The emergence of autonomous AI agents has introduced a new category of risk that existing security frameworks were never designed to address.

In 2026, securing AI agents has emerged as what Bessemer Venture Partners describes as “the defining cybersecurity challenge” of the year. For organisations deploying AI to automate workflows, manage data, and interact with customers, the legal and regulatory consequences of getting this wrong are potentially severe.

This article examines the threat landscape, the frameworks emerging to address it, the security products being rushed to market, and — critically — what all of this means for your organisation’s data protection obligations.

Agents Are Actors, Not Tools

The first and most important conceptual shift is this: AI agents are not tools in the traditional sense. As Bessemer Venture Partners noted in their analysis, “AI agents aren’t tools — they’re actors. They make decisions, take actions, and interact with systems on behalf of your customers. Securing an actor is a fundamentally different problem than securing a tool.”

A traditional software tool does what it is told, when it is told. An AI agent, by contrast, operates with a degree of autonomy — it plans, reasons, chains actions together, calls external services, reads and writes to databases, sends emails, executes code, and makes decisions across extended timeframes, often without a human reviewing each step. When such an agent is compromised, the damage does not stop at the point of breach. It radiates outward through every system the agent has permission to touch.

IBM’s 2025 Cost of a Data Breach Report put a number on this: shadow AI breaches — those involving ungoverned or undiscovered AI systems — cost an average of £3.6 million per incident, some £520,000 more than a standard breach. When an AI agent is compromised, it can traverse systems, exfiltrate data, and escalate privileges at machine speed, before a human analyst can respond. The blast radius is not linear — it is exponential.

The OWASP Top 10 for Agentic Applications 2026

The OWASP GenAI Security Project’s Top 10 for Agentic Applications 2026 — developed with over 100 industry experts — is the first peer-reviewed framework dedicated to the unique risks of autonomous AI systems. Its ten risks range from Agent Goal Hijack (ASI01), described as “the new SQL Injection for the autonomous world,” through Tool Misuse (ASI02), Agent Identity and Privilege Abuse (ASI03), and Agentic Supply Chain Compromise (ASI04), to the more insidious Memory and Context Poisoning (ASI06) — where persistent agent memory stores are corrupted to bias future reasoning long after the initial attack. We examine each of these risks in detail, with particular focus on their data protection implications, in our dedicated post about this OWASP Top 10 a few days ago.

The Databricks AI Security Framework: A Technical Benchmark

For organisations seeking a comprehensive technical framework, the Databricks AI Security Framework (DASF) — now at version 3.0 — represents a thorough mapping of AI-specific security risks to practical controls currently available. Version 3.0 introduces Agentic AI as its 13th system component, adding 35 new technical security risks and six new mitigation controls, bringing the framework’s total to 97 risks and 73 controls.

The framework is structured around three architectural layers that characterise modern agentic systems. The Agent Core (covering memory and reasoning) faces risks including Memory Poisoning (Risk 13.1), where false context alters current or future agent decisions, and Cascading Hallucination Attacks, where corrupted reasoning propagates through multi-step workflows. The MCP Server layer — covering the tool interfaces through which agents interact with enterprise systems — faces Tool Poisoning (Risk 13.18), where malicious instructions are embedded in tool definitions, and Prompt Injection within tool descriptions that bypasses security controls. The MCP Client layer (connection interfaces) faces risks from Agent Communication Poisoning (Risk 13.12) and Rogue Agents in Multi-Agent Systems (Risk 13.13), where agents operate outside monitoring boundaries.

The six new mitigation controls introduced in DASF v3.0 are directly actionable for enterprise security teams: implementing least privilege for tools and resources; applying human-in-the-loop oversight for high-stakes actions; sandboxing and isolation for agent-generated code; deploying AI Gateways and Guardrails for real-time monitoring and safety filtering; implementing observability of an agent’s reasoning through agentic tracing; and applying rigorous supply chain security for MCP servers and tool registries.

The DASF is significant not merely as a technical guide but as a potential standard of care benchmark. Organisations facing regulatory scrutiny or litigation following an AI agent incident will need to demonstrate they assessed and addressed known risks. The DASF, alongside the OWASP Agentic Top 10, provides the documented basis for that defence.

