The seven new failure modes it has recognized are:
- Agentic Provide Chain Compromise —agent habits might be affected by pure language quite than malicious code;
- Aim Hijacking — adversarial directions seem aligned with respectable activity completion, whereas silently redirecting the agent’s terminal aim;
- Inter-Agent Belief Escalation —a compromised agent asserts false identification or inflates claimed permissions to an orchestrator;
- Pc Use Agent (CUA) Visible Assault — brokers working by graphical interfaces might be manipulated by content material that carries adversarial directions for the agent;
- Session Context Contamination —an adversary introduces knowledge that biases the agent’s reasoning in subsequent steps, with out triggering security controls at any particular person step;
- MCP / Plugin Abuse — an replace on the unique taxonomy’s protection of operate compromise round MCP and plugin protocols, particularly assault surfaces particular to these protocols;
- Functionality / Structure Disclosure —an agent reveals inner implementation particulars equivalent to instrument names and schemas, system-prompt construction, reminiscence interfaces, or consent/human-in-the-loop set off logic.
Microsoft advises safety groups utilizing these definitions to affect their planning to stock their your provide chain, producing a software program invoice of supplies (SBOM) for each deployed agent, to confirm agent identification cryptographically, not positionally, by issuing attestable credentials at provisioning, so as to add the seven new failure modes to their red-team protection matrix, and to audit the human-in-the-loop consumer expertise as a safety management.
