
Product Manager @ Microsoft 👉 Sign up to Entra.News my weekly newsletter on all things Microsoft Entra | Creator of cmd.ms & idPowerToys.com
In a recent YouTube episode hosted by Merill Fernando, security researcher Thomas Roccia lays out how attackers are shifting their focus toward the parts of the AI ecosystem that most organizations cannot clearly see. He argues that threats now extend beyond models and include the infrastructure around agents, such as servers, packages, and keys. Consequently, defenders must rethink where they look and how they assign responsibility for protection.
The video frames the problem as a collision of components: agents, MCP servers, skills, packages, API keys, prompts, and identity. Thomas explains that each component can introduce risk, and that attackers often exploit the weakest link rather than attempting glamorous autonomous hacks. Moreover, the conversation highlights how these risks compound when agents operate across SaaS systems and internal tooling.
Importantly, the episode emphasizes that security teams rarely have full visibility into agent behavior, which makes detection difficult. As a result, defenders may miss subtle chains of events that start with a malicious package or a leaked credential. Therefore, the discussion moves from abstract threats to practical observability gaps that teams must close.
Thomas points out a set of pragmatic attack vectors that adversaries prefer because they are low-effort and high-impact, such as malicious packages, untrusted MCP servers, hostile skills, and leaked API keys. He also warns about prompt injection and the risks of insecure AI-generated code, which can execute unexpected behavior once deployed. Consequently, attackers can gain persistent influence without needing to compromise a model outright.
Another theme is the notion of invisibility: attackers can manipulate recommendation systems or agent memory in ways users do not notice, a tactic sometimes referred to as AI Recommendation Poisoning. On the tradeoff side, these methods are easier to implement at scale but require defenders to shift from perimeter thinking to continuous validation. Therefore, remediation must combine code hygiene, supply chain controls, and runtime Monitoring to be effective.
The video gives special attention to identity as a control plane, especially with tools like Entra Agent ID and the broader concept of Agent ID or non-human identity. Thomas explains that assigning identities to agents helps teams apply policies, trace actions, and set sponsorship, but identity alone does not answer what an agent can discover or call. Thus, identity is necessary but not sufficient for comprehensive protection.
In practice, governance requires additional measures such as workload identity controls, detailed logging, and the ability to replay an agent’s activity for investigation. However, organizations face tradeoffs: richer logs improve forensic capability but raise storage costs and privacy concerns. Consequently, teams must balance the need for actionable telemetry with resource and compliance constraints.
Thomas recommends treating agents more like potential threat actors and monitoring them accordingly, yet that approach introduces operational strain. Agents often act faster than humans can review, which forces teams to choose between manual oversight that slows processes and automated checks that might miss nuanced misuse. Therefore, defenders must design layered detection that mixes automation with targeted human review.
Another challenge is standardization: agents and skills come from diverse sources and lack consistent security standards, making scale difficult for security teams. For this reason, the episode mentions emerging efforts to create standards and playbooks to reduce variability. Still, implementing standards across legacy systems and third-party services requires coordination and sustained investment.
Finally, the YouTube discussion delivers concrete steps for teams: vet packages before use, lock down API keys, validate third-party MCP servers, and review AI-generated code with security in mind. Training and threat intelligence are also essential, because human reviewers need to understand how agents can be weaponized and what signals indicate compromise. Yet teams must weigh these practices against speed and Developer productivity to avoid blocking innovation.
In conclusion, the episode hosted by Merill Fernando and featuring Thomas Roccia reframes AI security around visibility and governance of agent ecosystems. While identity tools like Entra Agent ID provide a foundation, defenders must add observability, supply-chain checks, and standards to manage the tradeoffs between automation and control. Looking ahead, organizations that invest in both tooling and process will be better positioned to detect and mitigate these emerging threats.
AI ecosystem security, attackers targeting AI, AI supply chain attacks, invisible AI threats, adversarial machine learning attacks, model poisoning vulnerabilities, AI infrastructure vulnerabilities, defending AI systems