Agentic AI Expands Threat Model for Enterprise Security

Zscaler published a blog post on June 25, 2026, titled "Agentic AI Threat Model: Prompt Injection, Context Poisoning, and Agent Behavior Drift." The post outlines three primary threats for agentic AI: prompt injection, context poisoning, and agent behavior drift, and situates those threats across the agent lifecycle. Zscaler describes a set of controls that map to lifecycle phases, including build-time adversarial testing and prompt hardening, deployment-time discovery and posture assessment, and runtime guards, monitoring, and remediation.

The blog defines the three threats as follows: prompt injection occurs when hidden instructions appear in user inputs, retrieved documents, or tool outputs; context poisoning happens when malicious content is ingested into trusted data sources and later retrieved; and agent behavior drift describes gradual deviation from intended policies as agents interact with tools and data. Zscaler emphasises that different controls are required for each threat class because runtime guards that block injections do not retroactively remove poisoned ingestion or correct slow drift.

Industry-pattern observations: As organisations move from single-query LLM use to agentic workflows that use tool access, memory, and delegated permissions, the attack surface expands from model outputs to cross-system actions. Security teams building comparable protections typically need instrumentation for provenance, retrieval filtering, integrity checks on ingested content, and policy-enforced execution limits for tools and APIs.

For practitioners, Zscaler's framework consolidates common risk modes into a lifecycle checklist that is actionable for threat modeling and red teaming. The guidance echoes broader community recommendations around adversarial testing, data hygiene, and runtime enforcement but focuses attention on persistence and multi-step action chains that are more prominent in agentic deployments.

Indicators to monitor include anomalous retrievals from knowledge stores, unexpected tool invocations, policy-exempt permission escalations, and slow behavioral shifts revealed by long-term audit trails. Observers should also track vendor toolings for retrieval provenance, ingestion validation, and runtime policy enforcement as these capabilities mature.