Microsoft’s New Agentic AI and the Security Risks

With Windows 11’s new agentic AI comes new risks. Users can choose to give permission to background agents to perform tasks, interact with applications, and manage files. But Microsoft’s own security notes make clear that convenience comes security concerns: semi-autonomous agents create semi-autonomous risks. If settings are wrong, permissions are too loose, or prompts are manipulated by malicious content or compromised apps, attackers could steal data or install malware.

For security teams, and especially penetration testers (pentesters), this changes the threat model. Pentesting was about probing network boundaries and privilege escalations; now it must include evaluating how AI agents interpret prompts, what they can access, and whether isolation barriers stand up under pressure. Pentesters will need to simulate malicious prompt injection and analyze permission leakage, treating AI agents as new users with their own exploitable surfaces. Platforms like Cyver (core.cyver.io) will be important in automating pentest reporting and organizing workloads.

New AI features and new attack paths

AI agents work in an isolated environment that’s meant to keep them separate from the main user session. In theory, this helps contain risks and prevents them from accessing anything outside their permissions.

According to Microsoft’s own notes, these agents can still interact with many parts of the system depending on the permissions users grant. If those permissions are too broad, or if a malicious app manages to feed harmful prompts to the agent, the AI could end up doing things the user never intended. For example, a harmful prompt hidden inside a document, webpage, or email could mislead the AI into copying data, opening sensitive files, or executing actions that put the device at risk.

Microsoft also highlights the risk of cross-prompt injections (XPIA). This happens when malicious content hidden in a UI element, document, or app overrides an agent’s instructions and causes it to perform actions the user never intended.

In a worst-case scenario, a compromised application could trigger an AI agent to install malware or disable security controls. Even though the agent workspace is designed with constraints, attackers are always looking for ways to bend or bypass those rules

Why pentesting matters even more now

Pentesting has always been about finding weak spots before attackers do. But with AI agents entering the picture, pentesting needs to evolve. Instead of only checking networks, applications, and user accounts, pentesters will have to consider how AI behaves under different conditions and how it responds to unexpected instructions.

One major task for pentesters will be testing how well the agent workspace handles prompt injection. This means trying to trick the AI into doing something harmful by feeding it carefully crafted text or commands. If a simple document or webpage can influence an AI agent, that’s a serious security issue – and pentesters need to uncover these weaknesses early.

Pentesters will also assess permission settings. Some risks come from users clicking “Allow” without understanding the full consequences. By simulating attacks where permissions are misconfigured, pentesters can show organizations how attackers might take advantage of too much access.

Microsoft says the agents operate separately from the main session, but pentesters will want to push those boundaries. They’ll check whether an agent can access files it shouldn’t, and whether it can be used to reach into another process or communicate with software it wasn’t supposed to.

Last word

Many people will be interested in the convenience of agentic AI, but there are new security challenges. Windows 11 may have affectively just become smarter and more helpful, but potentially more problematic. By understanding permissions, being careful with files and apps, and knowing how prompts can affect AI agents, users can stay safer.