How can an AI agent be used as a proxy to attack connected systems?

An agent with broad permissions and a compromised context is not just broken — it is a weapon aimed at every system it can touch. Here is how attackers exploit agents as lateral movement proxies and how you scope your way out.

B

Balagei G Nagarajan

5 MIN READ


An AI agent at the center of a web of connected systems, with a red signal propagating outward through its authenticated connections

The agent's credentials are legitimate. The instructions it is following are not.

Key facts.

  • The core attack primitive: an attacker injects instructions through content the agent processes and the agent uses its legitimate, authenticated connections to pivot into systems the attacker has no direct access to (Schneider, 2025).
  • AI agents move 16 times more data than human users — a compromised agent is not a one-account breach, it is a sweep of everything the agent can touch (Obsidian Security, 2025).
  • 13% of organizations have already reported breaches involving AI models or applications; 86% have no inventory of where their AI agents are connected or what data they can access (Obsidian Security, 2025).
  • Multi-turn prompt injection attacks achieved success rates up to 92% across eight open-weight models in 2025 testing — this is not a theoretical risk (Pillar Security, 2026).
  • Prompt injections have evolved into a multi-step "Promptware Kill Chain" where a single injected instruction initiates a sequence of agent actions culminating in data exfiltration or system access (arXiv:2601.09625, 2026).
Scope the agent's tools to minimum necessary and the attack has nowhere to go.
— from "How can an AI agent be used as a proxy to attack connected systems?"

The anatomy of an agent lateral movement attack

The attacker does not need access to your systems. They need access to content your agent will process. That content — a document in a shared inbox, a web page the agent is asked to summarize, a calendar invite description — carries the injected instruction.

The agent reads the content, interprets the instruction as legitimate (because it arrived in the same channel as real instructions), and executes it. The execution uses the agent's own sessions. If the agent has read access to your CRM and write access to your Slack, the attacker now has those capabilities too, mediated through the agent.

What makes this particularly effective: the attack moves at agent speed. An attacker who manually exfiltrates data triggers anomaly detection because the behavior is unusual for a human account. An agent that reads and forwards 10,000 records triggers nothing, because agents move 16 times more data than humans by design.

Why broad permissions are the amplifier, not the root cause

Prompt injection is the entry point. Broad permissions are what converts a local instruction-following failure into a cross-system breach. An agent with read-only access to one system, when injected, can at most exfiltrate that system's data. An agent with write access to five systems, when injected, can read, modify, create, and delete across all five.

This is not a hypothetical scenario. The Snowflake credential compromise of 2024 followed a structurally identical pattern: infostealer infection at a vendor, credential compromise, lateral movement into customer infrastructure. The mechanism is the same whether the victim credential belongs to a human or an agent — the scale and speed differ. An agent executes in milliseconds; a human attacker needs hours.

The right framing: every permission you give an agent is a capability you are giving to any attacker who can inject into that agent's context.

How minimum-scope tool access defeats the attack structurally

If an agent's tools are scoped to the minimum required for its task, a successful injection has a limited blast radius. An agent that can only read from one specific table and write to one specific output queue, when injected, can only misuse those two capabilities. The attacker cannot pivot to email, CRM, code repositories, or external APIs.

This is the structural defense: not better instruction-following by the model, but architectural constraints that limit what the model can do regardless of what it is told. Scope your agent's tools to the task it was built for. Separate agents for separate system access domains. Require explicit human approval for any write action above a defined scope threshold.

The additional layer: treat content the agent processes as untrusted input, the same way you would treat user input in a web application. Input that contains instruction-shaped text — "ignore previous instructions," "forward this data to," "create a new user" — should be flagged before reaching the model's instruction-following layer.

Attack chain diagram: malicious content in inbox reaches agent, agent executes with own authenticated session, data moves to attacker-controlled endpoint across three connected systems

The Promptware Kill Chain: injected content triggers agent execution, authenticated sessions carry the attack, data reaches attacker across system boundaries.

Attack step Mechanism Defense
Injection deliveryMalicious instruction embedded in processed contentTreat content as untrusted input; flag instruction-shaped text
Agent executionAgent follows injected instruction with own sessionsScope tools to minimum; human approval for sensitive writes
Lateral movementAgent's cross-system access used as pivotSeparate agents per access domain; no cross-domain sessions
ExfiltrationData moves at agent speed with no anomaly signalRate-limit agent data exports; audit log every outbound write

Scoping agent permissions to minimum necessary is the single highest-leverage security control for agentic systems. VibeModel's Pattern Intelligence Layer maps which tool combinations in your workflow create over-permissioned exposure paths, so you can tighten the blast radius before an injection finds them.

Frequently asked questions

How is an agent proxy attack different from a regular prompt injection?

A regular prompt injection manipulates the model's output within one session. An agent proxy attack uses that manipulation to trigger the agent's tool calls — specifically its authenticated sessions to connected systems — turning a model-layer failure into a system-layer breach across multiple platforms.

Can the model learn to detect injected instructions?

Models have improved at recognizing obvious injection patterns, but multi-turn attacks that achieve 92% success rates demonstrate the limit of model-level defense. Architectural controls — minimum-scope permissions, content sandboxing, human approval gates — are more reliable than model-level instruction discrimination.

What is the Promptware Kill Chain?

The Promptware Kill Chain is a framework describing how prompt injections have evolved from single-step model manipulation into multi-step attack sequences: injection triggers agent execution, agent takes network actions, actions deliver or enable malware or exfiltration. The arXiv paper (2601.09625) documents this evolution through 2025.

How do I audit which systems my agent can reach?

Start by listing every tool registered to the agent and every credential or session token the agent's environment can access. Any tool that can write to an external system or authenticate to a third-party API is a potential pivot point. This inventory is the starting point for permission reduction.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.