Agentic AI Security Assessment — CBRN and Cyber Espionage
Conduct a threat-model assessment of agentic AI deployments covering high-consequence misuse vectors, including chemical, biological, radiological, and nuclear (CBRN) facilitation and AI-orchestrated cyber espionage, and implement mitigations proportionate to the identified risk.
Objective
Ensure organizations deploying agentic AI systems have explicitly assessed and mitigated the risk that their systems could be weaponized or co-opted for high-consequence attacks, and can demonstrate to regulators and counterparties that this risk was considered and addressed.
Maturity Levels
Initial
Agentic AI systems are deployed without explicit assessment of high-consequence misuse risk. Security assessments cover conventional IT threats but not AI-specific attack vectors.
Developing
Security teams are aware of CBRN and cyber espionage risk in AI contexts but assessments are informal and not documented. No structured threat model exists for agentic deployments.
Defined
A formal threat model assessment is conducted for each agentic AI deployment, covering CBRN facilitation risk (based on the agent's tool access and the domains in which it can retrieve and synthesize information) and cyber espionage risk (based on the agent's access to internal systems, credentials, and network). Mitigations are documented and implemented.
Managed
Assessments are reviewed annually and when an agent's capabilities or access scope changes materially. Results are reported to the AI governance committee and, for high-risk findings, to the board-level AI safety committee (BRD-003). Mitigations are tested.
Optimizing
External red-team exercises specifically targeting high-consequence misuse vectors are conducted on a defined cadence for the highest-risk agentic systems. Assessment methodology is updated as the threat landscape evolves. The organization engages with AI safety research to stay current on emerging attack vectors.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Threat model assessment for each production agentic AI system covering CBRN facilitation and cyber espionage risk, with scoping rationale, findings, and implemented mitigations.
- Evidence of AI governance committee review for all assessments with material findings.
- Annual reassessment records or documented rationale for no material change.
Implementation Notes
Why this is a distinct control
General AI security controls address adversarial inputs, prompt injection, and system compromise. This control addresses a different threat model: an adversary who does not attack the agent itself but instead uses the agent — by persuading it to help, by exploiting its access, or by co-opting it as part of a larger attack chain — to cause harm at a scale or in a domain that was not anticipated at deployment.
This risk is not hypothetical. International AI safety research (including the 2026 International AI Safety Report and ARI's 2025 Safety Highlights) has documented cases of AI-facilitated CBRN information synthesis, AI-orchestrated cyber espionage campaigns, and agentic AI systems used to execute cyberattacks with minimal human oversight.
Scoping the assessment
Not all agentic AI systems carry material CBRN or espionage risk. The assessment scope should be calibrated to the agent's capabilities:
CBRN facilitation risk indicators:
- Agent has access to scientific literature retrieval (chemistry, biology, materials science).
- Agent can synthesize multi-step research or planning outputs without human review.
- Agent has access to procurement tools, supplier databases, or logistics systems.
- Agent operates in life sciences, defense, or research contexts.
Cyber espionage risk indicators:
- Agent has read access to internal systems, codebases, or credential stores.
- Agent can make outbound network connections or send data to external endpoints.
- Agent has access to communication systems (email, Slack, document repositories).
- Agent has elevated privileges or can assume other identities.
For agents with no indicators in either category, a brief documented scoping justification is sufficient. Full assessment is required for agents with material indicators.
Assessment components
CBRN facilitation threat model:
- Enumerate domains of knowledge the agent can access and synthesize.
- Assess whether retrieval and synthesis could meaningfully assist in CBRN attack planning.
- Identify and implement safeguards: content filters on CBRN-adjacent queries, retrieval boundaries excluding relevant scientific domains, refusal training if the agent is a general-purpose LLM.
- Document residual risk and acceptance rationale.
Cyber espionage threat model:
- Map all internal system access the agent holds.
- Assess whether an adversary who controlled the agent (via prompt injection or direct access) could exfiltrate sensitive data, pivot to other systems, or conduct reconnaissance.
- Implement mitigations: network egress controls (an allowlist of the endpoints the agent's tools may reach, not a denylist), data exfiltration monitoring, least-privilege access enforced on the agent's own service credentials rather than only in the retrieval layer, and prompt injection defenses covering content the agent retrieves as well as direct user input.
- Conduct a red-team probe if the risk level warrants it, exercising the agent's actual tool access rather than the model in isolation.
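The retrieval-boundary, egress-allowlist and output-review mitigations in the two lists above, as an added example that is not part of the original control text: a default-deny policy gate in Python that sits between the agent and its tools, so the boundary holds even if the model is talked into calling the wrong tool. Tool names, Confluence space keys, hostnames and both term lists are assumptions chosen for illustration; the excluded-term list holds constructed placeholders, not real MeSH terms.

```python
"""Tool-call policy gate for an agentic research assistant (added example).

Sits between the agent and its tools and enforces the assessment's mitigations:
a Confluence space allowlist, an excluded-term check on literature queries, an
egress allowlist on tool URLs, and an output classifier that routes flagged
synthesis to human review. All names and lists below are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed policy. Allowlists, not denylists: anything unlisted is refused.
ALLOWED_CONFLUENCE_SPACES = {"PUBLIC", "GENERAL"}
ALLOWED_EGRESS_HOSTS = {"pubmed.ncbi.nlm.nih.gov", "www.biorxiv.org"}
# Constructed placeholders; a real deployment loads a curated MeSH subset here.
EXCLUDED_RETRIEVAL_TERMS = {"placeholder dual-use term a", "placeholder dual-use term b"}
# Constructed category -> indicator phrases for the output classifier.
DUAL_USE_CATEGORIES = {
    "synthesis-route": {"synthesis route", "scale-up protocol"},
    "enhancement": {"enhance transmissibility", "increase lethality"},
}


@dataclass
class ToolCall:
    tool: str
    args: dict


@dataclass
class Decision:
    allowed: bool
    reason: str


def _normalize(text: str) -> str:
    # Lower-case and collapse whitespace so spacing tricks do not evade matching.
    return " ".join(text.lower().split())


def authorize_tool_call(call: ToolCall) -> Decision:
    """Default-deny gate: a call is allowed only if an explicit rule admits it."""
    if call.tool == "confluence.read":
        space = call.args.get("space", "")
        if space not in ALLOWED_CONFLUENCE_SPACES:
            return Decision(False, f"space {space!r} outside retrieval scope")
        return Decision(True, "confluence space in allowlist")

    if call.tool == "literature.search":
        query = _normalize(call.args.get("query", ""))
        hit = next((t for t in EXCLUDED_RETRIEVAL_TERMS if t in query), None)
        if hit is not None:
            return Decision(False, f"query matches excluded term {hit!r}")
        # urlparse().hostname strips userinfo and port, so
        # "https://pubmed.ncbi.nlm.nih.gov@evil.example/" resolves to evil.example.
        host = urlparse(call.args.get("url", "")).hostname or ""
        if host not in ALLOWED_EGRESS_HOSTS:  # exact match, never suffix match
            return Decision(False, f"egress to {host!r} not in allowlist")
        return Decision(True, "literature query within scope")

    return Decision(False, f"no policy rule for tool {call.tool!r}")


def route_output(text: str) -> tuple[str, list[str]]:
    """Return ('deliver', []) or ('human_review', [flagged categories])."""
    norm = _normalize(text)
    flagged = sorted(
        cat for cat, phrases in DUAL_USE_CATEGORIES.items()
        if any(p in norm for p in phrases)
    )
    return ("human_review" if flagged else "deliver"), flagged


if __name__ == "__main__":
    # Constructed sample calls an agent might emit.
    for call in (
        ToolCall("confluence.read", {"space": "PUBLIC"}),
        ToolCall("confluence.read", {"space": "ARCH"}),
        ToolCall("literature.search", {"query": "placebo trial design",
                                       "url": "https://pubmed.ncbi.nlm.nih.gov/?term=x"}),
        ToolCall("literature.search", {"query": "placebo trial design",
                                       "url": "https://pubmed.ncbi.nlm.nih.gov@evil.example/"}),
        ToolCall("shell.exec", {"cmd": "id"}),
    ):
        print(call.tool, call.args, "->", authorize_tool_call(call))
    print(route_output("Proposed synthesis route for the compound."))
```

The gate is deliberately boring: it never asks the model whether a call is acceptable, and it fails closed on any tool it has no rule for. Pair it with matching permissions on the agent's own Confluence service account, so a space excluded from the index is also unreadable if the gate is bypassed.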
Regulatory and counterparty context
Several enterprise customers and government contractors now require explicit CBRN and dual-use risk assessments for AI systems as a procurement condition. Defense, life sciences, and critical infrastructure organizations should expect these requirements to expand. Pre-emptive assessment positions the organization favorably.
Example Implementation
Agentic AI Security Assessment — Threat Model Summary
Agent: Internal Research Synthesis Agent | Assessment date: 2026-05-20 | Assessor: CISO + external red-team (Vendor X)
Scoping determination:
- CBRN facilitation: Material risk indicators present. Agent has access to PubMed, bioRxiv, and internal research database. Can synthesize multi-step research summaries without per-output human review.
- Cyber espionage: Moderate risk indicators. Agent has read access to internal Confluence and Jira. No credential store access; outbound network access limited to the literature retrieval endpoints listed above.
CBRN facilitation findings:
- The agent's retrieval scope includes biology, chemistry, and materials science literature without restriction.
- Red-team probe: 15 adversarial queries designed to elicit synthesis of dual-use biological research were tested. 12 were refused by the underlying model. 3 produced partial outputs that stopped short of actionable synthesis.
- Mitigation implemented: Retrieval scope restricted to exclude specific bioweapons-adjacent MeSH terms. Output classifier added that flags and routes for human review any synthesis touching designated dual-use categories.
- Residual risk: Low. Accepted by CISO and CAIO on 2026-05-20.
Cyber espionage findings:
- Agent can read Confluence pages including internal system architecture documents. Cannot write or exfiltrate via direct API.
- Risk: An adversary controlling the agent via prompt injection, including instructions embedded in Confluence or Jira content the agent retrieves, could extract architecture documentation.
- Mitigation implemented: Confluence retrieval scope limited to public and internal-general spaces. Architecture and security namespaces excluded from the retrieval index, and the agent's Confluence service account permissions reduced to match, so the boundary is enforced by Confluence itself and not only by the index.
- Residual risk: Acceptable. Prompt injection defenses (AGT-002) further reduce risk.
Board committee reporting: No material unmitigated findings. Summary shared with AI Governance Committee on 2026-05-25. No escalation to Board AI Safety Committee required.
