An AI agent is an AI system that
does not just generate text: it takes actions. It calls tools, queries
databases, browses the web, writes and runs code, sends messages, and
increasingly delegates work to other agents. The connecting layer is
often an open protocol such as MCP (the Model Context Protocol),
introduced by Anthropic in November 2024 and now widely adopted, which
gives a language model structured access to real systems.
Agent risk is the family of risks
that arises specifically because the system acts: a wrong output becomes
a wrong action, executed with real permissions, often in chains where
one mistaken step feeds the next. Security researchers identify threat
vectors that do not exist in passive AI: prompt injection through
content the agent reads, privilege escalation through over-broad
permissions, unintended action chains, data exfiltration through tool
use, and supply-chain compromise.
Three properties set this apart from classic software risk. Agents are
probabilistic: the same input can
produce different actions. They are open
to instruction: anything an agent reads, a web page, a PDF, an email,
another agent’s message, is potentially an instruction, which is why
prompt injection has no clean software analogue. And they operate at
machine speed and scale: a flawed
policy executes a thousand times before a human notices once.
Those three properties describe how an agent acts. A fourth difficulty
is about how its work is checked. Agent output behaves as a
credence good: fluent text is not
the same as correct, secure or well-governed work, and the person
relying on it often cannot tell the difference before acting on it,
after acting on it, or in some cases ever. That distance between fluent
and verified is why the assurance of agents is treated as a separate
problem from testing ordinary software, and it is the subject the
companion book takes up.