The seven new failure modes it has recognized are:
- Agentic Provide Chain Compromise —agent conduct might be affected by pure language quite than malicious code;
- Objective Hijacking — adversarial directions seem aligned with professional activity completion, whereas silently redirecting the agent’s terminal purpose;
- Inter-Agent Belief Escalation —a compromised agent asserts false id or inflates claimed permissions to an orchestrator;
- Laptop Use Agent (CUA) Visible Assault — brokers working by means of graphical interfaces might be manipulated by means of content material that carries adversarial directions for the agent;
- Session Context Contamination —an adversary introduces information that biases the agent’s reasoning in subsequent steps, with out triggering security controls at any particular person step;
- MCP / Plugin Abuse — an replace on the unique taxonomy’s protection of perform compromise round MCP and plugin protocols, particularly assault surfaces particular to these protocols;
- Functionality / Structure Disclosure —an agent reveals inside implementation particulars similar to device names and schemas, system-prompt construction, reminiscence interfaces, or consent/human-in-the-loop set off logic.
Microsoft advises safety groups utilizing these definitions to affect their planning to stock their your provide chain, producing a software program invoice of supplies (SBOM) for each deployed agent, to confirm agent id cryptographically, not positionally, by issuing attestable credentials at provisioning, so as to add the seven new failure modes to their red-team protection matrix, and to audit the human-in-the-loop person expertise as a safety management.
