AI agents that browse the web, run code, and call APIs are now common enough that researchers have produced a formal taxonomy of how they can be attacked — and how they can attack.
A paper published on arXiv lays out what its authors call a "security duality" in large language model agents. On one side, autonomous agents introduce new vulnerabilities: prompt injection through external data sources, tool misuse, memory poisoning, and compromised orchestration layers. On the other, the same capabilities — persistent context, multi-step reasoning, tool access — make agents increasingly useful for threat detection, penetration testing, and incident response. The survey proposes what the authors describe as the first framework that maps agent capabilities against the full offensive and defensive security lifecycle.
The framing matters because most security discourse treats AI risk and AI capability as separate conversations. This work argues they are self-reinforcing: better defenses for agents produce more reliable autonomous defenders, and deploying agents as offensive tools exposes new weaknesses to fix. That feedback loop is underappreciated in a field that tends to publish vulnerability papers and capability papers in separate silos.
The timing is pointed. AI agents are moving from demos into production pipelines faster than security frameworks can follow — a dynamic that looks familiar to anyone who watched cloud adoption outpace cloud security by half a decade. A survey paper does not close that gap, but mapping the terrain is a reasonable first step.