Skip to main content
Security & Compliance6 min read

Agentjacking: The New Security Risk in AI Agents

July 16, 2026By ChatGPT.ca Team

AI agents, systems that read data and take actions on their own, are quickly becoming some of the most useful tools in business. They are also becoming a fresh target. Security researchers recently demonstrated "agentjacking": hijacking an AI agent by feeding it a single poisoned piece of data, in one case a booby-trapped error report that quietly took control of a coding agent. The unsettling part is how ordinary the attack looks. No dramatic break-in, just malicious instructions slipped into something the agent was going to read anyway. If you are deploying agents, this is worth understanding now, not later.

Why agents are a new kind of target

A traditional hack exploits a bug in code. Agentjacking exploits something subtler, the AI's eagerness to follow instructions. Because an agent's whole job is to read information and act on it, an attacker does not need to force their way in. They just need to plant malicious instructions somewhere the agent will encounter them: an error message, a web page, a support ticket, a shared document. The agent, doing exactly what it was designed to do, reads the poisoned input and follows it. The autonomy that makes agents valuable, acting on data without a human checking every step, is precisely what opens this door.

What good agent security looks like

The reassuring news is that this risk is manageable, and it comes down to how you set an agent up rather than whether you use one at all. The contrast is stark between a reckless deployment and a careful one.

Risky deploymentSafe deployment
Broad access to everythingLeast privilege, only what the task needs
Acts on any data, unquestionedCaution with untrusted, external input
No human review, no monitoringHuman sign-off on big actions, activity monitored

This builds directly on the guardrails we covered in the security risks of agentic AI, agentjacking is a concrete example of why those guardrails are not optional as agents take on more real work.

Security is a habit, not a one-time setting

The biggest shift agentjacking should prompt is in mindset: agent security is a live, ongoing concern, not a policy you write once and file away. Because agents act continuously on fresh data, you have to keep watching them, the way you would supervise a capable new employee with real system access. Limit what each agent can reach and do, be careful about the outside data it ingests, require a human to approve consequential actions, and monitor its behaviour so anything unusual gets caught fast. None of this cancels the benefit of agents; it is what makes that benefit safe to rely on.

The takeaway

Agentjacking is a reminder that every powerful new capability arrives with a matching new risk, and AI agents are no exception. But the response is not to shy away from agents; it is to deploy them the way you would trust any capable worker with access to your systems, with clear limits, oversight, and monitoring. Businesses that build those habits in from the start get the enormous upside of agents without handing attackers an easy lever. The agents are worth using. Just don't give them the keys to everything and look away.

Frequently Asked Questions

What is "agentjacking"?

Agentjacking is when an attacker hijacks an AI agent, a system that reads data and takes actions on its own, by feeding it poisoned input. Security researchers recently showed that a single crafted piece of data (in their case, a booby-trapped error report) could take control of a coding agent and make it do the attacker’s bidding. The key insight is that AI agents often act on data from outside sources, and if that data is malicious, the agent can be turned against you. It is a new twist on an old problem: untrusted input causing trusted software to misbehave.

How is this different from a normal hack?

A traditional hack usually targets a flaw in code. Agentjacking targets the AI’s willingness to follow instructions. Because an agent reads and acts on data, an attacker does not need to break in the old-fashioned way, they just need to slip malicious instructions into something the agent will read: an error log, a document, a web page, a support ticket. The agent, trying to be helpful, follows them. The same autonomy that makes agents useful, acting on information without a human checking each step, is exactly what makes this attack possible.

Should this stop us from using AI agents?

No, but it should shape how you deploy them. AI agents are genuinely valuable, and this risk is manageable with the right setup. The mistake is giving an agent broad powers and unrestricted access to act on any data it encounters, with no oversight. The fix is to treat agent security as an ongoing, runtime concern, not a one-time policy: limit what each agent can access and do, be careful about what untrusted data it ingests, and keep humans in the loop for consequential actions. Used with guardrails, agents are an asset; used recklessly, they are an open door.

How do we protect our business from agentjacking?

Follow the principle of least privilege: give each AI agent only the access and permissions its task truly requires, so a hijack has a small blast radius. Be cautious about the data your agents automatically act on, especially anything from outside your organization. Require human approval for high-stakes actions (moving money, sending external messages, changing records). Monitor what your agents actually do, so unusual behaviour is caught quickly. And keep your general security fundamentals strong. These steps do not remove the benefit of agents, they let you capture it safely.

What should a Canadian business do about this now?

If you are deploying AI agents, treat their security as seriously as you would a new employee with system access. Map what each agent can reach and do, and tighten it to the minimum. Identify where agents ingest data you do not fully control, and add checks there. Put human approval on anything consequential, and set up basic monitoring so you would notice an agent acting strangely. If you are not yet using agents, build these habits into your plan from the start, it is far easier to deploy agents safely than to secure them after something goes wrong.

Deploy AI agents without opening new doors

We help Canadian businesses roll out AI agents safely, with least-privilege access, human checkpoints, and monitoring, so a helpful agent stays helpful.

Related Articles

Security & Compliance

AI Agents Are Now the #1 Enterprise Security Risk: What Your Business Should Do

June 30, 2026Read more →
Security & Compliance

Canada’s New Privacy Law (Bill C-36) and Your AI

July 13, 2026Read more →
Security & Compliance

When AI Agents Become Accountable: The SEC-Registered AI Advisor and What It Signals

June 18, 2026Read more →
AI
ChatGPT.ca Team

AI consultants with 100+ custom GPT builds and automation projects for 50+ Canadian businesses across 20+ industries. Based in Markham, Ontario. PIPEDA-compliant solutions.

Stay ahead of AI in Canada

Weekly case studies, new tools, and ROI playbooks for Canadian SMEs. One email, zero spam.