A chatbot that gives a wrong answer is embarrassing. An AI agent that takes a wrong action — sends the email, issues the refund, changes the record, calls the API — is a security incident. That one-word difference, action, is why securing an agent is a fundamentally different job from prompting a chatbot well.
And here's the part teams get wrong most often: the instinct is to control the agent by writing rules into its system prompt — "never send an email without approval," "don't touch financial records." Those lines feel like guardrails. They aren't. The system prompt is a wish you whisper to a probabilistic model. The actual boundary is what the agent's credentials let it do. If you only take one idea from this, take that one — and then the rest of agent security is just working out its consequences.
Why agents rewrote the threat model
With a plain chatbot, the worst outcomes are bounded: a wrong answer, a confidently false claim, maybe a data leak if you pipe sensitive text to a third-party model. The output is text, and a human reads it before anything happens.
An agent turns the model's output into an action in a real system: a sent message, a changed status, a created ticket, a transferred file. Now a single model mistake — or a single successful attack — doesn't just say the wrong thing; it does the wrong thing. And it does it perfectly legally: nothing is "hacked," no access is stolen. The agent simply used the permissions you handed it. It's worth sitting with how hard that is to test away: because the model decides which tool to call and when, the same input can produce different actions on different runs. You can't enumerate the behavior with a handful of examples the way you'd test a normal function. The whole shape of the risk changes:








