The seven new failure modes it has recognized are:
- Agentic Provide Chain Compromise —agent habits may be affected by pure language relatively than malicious code;
- Objective Hijacking — adversarial directions seem aligned with reputable job completion, whereas silently redirecting the agent’s terminal aim;
- Inter-Agent Belief Escalation —a compromised agent asserts false id or inflates claimed permissions to an orchestrator;
- Pc Use Agent (CUA) Visible Assault — brokers working via graphical interfaces may be manipulated via content material that carries adversarial directions for the agent;
- Session Context Contamination —an adversary introduces knowledge that biases the agent’s reasoning in subsequent steps, with out triggering security controls at any particular person step;
- MCP / Plugin Abuse — an replace on the unique taxonomy’s protection of perform compromise round MCP and plugin protocols, particularly assault surfaces particular to these protocols;
- Functionality / Structure Disclosure —an agent reveals inside implementation particulars corresponding to device names and schemas, system-prompt construction, reminiscence interfaces, or consent/human-in-the-loop set off logic.
Microsoft advises safety groups utilizing these definitions to affect their planning to stock their your provide chain, producing a software program invoice of supplies (SBOM) for each deployed agent, to confirm agent id cryptographically, not positionally, by issuing attestable credentials at provisioning, so as to add the seven new failure modes to their red-team protection matrix, and to audit the human-in-the-loop consumer expertise as a safety management.