.png)
Blog: Art-Kubed
Your Agents Are Running. Who’s Watching? Every AI Agent Is a New Attack Surface
SaaS platforms, hyperscaler studios, and consumer AI tools are all shipping agentic capabilities. Each one introduces runtime blind spots your existing security stack wasn’t built to cover.
Agentic AI is taking over the workforce. Salesforce is embedding agents into CRM workflows. Microsoft is giving developers a full agent orchestration cloud. AWS is launching a managed runtime for production agents. And your employees are already using ChatGPT as a de facto automation layer with or without your approval.
Each of these platforms creates a new attack surface: tool calls that aren’t validated, data retrieved without scope controls, prompts that can be hijacked, and model behaviors that drift between what was tested and what runs in production. Your WAF doesn’t see it. Your SIEM doesn’t log it. Your DLP doesn’t intercept it.
Here’s a breakdown of the risks across these platforms and how Operant closes the gap at the layer that matters: runtime.
Data Oversharing and Unscoped Access
Across Salesforce Agentforce, Azure AI Foundry, and AWS AgentCore, agents routinely operate with permissions that were scoped for development convenience and never revisited in production. Agentforce agents inherit CRM-level access and can retrieve customer records, deal data, and internal communications well beyond what any single task requires. In Foundry, agents inherit Azure RBAC roles and managed identities that grant standing access to storage, databases, and APIs. In AgentCore, IAM role sprawl compounds as deployments scale, agents are cloned and redeployed without a corresponding permission review. The result is the same across all three: agents that can access far more than they should, with no runtime mechanism to stop them.
Operant’s Agent ScopeGuard feature enforces least-privilege access dynamically, constraining what each agent can retrieve based on its active task context — not what its identity technically permits. Operant also maps agent activity to the underlying IAM and RBAC roles in use, flagging policy violations in real time and intercepting out-of-scope calls before they execute.
Prompt Injection and Input-Borne Attacks
Any platform where agents process external input is an injection surface. On Salesforce Agentforce, malicious instructions embedded in a customer support ticket or web form can redirect agent behavior entirely. On ChatGPT and custom GPTs with operator tool access, injections can arrive through documents, web content retrieved during deep research, or files uploaded by users. On AI agent studios, where agents are built by non-technical teams with minimal security review, there is often no guardrail between external input and agent execution. In multi-agent environments like Azure AI Foundry, the risk compounds: an injection that compromises one agent can propagate through the entire orchestration chain via context handoffs.
Operant’s Agent Protector monitors every prompt and tool call in real time, detecting injection patterns before they alter agent behavior. In multi-agent environments, Operant inspects context at every handoff point, not just at the ingress layer, so a compromised upstream agent cannot silently corrupt downstream execution.
Shadow Agents and Ungoverned Deployments
Low-code agent studios and consumer platforms like ChatGPT have made it trivially easy for non-security teams to deploy agents against production data. Marketing builds a GPT with access to internal documents. Operations deploys an agent studio workflow connected to Salesforce. A developer spins up an AgentCore agent under a permissive IAM role. None of these goes through a security review. By the time your team is aware they exist, they’ve been running for weeks, accessing data, calling tools, and generating outputs with no visibility into what’s actually happening.
Operant continuously discovers active agents across your environment without requiring agent owners to register them. Shadow deployments surface automatically. Runtime policy enforcement then applies regardless of how the agent was built, whether it came from a low-code builder, a custom GPT, or a developer’s deployment script, so ungoverned agents don’t remain ungoverned just because they bypassed the review process.
Unmonitored Tool Calls and MCP Exposure
As MCP becomes the standard protocol for connecting agents to tools and data sources, it introduces a security surface that no existing tool was designed to cover. Across Agentforce, ChatGPT operator integrations, Foundry, and AgentCore, agents invoke external APIs, read files, query databases, and trigger automations as a normal part of their workflow. None of these platforms natively logs tool calls in a format that gives security teams actionable visibility into what was invoked, what data was passed, whether the call was within scope, and whether the response contained sensitive content.
Operant’s MCP Gateway sits between agents and every tool they invoke. Every call is authenticated, scoped, and logged with full input and output context. Calls that fall outside the authorized scope are blocked before execution. The complete audit trail is available for SIEM ingestion, giving your team the signal needed to detect, investigate, and respond without waiting for the downstream impact to surface the problem.
Execution Opacity in Managed Runtimes
AWS AgentCore and Azure AI Foundry both abstract significant portions of the execution environment. That’s operationally useful, but it creates a structural visibility gap for security teams. Session memory in AgentCore means sensitive data from one interaction can persist and surface in a later session with a different user or scope. Model substitution in Foundry means a developer can swap the underlying model, changing behavior, guardrail effectiveness, and data handling characteristics without triggering any security review. In both environments, what’s happening at inference time is largely opaque to the teams responsible for securing it.
Operant instruments the runtime layer directly, surfacing every prompt, tool call, data retrieval, and model response regardless of which managed infrastructure is running underneath. Session data governance enforces retention policies so sensitive content doesn’t persist beyond its authorized window. And because Operant’s protection layer is model-agnostic, a model swap doesn’t create a security gap; inspection, filtering, and policy enforcement remain in effect regardless of what’s running.
Risks and Operant Coverage at a Glance
.png)
This is why Operant built a platform designed for this full stack:
Operant is a runtime AI security platform. It sits between your AI agents and the tools, data, and models they interact with, enforcing policy, surfacing behavior, and stopping threats at the moment they occur.
AI Gatekeeper
Real-time inspection layer for every prompt and response. Detects and blocks sensitive data — PII, credentials, proprietary content before it reaches a model, and filters outputs before they reach end users. Operates at the network layer with no changes required to existing applications or agent code. Delivers audit-ready logging of every AI interaction for SIEM ingestion.
MCP Gateway
Security layer for every tool call made by an agent — database queries, API invocations, file reads. Provides tool-call authentication, scope enforcement, and full audit logging with input and output context. Blocks unauthorized calls before execution and protects against tool poisoning and malicious server impersonation.
Agent Protector
Runtime defense layer for AI agents in production. Detects prompt injection, monitors behavioral baselines, and enforces security policy without requiring security logic to be written into agent code. Provides full multi-agent chain visibility with inspection at every handoff point, not just at ingress.
Bottom Line
Every platform above provides useful built-in controls. Some have trust boundaries. Some have audit logs. Some have RBAC. But none of them were designed to be your security layer, and none of them give you the runtime visibility and enforcement you need to answer the questions that matter to your board and your regulators.
What data did that agent access? Did it stay within its authorized scope? Was any prompt in that workflow tampered with? What did the model output, and did any of it violate policy?
Operant answers those questions for every agent, every platform, every call in real time. Not post-incident. Not from a weekly log export. At runtime, where it counts.
Sign up for a 7-day free trial to experience the power and simplicity of Operant’s robust security for yourself.
.png)
.png)