Last updated: July 2026 · Orchesis reference

Agent Impersonation

Agent impersonation is when a malicious actor or a rogue AI agent poses as a trusted agent, user, or service to gain access, issue commands, or exfiltrate data. In multi-agent systems it exploits weak agent identity: if agents accept instructions from other agents without verifying who they truly are, an attacker can inject a fake agent or spoof a legitimate one and have its commands trusted. The consequence is that authority flows to the wrong party — a privileged agent acts on a forged request. The core defense is strong, verifiable agent identity: authenticate every agent-to-agent and agent-to-tool call with signed credentials or mutual TLS.

How agent impersonation works

Multi-agent systems route tasks between specialized agents and shared tools. Many early designs trust the channel rather than the sender — any message that arrives on the internal bus is treated as coming from a legitimate agent. An attacker who can post to that bus, register a new agent, or replay a captured message can impersonate a trusted component. Because downstream agents act on their own privileges, the forged request executes with real authority.

Examples of agent impersonation

How to prevent agent impersonation

  1. Strong agent identity — give each agent a cryptographic identity, not a shared secret.
  2. Authenticate every message — verify signed credentials or mutual TLS on all agent-to-agent and agent-to-tool calls.
  3. Short-lived scoped tokens — bind authority to identity and expire it quickly.
  4. Verify the sender, not the channel — never trust a request just because it arrived internally.
  5. Anti-replay — use nonces or timestamps so captured requests cannot be reused.
  6. Attribute and log — record the verified identity behind every action to detect and trace impersonation.

Context

Agent impersonation maps onto OWASP's agentic-AI risks around identity, trust, and excessive agency, and it is catalogued in the CASURA taxonomy of AI-agent vulnerabilities. As multi-agent and agent-to-agent (A2A) architectures spread in 2025–2026, verifiable agent identity has become the foundational control: without it, every other agent-security measure can be bypassed by a convincing forgery.

Sources: OWASP Agentic Security Project · CASURA taxonomy (Orchesis) · agent-to-agent (A2A) identity guidance. Reference maintained by Orchesis, an open-source AI-agent security proxy.