AI / Agentic Services

An organization deployed an LLM-based application using Azure and Retrieval-Augmented Generation (RAG) to provide document-based insights with source citations. A security review identified that Azure SAS URLs were exposed in citations, allowing potential unauthorized access to stored documents and complete read/write/delete access to the storage. This vulnerability risked unintended data disclosure beyond user permissions. The issue was mitigated by securing storage access and removing direct SAS URL exposure. The revised approach ensured safe, controlled access to document insights without compromising data security.

An organization implemented an AI-powered application using third-party LLM APIs to process user queries and generate intelligent responses. Blueinfy identified a prompt injection vulnerability caused by insecure handling of user input within the LLM request construction. The issue allowed attackers to manipulate system prompts and influence the model’s behavior. Blueinfy worked with the development team to implement secure input validation, sanitization, and safe prompt design patterns. This remediation ensured controlled LLM behavior and protected the application from prompt injection attacks before production use.

An AI application used by a legal organization allowed users to upload personal and shared documents to Azure Blob Storage and query them via a GPT-based chat interface. During a security assessment, Blueinfy identified two major vulnerabilities: lack of authorization controls in storage access that let users view others’ documents, and the risk of indirect prompt injection from malicious uploaded content. The storage misconfiguration enabled unauthorized data retrieval across user-uploaded files, while malicious documents could feed harmful instructions into the LLM. These flaws risked data confidentiality, compliance violations, and potential phishing or exfiltration attacks. Blueinfy helped implement strict permission enforcement at the blob storage layer and introduced guardrails to prevent harmful outputs, ensuring secure document access and safer LLM responses.

An organization implemented a customizable GPT interface that allowed end users to define system instructions and share tailored personas for contextual conversations with an LLM. During a security review, Blueinfy identified that allowing users to modify the system context introduced significant vulnerabilities, as malicious instructions could alter the model’s behavior. Exploits included attempts to exfiltrate chat history, prompt users for sensitive PII, spread misinformation, and present phishing links. These risks not only threatened data security but also posed reputational harm if the application generated biased, abusive, or unsafe outputs. Blueinfy recommended implementing real-time content filtering, moderation tools, and guardrails to block harmful inputs and protect the LLM’s behavior. The improved safeguards ensured safer, controlled interactions with the customized GPT system.

ACME, approved Copilot Studio as an agent builder platform and wanted to open up the platform for employees to build their own agents. Blueinfy’s case study on AI agent threat simulation highlights how enterprise AI implementations—specifically agents built on Microsoft Copilot Studio—can introduce significant, often hidden security risks despite built-in platform controls. By combining configuration review with controlled threat simulation, the assessment demonstrated how attackers could exploit prompt injection, misuse permissions, create rogue agents, and access MCP tools without proper authentication to exfiltrate sensitive data. A key insight was that vulnerabilities were not always due to obvious misconfigurations but also stemmed from how agents interpret inputs and interact with connected systems. The study reinforces that relying solely on platform security is insufficient; organizations must adopt continuous adversarial testing, stronger governance, and proactive monitoring to validate and secure their AI ecosystems effectively.

The blog highlights that the rapid rise of AI agents—enabled by platforms like Microsoft Copilot Studio and Google Gemini—is transforming enterprise operations while simultaneously introducing a fast-growing, poorly governed attack surface. As business users independently create agents that access sensitive data, integrate with enterprise systems, and perform automated actions, traditional security processes are being bypassed, leaving a significant visibility and control gap. To address this, the article proposes a structured risk-based governance model for AI agents, where agents are classified into tiers based on their data access, integrations, and potential impact. Low-risk agents can move quickly with minimal checks, while higher-risk agents undergo deeper security reviews, including configuration validation, threat modeling, and adversarial testing. This tiered approach ensures scalable oversight, reduces burden on security teams, and aligns security efforts with actual risk—enabling organizations to adopt AI at speed without compromising control.

Blueinfy introduced PenTestPrompt, a tool designed to automate the creation, execution, and evaluation of contextual attack prompts for red teaming LLM implementations. The solution generates targeted prompts, submits them to the application’s LLM API, and analyzes responses for unsafe behavior, greatly improving coverage and testing efficiency. By automating these processes, the team reduced manual effort and accelerated vulnerability detection. This approach empowered developers and security teams to identify and fix prompt injection flaws more effectively, strengthening the overall LLM security posture.

AI/ML implementations are built on distinct algorithms and models with unique features, distinguishing them from traditional applications. These systems are inherently non-deterministic, meaning they can generate different outputs for the same input based on varying conditions. Additionally, AI/ML components often need to integrate with other parts of an application, leading to diverse and intricate architectures for each implementation. It is imperative for testers to understand how to manipulate input data and model behaviours to deceive AI systems and perform context-driven testing. It requires a critical thinking ability which typically automated tools do not have. An ideal risk assessment approach for reviewing AI-driven applications would be human-in-the-loop (HTIL) assessments mainly due to two factors - context-driven scenario based testing and an assessment of risk and impact based on potential business impact of identified vulnerabilities.

Most discussions around AI/LLM security focus on what the vulnerabilities are i.e. prompt injection, data leakage, bias, abuse, or excessive agency. However, during real world engagements, the most important question which needs to be addressed is which part of the AI system is actually introducing these vulnerabilities, and where should those vulnerabilities be fixed? This is a blog series which includes information on the security controls that should be implemented for agentic and non-agentic systems, various layers at which vulnerabilities can be fixed and detailed configuration guidance for various LLM provider guardrails like Azure, GCP etc.

Unauthorized exposure of MCP (Model Context Protocol) servers is emerging as a critical but overlooked security flaw in enterprise AI deployments. MCP servers are designed to expose internal tools, data, and workflows to AI agents in a controlled manner, with proper authentication and access restrictions. However, real-world assessments found that many implementations allow unauthenticated or improperly authenticated connections, enabling external or unauthorized clients to directly invoke MCP tools. This bypasses both application-layer controls and user-based access restrictions, leading to immediate risks such as sensitive data leakage, unintended actions, and even misuse of enterprise workflows. In some cases, third-party or local LLM clients can connect to these servers, or users can reuse valid tokens outside approved interfaces, effectively creating a “side door” into enterprise systems.

This blog provides a security-focused review of emerging AI agent communication protocols beyond the widely discussed Model Context Protocol (MCP). It examines key protocols such as the Agent-to-Agent (A2A) Protocol, Agent Communication Protocol (ACP), and Agent Network Protocol (ANP), highlighting specific vulnerabilities each introduces — for example, spoofing and prompt-injection risks in A2A’s agent cards, optional integrity weaknesses and replay risks in ACP’s registry model, and decentralized identity and negotiation security challenges in ANP. The article concludes that while these protocols offer flexibility and decentralized collaboration capabilities, their architectures contain inherent security trade-offs, and organizations should implement transport-layer protections and central governance to mitigate threats when deploying multi-agent systems.

This series of blogs talks about how the Model Context Protocol (MCP) is quickly becoming one of the most widely used standards for connecting AI agents with external tools, APIs, and enterprise systems. Because MCP makes integrations faster and easier, adoption is growing at a very high pace across the AI ecosystem. At the same time, these blogs highlight that new security risks are being discovered just as quickly — including attack vectors like prompt injection, server spoofing, privilege escalation, and tool poisoning, where attackers can manipulate tool definitions to influence AI behavior. Overall, the rapid rise of MCP is also leading to a rapidly expanding attack surface, making continuous security testing and strong governance essential for safe deployment.