{"id":5987,"date":"2026-06-26T14:50:08","date_gmt":"2026-06-26T18:50:08","guid":{"rendered":"https:\/\/solutionsreview.com\/security-information-event-management\/?p=5987"},"modified":"2026-06-30T15:44:30","modified_gmt":"2026-06-30T19:44:30","slug":"why-securing-ai-agents-has-to-come-before-deploying-them","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/security-information-event-management\/why-securing-ai-agents-has-to-come-before-deploying-them\/","title":{"rendered":"Why Securing AI Agents Has to Come Before Deploying Them"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
\n
\n

\"Why<\/a><\/p>\n

This article, which expands on insights from a recent Solutions Spotlight event with Radware<\/a>, examines why companies need to secure their AI agents before deploying them.<\/strong><\/em><\/p>\n

The race to deploy AI agents in enterprise environments is outpacing the security frameworks designed to govern them. Organizations are spending heavily on AI adoption, building agents into workflows and connecting them to email systems, file repositories, ERP platforms<\/a>, and customer-facing services, while the budgets and strategies for securing those agents lag significantly behind. That gap is not theoretical. It is already producing exploitable attack surfaces that most security teams do not yet know how to monitor, let alone block.<\/p>\n

Dror Zelber, Vice President of Product Marketing at Radware, made this case during a recent Solutions Review Solution Spotlight<\/a>, walking through the current state of AI adoption, the emerging threat landscape specific to agentic AI, and why the security assumptions organizations bring from traditional application protection do not transfer cleanly into this new environment.<\/p>\n

\n

The Agentic AI Security Risks Organizations Are Not Prepared For<\/strong><\/h3>\n

The speed of AI adoption creates a specific kind of organizational blind spot. When the pressure to deploy comes from the board and executive leadership, and when the productivity gains from early deployments are visible and compelling, the security review process tends to compress. The result is that agents go into production with access to sensitive systems, organizational data, and user communications without the security architecture required to govern what they actually do.<\/p>\n

Zelber framed this with a distinction that is worth sitting with. Agentic AI is categorically more powerful than conversational generative AI, and not just in terms of what it can accomplish productively. An agent operates with organizational privileges. It can read and write to email systems, access cloud storage, interact with internal databases, and take actions on behalf of users, sometimes without those users being aware of what triggered the action. That expanded capability is exactly what makes agents valuable. It is also what makes the security stakes considerably higher than those in any prior AI deployments.<\/p>\n

Why LLM Models Do Not Contain Native Security Protections<\/strong><\/h3>\n

A common and dangerous assumption in enterprise AI deployments is that the underlying language model provides some inherent security layer. It does not. The core architecture of large language models does not distinguish between instructions originating from a legitimate user and those injected into the prompt context by an attacker.<\/p>\n

Models will process what they receive. If malicious instructions are embedded in that input, then the model will execute them. This is not a flaw that security patches will fix in the near term. It is a structural characteristic of how these models are built and trained. Organizations that deploy agents assuming the LLM will recognize and reject harmful instructions are operating on a false premise. The protection has to come from outside the model.<\/p>\n

Standard guardrails, the filtering and moderation layers that many organizations treat as their primary defense, are similarly insufficient for agentic threats. Guardrails designed to block profanity, off-topic content, or known harmful phrases do not address the attack vectors that are most dangerous in agentic environments. The most sophisticated attacks target the agent’s intent, not the surface-level content of individual prompts.<\/p>\n

How Prompt Injection Attacks Exploit Natural Language as a Weapon<\/strong><\/h3>\n

Prompt injection is the most immediately understood of the agentic attack vectors, but its simplicity belies how effective it has proven in practice. The mechanism is straightforward: an attacker embeds instructions in content that the agent will process, which the model then treats as legitimate directives.<\/p>\n

Early versions of this attack were blunt. A prompt telling a system to ignore all previous instructions and return confidential employee data sounds like something any reasonable system would reject. And yet documented cases confirm that formulations like this worked. As organizations deploy basic filtering to catch the obvious patterns, attackers adapt the framing, adding context that mimics authority or urgency. The agent, lacking the judgment to distinguish authentic organizational authority from a convincing impersonation of it, complies.<\/p>\n

The implications for sensitive data exposure are significant. An agent connected to HR systems, financial records, or customer databases operates with the access privileges of whoever deployed it. A successful prompt injection does not need to defeat a firewall. It simply needs to convince the agent that the request is legitimate.<\/p>\n

What Indirect Prompt Injection and Shadow Leak Mean for Enterprise Data<\/strong><\/h3>\n

The more serious evolution of prompt injection involves attacks that bypass the user entirely. Zelber described a scenario that Radware researchers demonstrated in practice, in which malicious instructions were embedded invisibly in an email. The instructions were formatted in white text on a white background, spread across the body of the message in fragments, invisible to any human reader.<\/p>\n