After the Notion and ChatGPT Agent Exploits, CISOs Need to Ask Their Vendors Three Questions
How ‘service-side’ agent exploits create a new mandate for verifiable governance.
While security leaders have been focused on managing the risks of generative AI at the prompt, security research into major platforms like Notion and OpenAI's ChatGPT has validated a new, more insidious category of threat: service-side agent exploits.
The research demonstrated how an AI agent could be manipulated by ingested data, such as a PDF or email carrying a well-crafted prompt injection, into exfiltrating sensitive information using its own legitimate, authorized tools. No user clicks are required, the user is blind to anything happening, and the attack leaves no trace on your corporate network.
The bottom line for security leaders is that you are facing a new, autonomous insider threat where the "insider" is a non-human agent operating invisibly within a trusted user session. This threat applies to the full spectrum of agents entering your enterprise, from the collaborative co-pilots and embedded assistants to fully asynchronous workers.
The Architectural Mismatch: Why Your Security Stack is Blind
These new exploits are symptoms of a fundamental architectural mismatch between autonomous agents and the foundational principles of enterprise security. Unfortunately, there’s no simple bug to be patched. Instead, we have a systemic gap created by software that can now act autonomously.
Your current security stack isn’t able to address these agent security risks for three key reasons:
Security is Host-Centric (EDR/XDR): The service-side attack happens entirely within the agent vendor's cloud, never touching a managed endpoint or device. With no host to monitor, your endpoint detection and response tools have no visibility into the agent's actions.
Governance is User-Centric (IAM/PAM): Your identity and access tools can see which user initiated a session, but they can’t see what the agent does autonomously within that session. This creates a critical “attribution blind spot.” Your logs will incorrectly blame the user for the agent's malicious actions, making forensic investigation and compliance reporting impossible.
Data Protection is Exfiltration-Centric (DLP/CASB): Your data loss prevention tools are designed to spot known data patterns leaving the perimeter. But in this scenario, they see a trusted application making an approved tool call. DLP can’t discern the malicious intent or the behavioral anomaly because the tool itself has been weaponized.
The New Mandate: From Vendor Promises to Verifiable Proof
This new reality renders traditional vendor security questionnaires obsolete for assessing agent risk. A vendor's SOC 2 report or cloud security posture, while important, offers no assurance against this new threat class.
The new mandate for CISOs is to demand verifiable proof of real-time behavioral control. The burden of proof has shifted entirely from the buyer's security tools to the vendor's core product architecture.
Three Critical Questions for Every AI Vendor
To enforce this new standard, you must move beyond the standard questionnaire and ask a new set of questions. These should be the “cost of entry” for any agent seeking approval in your enterprise.
1. The Observability Question (The Audit Trail)
“Can you provide an immutable, human-readable audit log of every autonomous action and tool use the agent performs, completely separate from the user's activity logs?”
Why it matters: Without a distinct, agent-focused audit trail, you have a critical governance gap. This type of granular logging is essential for providing the evidence required by compliance frameworks like ISO 42001 and for conducting any meaningful incident response.
2. The Accountability Question (The Identity)
“In the event of an incident, what forensic data can you provide that definitively proves attribution? How do you ensure the agent has a distinct, governable identity, separate from the user, to make this accountability possible?”
Why it matters: Without a distinct agent identity, the principle of least privilege is meaningless. True accountability, both for technical forensics and for legal and HR purposes, is impossible if you can’t differentiate between human and machine action.
3. The Control Question (The Guardrails)
“Can you demonstrate real-time policies that govern how an agent can use its tools—not just which tools it can access? Show me, specifically, how your system would prevent an agent from exfiltrating customer PII via a legitimate search tool.”
Why it matters: Access controls are no longer sufficient. The threat is not an agent accessing an unauthorized tool, but an agent misusing an authorized one. You need proof of preventative, behavioral controls at the point of action.
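The three questions above describe the same control point from three angles: every tool call must be attributed to a distinct agent identity (question 2), checked against a behavioral policy on how the tool is used rather than only whether it is allowed (question 3), and written to an audit trail that cannot be silently edited (question 1). The following Python is an added illustration of that control point, not code from Notion, OpenAI or any vendor. The agent and user identifiers, the PII patterns, the per-tool policy and the blocked search query are all constructed for the example; the audit log is hash-chained so that a later modification of any entry is detectable.

```python
"""Tool-call gateway that enforces behavioural policy on an agent's tool use,
attributes every action to a distinct agent identity, and records a
hash-chained audit log. Added illustration; names, policy rules and the
sample exfiltration attempt are constructed, not from any vendor product."""
import hashlib
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed PII detectors: an email address and a US-style SSN pattern.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Access control (which tools exist for the agent) plus behavioural control:
# argument keys of each tool that must never carry PII. Constructed policy.
POLICY = {
    "web_search": {"no_pii_in": ["query"]},
    "http_get":   {"no_pii_in": ["url"]},
    "read_doc":   {"no_pii_in": []},
}


@dataclass
class AgentIdentity:
    agent_id: str   # distinct, governable identity for the agent itself
    user_id: str    # the human whose session the agent is acting within


@dataclass
class AuditEntry:
    seq: int
    ts: str
    agent_id: str
    user_id: str
    tool: str
    args: dict
    decision: str
    reason: str
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        # Hash covers every field except the hash itself, so the chain links
        # each entry to its predecessor and to its own content.
        body = {k: v for k, v in self.__dict__.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ToolGateway:
    def __init__(self, tools: dict):
        self.tools = tools              # tool name -> callable
        self.log: list[AuditEntry] = []  # agent-only audit trail, separate from user logs

    def _record(self, agent, tool, args, decision, reason):
        prev = self.log[-1].hash if self.log else "0" * 64
        entry = AuditEntry(len(self.log), datetime.now(timezone.utc).isoformat(),
                           agent.agent_id, agent.user_id, tool, args, decision, reason, prev)
        entry.hash = entry.compute_hash()
        self.log.append(entry)
        return entry

    def call(self, agent: AgentIdentity, tool: str, args: dict):
        """Every tool invocation passes through here: decide, log, then execute."""
        rule = POLICY.get(tool)
        if rule is None or tool not in self.tools:
            self._record(agent, tool, args, "deny", "tool not in allow-list")
            return None
        for key in rule["no_pii_in"]:
            value = str(args.get(key, ""))
            for name, pat in PII_PATTERNS.items():
                if pat.search(value):
                    # Authorized tool, disallowed use: block at the point of action.
                    self._record(agent, tool, args, "deny", f"{name} in '{key}'")
                    return None
        self._record(agent, tool, args, "allow", "policy satisfied")
        return self.tools[tool](**args)

    def verify_log(self) -> bool:
        """Recompute the chain; any edited, reordered or dropped entry breaks it."""
        prev = "0" * 64
        for i, e in enumerate(self.log):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.hash:
                return False
            prev = e.hash
        return True


def demo():
    gw = ToolGateway({"web_search": lambda query: f"results for {query!r}"})
    agent = AgentIdentity(agent_id="agent:notes-assistant-01", user_id="user:alice")
    ok = gw.call(agent, "web_search", {"query": "quarterly roadmap template"})
    # Constructed example of the behaviour the guardrail must stop: a search
    # whose query carries a customer email address pulled from ingested data.
    blocked = gw.call(agent, "web_search", {"query": "lookup jane.doe@example.com"})
    unknown = gw.call(agent, "shell", {"cmd": "id"})
    return ok, blocked, unknown, [e.decision for e in gw.log], gw.verify_log()


if __name__ == "__main__":
    print(demo())
```

The gateway answers the three questions concretely: the log records `agent_id` alongside `user_id`, so a forensic reader can separate machine action from human action; the PII rule denies an allowed tool when its arguments carry customer data, which is what "how, not just which" means in practice; and `verify_log()` fails if any entry is altered after the fact, which is the property a vendor should be able to demonstrate for its audit trail.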
Enabling Secure Innovation
This new, more stringent mandate is not meant to block AI innovation. Rather, these are necessary questions to create a responsible framework for enabling it at scale. By demanding this higher standard of provable governance, security leaders are moving beyond a reactive posture and proactively shaping a more trustworthy AI ecosystem, building a trusted foundation to accelerate innovation.