← Back to blog

AI Security · DeepScan Research

AI agent tool abuse: what a pentest should actually test

The agentic AI risks that matter in production: excessive agency, weak tool authorization, unsafe workflows, and cross-system impact.

AI agentstool abuseexcessive agencyLLM security

AI agent risk becomes serious when a model can use tools. A prompt injection that only changes wording is a content integrity issue. A prompt injection that causes an agent to query a database, send a message, change a CRM field, create a ticket, or expose a file is a security issue with operational impact.

Tool authorization should be tested separately from user interface authorization. A user might be blocked from clicking an admin button but still able to persuade an agent to call an admin tool. Every tool needs explicit permissions, input validation, tenant checks, rate limits, and audit logging.

Test excessive agency. Agents should not decide to take high-impact actions without approval. Examples include sending external emails, deleting records, changing billing state, altering permissions, exporting data, or making irreversible workflow changes. A pentest should verify where human approval is enforced.

Test chained actions. Many real failures require more than one step: retrieve sensitive context, summarize it, call a tool with the summary, then share the output. Multi-turn testing is essential because single-prompt checks often miss the chain that creates impact.

Test indirect control. If the agent reads tickets, documents, websites, emails, chat messages, or vendor questionnaires, those sources are untrusted input. They can carry instructions that attempt to control tool use. The system should treat retrieved content as data, not authority.

Evidence should include the full transcript, retrieved content, tool call inputs, tool call outputs, permission state, and final impact. Without that, engineering teams cannot distinguish model behavior from application authorization bugs.

DeepScan tests AI agents as production systems, not demos. That means combining prompt injection, RAG boundary testing, API authorization, workflow abuse, and reportable proof into one engagement.