Agent-to-Agent Lateral Movement Is the New East-West Traffic
We spent decades learning to secure deterministic traffic. Then traffic changed.
Until a few years ago I took it for granted that you could tell from traffic logs what was happening on your network and why. The perimeter of an enterprise network was the defensive moat, and everything inside was, as John Kindervag called it when he introduced the concept of Zero Trust, the “chewy center.” Threat actors learned to attack that chewy center directly, and the industry had to pivot to securing it, in what came to be known as east-west security or microsegmentation. This was a tall order: the number of internal devices on any network far exceeds the number of perimeter devices, so the policies and their enforcement points had to multiply to match. The transition took years, and by some accounts still isn’t complete.
The one saving grace we didn’t appreciate enough at the time was that the behavior of these internal devices was known. They were known devices communicating with other known devices over known protocols and accessing known data through known flows. The policy necessary to secure such a network might be enormous and complicated, but it was definable. It was deterministic. As a defender you could spot deviations on your network because you could define what your network was supposed to be doing and measure against that definition.
Those days are long gone.
The recent Unit 42 Incident Response report shows that 87% of intrusions now span multiple attack surfaces, up from 70% last year. A full 67% of those intrusions span three or more attack surfaces. Things get worse when we look at what kind of entities make up this new attack surface. It is increasingly made up of AI agents, which behave probabilistically rather than deterministically, in ways that are often hard to predict.
Take for instance the recently reported Bedrock AgentCore incident at AWS: the starter toolkit’s default IAM policy gave every agent in an AWS account the ability to read other agents’ memory, trigger their runtimes, and more. Any single compromised agent in such an environment can exfiltrate the memory of every other agent and disrupt the whole environment. It’s tempting to call this a one-off human error rather than a systemic difficulty, but there’s an emerging pattern that suggests otherwise. The permissions and controls were set up on the assumption that the entity holding the role would behave predictably, in a deterministic way. Agents break that assumption in potentially catastrophic ways, because an agent’s behavior is shaped by its prompt, its memory, and its upstream instructions, and each of those is a new and distinct attack surface. A prompt injection doesn’t change the agent’s credentials; it changes the agent’s actions and its intent, and the agent executes that new intent using its existing, legitimate access. If we miss the initial prompt injection, we’re left with a malicious insider holding broad access that behaves probabilistically, against defenses that are looking for deterministic malice.
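As an added illustration of the permission shape described above (this is not code from the page's author, from AWS, or from the AgentCore toolkit), the following Python audits an IAM policy document for the pattern: Allow statements that grant agent-memory or runtime-invocation actions on a wildcard resource, so that any agent holding the role can reach every other agent's memory and runtime. The two sample policies are constructed for this example and modelled on the page's description; the bedrock-agentcore action names and the ARN layout are assumptions to be checked against the current service authorization reference, and the account and resource IDs are placeholders.

```python
import json
import re

# Actions whose grant on a wildcard resource lets one agent reach another agent's
# memory or runtime. Assumption: these are the relevant bedrock-agentcore action
# names; verify against the current service authorization reference.
SENSITIVE_ACTIONS = {
    "bedrock-agentcore:RetrieveMemoryRecords",
    "bedrock-agentcore:ListEvents",
    "bedrock-agentcore:GetEvent",
    "bedrock-agentcore:CreateEvent",
    "bedrock-agentcore:InvokeAgentRuntime",
}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, action):
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _granted_sensitive_actions(statement):
    if "NotAction" in statement:
        # Everything not excluded is allowed; assume the worst and surface for review.
        return set(SENSITIVE_ACTIONS)
    patterns = _as_list(statement.get("Action"))
    return {a for a in SENSITIVE_ACTIONS if any(_iam_match(p, a) for p in patterns)}


def _resource_is_overbroad(resource):
    """True when the resource reaches beyond one agent's own memory/runtime ARN.

    Assumed ARN layout: arn:aws:bedrock-agentcore:REGION:ACCOUNT:memory/ID or
    ...:runtime/ID. A wildcard in the account or resource-id segment covers other
    agents' resources; a bare "*" or a malformed ARN is treated the same way.
    """
    parts = resource.split(":", 5)
    if len(parts) < 6:
        return True
    account, resource_id = parts[4], parts[5]
    return any(c in account + resource_id for c in "*?")


def find_cross_agent_grants(policy):
    """One finding per Allow statement granting a sensitive action on an overbroad
    resource. Deny statements are skipped; a Condition is recorded but does not
    clear the finding, since it may or may not pin the grant to a single agent."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _granted_sensitive_actions(st)
        if not actions:
            continue
        # A statement using NotResource (and so lacking Resource) is read as "*".
        overbroad = [r for r in _as_list(st.get("Resource", "*")) if _resource_is_overbroad(r)]
        if overbroad:
            findings.append({
                "sid": st.get("Sid", f"Statement[{i}]"),
                "actions": sorted(actions),
                "resources": overbroad,
                "conditional": "Condition" in st,
            })
    return findings


# Constructed sample 1: the shape the page describes. One role shared by every
# agent in the account, resource left as "*". Modelled on the description, not
# copied from the toolkit.
SHARED_DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AgentMemoryAndRuntime", "Effect": "Allow",
         "Action": ["bedrock-agentcore:*Memory*", "bedrock-agentcore:InvokeAgentRuntime",
                    "bedrock-agentcore:ListEvents", "bedrock-agentcore:GetEvent"],
         "Resource": "*"},
        {"Sid": "Logs", "Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"},
    ],
}

# Constructed sample 2: one role per agent, bound to that agent's own memory and
# runtime ARNs (placeholder account and resource IDs).
PER_AGENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnMemoryOnly", "Effect": "Allow",
         "Action": ["bedrock-agentcore:RetrieveMemoryRecords", "bedrock-agentcore:CreateEvent",
                    "bedrock-agentcore:ListEvents", "bedrock-agentcore:GetEvent"],
         "Resource": "arn:aws:bedrock-agentcore:us-east-1:123456789012:memory/agent-a-memory"},
        {"Sid": "OwnRuntimeOnly", "Effect": "Allow",
         "Action": "bedrock-agentcore:InvokeAgentRuntime",
         "Resource": ["arn:aws:bedrock-agentcore:us-east-1:123456789012:runtime/agent-a-runtime"]},
        {"Sid": "DenyMemoryOutsideHomeRegion", "Effect": "Deny",
         "Action": "bedrock-agentcore:RetrieveMemoryRecords", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("shared default", SHARED_DEFAULT_POLICY), ("per-agent", PER_AGENT_POLICY)):
        print(name, json.dumps(find_cross_agent_grants(policy), indent=2))
```

Run against the shared policy, the audit flags its single agent statement (four sensitive actions, including `RetrieveMemoryRecords` reached through the `*Memory*` wildcard, on `"*"`) and returns nothing for the per-agent policy, whose statements bind each action to the agent's own ARNs. The check keeps a conditional statement as a finding but marks it, since a Condition may or may not restrict the grant to one agent, and it treats a NotAction statement as granting every sensitive action so that it is surfaced for manual review.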
The Bedrock AgentCore incident might be one of the first of this type, but it certainly won’t be the last, and sooner than any of us would like these kinds of incidents won’t even be unique or noteworthy. We’ve built decades of best practices, compliance, and strategy around deterministic policy, and we are now aggressively embedding probabilistic actors in our networks and granting them broad access rights to get the job done. We know what we want agents to do and not do, but discovering what the agents themselves intend to do and not do, and writing policy for that, is becoming as urgent as it is strange to seasoned practitioners.
Thomas Laugle is a cybersecurity specialist at Palo Alto Networks. The opinions expressed here are his own.