CERT-In warns on the Hidden cybersecurity Risks targeting AI Agents and Applications

New Delhi, India | June 2026
The Indian Computer Emergency Response Team (CERT-In) highlights this in its May 2026 Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure. The document devotes substantial attention not only to AI as an offensive tool but to the adversarial threats facing AI models, inference systems, agents, and integrated workflows.
As organizations rush to deploy AI agents for automation, customer service, software development, decision support, and operational workflows, these systems are becoming high-value targets.
Compromising an AI agent isn’t just about stealing data; it can mean hijacking autonomous actions with real-world consequences.
Core Risks to AI Agents and Applications
Here are the key adversarial and operational risks outlined or implied in the CERT-In blueprint:
1. Prompt Injection and Input Manipulation: Attackers craft specially designed inputs (text, images, or structured data) to override an AI’s intended behavior. In agentic systems with tool-calling or action capabilities, this can lead to unauthorized API calls, data exfiltration, or execution of malicious commands. Traditional input sanitization often fails against sophisticated, context-aware injections. The blueprint explicitly calls for prompt injection protection, input validation/sanitization, and behavioral monitoring.
2. Model Manipulation, Poisoning, and Adversarial Examples: Attackers can poison training or fine-tuning data to implant backdoors, degrade performance, or create hidden triggers. For deployed models, adversarial perturbations (subtle changes to inputs) can cause misclassification, unsafe outputs, or evasion of safety filters. This is especially dangerous in vision, multimodal, or decision-making agents. The blueprint stresses model integrity validation, provenance checks, and adversarial testing.
3. Insecure Integrations, APIs, and Orchestration Pipelines: AI systems rarely operate in isolation. They connect to retrieval systems (RAG), plugins, external APIs, databases, and enterprise tools. Weaknesses here enable data leakage, privilege escalation, or lateral movement. Agentic AI that can act autonomously amplifies the blast radius. CERT-In recommends secure API design, secrets management, access controls, and continuous monitoring of AI activity and telemetry.
4. AI Model Theft and Intellectual Property Extraction: Sophisticated attackers can extract model architecture, weights, or training data through query-based attacks or side-channel methods. This not only steals valuable IP but can enable further attacks or competitive intelligence gathering. The blueprint emphasizes protecting against unauthorized modification and maintaining version control and inference validation.
5. Sensitive Data Leakage: AI outputs can inadvertently reveal training data, proprietary information, or user context (membership inference, model inversion). Public or semi-public AI platforms compound this when employees upload sensitive data. The blueprint stresses data classification, retention policies, monitoring of AI-related data flows, and strict policies against uploading regulated or sensitive information to public AI services.
6. Risks Specific to Autonomous and Agentic AI Systems: This is perhaps the most forward-looking concern. Agentic AI (systems that can plan, use tools, and execute multi-step actions with limited human intervention) introduces new attack surfaces. A compromised agent could perform financial transactions, modify infrastructure, or escalate privileges autonomously. The blueprint specifically calls for:
   - Defined operational boundaries and permissions
   - Continuous monitoring and audit logging
   - Override and emergency shutdown mechanisms
   - Human oversight for high-impact decisions
7. Third-Party AI Provider and Supply-Chain Risks: Many organizations rely on external LLMs, AI APIs, or hosted models. These introduce dependency risks, potential data exfiltration to foreign providers, and supply-chain attacks if the provider is compromised. The blueprint recommends assessing provider security posture, reviewing contractual data-handling obligations, and maintaining contingency plans.
8. AI-Assisted Development Risks (DevSecOps): Ironically, using AI coding assistants can introduce vulnerabilities if generated code isn’t rigorously reviewed. The blueprint advises treating AI-generated code and dependencies with the same scrutiny as human-written code, applying SAST, DAST, and dependency analysis.
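The four agentic-AI controls listed under item 6 (permission boundaries, audit logging, an emergency override, and a human approval gate for high-impact actions) can be enforced at one choke point: a policy gate that the agent runtime must consult before executing any tool call. The following is an added illustration, not code from the CERT-In blueprint; the tool names, the permission profile and the approver callback are constructed placeholders.

```python
import json
import time
from dataclasses import dataclass, field

# Constructed permission profile for one agent. Anything not listed here
# lies outside the agent's operational boundary and is refused outright.
TOOL_POLICY = {
    "search_kb":       {"high_impact": False},
    "create_ticket":   {"high_impact": False},
    "transfer_funds":  {"high_impact": True, "max_amount": 1000},
    "modify_firewall": {"high_impact": True},
}


@dataclass
class ToolCallGate:
    """Every tool call the agent wants to make is routed through evaluate()."""
    audit_log: list = field(default_factory=list)  # continuous audit trail
    halted: bool = False                            # emergency shutdown flag

    def emergency_stop(self) -> None:
        """Operator override: no further autonomous actions are executed."""
        self.halted = True
        self._audit("*", {}, "halt", "emergency stop engaged by operator")

    def evaluate(self, tool: str, args: dict, approver=None) -> tuple[str, str]:
        """Return (decision, reason). `approver` is a hypothetical callback that
        represents the human oversight step and returns True or False."""
        if self.halted:
            return self._audit(tool, args, "deny", "agent is halted")
        policy = TOOL_POLICY.get(tool)
        if policy is None:
            return self._audit(tool, args, "deny", "tool outside permission boundary")
        limit = policy.get("max_amount")
        if limit is not None and args.get("amount", 0) > limit:
            return self._audit(tool, args, "deny", f"amount exceeds limit {limit}")
        if policy["high_impact"]:
            if approver is None:
                return self._audit(tool, args, "hold", "awaiting human approval")
            if not approver(tool, args):
                return self._audit(tool, args, "deny", "human approver rejected")
            return self._audit(tool, args, "allow", "human approved high-impact action")
        return self._audit(tool, args, "allow", "within boundary, low impact")

    def _audit(self, tool, args, decision, reason):
        """Record every decision (allow, hold, deny, halt) as a structured log line."""
        entry = {"ts": time.time(), "tool": tool, "args": args,
                 "decision": decision, "reason": reason}
        self.audit_log.append(entry)
        print(json.dumps(entry))  # in production, forward to the SIEM
        return decision, reason
```

A "hold" decision is the signal for the runtime to pause the agent and surface the pending action to a human rather than retry it.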
Why These Risks Matter Now
Traditional perimeter and signature-based defenses are insufficient against attacks that target the logic and behavior of AI systems.
AI agents, by design, are granted more autonomy and tool access than conventional applications, making them attractive targets for sophisticated adversaries (including nation-state actors and advanced persistent threats).
The CERT-In blueprint notes that exploitation timelines are shrinking and attacks are becoming more autonomous.
Defending AI systems requires a shift toward assume-breach mindsets, continuous validation (including red teaming and adversarial simulations), AI-specific controls, and strong governance.
What Organizations Should Do
The blueprint outlines practical measures across 16 areas for secure AI adoption, including:
- Maintaining comprehensive AI asset inventories (including shadow AI)
- Conducting AI-specific risk assessments before deployment
- Implementing layered controls: access management, prompt protection, logging, and behavioral monitoring
- Performing adversarial testing, prompt injection testing, and model integrity validation
- Establishing human oversight gates for critical actions
- Training staff on AI-related risks (data exposure, deepfakes, secure usage)
- Continuous governance review and adaptive policies
The Bottom Line
AI agents and applications are not just tools; they are becoming critical infrastructure components.
As they gain autonomy and integrate deeper into digital ecosystems, the attack surface expands dramatically.
The CERT-In blueprint serves as both a warning and a roadmap: organizations that treat AI security as an afterthought risk not only data breaches but the integrity of automated decision-making and operational processes.
Securing AI isn’t just about protecting models.
It’s about ensuring that the next generation of intelligent systems remains trustworthy, resilient, and under human accountability.
For the full technical recommendations, organizations can refer to the official CERT-In blueprint (Version 1.0 | 25.05.2026) and engage with the CERT-In AI Cyber Defence Center for guidance.