5 Principles for Securing AI Agents (Based on Frontier Lab Consensus)
OpenAI, Google DeepMind, and Anthropic built their agent security frameworks independently and reached the same conclusions. Here's what they agree on.
This is Part 3 of a 3-part series on semantic detection in agentic AI.
Google DeepMind, OpenAI, Microsoft, Meta, and Anthropic have each published their approach to securing AI agents. They built these frameworks independently and arrived at the same conclusion.
The consensus: securing AI agents is not a one-time configuration. It is an ongoing practice, closer to defending against fraud than patching a software vulnerability. The threat evolves continuously. Defense has to evolve faster.
What follows are the five principles those frameworks share, translated into what they mean for your organization.
1. Assume everything your agent reads could be an attack
Your agent reads a lot. Email, documents, web pages, database records, outputs from the tools it connects to. Any of that content can carry a hidden instruction. And your agent, by design, follows instructions.
Research on poisoned document databases showed that hiding five malicious instructions inside a database of millions of documents is enough to redirect an agent’s behavior over 90% of the time. The attacker needs one entry point. You need to secure the entire surface. The only workable response to that asymmetry is to treat all external content as untrusted until a detection layer has evaluated it.
2. Limit what your agents can do
Microsoft’s guidance is direct: “reduce the agent’s ability to cause harm even when successfully manipulated”. An agent whose access is limited to what its specific task requires has a contained blast radius when something goes wrong.
Meta formalizes this as the Rule of Two: any agent that simultaneously has access to sensitive data, processes untrusted content, and can communicate externally requires additional human oversight. When all three are present together, automated systems alone are not enough. That’s the standard operating condition of most enterprise agents, not an edge case in your deployments.
3. Watch what your agents do, not just what they’re asked
An attack that unfolds across several steps is invisible if you are only looking at individual requests. You need to watch the sequence. What did this agent do in the last five interactions? Does this action make sense given what came before? Is this chain of behavior consistent with what this agent is supposed to be doing?
That’s the core of intent detection for AI agents: evaluating purpose across a full sequence of actions, not scanning individual inputs for known patterns. It is the difference between a security camera that only takes
snapshots and one that records continuously. Snapshots miss everything that happens between frames.
4. Treat your security posture as something that expires
Every major AI lab OpenAI, Google DeepMind, Anthropic describes its security practice as continuous. New attack techniques are identified, analyzed, and trained against on an ongoing basis. The reason is straightforward: attackers adapt fast. A technique that bypasses today’s detection will be in wide use within weeks.
Anthropic’s research found that deceptive behaviors can survive standard model safety training, meaning even rigorous internal updates don’t close every gap. The security posture you validated at your last review is already degrading. Building for continuous evolution is not optional. It is the baseline.
5. Use security that understands what your agents understand
That’s the principle the whitepaper builds its entire case around, and the one most directly actionable when evaluating your options.
Semantic detection works because it evaluates meaning, not just the surface form of an input, but what that input is trying to accomplish. It watches the full sequence of agent behavior and asks whether that sequence is consistent with the agent’s intended purpose. It catches attacks it has never seen before because it understands language the same way the agent does. Pattern-based security cannot do this. It has a ceiling, and modern attacks have already passed it.
Agentic security built on semantic detection is not a feature that you add to your existing stack. It is a different approach to the problem, one built for the threat environment your agents are actually operating in.
The business case
Your agents are taking actions that matter, on your data, in your systems, on behalf of your organization. Runtime security is what stands between your agents and the attacks already targeting them. The question is not whether to secure them. It is whether your current approach can keep up with the attacks already being used against production systems right now.
This is Part 3 of a 3-part series on semantic detection in agentic AI.
Google DeepMind, OpenAI, Microsoft, Meta, and Anthropic have each published their approach to securing AI agents. They built these frameworks independently and arrived at the same conclusion.
The consensus: securing AI agents is not a one-time configuration. It is an ongoing practice, closer to defending against fraud than patching a software vulnerability. The threat evolves continuously. Defense has to evolve faster.
What follows are the five principles those frameworks share, translated into what they mean for your organization.
1. Assume everything your agent reads could be an attack
Your agent reads a lot. Email, documents, web pages, database records, outputs from the tools it connects to. Any of that content can carry a hidden instruction. And your agent, by design, follows instructions.
Research on poisoned document databases showed that hiding five malicious instructions inside a database of millions of documents is enough to redirect an agent’s behavior over 90% of the time. The attacker needs one entry point. You need to secure the entire surface. The only workable response to that asymmetry is to treat all external content as untrusted until a detection layer has evaluated it.
2. Limit what your agents can do
Microsoft’s guidance is direct: “reduce the agent’s ability to cause harm even when successfully manipulated”. An agent whose access is limited to what its specific task requires has a contained blast radius when something goes wrong.
Meta formalizes this as the Rule of Two: any agent that simultaneously has access to sensitive data, processes untrusted content, and can communicate externally requires additional human oversight. When all three are present together, automated systems alone are not enough. That’s the standard operating condition of most enterprise agents, not an edge case in your deployments.
3. Watch what your agents do, not just what they’re asked
An attack that unfolds across several steps is invisible if you are only looking at individual requests. You need to watch the sequence. What did this agent do in the last five interactions? Does this action make sense given what came before? Is this chain of behavior consistent with what this agent is supposed to be doing?
That’s the core of intent detection for AI agents: evaluating purpose across a full sequence of actions, not scanning individual inputs for known patterns. It is the difference between a security camera that only takes
snapshots and one that records continuously. Snapshots miss everything that happens between frames.
4. Treat your security posture as something that expires
Every major AI lab OpenAI, Google DeepMind, Anthropic describes its security practice as continuous. New attack techniques are identified, analyzed, and trained against on an ongoing basis. The reason is straightforward: attackers adapt fast. A technique that bypasses today’s detection will be in wide use within weeks.
Anthropic’s research found that deceptive behaviors can survive standard model safety training, meaning even rigorous internal updates don’t close every gap. The security posture you validated at your last review is already degrading. Building for continuous evolution is not optional. It is the baseline.
5. Use security that understands what your agents understand
That’s the principle the whitepaper builds its entire case around, and the one most directly actionable when evaluating your options.
Semantic detection works because it evaluates meaning, not just the surface form of an input, but what that input is trying to accomplish. It watches the full sequence of agent behavior and asks whether that sequence is consistent with the agent’s intended purpose. It catches attacks it has never seen before because it understands language the same way the agent does. Pattern-based security cannot do this. It has a ceiling, and modern attacks have already passed it.
Agentic security built on semantic detection is not a feature that you add to your existing stack. It is a different approach to the problem, one built for the threat environment your agents are actually operating in.
The business case
Your agents are taking actions that matter, on your data, in your systems, on behalf of your organization. Runtime security is what stands between your agents and the attacks already targeting them. The question is not whether to secure them. It is whether your current approach can keep up with the attacks already being used against production systems right now.
