Glossary
Key terms in agentic security — defined precisely, with real examples and context. Written for practitioners who need clarity, not buzzwords.
Agent Identity
The persistent, verifiable attribution of an AI agent's actions — establishing which agent took which action, under whose authorization, at what time — as the prerequisite for auditability, accountability, and access control in multi-agent systems.
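One way to make attribution verifiable is a tamper-evident action record. A minimal sketch, assuming an HMAC-signed audit entry; the field names (agent_id, principal, action) and key handling are illustrative, not a standard:

```python
import hashlib
import hmac
import json
import time

# Illustrative only: in practice the key comes from a secrets manager,
# not a module-level constant.
SIGNING_KEY = b"audit-log-signing-key"

def record_action(agent_id: str, principal: str, action: str) -> dict:
    """Produce a signed record: which agent, under whose authorization, when."""
    record = {
        "agent_id": agent_id,      # which agent took the action
        "principal": principal,    # under whose authorization
        "action": action,          # what it did
        "timestamp": time.time(),  # at what time
    }
    payload = json.dumps(record, sort_keys=True).encode()
    record["signature"] = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return record

def verify_record(record: dict) -> bool:
    """Recompute the signature over all non-signature fields and compare."""
    claimed = record.get("signature", "")
    unsigned = {k: v for k, v in record.items() if k != "signature"}
    payload = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(claimed, expected)
```

Any edit to the record after signing (say, rewriting the action field) breaks verification, which is what makes the attribution auditable rather than merely logged.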
Agentic Security
The discipline of designing AI agent systems so that structural constraints — what agents can access, what tools they can call, and where data can flow — limit the blast radius of compromise, regardless of the agent's runtime behavior.
Agentic Supply Chain
The full dependency graph of an AI agent system — MCP servers, plugins, SDKs, base models, fine-tunes, prompt templates, and external data sources — each of which represents an attack surface that a threat actor can target to compromise the agent without touching your code.
AI Agent
An autonomous software system powered by a large language model that can perceive its environment, reason about tasks, use tools, and take multi-step actions to achieve goals — with minimal human intervention per step.
Blast Radius
The maximum scope of harm a compromised or misbehaving AI agent can cause, determined entirely by the structural constraints — permissions, tool access, data scope — placed on that agent at design time.
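Because blast radius is set at design time, it can be expressed as data rather than behavior. A minimal sketch, assuming a per-agent allowlist of tools and data scopes; the agent, tool, and scope names are hypothetical:

```python
# Illustrative policy table: each agent's blast radius is exactly what
# this allowlist grants, regardless of how the agent behaves at runtime.
AGENT_POLICIES = {
    "support-agent": {
        "tools": {"search_kb", "draft_reply"},
        "data_scopes": {"tickets:read"},
    },
}

def authorize(agent: str, tool: str, scope: str) -> bool:
    """Permit a tool call only if both the tool and the data scope are granted."""
    policy = AGENT_POLICIES.get(agent)
    if policy is None:
        return False  # unknown agents get zero access by default
    return tool in policy["tools"] and scope in policy["data_scopes"]
```

The design choice here is default-deny: an agent missing from the table, or a tool missing from its entry, has no access at all, so a compromised agent can do no more than its row allows.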
Context Window Poisoning
An attack that introduces malicious content into an AI agent's active context window — through injected documents, manipulated tool outputs, or compromised memory retrieval — causing the agent to reason over attacker-controlled information as though it were legitimate.
Human-in-the-Loop (HITL)
A security control that requires human confirmation before an agent takes irreversible or high-blast-radius actions — the last structural defense when everything else has already failed.
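The control can be reduced to a gate in front of action execution. A minimal sketch, assuming a hypothetical set of irreversible action names and a console prompt; real systems would route approval through a review UI or ticketing flow:

```python
# Illustrative: which actions count as irreversible is a design-time decision.
IRREVERSIBLE = {"delete_records", "send_payment", "deploy"}

class ApprovalDenied(Exception):
    """Raised when a human reviewer rejects a gated action."""

def gated_execute(action: str, execute, confirm=input):
    """Run `execute` directly, unless `action` is irreversible,
    in which case require explicit human approval first."""
    if action in IRREVERSIBLE:
        answer = confirm(f"Agent requests '{action}'. Approve? [y/N] ")
        if answer.strip().lower() != "y":
            raise ApprovalDenied(action)
    return execute()
```

Note that the gate sits outside the agent: the model never decides whether confirmation is needed, so a hijacked agent cannot talk its way past it.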
Indirect Prompt Injection
An attack where malicious instructions are embedded in external content — documents, emails, web pages, database records — that an AI agent retrieves and processes, hijacking the agent's behavior without ever touching the model directly.
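A scanner over retrieved content shows the shape of the problem, though not its solution. A minimal sketch, assuming a few illustrative instruction-like patterns; keyword filters like this are trivially bypassed, so they complement, never replace, the structural controls defined elsewhere in this glossary:

```python
import re

# Illustrative patterns only: real injections vary their phrasing freely,
# which is why detection alone cannot be the control.
SUSPICIOUS = [
    r"ignore (all|any|previous) instructions",
    r"you are now",
    r"system prompt",
]

def flag_injection(text: str) -> bool:
    """Flag retrieved content containing instruction-like phrasing
    before it is handed to the model as context."""
    return any(re.search(p, text, re.IGNORECASE) for p in SUSPICIOUS)
```

The point of the sketch is the trust boundary it marks: retrieved content is data from an untrusted source and should be inspected and constrained before the agent reasons over it.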
MCP Poisoning
An attack that compromises an MCP (Model Context Protocol) server to inject malicious tool behavior, manipulated outputs, or unauthorized instructions into an AI agent's reasoning pipeline.
Memory Poisoning
An attack where adversarial content is injected into an AI agent's persistent memory stores, causing the agent to reference and act on false, biased, or malicious information in future interactions — often long after the initial attack.
Prompt Injection
An attack where malicious instructions embedded in data processed by an AI agent override the agent's intended instructions, causing it to perform unauthorized actions on behalf of an attacker.
Tool Misuse
An attack in which an adversary manipulates an AI agent into using its legitimate, authorized tools in unintended ways — turning approved capabilities into exfiltration channels, privilege escalation vectors, or destructive actions.
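The defense is to constrain the legitimate tool itself, not the agent's intentions. A minimal sketch, assuming a hypothetical fetch tool pinned to an allowlisted host so it cannot be repurposed as an exfiltration channel; the host and function names are illustrative:

```python
from urllib.parse import urlparse

# Illustrative allowlist: the tool refuses any destination not granted
# at design time, so "fetch" cannot become "exfiltrate".
ALLOWED_HOSTS = {"api.internal.example.com"}

def validated_fetch(url: str) -> str:
    """A fetch tool that validates its own arguments before acting."""
    host = urlparse(url).hostname or ""
    if host not in ALLOWED_HOSTS:
        raise PermissionError(f"fetch blocked for host: {host!r}")
    # ... perform the actual request here ...
    return f"fetched {url}"
```

Validation lives inside the tool boundary, so even a fully hijacked agent issuing a well-formed call to an attacker-controlled host gets a refusal, not a data channel.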
Tool Shadowing
An attack where a malicious MCP server registers tools with names identical to legitimate ones, causing an agent to call the attacker's tool instead — no jailbreak required, just a naming collision.
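The naming collision can be refused at registration time. A minimal sketch, assuming a client-side registry that pins each tool name to the server that first registered it; the registry API is illustrative and not part of the MCP specification:

```python
class ToolRegistry:
    """Pins each tool name to its first registrant and rejects shadows."""

    def __init__(self) -> None:
        self._owners: dict[str, str] = {}  # tool name -> owning server id

    def register(self, server_id: str, tool_name: str) -> None:
        owner = self._owners.get(tool_name)
        if owner is not None and owner != server_id:
            # A second server claiming an existing name is exactly the
            # shadowing attack: refuse it instead of silently re-binding.
            raise ValueError(
                f"tool {tool_name!r} already registered by {owner!r}; "
                f"refusing shadow registration from {server_id!r}"
            )
        self._owners[tool_name] = server_id
```

First-registration-wins is one possible policy; the essential property is that a tool name, once bound, cannot be silently rebound to a different server.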