Agentic Autonomy Levels and Security

Agentic workflows are the next evolution in AI-powered tools. They enable developers to chain multiple AI models together to perform complex activities…

Rich Harang
13 min readintermediate
--
View Original

Overview

The article discusses agentic workflows, which represent the evolution of AI-powered tools that enable complex task automation with minimal human interaction. It highlights the associated security risks, particularly focusing on prompt injection vulnerabilities in large language models (LLMs) and presents a framework for assessing and mitigating these risks in autonomous AI systems.

What You'll Learn

1

How to assess the risks associated with agentic workflows in AI systems

2

Why prompt injection poses a significant threat to LLMs in autonomous systems

3

When to implement taint tracing for sensitive tools in AI workflows

4

How to classify AI systems based on their autonomy levels

Prerequisites & Requirements

  • Understanding of AI workflows and security principles

Key Questions Answered

What are the different levels of autonomy in AI systems?
The article classifies AI systems into four levels of autonomy: Level 0 (Inference API), Level 1 (Deterministic system), Level 2 (Weakly autonomous system), and Level 3 (Fully autonomous system). Each level describes how user requests trigger inference calls and the complexity of decision-making involved.
How can prompt injection affect LLMs in agentic systems?
Prompt injection can occur in two forms: direct and indirect. Direct prompt injection happens when an adversary manipulates their own session, while indirect prompt injection involves malicious data affecting another user's session, posing significant risks to the integrity of LLM outputs.
What security controls are recommended for different autonomy levels?
For Level 0, standard API security is advised. Level 1 systems should manually trace data flows to prevent untrusted data from entering sensitive plugins. Level 2 systems require enumeration of data flows and potential sanitization, while Level 3 systems necessitate taint tracing and mandatory sanitization of untrusted data.
What is taint tracing and when should it be used?
Taint tracing is a method for marking execution flows that have received untrusted data, requiring manual re-authorization for sensitive tools. It is particularly important in Level 3 systems where the complexity of workflows makes tracking untrusted data challenging.

Technologies & Tools

Backend
Nvidia Nim Microservice
Serves as an example of a Level 0 system where a single user request results in a single inference call.
Backend
Nvidia Generative Virtual Screening For Drug Discovery Blueprint
Illustrates a Level 1 deterministic system where multiple inference requests are triggered in a predetermined order.
Backend
Nvidia Vulnerability Analysis For Container Security Blueprint
Serves as an example of a Level 3 fully autonomous system where the AI model can freely decide on actions.

Key Actionable Insights

1
Implementing taint tracing in AI systems can significantly enhance security by ensuring that any untrusted data is properly flagged and managed before it influences sensitive actions.
This is particularly crucial in Level 3 autonomous systems where the complexity of workflows can lead to unpredictable behavior if untrusted data is not adequately controlled.
2
Regularly assess the autonomy level of your AI systems to determine the appropriate security measures needed to mitigate risks associated with untrusted data.
Understanding the autonomy level helps in tailoring security controls and threat modeling strategies effectively, especially as systems evolve.
3
Ensure that sensitive plugins in AI workflows have robust isolation strategies to prevent untrusted data from impacting their operations.
This is vital in maintaining the integrity of actions taken by AI systems, especially in environments where multiple users interact with shared resources.

Common Pitfalls

1
Failing to properly isolate sensitive plugins from untrusted data can lead to significant security vulnerabilities in AI systems.
This often occurs when developers underestimate the complexity of data flows and the potential for adversarial manipulation, particularly in systems with higher autonomy levels.