The agent's credentials are legitimate. The instructions it is following are not.
Key facts.
- The core attack primitive: an attacker injects instructions through content the agent processes and the agent uses its legitimate, authenticated connections to pivot into systems the attacker has no direct access to (Schneider, 2025).
- AI agents move 16 times more data than human users — a compromised agent is not a one-account breach, it is a sweep of everything the agent can touch (Obsidian Security, 2025).
- 13% of organizations have already reported breaches involving AI models or applications; 86% have no inventory of where their AI agents are connected or what data they can access (Obsidian Security, 2025).
- Multi-turn prompt injection attacks achieved success rates up to 92% across eight open-weight models in 2025 testing — this is not a theoretical risk (Pillar Security, 2026).
- Prompt injections have evolved into a multi-step "Promptware Kill Chain" where a single injected instruction initiates a sequence of agent actions culminating in data exfiltration or system access (arXiv:2601.09625, 2026).
The anatomy of an agent lateral movement attack
The attacker does not need access to your systems. They need access to content your agent will process. That content — a document in a shared inbox, a web page the agent is asked to summarize, a calendar invite description — carries the injected instruction.
The agent reads the content, interprets the instruction as legitimate (because it arrived in the same channel as real instructions), and executes it. The execution uses the agent's own sessions. If the agent has read access to your CRM and write access to your Slack, the attacker now has those capabilities too, mediated through the agent.
What makes this particularly effective: the attack moves at agent speed. An attacker who manually exfiltrates data triggers anomaly detection because the behavior is unusual for a human account. An agent that reads and forwards 10,000 records triggers nothing, because agents move 16 times more data than humans by design.
Why broad permissions are the amplifier, not the root cause
Prompt injection is the entry point. Broad permissions are what converts a local instruction-following failure into a cross-system breach. An agent with read-only access to one system, when injected, can at most exfiltrate that system's data. An agent with write access to five systems, when injected, can read, modify, create, and delete across all five.
This is not a hypothetical scenario. The Snowflake credential compromise of 2024 followed a structurally identical pattern: infostealer infection at a vendor, credential compromise, lateral movement into customer infrastructure. The mechanism is the same whether the victim credential belongs to a human or an agent — the scale and speed differ. An agent executes in milliseconds; a human attacker needs hours.
The right framing: every permission you give an agent is a capability you are giving to any attacker who can inject into that agent's context.
How minimum-scope tool access defeats the attack structurally
If an agent's tools are scoped to the minimum required for its task, a successful injection has a limited blast radius. An agent that can only read from one specific table and write to one specific output queue, when injected, can only misuse those two capabilities. The attacker cannot pivot to email, CRM, code repositories, or external APIs.
This is the structural defense: not better instruction-following by the model, but architectural constraints that limit what the model can do regardless of what it is told. Scope your agent's tools to the task it was built for. Separate agents for separate system access domains. Require explicit human approval for any write action above a defined scope threshold.
The additional layer: treat content the agent processes as untrusted input, the same way you would treat user input in a web application. Input that contains instruction-shaped text — "ignore previous instructions," "forward this data to," "create a new user" — should be flagged before reaching the model's instruction-following layer.
The Promptware Kill Chain: injected content triggers agent execution, authenticated sessions carry the attack, data reaches attacker across system boundaries.
| Attack step | Mechanism | Defense |
|---|---|---|
| Injection delivery | Malicious instruction embedded in processed content | Treat content as untrusted input; flag instruction-shaped text |
| Agent execution | Agent follows injected instruction with own sessions | Scope tools to minimum; human approval for sensitive writes |
| Lateral movement | Agent's cross-system access used as pivot | Separate agents per access domain; no cross-domain sessions |
| Exfiltration | Data moves at agent speed with no anomaly signal | Rate-limit agent data exports; audit log every outbound write |
Scoping agent permissions to minimum necessary is the single highest-leverage security control for agentic systems. VibeModel's Pattern Intelligence Layer maps which tool combinations in your workflow create over-permissioned exposure paths, so you can tighten the blast radius before an injection finds them.
Frequently asked questions
How is an agent proxy attack different from a regular prompt injection?
A regular prompt injection manipulates the model's output within one session. An agent proxy attack uses that manipulation to trigger the agent's tool calls — specifically its authenticated sessions to connected systems — turning a model-layer failure into a system-layer breach across multiple platforms.
Can the model learn to detect injected instructions?
Models have improved at recognizing obvious injection patterns, but multi-turn attacks that achieve 92% success rates demonstrate the limit of model-level defense. Architectural controls — minimum-scope permissions, content sandboxing, human approval gates — are more reliable than model-level instruction discrimination.
What is the Promptware Kill Chain?
The Promptware Kill Chain is a framework describing how prompt injections have evolved from single-step model manipulation into multi-step attack sequences: injection triggers agent execution, agent takes network actions, actions deliver or enable malware or exfiltration. The arXiv paper (2601.09625) documents this evolution through 2025.
How do I audit which systems my agent can reach?
Start by listing every tool registered to the agent and every credential or session token the agent's environment can access. Any tool that can write to an external system or authenticate to a third-party API is a potential pivot point. This inventory is the starting point for permission reduction.

