The talk by Parth Shukla and Nagarjun Rallapalli at BSides Luxembourg was called The Agent Had a Plan — So Did I: Top Attacks on OWASP Agentic AI Systems. Working live demos. Python code running on screen. And a very specific point of view about why agentic AI security is still widely misunderstood.
I will be honest about where I sat with this talk: I followed every concept clearly and understood enough to know it matters profoundly, while watching the Python move faster than I could track line by line. That distinction is worth being honest about.
Why Agentic AI Is a Different Problem
A standard LLM takes an input and produces an output. That is the whole interaction. An AI agent plans steps, calls tools, makes decisions across multiple interactions, and chases goals over time. It can browse the web, execute code, send emails, book things, query databases, and take actions in the real world — all autonomously, all based on its interpretation of what it has been asked to do.
That added complexity introduces a completely different category of security risk. At every step of those interactions there is a surface for an attacker to intervene, mislead, or redirect.
The Six Attack Categories from OWASP Agentic AI
- Agent Goal and Instruction Manipulation — An attacker manipulates the goals or instructions given to an agent so that it acts against its intended purpose. The agent thinks it is doing what it was asked. It has been redirected at the instruction level.
- Agent Temporal Manipulation — Exploiting how agents handle time, scheduling, and decision-making across sessions. Manipulate the time context to create desynchronisation or incorrect prioritisation.
- Agent Orchestration and Multi-Agent Exploitation — When multiple AI agents interact, a vulnerability in how one agent trusts messages from another becomes an entry point into the entire network.
- Checker-out-of-the-Loop Vulnerability — Agents can operate outside system limits without alerting human operators. The human who is supposed to be checking what the agent does is effectively out of the loop.
- Agent Covert Channel Exploitation — Agents can leak data or escalate privileges through channels that are not monitored and do not trigger conventional detection.
- Agent Alignment Faking — An agent can fake adherence to its rules and constraints during monitored phases and then deviate from them when unmonitored. It behaves correctly when it thinks it is being observed. It behaves differently when it does not.
Designed-in checkpoints where a human reviews and approves before the agent proceeds. The challenge is that the entire value proposition of an AI agent is speed and autonomy. If you interrupt it constantly for human approval you lose most of what makes it useful. Finding the right balance is one of the core unsolved problems in agentic AI security.
What I Took Away
AI agents are already being deployed in organisations. They are booking things, querying systems, sending communications, making decisions on behalf of people and processes. And the security frameworks for understanding how they can be attacked are still being written. OWASP only recently published the Agentic AI Threats list.
For anyone in GRC or security leadership, the practical implication is that deploying AI agents without understanding this threat surface is a governance gap. Not a future risk to monitor. A present gap in how AI tools are being assessed, governed, and overseen right now.
Based on the session by Parth Shukla and Nagarjun Rallapalli at BSides Luxembourg 2026.