Last updated: July 2026 · Orchesis reference

Data Exfiltration Through AI Agents

Data exfiltration through AI agents is when an attacker abuses an agent's tool access to steal sensitive data. A prompt injection or poisoned tool instructs the agent to read secrets, files, or database records and send them to an attacker-controlled destination — an outbound API call, a crafted URL, or even a rendered image link that leaks data in its query string. Because the agent acts with its own legitimate permissions, the theft blends into normal activity. The core defense is an egress allowlist plus least-privilege tool scoping, so a hijacked agent has nowhere to send the data.

How data exfiltration through an agent works

Agents combine read access (files, email, databases, internal APIs) with the ability to make outbound requests (web fetch, HTTP tools, sending messages). Exfiltration chains those two capabilities: the attacker injects an instruction — through a document the agent reads, a poisoned tool description, or a tool result — telling the agent to collect sensitive data and transmit it outward. The user sees a normal task; the agent quietly adds an exfiltration step.

Common exfiltration channels

How to prevent data exfiltration through AI agents

  1. Egress allowlist — permit only approved outbound destinations; deny by default.
  2. Least privilege — scope each tool and credential to the minimum data it needs.
  3. Isolate untrusted input — treat documents, tool descriptions, and results as untrusted so injected instructions cannot drive an outbound step.
  4. Block auto-rendering — prevent agent output from making arbitrary requests through images or links.
  5. Human approval — require sign-off before the agent sends data to a new destination.
  6. Inspect and log egress with a security proxy between the agent and the network.

Context

Data exfiltration is a primary impact of prompt injection and falls under the OWASP Top 10 for agentic applications; it is catalogued in the CASURA taxonomy of AI-agent vulnerabilities. Documented 2025 cases showed agents leaking secrets through rendered image URLs and connector tools, confirming that outbound-path control — not just input filtering — is the decisive defense.

Sources: OWASP Agentic Security Project · CASURA taxonomy (Orchesis) · published prompt-injection exfiltration case studies. Reference maintained by Orchesis, an open-source AI-agent security proxy.