Your customer service agent just wrote to a database it should have been reading from, and nobody told it to do so. Somewhere upstream, a poisoned support ticket had convinced the agent that the user was an admin, and being helpful, it obliged. This is the working day for anyone running autonomous AI in production. Prisma AIRS from Palo Alto Networks sits in the middle of that traffic, inspecting tool calls and network flows rather than only the natural-language prompts on the surface, and catching the moment when an agent stops chatting and starts acting.

Palo Alto Networks calls this shift “agents with hands” — models that can hit APIs, query databases, and execute tasks without a human in the loop. The convenience opens a lethal trifecta of private data access, exposure to untrusted content, and an outbound channel; none of these is dangerous in isolation, but combined they describe the route by which data quietly leaves your network. Multi-agent setups compound the problem, because east-west traffic between agents means a hallucination in one place can ripple through the entire chain. Standardized connectors offer no defense here: protocols like MCP describe how an agent talks to a tool, but say nothing about whether the request is legitimate in the first place.

The named attacks grow more creative by the week. Memory poisoning, for instance, plants instructions that an agent learns and executes weeks later, while “confused deputy” attacks trick a read-only agent into writing. Rugpulls are nastier still: a tool that has worked reliably for months — long enough to earn trust — one day begins quietly siphoning data, after the organization has come to depend on it. None of these are theoretical, and all of them slip past keyword-based guardrails.
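As an added illustration of the inspection point described here (example code, not Prisma AIRS's own code or API), the gate below judges structured tool calls rather than prompt text: it holds a support agent to a read-only database scope, fails closed on stacked statements, and treats a role the agent asserts as untrusted unless it matches the identity bound to the session. The tool names, policy shape and sample calls are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed policy model for illustration; not Prisma AIRS's real API or schema.
READ_VERBS = re.compile(r"^\s*(select|show|describe|explain)\b", re.IGNORECASE)

@dataclass(frozen=True)
class Session:
    verified_role: str  # bound by the identity provider, never taken from chat content
@dataclass(frozen=True)
class AgentPolicy:
    name: str
    allowed: dict       # tool name -> set of permitted actions, e.g. {"sql_query": {"read"}}

def classify_sql(statement: str) -> str:
    # Coarse, fail-closed read/write classification of a SQL payload: stacked statements,
    # comment markers, or a non-read leading verb all count as writes (real engines parse).
    body = statement.strip().rstrip(";").strip()
    if ";" in body or "--" in body or "/*" in body:
        return "write"
    return "read" if READ_VERBS.match(body) else "write"

def evaluate_tool_call(policy: AgentPolicy, session: Session, call: dict) -> tuple[str, str]:
    # Judge the structured tool call itself, independent of the prompt that produced it.
    tool, args = call.get("tool"), call.get("arguments", {})
    if tool not in policy.allowed:
        return "block", f"{policy.name}: tool {tool!r} is outside its policy"
    # Confused deputy: an agent may repeat a role it read in a poisoned ticket; only the
    # role attached to the authenticated session is authoritative.
    claimed = args.get("role")
    if claimed is not None and claimed != session.verified_role:
        return "block", f"agent asserted role {claimed!r}, session carries {session.verified_role!r}"
    action = classify_sql(args.get("statement", "")) if tool == "sql_query" else args.get("action", "unknown")
    if action not in policy.allowed[tool]:
        return "block", f"{policy.name}: {action!r} on {tool!r} exceeds its scope"
    return "allow", "within scope"

# Constructed sample traffic: a read-only support agent acting for a customer session.
SUPPORT_AGENT = AgentPolicy("support-agent", {"sql_query": {"read"}})
CUSTOMER_SESSION = Session("customer")
SAMPLE_CALLS = [
    {"tool": "sql_query", "arguments": {"statement": "SELECT status FROM tickets WHERE id = 77"}},
    {"tool": "sql_query", "arguments": {"statement": "UPDATE users SET role = 'admin' WHERE id = 'u-1042'"}},
    {"tool": "sql_query", "arguments": {"statement": "SELECT 1; DROP TABLE tickets"}},
    {"tool": "sql_query", "arguments": {"role": "admin", "statement": "SELECT * FROM users"}},
    {"tool": "send_email", "arguments": {"action": "send", "to": "outside@example.invalid"}},
]
def audit(calls=SAMPLE_CALLS):
    # One (verdict, reason) pair per call; only the plain SELECT should be allowed.
    return [evaluate_tool_call(SUPPORT_AGENT, CUSTOMER_SESSION, c) for c in calls]
```

Only the first sample call passes; the write, the stacked statement, the self-asserted admin role and the unlisted tool are all blocked on the payload alone, without any keyword match against the conversation.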
Amazon Bedrock Guardrails and similar text filters work well enough for governance and content safety, but they will not catch SQL injection buried inside a tool payload, nor will they contain the dynamic reasoning of an autonomous agent. Prisma AIRS is built to take a second pass, watching the payloads themselves and killing connections when an agent suddenly demands admin privileges. The same approach blocks memory-poisoning attempts and tool-schema extraction before the malicious instruction ever lands.

Genuine protection in an agentic AI environment depends on knowing where to look for hidden risks. Shadow agents accumulate inside any reasonably sized estate, inactive identities cling to permissions long after the projects that required them have shipped, and east-west traffic that historically passed unobserved through enterprise datacenters now demands scrutiny. Discovering those exposures before an attacker does requires a new generation of tooling.

Agentic AI is moving quickly while the threat models that should constrain it are still being written. The sensible response is to treat the security layer the way you treated network security in 2010 — assume the perimeter is already inside, and watch what the agents do rather than only what they say.

Sponsored by Palo Alto Networks.