The bottom line: Of 100 tested AI agents, only 11 offer an acceptable balance between performance and security; 98 % exhibit the same critical combination of broad data access, missing input controls, and uncontrolled authorization.
Adversa AI has analyzed 100 autonomous AI agents and documented significant security deficiencies: only 11 of the examined systems simultaneously meet performance requirements and protection standards. The risk lies structurally in the combined threat from access to sensitive data, processing of untrusted content, and independent authorization for external actions.
Security firm Adversa AI conducted an analysis of 100 autonomous AI agents, examining them across ten categories: general assistants, workplace copilots, browser and conversational systems, tailored workflows, platform operations, data engineering, computer and programming agents. The central finding: only 11 agents are considered both performant and adequately protected against attacks. 98 % of the tested systems show an identical constellation of weaknesses: unrestricted access to private data, processing of content from untrusted sources, and authorization to perform outbound actions without appropriate controls.
For computer and programming agents, the risk is particularly critical. Computer agents receive comprehensive operating system access to function properly, which if successfully compromised results in full computer control. A fundamental problem is the lack of transparency: users see only input and output, not the intermediate actions. Even integrated confirmation dialogs offer no reliable protection, since humans and AI models operate at different levels of abstraction and actual system actions can be misunderstood. For coding agents, the attack surface is particularly large: they not only access code suggestions but directly access shell commands, dependencies, and authentication tokens. Conventional code reviews at the end of the process provide insufficient protection, since the agent may already have retrieved secrets, executed tests against production systems, or changed configurations before verification. According to the report, tool execution accounts for 76 % of the potential damage radius.
Adversa AI documents a structural market characteristic: “The same vendors that deliver the most performant agents also deliver the largest attack surface.” 83 % of protection measures claimed by manufacturers are not publicly verifiable. The analysis recommends a strategic reorientation of the security concept away from input control — prompt injection cannot be permanently prevented due to the non-deterministic nature of AI models — toward strict output controls. This includes monitoring data flow (egress control) as well as restrictive policies for identity and authorization management.
Source: www.it-daily.net · Published June 8, 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.