Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate because exploitation requires an adversary to craft effective prompts against a deployed agentic AI system — technically feasible and increasingly documented, but dependent on organizational adoption of agentic AI and the absence of architectural controls; the Five Eyes joint guidance signals rising threat actor interest without confirmed active exploitation. Impact is high because a manipulated agent operating on legitimate credentials bypasses conventional detection, enabling data exfiltration, unauthorized system changes, or destruction of records touching financial, regulated, or customer-facing systems — consequences that are both operationally severe and regulatorily consequential.
Treatment rationale: The risk is architectural and design-time in nature — it cannot be transferred away cleanly or accepted at this impact level — and the Five Eyes guidance provides a concrete, actionable control set (least-privilege identity, constrained tool permissions, human approval gates) that directly reduces both likelihood and impact, making mitigation the appropriate primary treatment.
Third-Party / Supply-Chain Risk
Significant third-party exposure exists: organizations consuming agentic AI capabilities through vendor platforms (e.g., Microsoft Security Copilot, Azure AI, or any SaaS-delivered AI agent) inherit the security architecture decisions of those platforms. Per NIST SP 800-161, this constitutes a supplier risk requiring verification that vendor-implemented controls — identity scoping, tool permission boundaries, audit logging, and override mechanisms — meet organizational risk thresholds. Shared-platform deployments (multi-tenant AI services) additionally surface cross-tenant isolation as a dependency outside direct organizational control.
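The control set named in the treatment rationale and in the supplier verification list above (least-privilege identity scoping, constrained tool permissions, a human approval gate on write/delete and bulk-read actions, and an audit trail of every decision) sketched as a tool-call mediation layer. This is an added example, not code from the Five Eyes guidance or any vendor platform; the tool catalogue, the `AgentIdentity` / `ToolGate` names and the approval callback are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
import time

class Effect(Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
# Constructed tool catalogue: every tool the agent can be offered declares its effect class.
TOOL_EFFECTS = {
    "search_tickets": Effect.READ,
    "update_ticket": Effect.WRITE,
    "export_customers": Effect.READ,   # read-only, but bulk PII: gated via the 'bulk' flag
    "delete_record": Effect.DELETE,
}

@dataclass(frozen=True)
class AgentIdentity:
    name: str
    allowed_tools: frozenset           # least-privilege tool scope for this identity

class ToolGate:
    """Mediates every tool call the model proposes; the model never reaches a tool directly."""
    def __init__(self, approver):
        self.approver = approver       # callable(agent, tool, args) -> bool: the human gate
        self.audit = []                # append-only record of every decision, allowed or not

    def authorize(self, agent, tool, args):
        if tool not in TOOL_EFFECTS:
            allowed, reason = False, "unknown tool"
        elif tool not in agent.allowed_tools:
            allowed, reason = False, "tool outside agent identity scope"
        elif TOOL_EFFECTS[tool] is not Effect.READ or args.get("bulk"):
            # Write/delete, or bulk read of sensitive data: a human approves each call.
            allowed = bool(self.approver(agent, tool, args))
            reason = "human approval gate " + ("approved" if allowed else "denied")
        else:
            allowed, reason = True, "read-only tool within scope"
        self.audit.append({"ts": time.time(), "agent": agent.name, "tool": tool,
                           "args": args, "allowed": allowed, "reason": reason})
        return allowed

def demo():
    """Constructed scenario: a manipulated support agent tries a bulk export and a deletion after a lookup."""
    support = AgentIdentity("support-agent", frozenset({"search_tickets", "update_ticket", "export_customers"}))
    gate = ToolGate(approver=lambda agent, tool, args: tool == "update_ticket")  # reviewer approves the edit only
    calls = [("search_tickets", {"q": "refund"}), ("update_ticket", {"id": 42, "status": "closed"}),
             ("export_customers", {"bulk": True}), ("delete_record", {"id": 42})]
    return [(tool, gate.authorize(support, tool, args)) for tool, args in calls], gate.audit
```

In the scenario only the in-scope read and the human-approved ticket edit go through; the bulk export is stopped at the approval gate and the deletion is refused because it is outside the agent's identity scope, and all four attempts are in the audit record for later forensic reconstruction.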
Loss Exposure (illustrative)
Magnitude: High — illustrative $500K–$5M per incident for an organization with meaningful agentic AI deployment touching regulated data or financial systems, reflecting potential costs of incident response, forensic reconstruction of agent actions, regulatory inquiry, and operational disruption from unauthorized system changes.
Frequency: Illustrative 1–2 material incidents per 3–5 year window for an exposed organization that deploys agentic AI without architectural controls, rising as adversary prompt-injection techniques mature and agentic AI adoption increases.
Annualized: Illustrative ALE framing: $100K–$500K annually for an exposed organization, driven by moderate event frequency against high per-incident magnitude; the higher end applies where agents have broad system permissions and minimal human oversight gates.
Basis: Magnitude derived from: (1) forensic complexity of reconstructing agent action chains versus conventional malware, (2) regulatory notification and response costs where PII or regulated records are in scope, (3) operational disruption cost where agents have write/delete access to production systems. Frequency derived from: current exploitation status (not confirmed active) discounted against rising adversary interest signaled by Five Eyes joint advisory and increasing agentic AI deployment surface. No third-party loss report figures used.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Unauthorized access to or exfiltration of customer or employee PII via a manipulated agent may invoke state breach-notification obligations — verify with counsel.
• Unauthorized modification or deletion of regulated records (financial, healthcare, legal) by an agentic system may trigger regulatory reporting requirements under applicable sector rules — verify with counsel.
• An incident involving an AI agent operating beyond its authorized scope may implicate cyber-insurance policy conditions around system integrity, unauthorized access, or AI-specific exclusions now appearing in policy renewals — verify with broker.
• Vendor agreements for agentic AI platforms should be reviewed for shared-responsibility language that could affect indemnification or breach liability if a manipulated agent causes downstream harm — verify with counsel.