Living Off the Agent: The New Tactic Hijacking Enterprise AI

The New Stack, May 12, 2026

Why It Matters

Living off the agent (LOTA) attacks bypass conventional defenses, allowing low‑skill adversaries to compromise critical data and systems at scale, forcing organizations to rethink AI security strategies.

Key Takeaways

  • Agentic AI adoption outpaces prior tech trends, creating new attack surface
  • Attackers exploit trusted enterprise agents, executing “living off the agent” (LOTA) attacks
  • Weaknesses in the Model Context Protocol (MCP) enable malicious agents to harvest data via API calls
  • Straiker study found 87 exploits, 24 LOTA patterns, 15 successful breaches
  • Traditional security tools miss autonomous agent behavior, prompting AI‑focused defenses

Pulse Analysis

The surge of agentic AI in the enterprise mirrors earlier cloud and container revolutions, but its unique capability to act autonomously across APIs creates a blind spot for legacy security controls. While firewalls, XDR and SIEM platforms excel at flagging known malware signatures and network anomalies, they lack visibility into the intent and decision‑making of AI agents that can issue legitimate‑looking API calls on behalf of users. This gap is amplified by the Model Context Protocol (MCP), a nascent standard that enables agents to retrieve data, invoke tools, and coordinate workflows, yet also offers a convenient foothold for malicious packages that masquerade as trusted MCP servers.

Recent red‑team research from Straiker highlights the practical danger: 87 distinct agent‑related exploits were cataloged, with 24 exhibiting the LOTA pattern where a compromised agent leverages its trusted status to execute malicious actions. In real‑world scenarios, a productivity agent tasked with managing emails can be tricked into scanning cloud drives, harvesting credentials, and even spawning new rogue agents—all without raising traditional alerts. The speed and scale of these attacks—dozens of autonomous agents operating 24/7—mean that a single phishing email or crafted prompt can cascade into a full‑blown breach, eroding the talent advantage that organizations hoped to gain from AI automation.

To counter LOTA threats, security teams must adopt AI‑aware defenses that monitor agent behavior, validate MCP interactions, and enforce strict provenance for agentic code. Emerging solutions include behavioral analytics for API call patterns, sandboxed execution environments for agents, and continuous supply‑chain audits of AI models and plugins. By integrating these controls with existing security operations, enterprises can preserve the productivity gains of autonomous agents while mitigating the risk of them becoming inadvertent spies in the corporate network.
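One concrete form of the behavioral analytics described above, as an added example that is not from the article or from Straiker: a per-agent scope policy applied to MCP tool-call audit records. The log format, agent name, tool names and server names are constructed for illustration; the policy pins the email agent to mail tools on one server, so the drive scan, credential read and agent spawn from the article's scenario, and a call routed through an unfamiliar server, are all flagged.

```python
import json
from collections import Counter

# Constructed policy (assumption): each agent identity is pinned to the MCP
# tools and servers its task needs; an email agent needs neither drive nor vault.
AGENT_POLICY = {
    "mail-assistant": {"tools": {"mail.list", "mail.read", "mail.send"},
                       "servers": {"mcp-mail"}},
}

# Tools worth an alert from any agent, even one whose policy lists them.
HIGH_RISK_TOOLS = {"drive.search", "secrets.read", "agents.spawn"}

# Constructed sample: JSON-lines audit records from an MCP gateway (hypothetical format).
SAMPLE_LOG = """\
{"ts": "2026-05-12T09:00:01Z", "agent": "mail-assistant", "tool": "mail.list", "server": "mcp-mail"}
{"ts": "2026-05-12T09:00:02Z", "agent": "mail-assistant", "tool": "mail.read", "server": "mcp-mail"}
{"ts": "2026-05-12T09:00:09Z", "agent": "mail-assistant", "tool": "drive.search", "server": "mcp-drive"}
{"ts": "2026-05-12T09:00:10Z", "agent": "mail-assistant", "tool": "secrets.read", "server": "mcp-vault"}
{"ts": "2026-05-12T09:00:12Z", "agent": "mail-assistant", "tool": "agents.spawn", "server": "mcp-orch"}
{"ts": "2026-05-12T09:00:15Z", "agent": "mail-assistant", "tool": "mail.send", "server": "mcp-mail-2"}
""".splitlines()

def classify(event):
    """Return a reason code for a suspicious tool call, or None for an expected one.
    Checks run from most to least severe so each event gets a single verdict."""
    policy = AGENT_POLICY.get(event["agent"], {"tools": set(), "servers": set()})
    if event["tool"] in HIGH_RISK_TOOLS:
        return "high_risk_tool"
    if event["server"] not in policy["servers"]:
        return "unknown_server"  # routed through a server this agent was never pinned to
    if event["tool"] not in policy["tools"]:
        return "out_of_scope_tool"
    return None

def analyze(lines):
    """Parse audit records and return (findings, per-agent count of unexpected calls).
    The per-agent count is what a SIEM rule would threshold on to catch a cascading agent."""
    findings, per_agent = [], Counter()
    for line in lines:
        event = json.loads(line)
        reason = classify(event)
        if reason:
            findings.append((event["ts"], event["agent"], event["tool"], event["server"], reason))
            per_agent[event["agent"]] += 1
    return findings, dict(per_agent)
```

On the sample, the two legitimate mail reads pass silently and four of the six calls are flagged, which is the burst a threshold rule would turn into a single incident rather than four isolated API alerts.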
