Christian Schneider

Security Architect, Penetration Tester & Trainer, @cschneider4711


Christian Schneider is an independent security architect, penetration tester, and trainer. He advises organizations on designing secure architectures and leads hands-on threat modeling workshops that help teams embed security into their engineering workflows.


His current focus is on the emerging risks of agentic AI systems, particularly the new attack surfaces and cross-boundary attack paths they introduce. Christian works with teams to systematically identify and mitigate these architectural risks before they reach production.

Talks & Q&A

Five Threat Zones: Threat Modeling Agentic AI for Corporate Defense


Description:

Your organization is rolling out Copilot, custom agents, and MCP-based tool integrations, and your security team is doing what it has always done: decompose the system, assess each component, sign off on the boxes. Agentic AI attacks do not respect those boxes. A retrieved document biases the planner, the planner picks the wrong tool, the tool acts on stale permissions, a second agent trusts the output without checking it. We have already seen this in the wild: zero-click prompt injection in enterprise copilots and indirect data exfiltration through tool chains. Every component passed its review. The attack path between them did not exist on anyone's diagram.


This talk gives security architects a practical way to close that gap. I introduce a five-zone decomposition for agentic AI architectures — input surfaces, planning and reasoning, tool execution, memory and state, and inter-agent communication — and a seven-step methodology for tracing cross-zone attack chains that component-level reviews miss. I then work through three scenarios security teams are being asked to evaluate right now: RAG pipeline poisoning, tool-integration supply-chain attacks via MCP, and multi-agent goal cascades. Each scenario includes an attack tree and maps to concrete controls from the OWASP Top 10 for LLM and Agentic AI Applications.


You leave with a threat-zone mapping template, a cross-zone attack-path checklist, and worked attack trees your team can apply to its own agentic AI deployments the following week.
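To make the abstract's central point concrete, here is an added illustration of my own, not the speaker's seven-step methodology or template: a constructed data-flow graph over the five zones named above, in which the planner's direct tool call is gated but the hand-off to a second agent is not, so a per-zone review passes while an unchecked cross-zone path from input to tool execution still exists. Zone names, flows and the `tool_allowlist` control are assumptions made up for the example.

```python
from collections import defaultdict
from typing import List, Optional, Tuple

# The five zones from the talk description, used as graph nodes.
ZONES = ("input", "planning", "tool_execution", "memory", "inter_agent")

# Constructed sample data flows: (from_zone, to_zone, control applied on that edge).
# A control of None means the receiving zone trusts what it gets without checking.
Flow = Tuple[str, str, Optional[str]]
SAMPLE_FLOWS: List[Flow] = [
    ("input", "planning", None),                       # retrieved document lands in the prompt
    ("planning", "tool_execution", "tool_allowlist"),  # planner's own tool call is gated
    ("tool_execution", "memory", None),                # tool output written to state
    ("memory", "planning", None),                      # state re-read on the next turn
    ("planning", "inter_agent", None),                 # task handed to a second agent
    ("inter_agent", "tool_execution", None),           # second agent calls tools unchecked
]


def find_paths(flows: List[Flow], source: str, sink: str) -> List[List[str]]:
    """Return every simple path of zones from source to sink (DFS, no zone repeated)."""
    adj = defaultdict(list)
    for src, dst, _ in flows:
        adj[src].append(dst)
    paths: List[List[str]] = []

    def walk(node, seen, path):
        if node == sink:
            paths.append(path)
            return
        for nxt in adj[node]:
            if nxt not in seen:
                walk(nxt, seen | {nxt}, path + [nxt])

    walk(source, {source}, [source])
    return paths


def controls_on_path(flows: List[Flow], path: List[str]) -> List[str]:
    """Controls actually applied along a path; an empty list means nobody checked."""
    lookup = {(s, d): c for s, d, c in flows}
    return [lookup[(a, b)] for a, b in zip(path, path[1:]) if lookup[(a, b)]]


def unmitigated_paths(flows: List[Flow], source: str, sink: str) -> List[List[str]]:
    """Cross-zone paths with no control on any edge: what a per-component review misses."""
    return [p for p in find_paths(flows, source, sink) if not controls_on_path(flows, p)]


if __name__ == "__main__":
    for p in find_paths(SAMPLE_FLOWS, "input", "tool_execution"):
        print(" -> ".join(p), "| controls:", controls_on_path(SAMPLE_FLOWS, p) or "NONE")
```

Running it lists both routes from the input zone to tool execution and shows that only the route through the second agent carries no control, which is the chain the abstract describes.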