The shift to agentic RAG, which enables systems to plan, reason, carry out complex tasks and fix their own errors, has resolved reliability issues. However, this development has also introduced significant security challenges.
Part II: The 2026 threat landscape
As agents transition from passive text generators to active entities with tool access, the security paradigm has shifted. The OWASP Top 10 for LLM applications, updated for late 2025, reflects this reality. The risk is no longer just offensive content. It is unauthorized action, data exfiltration and financial exhaustion.
Indirect prompt injection: The “zero-click” exploit
Indirect prompt injection is widely considered the most critical vulnerability in agentic systems. Unlike direct jailbreaking, where a user attacks the model, Indirect Injection occurs when the agent processes external content that contains hidden malicious instructions.