DARR: MR-071

Autonomous agent hijacking and excessive-agency abuse

A deployed AI agent is hijacked (via injected instructions, poisoned context, or poisoned tools) and abuses its legitimate tool access and permissions to take harmful autonomous actions such as exfiltrating data, destroying data, harvesting credentials, or acting as command-and-control.

Risk family: Security & adversarial
MIT domain: n/a (MITRE ATLAS-derived)
MIT subdomain: n/a
AI type: Agentic, GPAI
Scope: Both
Source standard: MITRE ATLAS v5.6.0 (gap analysis)

Provenance

Source standard: MITRE ATLAS v5.6.0 (gap analysis)
Source frameworks: MITRE ATLAS v5.6.0
Nearest MIT-derived risk: MR-020 Insecure tool integration and MR-054 Loss of oversight. Each covers one facet (the integration surface, the oversight failure) but not the combined excessive-agency action abuse.

Framework crosswalk

Every framework item mapped to this risk. Items marked partial overlap only in part.

Sources (frameworks that contributed to the register)

MITRE ATLAS (15)

Expanded into this risk’s technique sub-risks.

Cross-checks (frameworks mapped in to test coverage)

IBM (2)
  • ibm-exploit-trust-mismatch Exploit trust mismatch
  • ibm-unauthorized-use Unauthorized use
Cisco (18)
  • AISubtech-1.3.1 Goal Manipulation (Models, Agents) partial
  • AISubtech-1.3.2 Goal Manipulation (Tools, Prompts, Resources) partial
  • AISubtech-14.2.1 Permission Escalation via Delegation
  • AISubtech-3.1.2 Trusted Agent Spoofing
  • AISubtech-4.1.1 Rogue Agent Introduction
  • AISubtech-4.2.1 Context Window Exploitation partial
  • AISubtech-4.2.2 Session Boundary Violation partial
  • AISubtech-4.3.1 Schema Inconsistencies
  • AISubtech-4.3.2 Namespace Collision
  • AISubtech-4.3.3 Server Rebinding Attack
  • AISubtech-4.3.4 Replay Exploitation
  • AISubtech-4.3.5 Capability Inflation
  • AISubtech-4.3.6 Cross-Origin Exploitation
  • AISubtech-5.1.1 Long-term / Short-term Memory Injection partial
  • AISubtech-5.2.1 Agent Profile Tampering
  • AISubtech-7.2.1 Memory Anchor Attacks partial
  • AISubtech-7.2.2 Memory Index Manipulation partial
  • AISubtech-8.2.3 Data Exfiltration via Agent Tooling
NIST AML (1)
  • NISTAML.039 Compromising connected resources
OWASP LLM (1)
  • LLM06:2025 Excessive Agency
OWASP Agentic (8)
  • ASI01 Agent Goal Hijack
  • ASI02 Tool Misuse and Exploitation
  • ASI03 Identity and Privilege Abuse
  • ASI04 Agentic Supply Chain Vulnerabilities
  • ASI05 Unexpected Code Execution (RCE)
  • ASI06 Memory and Context Poisoning
  • ASI07 Insecure Inter-Agent Communication
  • ASI10 Rogue Agents

Sub-risks (13)

Technique-level decompositions of this risk, each anchored to the MITRE ATLAS technique it derives from.

MR-071.1 Abuse of AI agent tool invocation

An attacker with access to an AI agent invokes the agent's tools to act on systems and data.

MITRE ATLAS technique: AML.T0053 AI Agent Tool Invocation

MR-071.2 AI agent context poisoning

The context an agent's model relies on is manipulated to steer its decisions and actions.

MITRE ATLAS technique: AML.T0080 AI Agent Context Poisoning

MR-071.3 Tampering with AI agent configuration

Agent configuration files are modified to enable malicious behavior or evade defenses.

MITRE ATLAS technique: AML.T0081 Modify AI Agent Configuration

MR-071.4 RAG-based credential harvesting

Agent or LLM access to a RAG store is used to locate and harvest credentials.

MITRE ATLAS technique: AML.T0082 RAG Credential Harvesting

MR-071.5 Credential theft from agent configuration

Credentials for other tools and services are read from an AI agent's configuration.

MITRE ATLAS technique: AML.T0083 Credentials from AI Agent Configuration

MR-071.6 Data exfiltration through agent tool invocation

Write-capable agent tools are invoked to send data out of the environment.

MITRE ATLAS technique: AML.T0086 Exfiltration via AI Agent Tool Invocation

MR-071.7 Agent-tool credential harvesting

Access to an agent is used to retrieve credentials held by its tools.

MITRE ATLAS technique: AML.T0098 AI Agent Tool Credential Harvesting

MR-071.8 Poisoning of data agent tools retrieve

Malicious content is placed where an agent's tools will retrieve and act on it.

MITRE ATLAS technique: AML.T0099 AI Agent Tool Data Poisoning

MR-071.9 Deceptive content baiting AI agents

Deceptive web or interface content baits computer-using agents into harmful actions.

MITRE ATLAS technique: AML.T0100 AI Agent Clickbait

MR-071.10 Data destruction through agent tool invocation

Mutative agent tools are invoked to delete or destroy data.

MITRE ATLAS technique: AML.T0101 Data Destruction via AI Agent Tool Invocation

MR-071.11 Adversary-deployed AI agent in the environment

An attacker launches AI agents inside the victim environment to act on their behalf.

MITRE ATLAS technique: AML.T0103 Deploy AI Agent

MR-071.12 AI agent abused for command and control

An agent present on the system is abused as a command-and-control channel.

MITRE ATLAS technique: AML.T0108 AI Agent

MR-071.13 Poisoning of AI agent tools

Tools used by agents (including built-ins) are poisoned to achieve persistence and control.

MITRE ATLAS technique: AML.T0110 AI Agent Tool Poisoning

Part of the Deployer AI Risk Register, an open-source resource developed by MindXO. Version 1.0, 3 July 2026. Derived from the MIT AI Risk Repository (V4, December 2025) under CC BY 4.0; an independent derivative work, not endorsed by or affiliated with MIT. Sub-risk decomposition references MITRE ATLAS™ v5.6.0 (© 2021-2026 The MITRE Corporation, reproduced and distributed with permission). ISO/IEC and EU AI Act references are by number only. License: CC BY 4.0.