AI Agents: New Attack Surface

Security analysts flagged AI agents—automated scripts and agentic systems—as an emerging attack surface that can be one prompt away from enabling ransomware or creating shadow‑IT risks. The advice is to inventory non‑human identities and apply least‑privilege controls and monitoring. (computerweekly.com) (apnnews.com)

ESET Research publicly disclosed PromptLock on August 27, 2025, a proof‑of‑concept ransomware that queries a locally hosted gpt‑oss:20b model via the Ollama API to generate and execute cross‑platform Lua scripts in real time. (eset.com)

Microsoft published a Secure Agentic AI strategy and said Agent 365 — a control plane that ties Microsoft Defender, Entra and Purview together to observe and govern agents — will be generally available on May 1, 2026 and is included in Microsoft 365 E7. (microsoft.com) Microsoft-managed Conditional Access policies are exposed in the Entra admin center, and the company reports that requiring multifactor authentication via these policies reduces the risk of compromise by more than 99%. (learn.microsoft.com)

Microsoft documentation and third‑party IAM guidance name Azure managed identities, service principals and service accounts as common non‑human identities and explicitly recommend enforcing least‑privilege, automated credential rotation and just‑in‑time access to reduce blast radius. (chanceofsecurity.com)

Agentic capabilities are rolling into mainstream enterprise software: the Salesforce/AWS collaboration has generated more than $2 billion in AWS Marketplace lifetime sales in under 18 months, Oracle announced agentic features for Fusion apps on March 24, 2026, and new platforms like Automatic.co are launching agentic deployment tools — all of which increase the number of potential unmanaged agent endpoints. (aws.amazon.com)

U.S. federal ransomware guidance continues to stress phish‑resistant MFA and offline, regularly tested backups as primary mitigations, as reflected in CISA’s ongoing #StopRansomware advisories and joint agency guidance. (cisa.gov)
