agentic AI real security priorities
NDC: Data lake exposure eclipses prompt injection as critical risk in agentic systems NDC ConferencesTL;DW
- Prompt injection receives disproportionate focus—spend 90% of AI security budget on it and miss critical threats like data lake breaches that destroy enterprises.
- Data lake access is the most dangerous security surface: treat every connection as internet-exposed; require security engineers to personally review and execute all data queries, never allow direct access.
- Split data lakes by workload type (agentic vs. classic, active vs. static) to apply appropriate security controls and prevent cross-contamination between agents, teams, and business units.
- Guard models (Llama Guard, IBM Granite, GPT-O) provide free, open-source ingress/egress sanitization layers—they take text in, output safe/dangerous, replacing manual prompt filtering.
- Parameterize inputs and keep arbitrary data outside AI systems: don't send real emails, credit cards, or URLs to agents; tokenize or primitize them instead.
- Encryption key material cannot be deep-faked by AI—encrypt sensitive data at rest and in transit, only decrypting at the correct model/workload/customer combination.
- Treat attack response time in seconds/minutes with AI, not hours/days: implement kill switches and company-wide character set sanitization at the gateway, not just per-application.
- Track injection attacks at each infrastructure layer differently: gateway hits are normal; cloud hits are concerning; backend database hits signal breach; agentic layer hits indicate lateral movement or insider threat.
- Learn model families, training data sources, and known vulnerabilities for each model your engineers propose—cursory knowledge of model security prevents deployment mistakes.
- Assign lifecycle ownership and maintenance costs to each security control; with limited team capacity, prioritize controls you'll actually sustain rather than deploying 30 controls and maintaining none.
TL;DW
- Prompt injection receives disproportionate focus—spend 90% of AI security budget on it and miss critical threats like data lake breaches that destroy enterprises.
- Data lake access is the most dangerous security surface: treat every connection as internet-exposed; require security engineers to personally review and execute all data queries, never allow direct access.
- Split data lakes by workload type (agentic vs. classic, active vs. static) to apply appropriate security controls and prevent cross-contamination between agents, teams, and business units.
- Guard models (Llama Guard, IBM Granite, GPT-O) provide free, open-source ingress/egress sanitization layers—they take text in, output safe/dangerous, replacing manual prompt filtering.
- Parameterize inputs and keep arbitrary data outside AI systems: don't send real emails, credit cards, or URLs to agents; tokenize or primitize them instead.
- Encryption key material cannot be deep-faked by AI—encrypt sensitive data at rest and in transit, only decrypting at the correct model/workload/customer combination.
- Treat attack response time in seconds/minutes with AI, not hours/days: implement kill switches and company-wide character set sanitization at the gateway, not just per-application.
- Track injection attacks at each infrastructure layer differently: gateway hits are normal; cloud hits are concerning; backend database hits signal breach; agentic layer hits indicate lateral movement or insider threat.
- Learn model families, training data sources, and known vulnerabilities for each model your engineers propose—cursory knowledge of model security prevents deployment mistakes.
- Assign lifecycle ownership and maintenance costs to each security control; with limited team capacity, prioritize controls you'll actually sustain rather than deploying 30 controls and maintaining none.
Jon McCoy argues prompt injection concern reflects survivor bias while the real threat is multi-agent, multi-team data lake access without workload isolation. Recommends treating data lake connections as internet-exposed endpoints, decomposing lakes by workload, and having security teams own every data pull.
