Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate because exploitation of agentic AI systems requires attacker access to prompt interfaces, supply chain footholds, or workflow integrations — not trivial, but prompt injection techniques are maturing rapidly and agentic deployments are expanding faster than defensive controls; exploitation is not yet confirmed at scale but threat actor interest is documented. Impact is high because a successful manipulation of an AI agent operating with broad permissions can autonomously propagate data exfiltration, configuration changes, or transaction execution across connected systems before human detection, with operational, financial, and reputational consequences that outpace a traditional endpoint compromise.
Treatment rationale: The threat is material and the attack surface is expanding with adoption, making avoidance impractical for organizations already integrating agentic AI and making acceptance unacceptable given autonomous blast radius; mitigation — through least-privilege agent design, human-in-the-loop checkpoints, prompt validation controls, and supply chain vetting — is the only treatment that reduces risk while preserving business value.
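As an added example (not part of the original register, and not code from any agent framework), the following Python sketches two of the mitigations named above in working form: a per-agent tool allowlist with a per-task call budget (least-privilege agent design) and a human approval checkpoint that high-impact tools must pass before execution (human-in-the-loop). The agent id, tool names, risk tiers, the approval rule and the sample requests are all constructed for illustration.

```python
"""Least-privilege tool gate with a human-in-the-loop checkpoint for an AI agent.

Added example, not from the original risk register. The agent id, tool names,
call budgets and sample requests below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Decision(Enum):
    ALLOW = "allow"                    # granted low-impact tool, within budget
    NEEDS_APPROVAL = "needs_approval"  # granted high-impact tool: pause for a human
    DENY = "deny"                      # tool not granted to this agent, or budget spent


@dataclass(frozen=True)
class ToolGrant:
    """One tool this agent may call, and the conditions attached to the grant."""
    name: str
    high_impact: bool = False      # writes, sends, pays: always route through a human
    max_calls_per_task: int = 20   # crude blast-radius limit per task


@dataclass
class AgentToolGate:
    """Policy enforcement point between the agent's planner and its tools."""
    agent_id: str
    grants: dict[str, ToolGrant]
    approver: Callable[[str, str, dict], bool]   # stand-in for the human checkpoint
    calls: dict[str, int] = field(default_factory=dict)
    audit: list[dict] = field(default_factory=list)

    def evaluate(self, tool: str) -> Decision:
        """Pure policy decision; does not execute anything."""
        grant = self.grants.get(tool)
        if grant is None:                       # default-deny for anything not granted
            return Decision.DENY
        if self.calls.get(tool, 0) >= grant.max_calls_per_task:
            return Decision.DENY                # budget exhausted for this task
        if grant.high_impact:
            return Decision.NEEDS_APPROVAL
        return Decision.ALLOW

    def request(self, tool: str, args: dict) -> tuple[Decision, bool]:
        """Apply the policy to one tool request; returns (decision, executed)."""
        decision = self.evaluate(tool)
        executed = False
        if decision is Decision.ALLOW:
            executed = True
        elif decision is Decision.NEEDS_APPROVAL:
            executed = self.approver(self.agent_id, tool, args)
        if executed:
            self.calls[tool] = self.calls.get(tool, 0) + 1
        # Every request is logged, including denials, so a reviewer can see when the
        # agent was steered toward tools it was never granted.
        self.audit.append({"agent": self.agent_id, "tool": tool, "args": args,
                           "decision": decision.value, "executed": executed})
        return decision, executed


def reviewer_rule(agent_id: str, tool: str, args: dict) -> bool:
    """Constructed approval rule standing in for a human: only small payments pass."""
    return tool == "send_payment" and args.get("amount", 0) <= 1000


def run_demo() -> list[tuple[str, str, bool]]:
    """Replay a constructed sequence of agent tool requests through the gate."""
    gate = AgentToolGate(
        agent_id="invoice-assistant",
        grants={
            "read_invoice": ToolGrant("read_invoice", max_calls_per_task=2),
            "send_payment": ToolGrant("send_payment", high_impact=True),
            # note: no grant for delete_records, so the agent can never call it
        },
        approver=reviewer_rule,
    )
    requests = [
        ("read_invoice", {"id": "INV-1"}),
        ("send_payment", {"payee": "known-vendor", "amount": 250}),
        ("send_payment", {"payee": "unknown-account", "amount": 48000}),
        ("delete_records", {"table": "invoices"}),
        ("read_invoice", {"id": "INV-2"}),
        ("read_invoice", {"id": "INV-3"}),   # third read exceeds the per-task budget
    ]
    results = []
    for tool, args in requests:
        decision, executed = gate.request(tool, args)
        results.append((tool, decision.value, executed))
    return results


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The gate is default-deny: a request for a tool with no grant is refused regardless of how persuasive the instruction that produced it was, high-impact tools never execute without an approver's consent, and the per-task budget caps how far a single manipulated task can propagate. The audit entries for denied requests are the detection signal: an agent repeatedly asking for ungranted or over-budget tools is worth a closer look at the documents and tool outputs it consumed.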
Third-Party / Supply-Chain Risk
High third-party exposure: agentic AI systems routinely depend on third-party model providers, orchestration frameworks (e.g., LangChain-style tooling), external tool integrations, and API-connected SaaS platforms, any of which can introduce poisoned instructions or compromised tool outputs into an agent's decision chain; per NIST SP 800-161, organizations must assess AI vendor software integrity, model supply chain provenance, and the security posture of every external service an agent is authorized to invoke.
Loss Exposure (illustrative)
Magnitude: High — illustrative $500K–$5M per significant incident, reflecting potential for autonomous propagation across connected systems, operational disruption, regulatory scrutiny, and reputational damage
Frequency: Illustrative 1-in-5 to 1-in-3 chance of a material agentic AI security event within 24 months for an organization with broad agentic deployment and immature controls, declining substantially with control implementation
Annualized: Illustrative ALE: $100K–$1.7M annually for an exposed organization, weighted toward the lower bound for organizations implementing CISA guidance controls and toward the upper bound for organizations with over-permissioned agents, no prompt validation, and third-party orchestration dependencies
Basis: Loss magnitude derived from operational disruption scope of autonomous agent actions (affecting multiple connected systems simultaneously), regulatory exposure where personal or financial data is in scope, and incident response complexity for AI-specific events which exceeds traditional malware response; frequency derived from the nascent but accelerating threat actor interest in prompt injection, the rapid expansion of enterprise agentic deployments, and the documented gap between deployment pace and security control maturity flagged in the CISA guidance itself; no third-party actuarial data cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Autonomous agent actions resulting in unauthorized data movement or system modification may invoke cyber-insurance incident reporting obligations — verify with broker whether agentic AI operations require policy endorsement or disclosure.
• If agentic AI processes personal data and is manipulated into exfiltrating or mishandling it, state and international breach-notification obligations may be triggered — verify with counsel.
• Contracts with enterprise customers or regulated entities may contain AI governance or data processing clauses that agentic deployments could implicate — verify with counsel.