Guozhen AIGlobal AI field notes and model intelligence

Realtime AI News

Trend Micro tests 13 AI models in PwC-backed AI agent risk study

Trend Micro's TrendAI and PwC Consulting released a joint report on July 17 revealing that stored prompt injection attacks succeed across multiple large language models from different vendors. The 2,600-test evaluation found the vulnerability stems from AI agent architecture itself, not any specific model, and proposed a new governance framework called AI-CAL.

Published

Trend Micro's enterprise-focused TrendAI brand and PwC Consulting released a joint report on July 17 titled “The Age of Autonomous AI: Cyber Risks and Practical Governance for AI Agents.” The report combines PwC Consulting's analysis of risk, controls, and implementation roadmaps with TrendAI's empirical security validation, revealing structural security risks in agent-based AI systems.

TrendAI built a proof-of-concept environment modeled on realistic corporate systems and tested whether attacks on AI agents could be carried out. It ran 2,600 parallel tests using 200 automatically generated attack prompts against 13 AI models from four vendors: Anthropic, OpenAI, Google, and DeepSeek. The tests confirmed that attacks succeeded on models from multiple vendors, indicating that stored prompt injection is not tied to a specific model or vendor but stems from the architecture of AI agents. In such attacks, malicious instructions are embedded in legitimate business data and later executed when an AI agent reads that data.

In one demonstration scenario, an AI agent reading and classifying support tickets submitted through a public web form was targeted by embedding malicious instructions in the ticket text. In another, an identity-verification system using uploaded passport images was attacked by disguising malicious instructions inside a passport image as an “AUDIT NOTE.” In the test environment, the AI agent was misdirected into calling database tools in sequence and succeeded in exfiltrating confidential information including authentication tokens, as well as obtaining other customers' passport data such as names, passport numbers, dates of birth, expiration dates, and nationality. The company emphasized these were demonstrations in a verification environment, not attacks on real-world systems.

The report argues that current language models have an inherent architectural property in which they cannot strictly distinguish between data and instructions. As AI agents autonomously chain together multiple tool calls, the impact of a prompt injection attack can spread from an initial input to information theft or data tampering. Consequently, core countermeasures lie less in switching AI models than in system design and operational controls, including enforcing least-privilege access, restricting tool calls, and improving observability and controllability.

PwC Consulting organized risks using five levels of AI-agent autonomy from L1 to L5 across five functional domains. It also proposed an “AI Control Assurance Level” (AI-CAL) framework intended to help executives and security teams discuss the control maturity of AI agents using a common language. The report groups priority actions into three areas: establishing access governance, building foundations for observability and control, and institutionalizing AI-CAL assessment processes.

AI agents, capable of interpreting inputs and triggering software tools with limited human intervention, are being adopted more widely in customer support, internal operations, and identity verification. Their expanding use has heightened concern over prompt injection and tool abuse, particularly when agents connect directly to databases, workflow systems, or external applications. The report provides a structured framework for enterprises deploying AI agents to assess and mitigate these emerging risks.

Why it matters

This study shifts the AI agent security conversation from model-level fixes to architectural and governance-level controls, urging enterprises to focus on system design and operational guardrails rather than simply choosing a safer model.

Trend MicroPwCAI AgentCybersecurityPrompt Injection
Back to realtime news

Nearby Updates

All