In June 2025, a vulnerability known as EchoLeak (CVE-2025-32711) was discovered in Microsoft Copilot. It allowed attackers to embed invisible instructions (for example, using hidden text or formatting) into everyday messages like emails or meeting invites. Without any user action, the AI assistant interpreted these as legitimate commands, potentially leading to data leaks, unintended actions or unauthorised access to sensitive systems.
Similar flaws were quickly identified in other AI agents. But EchoLeak was not just another bug. It revealed something deeper: the risk of giving decision-making power to systems that interpret human language.
Unlike traditional software, AI agents are non-deterministic. The same input does not always lead to the same output. And because they work in human language, even normal-looking content can be used to manipulate them in ways we do not anticipate.
From Tools to Actors ๐
AI is still perceived as simple chat interfaces, like ChatGPT. But IA agents are far more than that. They are already embedded across our personal and professional environments. They read emails, manage calendars, access documents, and interact with other systems.
A personal assistant might reply to low-priority emails to save time. But if tricked, it could pull confidential information from a document library and send it out.
If a user can be manipulated with a convincing message (Social Engineering), so can an AI assistant, but at machine speed and scale. A single successful manipulation could cause more damage, more quickly, and across more systems than a human ever could.
Their power is also their risk. They are fast, adaptable and increasingly autonomous. That makes them difficult to monitor and secure through traditional means.
While much of the defence lies with the technology providers, organisations using these tools can still take meaningful steps to reduce risk.
This begins by recognising how different these systems are. Traditional applications are static and predictable, secured through fixed permissions, network controls, and known behaviours. AI agents are dynamic. They evolve, adapt, and operate across system boundaries.
This means we must shift our mindset. AI agents should not be treated as conventional tools, but as digital team members. Like human identities, they require continuous governance: knowing what they can access, what they are authorised to do, who is responsible for them, and how they behave over time.
The same principles we apply to secure human users can help us secure these systems:
- Least privilege: Grant only the access they truly need.
- Segregation of duties: Avoid allowing agents to complete sensitive tasks on their own.
- Oversight and boundaries: Prevent agents from moving freely across systems without controls.
- Audit and monitoring: Track their actions and decision logic. If something goes wrong, we need to know what triggered it, what the context was and what data was involved. Without visibility, we lose accountability.
- Resilience to manipulation: Anticipate how normal-seeming communication might be misused to influence behaviour.
Some will argue that this is nothing new. That these are the principles of zero trust and identity-based security we have been advocating for years. That is true. But the context has changed. What was best practice is now critical. These systems are more autonomous, interconnected and unpredictable.
That said, both zero trust and identity-based security suffer from their own hype. The concepts are solid, but they often get lost in jargon. If we want these practices to work in the real world, we need to explain them simply and apply them clearly.
A Changing Security Paradigm ๐
AI agents are not just tools. They increasingly behave like people in how they read, decide and act. And just like people, they can be tricked, make mistakes or misinterpret what they see.
That is why our security thinking must change. We must apply the same frameworks used to reduce human error, such as clear roles, limited access and layered oversight, to these systems as well.
These systems operate faster and act on more data than any person could. A small manipulation can escalate into a major outcome, in seconds.
This is not only about preventing the next vulnerability. It is about adapting to a future where intelligent agents are making decisions on our behalf and making sure we remain in control.