Regulators Take Notice: NIST and the Standards Race

The regulatory community has moved quickly to acknowledge the problem. In January 2026, the Centre for AI Standards and Innovation (CAISI) at NIST issued a Request for Information about Securing AI Agent Systems, noting that “AI agent systems are capable of taking autonomous actions that impact real-world systems or environments, and may be susceptible to hijacking, backdoor attacks, and other exploits” that “may impact public safety, undermine consumer confidence, and curb adoption of the latest AI innovations.”

CAISI sought information on what security threats, risks, and vulnerabilities exist for AI agents; security best practices; how to assess the security of deployed agents; and whether the operational environment can be monitored or constrained to mitigate risks. In February 2026, NIST followed this with an AI Agent Standards Initiative aimed at developing interoperable and secure AI agent systems across industries.

This regulatory activity matters for several reasons. First, it signals that formal guidance is coming — and that organisations which have not yet assessed their agentic AI deployments risk being caught behind the regulatory curve when standards are formalised. Second, the framing of AI agents as systems that “impact real-world systems or environments” is directly relevant to data protection analysis under existing frameworks including the UK GDPR, the EU AI Act, and sector-specific regulations in financial services and healthcare. Third, the reference to “consumer confidence” signals a consumer protection dimension that may well generate enforcement action independent of data breach events.

Organisations in the EU should note that the EU AI Act’s classification of high-risk AI systems includes those making decisions with “significant effect on persons.” Many agentic AI deployments — autonomous decision-making in hiring, credit, insurance, or access to public services — may already fall within high-risk categories, triggering conformity assessment obligations, transparency requirements, and human oversight mandates that map directly onto the technical controls in DASF v3.0 and the OWASP Agentic Top 10.

The Vendor Response: Security Products for the Agentic Era

The security industry has responded to this challenge with speed. The major cybersecurity and AI platforms have each unveiled significant new capabilities specifically for agentic AI environments.

CrowdStrike has taken the position that the endpoint is the epicenter of AI security. Their new Falcon platform capabilities announced in March 2026 include AIDR for Desktop, which extends prompt-layer protections to AI applications including ChatGPT, Gemini, Microsoft Copilot, GitHub Copilot, and Cursor — monitoring and intercepting malicious prompts at the point of entry. Shadow AI Discovery for Cloud identifies ungoverned AI services, risky large language models, and MCP connections across infrastructure and application layers — addressing the growing problem of employees deploying AI agents without organisational oversight or security review. CrowdStrike also introduced Falcon Data Security, specifically designed to stop data theft across the agentic enterprise, providing real-time visibility into how sensitive data moves through AI pipelines.

NVIDIA took a different and technically significant approach, releasing OpenShell in March 2026 — an open-source runtime that enforces policy-based security, network, and privacy guardrails for autonomous agents. Rather than applying security controls at the model or application layer (where they can be circumvented through prompt manipulation), OpenShell applies them at the infrastructure level: each agent operates inside an isolated sandbox where system-level policies define and enforce permissions, resource access, and operational constraints. NVIDIA has built compatibility partnerships with Cisco, CrowdStrike, Google, Microsoft Security, and Trend Micro. The CrowdStrike-NVIDIA Secure-by-Design AI Blueprint, announced simultaneously, integrates Falcon platform protections directly into OpenShell at the infrastructure layer — a significant architectural advance for enterprise deployments.

Palo Alto Networks unveiled Prisma Browser in March 2026, positioning it as the industry’s first enterprise browser built specifically for the agentic AI era. As employees increasingly delegate tasks to autonomous agents that operate through web interfaces, the browser becomes a primary attack surface for prompt injection, agent hijacking, and shadow AI adoption. Prisma Browser provides an Agentic Workspace that allows organisations to deploy and govern AI agents across any LLM platform, Data Protection capabilities that discover and protect sensitive data throughout the entire AI lifecycle, and Business Continuity features that ensure operational resilience for agent-dependent workflows. Its ability to prevent leakage into shadow AI environments addresses one of the most significant data protection risks in agentic deployments.

These products represent the beginning of a distinct new market category. Organisations evaluating AI security products should look for capabilities that address the specific threat vectors in the OWASP Agentic Top 10 — particularly prompt injection detection, memory integrity monitoring, MCP server governance, and agent identity management.

Data Protection Law in the Agentic Era: Key Legal Implications

The legal implications of these threats for organisations subject to UK GDPR, EU GDPR, and the EU AI Act are significant and, in several cases, still developing.

