into the framework, which means that designs based on the “Rule of Two” could still be prone to errors. This is just confirmation that the problem has already outpaced the solution at the architectural level. The extent of the security gaps is no longer just theoretical: an investigation of the Common Crawl Repositories by security researchers from Google brought to light various prompt injection attacks on publicly accessible websites. According to Google, attacks of this type occurred between November 2025 and February 2026 by 32 percent added. The security experts found that their level of maturity is currently still low. However, they also point out that the trend is a clear signal that attackers’ interest is increasing. In other words, the environment that the “Lethal Trifecta” once warned about has become a reality.

5 signs of compromised AI agents

When nearly every AI agent deployed exhibits the characteristics of the “Lethal Trifecta,” practitioners need the right clues to distinguish compromised behavior from normal operations within a system. This requires a shift: away from assessments at the architectural level and towards behavioral detection at the runtime level. The need for this change was most recently demonstrated in January 2026, when four different exploits against popular AI productivity tools were discovered within just five days. IBM Bob, Superhuman AI, Notion AI and Claude Cowork were affected. In all four cases, the attackers used indirect prompt injection to exfiltrate data. This was done via a channel to which the respective agent had legitimate access.

In the case of Claude Cowork, a hidden prompt embedded in an uploaded document caused the AI ​​agent to exfiltrate files via the API domain whitelisted by Anthropic itself – invisible to all perimeter control measures and indistinguishable from normal agent behavior until the data had already been stolen. The four exploits also had in common that the “Lethal Trifecta” was an operating condition.

The following five signals can help detect compromised AI agents:

  • Anomalies in following instructions: As a rule, a compromised agent does not behave fundamentally differently than an intact one – it follows instructions. The only question is whose. Agent actions that have no plausible connection to a user-initiated task should therefore raise alarm bells. An agent who is asked to summarize a quarterly report but then sends a DNS request to an unknown domain did not spontaneously “decide” to do so – he was prompted to do so.
  • Tool call sequences that break the expected topology: In a well-designed AI agent system, the sequence of tool invocations for a specific task should be relatively predictable. A programming agent tasked with fixing a bug must edit files, run tests, and possibly review documentation. However, it should not access email or calendar APIs. As soon as the expected limits of a workflow are exceeded in this context, skepticism is recommended: such tool call sequences should be marked as suspicious, even if each individual call appears legitimate in itself.
  • Exfiltration over low bandwidth channels: The classic prompt injection exfiltration attack routes stolen data through a mechanism legitimately accessed by the agent – the URL of a rendered image with encrypted query parameters, an API call with data embedded in a parameter, or a link in a generated document. Taken on their own, these actions do not look like data theft, but rather seem completely normal. In order to detect exfiltration, it should be checked which data the agent had access to and what it embedded in its output. This in turn requires agent actions to be transparent throughout – not just the final output.
  • Access to credentials and secrets outside the task scope: If an agent with legitimate access rights accesses a Secrets Store or Key Vault that is unrelated to the current task, this is also a red flag. An agent that is supposed to fix a React rendering error certainly doesn’t need AWS credentials to do so. The least privilege principle serves here as an architectural defense measure. However, only monitoring that specifically checks whether login data is accessed “out of scope” can reveal such processes.
  • Anomalies in memory write operations: Agents with persistent memory represent a growing attack surface. A manipulated memory entry that looks like legitimate user context could contain hidden “trigger instructions” that persist across sessions and are only triggered long after the actual prompt injection. On the other hand, it helps to design the observability pipeline for AI agents accordingly: memory writes should be monitored for command-like content. Writing processes that took place during sessions with untrustworthy content must also be viewed critically.

For security practitioners who manage an agentic AI infrastructure in production, the development of the “Lethal Trifecta” as the new standard only confirms what you have already known for a long time: your AI agents are at risk. This challenge is at runtime level to encounter, not at the architectural level. EDR and SIEM are located there for traditional architectures. AI agents require the same instrumentation – which does not yet apply to the vast majority of deployments. (fm)

This article is im Original published by our sister publication CSOonline.com.

Sign Up For Daily Newsletter

Be keep up! Get the latest breaking news delivered straight to your inbox.
By signing up, you agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.
Share This Article
Facebook Twitter Email Print
Share
What do you think?
Love0
Sad0
Happy0
Sleepy0
Angry0
Dead0
Wink0
Previous Article In 1993, no one could find the supposed red ninja from ‘Mortal Kombat’. There was a reason: it didn’t exist yet In 1993, no one could find the supposed red ninja from ‘Mortal Kombat’. There was a reason: it didn’t exist yet
Next Article Can carbon really defy the laws of superconductivity? Can carbon really defy the laws of superconductivity?
Leave a comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Stay Connected

248.1k Like
69.1k Follow
134k Pin
54.3k Follow

Latest News

WhatsApp usernames raise fears of possible identity theft
WhatsApp usernames raise fears of possible identity theft
Software
Can carbon really defy the laws of superconductivity?
Can carbon really defy the laws of superconductivity?
Computing
In 1993, no one could find the supposed red ninja from ‘Mortal Kombat’. There was a reason: it didn’t exist yet
In 1993, no one could find the supposed red ninja from ‘Mortal Kombat’. There was a reason: it didn’t exist yet
Gaming
where to watch the free match live HD? 🔴
where to watch the free match live HD? 🔴
Mobile

You Might also Like

Self-addiction vs. achievement: How to thwart egoists
News

Self-addiction vs. achievement: How to thwart egoists

5 Min Read
Values-based leadership: 4 important principles for managers
News

Values-based leadership: 4 important principles for managers

3 Min Read
How AI is transforming the enterprise software market
News

How AI is transforming the enterprise software market

3 Min Read
11 Open Source AI Tools for Developers | Computer Week
News

11 Open Source AI Tools for Developers | Computer Week

4 Min Read
//

World of Software is your one-stop website for the latest tech news and updates, follow us now to get the news that matters to you.

Quick Link

  • Privacy Policy
  • Terms of use
  • Advertise
  • Contact

Topics

  • Computing
  • Software
  • Press Release
  • Trending

Sign Up for Our Newsletter

Subscribe to our newsletter to get our newest articles instantly!

World of SoftwareWorld of Software
Follow US
Copyright © All Rights Reserved. World of Software.
Welcome Back!

Sign in to your account

Lost your password?