The seven new failure modes it has recognized are:
- Agentic Provide Chain Compromise —agent conduct may be affected by pure language reasonably than malicious code;
- Aim Hijacking — adversarial directions seem aligned with respectable job completion, whereas silently redirecting the agent’s terminal objective;
- Inter-Agent Belief Escalation —a compromised agent asserts false identification or inflates claimed permissions to an orchestrator;
- Pc Use Agent (CUA) Visible Assault — brokers working by way of graphical interfaces may be manipulated by way of content material that carries adversarial directions for the agent;
- Session Context Contamination —an adversary introduces information that biases the agent’s reasoning in subsequent steps, with out triggering security controls at any particular person step;
- MCP / Plugin Abuse — an replace on the unique taxonomy’s protection of operate compromise round MCP and plugin protocols, particularly assault surfaces particular to these protocols;
- Functionality / Structure Disclosure —an agent reveals inner implementation particulars reminiscent of software names and schemas, system-prompt construction, reminiscence interfaces, or consent/human-in-the-loop set off logic.
Microsoft advises safety groups utilizing these definitions to affect their planning to stock their your provide chain, producing a software program invoice of supplies (SBOM) for each deployed agent, to confirm agent identification cryptographically, not positionally, by issuing attestable credentials at provisioning, so as to add the seven new failure modes to their red-team protection matrix, and to audit the human-in-the-loop person expertise as a safety management.
