Agentic workflows are a pipe dream...

Artificial Intelligence

...until a large number of vulnerabilities can be addressed. The “vibe workflow” mindset that has dominated the agentic space is creating a ton of opportunities for bad actors to exploit and a lot of failure modes. To be clear, many of these vulnerabilities are simply inherited from LLMs (e.g., prompt injection -there is no clear separation between the data and the instructions) but a combinatorial explosion takes place when LLM-based agents are composed and able to act on real-world systems. A lot of bad stuff can happen at the interface between agents.

Attached is a paper worth reading, a sort of catalog of horrors, which I don’t think is even fully exhaustive but should be enough to scare off anyone who does not live in Silicon Valley. At this point, agentic workflows (and even lone LLM agents) should only be considered in highly constrained use cases, in secure environments, where each step can be audited and validated.

The catalog of horrors is extensive. The paper lists 30-40 unique vulnerabilities/attack vectors:

1 Input Manipulation: Prompt injections (direct, SQL, indirect), five jailbreak variants, five adversarial/evasion attacks

2 Model Compromise: Prompt-level backdoors (BadPrompt, PoisonPrompt), parameter backdoors (BadAgent, DemonAgent), composite & encrypted multi-backdoors, data- and memory-poisoning techniques

3 System & Privacy Attacks: Speculative side-channels, membership inference, datastore leakage, social-engineering simulations, federated-learning attacks, contagious recursive blocking, etc.

4 Protocol Vulnerabilities: 12 explicit threats in Table VI (e.g. cross-agent prompt injection, schema poisoning, rogue-agent registration, token theft/replay, MitM, DoS)

It also offers mitigation procedures and counter-measures. Most are hard and will take time to develop and implement (if possible at all). Before that time, poorly protected agentic workflows will be the norm and a dream for bad actors.

There may be enough momentum and economic enthusiasm behind agentic workflows to address them all. Companies offering technology and services at the intersection of security, safety and observability are best positioned to reap the rewards. In the meantime let’s not have the FAA implement agentic workflows at Newark airport.

https://www.economist.com/business/2025/07/14/ai-is-killing-the-web-can-anything-save-it