Agentic Profiles in AI Security
- Agentic profiles are structured characterizations of AI systems that integrate planning, memory, tool use, and execution graphs to expose unique security vulnerabilities.
- Observability frameworks like AgentSeer decompose agentic executions into granular action and component graphs, enabling precise tracking of risk propagation.
- Agentic-level vulnerabilities diverge from traditional model risks, demanding dynamic evaluation and adaptive mitigation strategies in real-world deployments.
Agentic profiles denote the structured characterization and vulnerabilities of AI systems that operate in fully agentic settings—that is, settings where LLMs are embedded in workflows involving planning, tool use, memory, and contextual action graphs. As the industry transitions to agentic deployments, the security and reliability of these profiles diverge materially from those observed in standalone model settings. Recent research demonstrates that traditional evaluation of base models underestimates risks that emerge from dynamic interaction between agentic components, necessitating new observability and assessment paradigms.
1. Defining Agentic Profiles in Security Context
Agentic profiles in security analyses refer to the empirical and structural description of how an LLM-powered agent behaves, coordinates, and exposes vulnerabilities in a composite system comprising planning, memory (short-term and long-term), tool integrations, and agent-agent coordination. Unlike model-level profiles which focus on static LLM outputs to prompted queries, agentic-level profiles encapsulate execution traces, tool-calling contexts, memory dynamics, and the architecture of agentic workflows (Wicaksono et al., 5 Sep 2025, Wicaksono et al., 21 Sep 2025).
In these systems, each action—whether an LLM inference, a tool call, or an inter-agent communication—is a node in a temporally ordered action graph. Components such as agent instantiations (including system prompt, tool registry, and memory access), tools (with exposed interfaces), and memory systems (read/write, long-term and short-term) collectively constitute the component graph. Together, these graphs enable precise observability over the progression and surface area of agentic execution.
2. Observability Frameworks: Action and Component Graphs
AgentSeer is an exemplar observability-based evaluation framework that decomposes agentic executions into granular action and component graphs (Wicaksono et al., 5 Sep 2025). In this framework:
- Actions are discrete LLM operations (including text responses, tool calls, and agent transfers), chronologically ordered, each representing a distinct attack surface or behavioral pivot.
- Components are system entities such as agents (with their system prompts and tool assignments), tools (with semantic capability descriptions), and memory modules (short-term, working, long-term, persistent).
- Knowledge Graph Representation encapsulates bidirectional links between actions and components, enabling tracing of information, tool usage, and memory propagation.
The decomposition exposes path-dependent vulnerabilities: each state and transition on the graph can be systematically evaluated for contextual risk, with provenance logs capturing all intermediate outputs, making previously opaque vulnerabilities explicit.
3. Model-Level vs. Agentic-Level Vulnerability Profiles
Empirical evidence shows stark differences between model-level vulnerabilities (assessed by direct prompt attacks on LLMs) and agentic-level vulnerabilities (observed when the same model is deployed as an agent in a composite system) (Wicaksono et al., 5 Sep 2025, Wicaksono et al., 21 Sep 2025).
| Vulnerability Context | Attack Success Rate (ASR) | Typical Exposure |
|---|---|---|
| Model-Level (standalone) | 39–50% | Social engineering on prompt output; visible logic errors |
| Agentic-Level (agentic loop) | 24–60% higher than model-level in tool-calling contexts | Tool execution, agent transfer, contextual memory exploitation |
Agentic-only vulnerabilities emerge distinctly in agentic profiles:
- Direct attacks that fail at the model level can succeed in the agentic setting when injected into stages involving tool calls, working memory access, or multi-step plan execution.
- Conversely, certain model-led exploits (e.g., prompt manipulation) fail in the agentic system, reflecting compensatory defense or altered information flow.
For instance, tool-calling contexts exhibit consistent increases in ASR (up to 60% for Gemini-2.0-flash), with agent transfer operations found to be the highest-risk category (ASR 67% in GPT-OSS-20B). Notably, semantic (meaning-based) vulnerabilities—not token length or superficial structure—were shown to dominate the agentic risk profile.
4. Agentic-Only and Context-Dependent Vulnerabilities
“Agentic-only” vulnerabilities are a hallmark of agentic profiles. These are attack vectors inert against a base LLM but triggered by the additional semantics associated with agentic orchestration: tool invocation, dynamic context passage, reentrant memory, or inter-agent composition (Wicaksono et al., 5 Sep 2025, Wicaksono et al., 21 Sep 2025).
Key properties:
- Emergent Attack Surface: Instrumenting LLMs with external tool access or memory modules creates new points of semantic injection and privilege escalation.
- Context Dependency: Attack effectiveness is heavily impacted by the action type and context (e.g., human message vs. tool message injection). The same prompt may result in wildly different success/failure rates across these contexts.
- Instability of Exploits: The effectiveness of an attack may drop by 50–80% if reinjected under even slight context variation, showing that agentic vulnerabilities are both transient and context-sensitive.
5. Methodological Advances: Evaluation and Measurement
The agentic profile mandates observability at granular resolution. Key methodological components include:
- Iterative, Context-Aware Red Teaming: Successful agentic attacks apply iterative prompt engineering, re-injecting at specific action nodes (e.g., directly into a tool call phase, or before memory retrieval) rather than merely at input prompts.
- Cross-Model and Cross-Component Validation: Universal agentic patterns (such as the elevated risk in tool transfer or memory access operations) persist across both open-source and proprietary models, but with substantial model-specific variation in absolute ASR and optimal attack vector (Wicaksono et al., 5 Sep 2025).
- Structured Representation for Analysis: JSON/knowledge graph schemas encode the component-action linking, supporting browser-based visual exploration as well as systematic vulnerability scanning.
A representative JSON fragment (transcribed from (Wicaksono et al., 5 Sep 2025)) for an agentic execution schema:
```json
{
  "components": {
    "agents": [
      {
        "label": "agent_N",
        "name": "<agent_name>",
        "system_prompt": "<system_prompt>",
        "tools": [
          {
            "tool_name": "<tool_name>",
            "tool_description": "<description>"
          }
        ]
      }
    ],
    "tools": [ ... ]
  },
  "actions": [ ... ]
}
```
This explicit separation of action and component dimensions is crucial for scalable agentic-level risk evaluation.
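As an added illustration of the action/component decomposition in section 2 and the schema fragment above (example code written for this page, not AgentSeer's own implementation): the script builds the bidirectional action-to-component links from a constructed trace and flags the two contexts the text singles out as high-risk, actions that consume a tool message and agent transfers made while tool-derived context is live. The field names inside `actions` (`id`, `type`, `agent`, `tool`, `target`, `input_source`) are assumptions, since the paper's fragment elides them.

```python
import json
from collections import defaultdict

# Constructed sample execution trace in the shape of the schema fragment above.
# The "actions" field names are assumed; the paper's fragment elides them.
SAMPLE_TRACE = json.dumps({
    "components": {
        "agents": [
            {"label": "agent_1", "name": "planner", "system_prompt": "<p>",
             "tools": [{"tool_name": "web_fetch", "tool_description": "HTTP GET"}]},
            {"label": "agent_2", "name": "executor", "system_prompt": "<p>", "tools": []},
        ],
        "tools": [{"tool_name": "web_fetch", "tool_description": "HTTP GET"}],
    },
    "actions": [
        {"id": 0, "type": "text_response", "agent": "agent_1", "input_source": "human"},
        {"id": 1, "type": "tool_call", "agent": "agent_1", "tool": "web_fetch", "input_source": "human"},
        {"id": 2, "type": "text_response", "agent": "agent_1", "input_source": "tool"},
        {"id": 3, "type": "agent_transfer", "agent": "agent_1", "target": "agent_2", "input_source": "tool"},
        {"id": 4, "type": "text_response", "agent": "agent_2", "input_source": "transfer"},
    ],
})

def build_graph(trace_json):
    """Bidirectional action<->component links (the knowledge-graph view)."""
    trace = json.loads(trace_json)
    action_to_comp, comp_to_action = {}, defaultdict(list)
    for act in trace["actions"]:
        comps = {act["agent"]}                      # the agent performing the action
        if act["type"] == "tool_call":
            comps.add("tool:" + act["tool"])        # tool component it invokes
        elif act["type"] == "agent_transfer":
            comps.add(act["target"])                # agent receiving control
        action_to_comp[act["id"]] = comps
        for comp in comps:
            comp_to_action[comp].append(act["id"])
    return action_to_comp, dict(comp_to_action)

def flag_high_risk(trace_json):
    """Return {action_id: reason} for actions a monitoring layer should review:
    consumers of tool messages, and agent transfers with tool-derived context."""
    trace = json.loads(trace_json)
    flags, tool_tainted = {}, False
    for act in sorted(trace["actions"], key=lambda a: a["id"]):
        if act["type"] == "tool_call":
            tool_tainted = True                     # tool output now enters working context
        if act["type"] == "agent_transfer" and tool_tainted:
            flags[act["id"]] = "agent transfer with tool-derived context"
        elif act["input_source"] == "tool":
            flags[act["id"]] = "consumes tool message"
    return flags
```

Running `flag_high_risk(SAMPLE_TRACE)` on the constructed trace flags actions 2 and 3, which are exactly the tool-message and agent-transfer positions where the page reports elevated ASR.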
6. Implications for Deployment and Mitigation
The divergence between model and agentic profiles necessitates deployment-aware, context-sensitive security practices:
- Tool-Calling Vigilance: Tool integration consistently expands the attack surface, requiring careful mediation, permission scoping, and audit logging.
- Dynamic Monitoring: Real-time observability over the knowledge/action graph is necessary to detect evolving attack vectors, especially those that exploit transient or iterative context features.
- Memory and Context Hygiene: Ensuring that working and persistent memory do not unwittingly propagate adversarial state is mandatory.
- Defense over Static Testing: Security paradigms need to shift: conventional static red teaming, though necessary, is insufficient. Instead, agentic evaluation—where the system is attacked holistically, iteratively, and in context—should be standard.
7. Conclusion
Agentic profiles in security capture a system’s dynamic, context-driven vulnerability landscape as it emerges from agentic AI architectures, especially under real-world deployment. The existence of agentic-only and context-dependent vulnerabilities introduces the necessity for new standards in agentic system observability and evaluation. Frameworks like AgentSeer establish the groundwork for such standards, enabling both research and operational defense to keep apace with the increasing sophistication—and risk surface—of agentic AI. Robust deployment thus requires context-integrated evaluation, fine-grained action tracing, and continuous adaptation to shifts in both attack and system dynamics (Wicaksono et al., 5 Sep 2025, Wicaksono et al., 21 Sep 2025).