From Secure Agentic AI to Secure Agentic Web: Challenges, Threats, and Future Directions
Zhihang Deng, Jiaping Gui, Weinan Zhang

TL;DR
This paper surveys the security challenges of deploying large language models as agentic systems on the web, analyzing threats, defenses, and future research directions for trustworthy agent ecosystems.
Contribution
It provides a comprehensive threat taxonomy and reviews defense strategies, extending the discussion from AI models to the broader agentic web environment.
Findings
Threats include prompt abuse, memory attacks, and toolchain exploitation.
Defense strategies encompass prompt hardening, runtime monitoring, and privilege control.
Escalated risks in the web context involve delegation chains and cross-domain interactions.
Abstract
Large Language Models (LLMs) are increasingly deployed as agentic systems that plan, memorize, and act in open-world environments. This shift brings new security problems: failures are no longer only unsafe text generation, but can become real harm through tool use, persistent memory, and interaction with untrusted web content. In this survey, we provide a transition-oriented view from Secure Agentic AI to a Secure Agentic Web. We first summarize a component-aligned threat taxonomy covering prompt abuse, environment injection, memory attacks, toolchain abuse, model tampering, and agent network attacks. We then review defense strategies, including prompt hardening, safety-aware decoding, privilege control for tools and APIs, runtime monitoring, continuous red-teaming, and protocol-level security mechanisms. We further discuss how these threats and mitigations escalate in the Agentic Web,…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Spam and Phishing Detection
