Autonomous agent hijacking and excessive-agency abuse
A deployed AI agent is hijacked (via injected instructions, poisoned context, or poisoned tools) and abuses its legitimate tool access and permissions to take harmful autonomous actions such as exfiltrating data, destroying data, harvesting credentials, or acting as command-and-control.
- Risk family: Security & adversarial
- MIT domain: n/a (MITRE ATLAS-derived)
- MIT subdomain: n/a
- AI type: Agentic, GPAI
- Scope: Both
- Source standard: MITRE ATLAS v5.6.0 (gap analysis)
Provenance
Framework crosswalk
Every framework item mapped to this risk. Items marked partial overlap with this risk only in part.
Expanded into this risk’s technique sub-risks.
- ibm-exploit-trust-mismatch Exploit trust mismatch
- ibm-unauthorized-use Unauthorized use
- AISubtech-1.3.1 Goal Manipulation (Models, Agents) partial
- AISubtech-1.3.2 Goal Manipulation (Tools, Prompts, Resources) partial
- AISubtech-14.2.1 Permission Escalation via Delegation
- AISubtech-3.1.2 Trusted Agent Spoofing
- AISubtech-4.1.1 Rogue Agent Introduction
- AISubtech-4.2.1 Context Window Exploitation partial
- AISubtech-4.2.2 Session Boundary Violation partial
- AISubtech-4.3.1 Schema Inconsistencies
- AISubtech-4.3.2 Namespace Collision
- AISubtech-4.3.3 Server Rebinding Attack
- AISubtech-4.3.4 Replay Exploitation
- AISubtech-4.3.5 Capability Inflation
- AISubtech-4.3.6 Cross-Origin Exploitation
- AISubtech-5.1.1 Long-term / Short-term Memory Injection partial
- AISubtech-5.2.1 Agent Profile Tampering
- AISubtech-7.2.1 Memory Anchor Attacks partial
- AISubtech-7.2.2 Memory Index Manipulation partial
- AISubtech-8.2.3 Data Exfiltration via Agent Tooling
- NISTAML.039 Compromising connected resources
- LLM06:2025 Excessive Agency
- ASI01 Agent Goal Hijack
- ASI02 Tool Misuse and Exploitation
- ASI03 Identity and Privilege Abuse
- ASI04 Agentic Supply Chain Vulnerabilities
- ASI05 Unexpected Code Execution (RCE)
- ASI06 Memory and Context Poisoning
- ASI07 Insecure Inter-Agent Communication
- ASI10 Rogue Agents
Sub-risks (13)
Technique-level decompositions of this risk, each anchored to the MITRE ATLAS technique it derives from.
- An attacker with access to an AI agent invokes the agent's tools to act on systems and data.
- The context an agent's model relies on is manipulated to steer its decisions and actions.
- Agent configuration files are modified to enable malicious behavior or evade defenses.
- Agent or LLM access to a RAG store is used to locate and harvest credentials.
- Credentials for other tools and services are read from an AI agent's configuration.
- Write-capable agent tools are invoked to send data out of the environment.
- Access to an agent is used to retrieve credentials held by its tools.
- Malicious content is placed where an agent's tools will retrieve and act on it.
- Deceptive web or interface content baits computer-using agents into harmful actions.
- Mutative agent tools are invoked to delete or destroy data.
- An attacker launches AI agents inside the victim environment to act on their behalf.
- An agent present on the system is abused as a command-and-control channel.
- Tools used by agents (including built-ins) are poisoned to achieve persistence and control.
Part of the Deployer AI Risk Register, an open-source resource developed by MindXO. Version 1.0, 3 July 2026. Derived from the MIT AI Risk Repository (V4, December 2025) under CC BY 4.0; an independent derivative work, not endorsed by or affiliated with MIT. Sub-risk decomposition references MITRE ATLAS™ v5.6.0 (© 2021-2026 The MITRE Corporation, reproduced and distributed with permission). ISO/IEC and EU AI Act references are by number only. License: CC BY 4.0.