Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate because exploitation of prompt injection against AI agents requires adversary awareness of deployed agent capabilities and access scopes, and no confirmed in-the-wild exploitation of these 18 techniques is documented — however, the attack surface is expanding rapidly as agentic deployments proliferate and 200+ documented patterns lower adversary effort. Impact is high because AI agents with privileged access to email, CRM, shell commands, and enterprise data stores represent a force-multiplier for an attacker: a single successful injection can achieve data exfiltration, BEC at scale, or operational disruption without malware or credential theft, bypassing most traditional detection controls.
Treatment rationale: The threat is active, the attack surface is growing with each new agentic deployment, and the potential business consequence (unauthorized access to high-value data systems via a trusted internal agent) is too material to accept or transfer without first establishing controls — avoidance is not viable given the strategic investment in AI agents.
Third-Party / Supply-Chain Risk
Material. CrowdStrike Falcon AIDR is explicitly named as an affected platform, meaning organizations relying on a third-party AI security or agentic product inherit its prompt-layer attack surface. Any enterprise AI platform delivered as SaaS or via API (LLM providers, CRM-integrated AI assistants, productivity copilots) constitutes a shared-platform exposure under NIST SP 800-161: the organization does not control the model's system prompt hardening, guardrail implementation, or update cadence for injection defenses. Vendor security posture for the AI prompt layer should be assessed as a fourth-party dependency where the LLM provider's model is the underlying component.
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M per incident for an organization with AI agents embedded in email and CRM workflows, driven by incident response costs, potential regulatory exposure, and operational disruption; organizations with smaller agentic footprints or limited data access would sit at the lower end
Frequency: Illustrative: for an organization that has deployed AI agents with broad enterprise data access and has not modeled the prompt layer as an attack surface, 1 material incident per 3–5 years is plausible as adversary tooling matures and agentic deployments expand; organizations with no agent-specific input validation or monitoring face higher frequency
Annualized: Illustrative ALE: $100K–$1.67M annualized, derived from $500K–$5M magnitude at 0.2–0.33 annual frequency
Basis: Magnitude derived from: IR and forensics engagement for a multi-system compromise (email + CRM + potential shell access), regulatory notification costs if PII is involved, reputational and customer-trust impact from a BEC-at-scale scenario, and operational recovery. Frequency derived from: no confirmed active exploitation of these specific techniques today (suppressing near-term frequency), offset by rapid growth in agentic deployments, documented 200+ attack patterns reducing adversary effort, and absence of mature detection tooling for the prompt injection layer. Both ends of the range are illustrative and reflect the spread of plausible organizational exposure profiles.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Unauthorized exfiltration of PII or regulated data via a compromised AI agent may invoke state and federal breach-notification obligations — verify with counsel.
• AI agent access to CRM and email systems may constitute a covered 'computer system' or 'data compromise' event under cyber insurance policy definitions — verify with broker whether prompt injection triggering unauthorized data access meets policy trigger language.
• If AI agents process payment card data or health information, a successful injection-driven exfiltration may implicate PCI-DSS incident reporting or HIPAA breach notification requirements — verify with counsel.
• Contracts with enterprise customers granting AI agent access to shared data environments may include security incident notification clauses — verify with counsel and review data processing agreements.