Close Menu
    Trending
    Tuesday, June 23
    Cybersecurity

    Don’t Let Outdated Systems Sabotage Your AI Agents

    CarterBy Updated:No Comments6 Mins Read
    Stop Your Legacy Infrastructure from Hijacking Your AI Agents

    The security team never needs to interact with the AI agent. The attacker gets full access to the production S3 bucket through John’s AWS credentials. In this case, three moderate findings, each of which alone is unlikely to be prioritized for immediate remediation, when chained together create a critical attack path. The attacker exploited the Tomcat server vulnerability in March 2025, escalated privileges through Active Directory misconfiguration, and used stored AWS CLI keys to read sensitive data from S3. The AI agent was never directly attacked. Instead, the attacker went through the underlying infrastructure to compromise it.

    Why This Keeps Happening

    There are a few reasons this pattern of attack keeps repeating across enterprises.

    First, AI security conversations focus almost exclusively on the AI layer. Teams invest heavily in detecting prompt injection attacks and preventing model tampering and data leakage. These are real threats. However, they represent only a fraction of the total attack surface. The AI layer sits on top of traditional infrastructure: Active Directory, cloud IAM, web servers, databases, and stored credentials. Attackers who can’t get in through the AI itself simply go around it, exploiting weaknesses in the underlying systems the AI depends on.

    Second, security teams often lack visibility into how AI agents connect to the rest of the environment. AI deployments frequently happen quickly, sometimes without full security review. Agents are granted broad permissions to function, and the resulting web of connections – between cloud services, identity providers, data stores, and API keys – grows fast. Security teams frequently have no complete map of what an agent can access, what credentials it relies on, or what the blast radius looks like if those credentials are stolen.

    Third, existing infrastructure weaknesses are deprioritized when they exist outside the AI stack. In the example above, each of the three findings taken individually would likely not be treated as urgent. An unpatched web server here, a misconfigured AD permission there, a developer with more cloud access than necessary. Each one is moderate on its own. But when you look at them as a connected path rather than individual issues, the picture changes completely. The problem is that most security tools evaluate risks in isolation, not as attack paths.

    What Security Teams Should Do

    Protecting AI agents requires looking beyond the AI itself. Here are concrete steps security teams can take, starting with the most impactful.

    1. Map every dependency your AI agents rely on. You cannot protect what you cannot see. Start by inventorying every cloud service, IAM role, stored credential, and data store your AI agents connect to. Understand the full chain of trust – from the agent, through its permissions, down to the underlying infrastructure. Without this map, you’re securing the AI layer on top of a blind spot.

    2. Apply strict least privilege to AI agent permissions. The data is clear: organizations where AI systems are over-privileged suffer incidents at a rate of 76%, versus 17% for those enforcing least privilege. Audit what your agents can actually access and remove permissions they don’t need. Pay special attention to production data stores and sensitive credentials.

    3. Identify and fix infrastructure-level attack paths, not just individual vulnerabilities. The attack described above didn’t depend on a single catastrophic flaw. It worked because three moderate issues lined up in sequence. Security teams need tools and processes that surface these connected attack paths – chaining together cloud IAM misconfigurations, unpatched servers, and Active Directory weaknesses – before an attacker does it for you.

    4. Include AI agent environments in your regular attack surface management. Traditional vulnerability scanning and pen testing often miss the unique risks AI deployments introduce. Make sure your regular security assessments cover the full environment your agents operate in, not just the AI components themselves.

    5. Treat stored credentials as high-value targets. The AWS CLI keys on John’s workstation were the linchpin of the entire attack. Rotate stored credentials frequently, use temporary credentials wherever possible, and restrict when and where credentials can be used from.

    AI agents are powerful tools, but their security is only as strong as the infrastructure beneath them. The path of least resistance for an attacker isn’t always a direct assault – sometimes it’s simply walking through an open door that was never connected to the AI in the first place.

    • What to Do About It

      The attack sequence I just outlined spans four distinct layers: network, identity, cloud, and AI. Most security teams evaluate each of these layers in isolation, and the vulnerabilities within each may already be documented. For example, an EASM tool might identify the Tomcat server, an AD security tool could detect the delegation misconfiguration, and a CSPM tool may flag the overly permissive S3 access. Each tool reports a moderate-severity issue that might be deprioritized for remediation. However, when combined, these issues create a critical vulnerability: a Tomcat flaw on the perimeter can be chained through AD to a developer’s cloud credentials, ultimately reaching an AI agent’s knowledge base.

      Addressing these attack paths begins with an exposure management strategy that treats AI agent dependencies—such as knowledge bases, storage buckets, and Lambda functions—as critical assets in their own right. From there, work backward: identify the identity relationships, permissions, and infrastructure linked to those assets, and determine which of these connections present exploitable vulnerabilities within your specific environment. By mapping the entire attack path, you can identify choke points—locations where a single remediation effort can block multiple routes to your AI assets.

      If your exposure management platform can trace the complete path—from a legacy server through AD and cloud infrastructure to an AI agent’s knowledge base—you can address the vulnerability before an attacker exploits the chain. If it cannot, no amount of safeguards at the AI layer alone will close the gap.

      The Bottom Line

      AI agent adoption is rapidly increasing across all enterprise departments. And every new agent you deploy connects to infrastructure that already has existing vulnerabilities. This means your attack surface grows with each deployment.

      The key question for security leaders is not whether your AI layer is secure. It’s whether the environment in which these agents operate—including your core legacy infrastructure—is providing attackers with the pathways to compromise them.

      Because attackers don’t require novel techniques to breach AI agents. They simply rely on proven methods—and an environment that allows them to leverage old vulnerabilities to exploit new technologies.

      Note: This article was expertly crafted and contributed for our audience by Zur Ulianitzky, SVP of Product and Security Research at XM Cyber.

      Found this article insightful? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter, and LinkedIn to read more exclusive content we post.

    Share.

    Related Posts

    Leave A Reply