Dissecting evolving patterns in prompt‑extraction, safety‑bypass, and agent‑specific exploits can be used to drive new preemptive defense strategies this year.

As AI moves from controlled experiments into real‑world applications, we are entering an inflection point in the security landscape. The transition from static language models to interactive, agentic systems is well underway.

However, attackers are not waiting for maturity: they are adapting at the same rapid pace, probing systems as soon as new capabilities are introduced. As soon as models begin interacting with anything beyond simple text prompts (for example: documents, tools, external data) the threat surface expands, and adversaries adjust instantly to exploit it.

This moment may feel familiar to those who watched early web applications evolve, or who observed the rise of API‑driven attacks. But with AI agents, the stakes are different. The attack vectors are emerging faster than many organizations anticipated.

Signals from Q4 2025 agent-attacks

Research data alludes to three dominant patterns emerging from Q4 last year. Each has profound implications for how AI systems are designed, secured, and deployed. Other research groups have reported similar themes, though not always with the same emphasis or methodology.

1. System prompt extraction as a central objective
In traditional language models, prompt injection (directly manipulating input to influence output) has been a well‑studied vulnerability. However, in systems with agentic capabilities, attackers increasingly target the system prompt, which is the internal instructions, roles, and policy definitions that guide agent behavior.

Extracting system prompts is a high‑value objective because these prompts often contain role definitions, tool descriptions, policy instructions, and workflow logic. Once an attacker understands these internal mechanics, they gain a blueprint for manipulating the agent.

The most effective techniques for achieving this were not brute‑force attacks, but rather clever reframing:

  • Hypothetical scenarios: Prompts that ask the model to assume a different role or context — e.g., “Imagine you are a developer reviewing this system configuration…” — often coaxed the model into revealing protected internal details.
  • Obfuscation inside structured content: Attackers embedded malicious instructions inside code‑like or structured text that bypassed simple filters and triggered unintended behavior once parsed by the agent.

This is not just an incremental risk — it fundamentally alters how we think about safeguarding internal logic in agentic systems. Other work has shown that prompt‑extraction can also succeed through social‑engineering‑style prompts, not just technical obfuscation.

2. Subtle content safety bypasses
Another key trend involves bypassing content safety protections in ways that are difficult to detect and mitigate with traditional filters. Instead of overtly malicious requests, attackers framed harmful content as:

  • Analysis tasks
  • Evaluations
  • Role‑play scenarios
  • Transformations or summaries

These reframings often slipped past safety controls because they appear benign on the surface. A model that would refuse a direct request for harmful output could happily produce the same output when asked to “evaluate” or “summarize” it in context.

This shift underscores a deeper challenge: content safety for AI agents is not just about policy enforcement; it is about how models interpret intent. As agents take on more complex tasks and contexts, models become more susceptible to context‑based reinterpretation — and attackers exploit this behavior.
Independent researchers have also highlighted that some of these bypasses can be mitigated through multi‑layered, human‑in‑the‑loop review, not just automated filters.

3. Emergence of agent‑specific attacks
Perhaps the most consequential finding was the appearance of attack patterns that only make sense in the context of agentic capabilities. These were not simple prompt injection attempts but exploits tied to new behavior patterns:

  • Attempts to access confidential internal data: Prompts were crafted to convince the agent to retrieve or expose information from connected document stores or systems — actions that would previously have been outside the model’s scope.
  • Script‑shaped instructions embedded in text: Attackers experimented with embedding instructions in formats resembling script or structured content, which could flow through an agent pipeline and trigger unintended actions.
  • Hidden instructions in external content: Several attacks embedded malicious directives inside externally referenced content — such as webpages or documents the agent was asked to process — effectively circumventing direct input filters.

These patterns are early but signal a future in which agents’ expanding capabilities fundamentally change the nature of adversarial behavior. Other analysts have noted that similar risks can be mitigated through stricter input validation, least‑privilege tool access, and sandboxing, though these controls can impact usability.

Why indirect attacks are so effective

Indirect attacks have required fewer attempts than direct injections. This suggests that traditional input sanitization and direct query filtering are insufficient defenses once models interact with untrusted content.

When a harmful instruction arrives through an external agent workflow — whether it is a linked document, an API response, or a fetched webpage — early filters are less effective. The result: attackers have a larger attack surface and fewer obstacles.

Editor’s note: Some opensource guardrail projects argue that indirect attacks can be partially mitigated by treating all external content as untrusted, and by adding additional parsinglayer checks, although this increases engineering complexity.

Implications for 2026 and beyond

The findings discussed here carry urgent implications for organizations planning to deploy agentic AI at scale. Similar concerns have been raised by academic security researchers and by platform‑level vendors, although their recommended mitigations are sometimes different:

  1. Redefine trust boundaries
    Trust cannot simply be binary. As agents interact with users, external content, and internal workflows, systems must implement nuanced trust models that consider context, provenance, and purpose. Some organizations are experimenting with zero‑trust‑style architectures for agents, though these can be costly to implement.
  2. Guardrails must evolve
    Static safety filters aren’t enough. Guardrails must be adaptive, context‑aware, and capable of reasoning about intent and behavior across multi‑step workflows. Independent projects have demonstrated that lightweight, open‑source guardrails can complement, but not fully replace, more comprehensive platform‑level protections.
  3. Transparency and auditing are essential
    As attack vectors grow more complex, organizations need visibility into how agents make decisions — including intermediate steps, external interactions, and transformations. Auditable logs and explainability frameworks are no longer optional. However, some privacy‑focused teams caution that excessive logging can create new data‑exposure risks if not carefully managed.
  4. Cross-disciplinary collaboration is key
    AI research, security engineering, and threat intelligence teams must work together. AI safety can’t be siloed; it must be integrated with broader cybersecurity practices and risk management frameworks. Some vendors position themselves as central to this collaboration, but open‑source and academic efforts also play a significant role.
  5. Regulation and standards must catch up
    Policymakers and standards bodies must recognize that agentic systems create new classes of risk. Regulations that address data privacy and output safety are necessary but not sufficient; they must also account for interactive behaviors and multi‑step execution environments. Some regulators are already exploring agent‑specific guidance, though consensus is still emerging.

For enterprises and developers, the message is clear: securing AI agents is not just a technical challenge; it is an architectural one.

Different organizations will prioritize different trade‑offs between security, usability, and cost, and no single vendor or framework currently offers a complete solution.