A strong AI agents posture starts with comprehensive visibility across all AI assets and goes further by providing contextual insights \u2013 understanding what each agent can do and what it connected to, the risks it introduces, how it can be harden, and how to prioritize and mitigate issues before they turn into incidents. <\/p>\n
In this blog, we\u2019ll explore the unique security challenges introduced by AI agents and how Microsoft Defender helps organizations reduce risk and attack surface through AI security posture management across multi-cloud environments. <\/p>\n
Understanding the unique challenges <\/strong> <\/p>\n The attack surface of an AI agent is inherently broad. By design, agents are composed of multiple interconnected layers \u2013 models, platforms, tools, knowledge sources, guardrails, identities, and more. <\/p>\n Across this layered architecture, threats can emerge at multiple points, including prompt-based attacks, poisoning of grounding data, abuse of agent tools, manipulation of coordinating agents, etc. As a result, securing AI agents demands a holistic approach. Every layer of this multi-tiered ecosystem introduces its own risks, and overlooking any one of them can leave the agent exposed. <\/p>\n Let\u2019s explore several unique scenarios where Defender\u2019s contextual insights help address these challenges across the entire AI agent stack. <\/p>\n Agents are often connected to data sources, and sometimes -whether by design or by mistake- they are granted access to sensitive organizational information, including PII. Such agents are typically intended for internal use \u2013 for example, processing customer transaction records or financial data. While they deliver significant value, they also represent a critical point of exposure. If an attacker compromises one of these agents, they could gain access to highly sensitive information that was never meant to leave the organization. Moreover, unlike direct access to a database \u2013 which can be easily logged and monitored \u2013 data exfiltration through an agent may blend in with normal agent activity, making it much harder to detect. This makes data-connected agents especially important to monitor, protect, and isolate, as the consequences of their misuse can be severe. <\/p>\n Microsoft Defender provides visibility for those agents connected to sensitive data and help security teams mitigate such risks. In the example shown in Figure 1, the attack path demonstrates how an attacker could leverage an Internet-exposed API to gain access to an AI agent grounded with sensitive data. The attack path highlights the source of the agent\u2019s sensitive data (e.g., a blob container) and outlines the steps required to remediate the threat. <\/p>\n AI agents regularly interact with external data \u2013 user messages, retrieved documents, third-party APIs, and various data pipelines. While these inputs are usually treated as trustworthy, they can become a stealthy delivery mechanism for Indirect Prompt Injection (XPIA)<\/strong>, an emerging class of AI-specific attacks. Unlike direct prompt injection, where an attacker issues harmful instructions straight to the model, XPIA occurs where malicious instructions are hidden in external data source that an agent processes, such as a webpage fetched through a browser tool or an email being summarized. The agent unknowingly ingests this crafted content, which embeds hidden or obfuscated commands that are executed simply because the agent trusts the source and operates autonomously. <\/p>\n This makes XPIA particularly dangerous for agents performing high-privilege operations \u2013 modifying databases, triggering workflows, accessing sensitive data, or performing autonomous actions at scale. In these cases, a single manipulated data source can silently influence an agent\u2019s behavior, resulting in unauthorized access, data exfiltration, or internal system compromise. This makes identifying agents suspectable to XPIA a critical security requirement. <\/p>\n By analyzing an agent\u2019s tool combinations and configurations, Microsoft Defender identifies agents that carry elevated exposure to indirect prompt injection, based on both the functionality of their tools and the potential impact of misuse. Defender then generates tailored security recommendations for these agents and assigns them a dedicated Risk Factor<\/em><\/a>, that help prioritize them. <\/p>\n in Figure 2, <\/em>we can see a recommendation generated by the Defender for an agent with Indirect prompt injection risk and lacking proper guardrails \u2013 controls that are essential for reducing the possibility of an XPIA event. <\/p>\n In Figure 3<\/em>, we can see a recommendation generated by the Defender for an agent with both high autonomy and a high risk of indirect prompt injection, a combination that significantly increases the probability of a successful attack. <\/p>\n In both cases, Defender provides detailed and actionable remediation steps. For example, adding human-in-the-loop<\/em> control is recommended for an agent with both high autonomy and a high indirect prompt injection risk, helping reduce the potential impact of XPIA-driven actions. <\/p>\n In a multi-agent architecture, not every agent carries the same level of risk. Each agent may serve a different role \u2013 some handle narrow, task-specific functions, while others operate as coordinator agents, responsible for managing and directing multiple sub-agents. These coordinator agents are particularly critical because they effectively act as command centers within the system. A compromise of such an agent doesn\u2019t just affect a single workflow \u2013 it cascades into every sub agent under its control. Unlike sub-agents, coordinators might also be customer-facing, which further amplifies their risk profile. This combination of broad authority and potential exposure makes coordinator agents potentially more powerful and more attractive targets for attackers, making comprehensive visibility and dedicated security controls essential for their safe operation <\/p>\n Microsoft Defender accounts for the role of each agent within a multi-agent architecture, providing visibility into coordinator agents and dedicated security controls. Defender also leverages attack path analysis to identify how agent-related risks can form an exploitable path for attackers, mapping weak links with context. <\/p>\n For example, as illustrated in Figure 4, an attack path can demonstrate how an attacker might utilize an Internet- Hardening AI agents: reducing the attack surface<\/strong> <\/p>\n Beyond addressing individual risk scenarios, Microsoft Defender offers broad, foundational hardening guidance designed to reduce the overall attack surface of any AI agent. In addition, a new set of dedicated agents like Risk Factors<\/em> further helps teams prioritize which weaknesses to mitigate first, ensuring the right issues receive the right level of attention. <\/p>\n Together, these controls significantly limit the blast radius of any attempted compromise. Even if an attacker identifies a manipulation path, a properly hardened and well-configured agent will prevent escalation. <\/p>\n By adopting Defender\u2019s general security guidance, organizations can build AI agents that are not only capable and efficient, but resilient against both known and emerging attack techniques. <\/p>\n To address these challenges across the different AI Agents layers, Microsoft Defender provides a suite of security tools tailored for AI workloads. By enabling AI Security Posture Management (AI-SPM) within the Defender for Cloud Defender CSPM plan, organizations gain comprehensive multi-cloud posture visibility and risk prioritization across platforms such as Microsoft Foundry, AWS Bedrock, and GCP Vertex AI. This multi-cloud approach ensures critical vulnerabilities and potential attack paths are effectively identified and mitigated, creating a unified and secure AI ecosystem. <\/p>\n Together, these integrated solutions empower enterprises to build, deploy, and operate AI technologies securely, even within a diverse and evolving threat landscape. <\/p>\n To learn more about Security for AI with Defender for Cloud, visit our website<\/a> and documentation<\/a>. <\/p>\nScenario 1: Finding agents connected to sensitive data<\/strong> <\/h2>\n
![](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/01\/image-15.webp\")
Scenario 2: Identifying agents with indirect prompt injection risk<\/strong> <\/h2>\n
![](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/01\/image-17.webp\")
![](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/01\/image-18.webp\")
Scenario 3: Identifying coordinator agents<\/strong> <\/h2>\n
<\/s>exposed API to gain access to Azure AI Foundry coordinator agent. This visualization helps security admin teams to take preventative actions, safeguarding the AI agents from potential breaches. <\/p>\n![](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/01\/image-19.webp\")
![](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/01\/image-16.webp\")
Build AI agents security from the ground up<\/strong> <\/h2>\n