Accountability and the Human Review Problem. Both UK and EU GDPR place data controllers under a duty of accountability — the ability to demonstrate compliance. When an AI agent operates autonomously across multiple systems, processing personal data as part of a multi-step workflow, demonstrating accountability requires the kind of agentic tracing and observability that DASF v3.0 identifies as a core control. Organisations deploying agents without robust logging of agent reasoning and actions will struggle to demonstrate compliance in the event of a regulatory inquiry.

Automated Decision-Making Under Article 22. Many agentic AI deployments will constitute “solely automated processing” producing “decisions which produce legal effects” or “similarly significantly affect” data subjects. The obligation to provide meaningful information about the logic involved, and to ensure a right to human review, requires that agent decision paths are auditable and that human override mechanisms are technically implemented — not merely promised in a privacy notice.

Data Minimisation and Least Privilege. Memory Poisoning (DASF Risk 13.1) and Agent Identity and Privilege Abuse (OWASP ASI03) both arise in environments where agents have been granted access to far more data than any single task requires. The principle of data minimisation under Article 5(1)(c) GDPR, applied to agentic AI, requires that agents operate on a least-privilege basis — a technical control explicitly identified in both DASF v3.0 and the vendor products described above.

Security of Processing Under Article 32. The obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk is directly engaged by every threat in the OWASP Agentic Top 10. A controller that deploys agentic AI without having conducted a proper assessment of these specific risks — and without implementing controls proportionate to them — will face significant difficulty defending an Article 32 claim following a breach. The existence of published frameworks (DASF, OWASP), regulatory RFIs (NIST), and commercial products specifically addressing these risks means that ignorance of the threat landscape is an increasingly difficult position to maintain.

Data Protection Impact Assessments. The UK ICO and the EDPB have both confirmed that high-risk processing requires a DPIA under Article 35. Agentic AI deployments that operate autonomously, process personal data at scale, or make consequential decisions suggests a DPIA that specifically addresses agentic threat vectors — including those catalogued in the OWASP Top 10 and DASF v3.0.

Incident Response and Breach Notification. An AI agent breach presents distinctive incident response challenges. Because agents operate continuously and may interact with dozens of systems, identifying the full scope of a breach — which data was accessed, which instructions were followed, which outputs were generated — requires the agentic tracing capabilities that DASF v3.0 identifies as essential. Organisations that lack this observability will face difficulties meeting the 72-hour breach notification obligation under Article 33 GDPR, and may be unable to accurately identify affected data subjects.

Recommendations for Organisations

For legal and compliance teams advising on AI agent deployments, we recommend the following immediate steps:

First, map your agentic surface. Conduct a comprehensive inventory of all AI agents operating within your environment — including those deployed without formal IT approval. Shadow AI Discovery tools from vendors like CrowdStrike now make this technically feasible. You cannot protect what you cannot see.

Second, conduct a DPIA for all agentic deployments. Map the specific threats in the OWASP Agentic Top 10 and DASF v3.0 against each agent’s actual capabilities, data access, and autonomy level. Identify the highest-risk deployments — those with access to sensitive personal data, financial systems, or the ability to take external actions — and prioritise security controls accordingly.

Third, implement technical controls aligned with published frameworks. The DASF v3.0 controls — least privilege, human oversight for high-stakes actions, sandboxing, AI gateways, agentic tracing, and supply chain security for MCP servers — provide a defensible baseline. Engage your technology teams to assess which of these controls are in place and which require remediation.

Fourth, evaluate purpose-built agentic security products. The products announced by CrowdStrike, NVIDIA, and Palo Alto Networks represent the leading edge of a rapidly maturing market. Evaluate their capabilities against your specific threat profile, particularly in the areas of prompt injection detection, shadow AI governance, memory integrity, and agent identity management.

Conclusion

Agentic AI is no longer a future technology — it is probably already operating inside your organisation, your suppliers’ organisations, and the systems of your customers and regulators. The security frameworks, regulatory guidance, and commercial products described in this article represent the field’s current best understanding of how to deploy agents safely. But the threat landscape is evolving fast.

For data protection lawyers, the legal obligations that apply to agentic AI are largely already in place, mapped onto Article 5, Article 22, Article 25, Article 32, and Article 35 of the GDPR. What is new is the technical threat environment that must be assessed against those obligations. The organisations that recognise this now, and act accordingly, will be better placed to defend their compliance posture when the inevitable incidents occur.

The ones who wait unfortunately risk spending 2027 in incident response.