Full Report
Earlier this month, I spoke at the Gartner Security & Risk Management Summit about a blind spot most security programs are still not accounting for - how attackers are circumventing AI security programs by using legacy infrastructure to hijack AI agents. AI adoption is moving faster than security programs can account for. Roughly 71% of organizations are piloting AI agents across their
Analysis Summary
# Best Practices: Securing AI Agents Against Legacy Infrastructure Risks
## Overview
These practices address a critical "blind spot" in modern security: the hijacking of AI agents via vulnerabilities in traditional, legacy infrastructure. Rather than attacking the AI model itself, threat actors exploit unpatched servers, misconfigured Active Directory (AD) permissions, and cached credentials to inherit the high-privileged access granted to AI agents. These guidelines focus on closing the "attack paths" that connect old vulnerabilities to new AI capabilities.
## Key Recommendations
### Immediate Actions
1. **Enforce Minimum Necessary Privileges:** Audit AI agent service accounts and immediately revoke "Admin" or overly broad "Read" access. Use the principle of least privilege (PoLP) for all S3 buckets and cloud storage feeding AI models.
2. **Patch Perimeter Vulnerabilities:** Prioritize patching external-facing servers (e.g., Apache Tomcat) against CVEs listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
3. **Credential Hygiene:** Clear cached credentials and session tokens from developer machines and build servers that have access to AI orchestration layers.
### Short-term Improvements (1-3 months)
1. **AI Exposure Mapping:** Map every AI agent's "reach"—identify every database, Lambda function, and SaaS integration it connects to.
2. **Zero Trust for AI:** Implement Zero Trust Network Access (ZTNA) to replace traditional VPNs, ensuring users and agents connect directly to applications rather than the broad network.
3. **Identity Security Audit:** Review Active Directory and IAM roles to ensure a compromise in legacy infrastructure (like an on-prem server) cannot escalate into cloud-based AI environments.
### Long-term Strategy (3+ months)
1. **Exposure Management Program:** Move beyond reactive scanning to a proactive exposure management strategy that identifies complex attack paths linking legacy systems to AI workloads.
2. **Governance Modernization:** Map every AI action to a specific human owner and establish automated guardrails that prevent the provisioning of over-privileged AI accounts.
3. **Continuous Supply Chain Security:** Integrate security scanning into the CI/CD pipeline to catch vulnerabilities before AI agents are moved from pilot to production.
## Implementation Guidance
### For Small Organizations
- **Focus:** SaaS Security and Identity.
- **Action:** Rely on built-in security features of AI platforms (e.g., AWS Bedrock guardrails) and enforce Multi-Factor Authentication (MFA) across all identity providers (IdPs).
### For Medium Organizations
- **Focus:** Permission Management.
- **Action:** Conduct a "permission cleanup" to ensure that data exports (e.g., Salesforce to S3) aren't accessible to unauthorized internal users or developers who don't need production access.
### For Large Enterprises
- **Focus:** Attack Path Analysis and Segmentation.
- **Action:** Use automated tools to visualize lateral movement paths from legacy Active Directory environments to cloud-native AI agents. Implement micro-segmentation to isolate AI-powered functions from the general corporate network.
## Configuration Examples
* **S3 Bucket Policy:** Do not grant `s3:*`; allow only `s3:GetObject` on the specific bucket(s) for the specific AI service principal.
* **Lambda Execution Roles:** Avoid `AdministratorAccess`; use custom IAM policies that restrict execution to specific resource ARNs.
* **Service Accounts:** Configure AI service accounts with "no-interactive-login" flags to prevent them from being hijacked for lateral movement via RDP or SSH.
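To make the S3 bucket policy and Lambda execution role points above checkable, here is an added example (not from the original report) that lints a policy document for the wildcard grants that cause permission bloat. The bucket name and role ARN are constructed placeholders; the same checker works on both bucket policies (with `Principal`) and IAM role policies (without it).

```python
"""Added example: flag over-broad Allow statements in an S3 bucket policy
or IAM role policy. Bucket name and role ARN below are constructed."""
import json

# Constructed "before" policy: the AI agent role is granted s3:* on every resource.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AgentFullAccess",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-ai-agent"},
        "Action": "s3:*",
        "Resource": "*",
    }],
})

# Constructed "after" policy: read-only access to one bucket's objects for one principal.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AgentReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-ai-agent"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-ai-training-data/*",
    }],
})


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Principal values."""
    return value if isinstance(value, list) else [value]


def find_overbroad_grants(policy_json: str) -> list:
    """Return (Sid, reason) pairs for every Allow statement that uses a
    wildcard action (e.g. s3:*), a wildcard resource, or a wildcard principal."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; they are not bloat
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((sid, f"wildcard action {action}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((sid, "wildcard resource"))
        principal = stmt.get("Principal")  # absent in IAM role policies
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append((sid, "wildcard principal"))
    return findings
```

Run it against the policies attached to each AI agent's role and bucket; an empty result is the expected state after the "permission cleanup" described for medium organizations.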
## Compliance Alignment
- **NIST AI RMF (Risk Management Framework):** For managing risks to individuals and organizations.
- **ISO/IEC 42001:** For AI management system standards.
- **CISA KEV:** For prioritizing vulnerability remediation.
- **CIS Benchmarks:** For hardening legacy servers (Apache, Windows Server) that support AI ecosystems.
## Common Pitfalls to Avoid
- **"AI-Only" Security Focus:** Ignoring the underlying infrastructure (servers, IdPs, databases) while focusing solely on prompt injection or model poisoning.
- **Permission Bloat:** Granting AI agents more permissions than the humans they assist; this creates a high-value target for attackers.
- **Shadow AI:** Allowing teams to move pilots into production workflows without a security review of the "inherited" legacy permissions.
## Resources
- **CISA Known Exploited Vulnerabilities Catalog:** https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- **OWASP Top 10 for LLM Applications:** https://owasp.org/www-project-top-10-for-large-language-model-applications/
- **Gartner Security & Risk Management Summit:** https://www.gartner.com/en/conferences/na/security-risk-management-us