
APIsec U
June 23, 2025
June 30, 2025

From Interns to Intelligence: How Agentic AI Will Transform AppSec and DevSecOps

Agentic AI isn’t science fiction—it’s already reshaping supply chains, ERPs, and DevOps pipelines. But when AI agents start coordinating decisions autonomously, a rogue agent isn’t just a bug—it’s a business risk. In this electrifying APIsec|CON ‘25 talk, Balaji Undara maps the security minefield of agentic systems and makes one thing crystal clear: you can’t have secure AI without secure APIs.

By APIsec University | APIsec|CON 2025 Recap

🚀 Introducing Agentic AI: Not Just Smarter, But Autonomous

AI agents have been helping teams automate tasks like inventory checks and shipment tracking. But now, the world is entering a new frontier: Agentic AI—where multiple specialized agents operate autonomously, coordinate workflows, and adapt in real time. At APIsec|CON ‘25, product leader Balaji Undara took the audience on a guided tour through the security implications, system architecture, and risk mitigation strategies of this paradigm shift.

For AppSec and DevSecOps professionals, this isn’t just an AI evolution—it’s a call to build security into the future of intelligent, API-driven systems.

🧠 What Is Agentic AI?

Agentic AI refers to a system of intercommunicating AI agents that collectively manage complex, cross-domain workflows—like supply chains, ERP, or CRM. Each agent handles a specific task (e.g., planning, inventory, procurement), but more importantly, they collaborate and adapt autonomously, correcting each other’s errors, minimizing human input, and optimizing outcomes.

Key Differentiators:

  • AI Agent: A single-task executor—like an intern.
  • Agentic AI: A coordinated workforce—like a department solving problems dynamically and collectively.

🔓 The First Layer of the Onion: Security

Balaji opened his talk with a reality check: every breakthrough in AI brings with it a new attack surface. Agentic AI systems, with their sprawling inter-agent communications, require a fundamentally different security posture. Consider this:

  • What happens when a rogue planning agent over-orders?
  • What if it communicates flawed logic to a restocking agent?
  • What if APIs misbehave and inject hallucinated logic into critical workflows?

This isn’t hypothetical. Agentic AI systems run on APIs—and just like any software stack, they’re only as secure as their weakest link.

🧬 Architecture: Autonomy Meets Accountability

Balaji walked the audience through a schematic model of agentic AI where multiple agents interact with dedicated LLMs, report to a coordination layer, and execute against business logic. But where traditional systems rely on user prompts or static orchestration, agentic AI systems self-prompt, self-correct, and self-balance.

But with great autonomy comes greater risk:

  • Memory poisoning
  • Tool misuse
  • Service account abuse
  • Rogue agents breaking workflow integrity

⚠️ Threat Modeling for Agentic AI

Borrowing from the traditional OSI model and established frameworks like STRIDE and PASTA, Balaji introduced MAESTRO (Multi-Agent Environment Security Threat Risk and Outcome)—a security threat framework tailored for agentic AI. Initiated by the Cloud Security Alliance and OWASP, MAESTRO outlines 15 key threats, including:

  • Memory poisoning
  • Agent manipulation
  • API hijacking
  • Hallucination propagation

These are complemented by the OWASP API Security Top 10, highlighting how Agentic AI security is inseparable from API security.

🔧 Proactive, Reactive, and Detective Controls

Agentic AI systems demand a multi-pronged defense model:

🔹 Proactive

  • Secure by design
  • Identity federation across agents
  • Privilege control at the service level
  • Guardrails against prompt injection and tool misuse

🔹 Reactive

  • Quarantine rogue agents
  • Rollback flawed decisions
  • Revoke compromised access dynamically

🔹 Detective

  • Granular logging
  • Auditing inter-agent communications
  • Human-in-the-loop monitoring

Balaji emphasized: “There’s no replacing humans. Agentic AI still needs our judgment.”
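As an added illustration (not code from Balaji's talk or from APIsec), the following Python sketch applies three of the controls above at the coordination layer that mediates inter-agent and API calls: a per-agent API privilege set (proactive), an audit log of every request (detective), and automatic quarantine of an agent that repeatedly violates policy (reactive), which covers the rogue planning agent scenario from the opening section. The agent roles, API names and the order-quantity guardrail are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Proactive: privilege control at the service level. Each agent may call only
# the APIs its role needs. Agent roles and API names are constructed examples.
ALLOWED_APIS: Dict[str, Set[str]] = {
    "planning": {"inventory.read", "restock.propose"},
    "restocking": {"inventory.read", "purchase_order.create"},
    "monitoring": {"inventory.read", "audit.read"},
}

# Proactive guardrail (assumed business rule): cap order quantity so a
# hallucinated or manipulated number cannot become a real purchase order.
MAX_ORDER_QTY = 10_000

@dataclass
class Coordinator:
    """Gate between agents and the APIs they act through."""
    audit_log: List[dict] = field(default_factory=list)  # detective: every call
    quarantined: Set[str] = field(default_factory=set)  # reactive: isolated agents
    violations: Dict[str, int] = field(default_factory=dict)
    max_violations: int = 2  # quarantine after this many policy violations

    def request(self, agent: str, api: str, args: dict) -> bool:
        """Return True only if the inter-agent/API call may proceed."""
        if agent in self.quarantined:
            return self._record(agent, api, args, "deny", "agent quarantined")
        if api not in ALLOWED_APIS.get(agent, set()):
            return self._violation(agent, api, args, "api outside agent privilege set")
        if api == "purchase_order.create" and args.get("qty", 0) > MAX_ORDER_QTY:
            return self._violation(agent, api, args, "quantity exceeds guardrail")
        return self._record(agent, api, args, "allow", "policy ok")

    def _violation(self, agent, api, args, reason):
        # Reactive: count violations and quarantine the agent once it looks rogue,
        # which also revokes its access to APIs it was otherwise allowed to call.
        self.violations[agent] = self.violations.get(agent, 0) + 1
        if self.violations[agent] >= self.max_violations:
            self.quarantined.add(agent)
            reason += "; agent quarantined"
        return self._record(agent, api, args, "deny", reason)

    def _record(self, agent, api, args, decision, reason):
        # Detective: granular log of who asked for what and why it was decided.
        self.audit_log.append({"agent": agent, "api": api, "args": args,
                               "decision": decision, "reason": reason})
        return decision == "allow"
```

In a real deployment the audit log would go to an append-only store outside the agents' reach, and quarantining an agent would also revoke its service-account credentials rather than only blocking it in the coordinator.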

🛡️ APIs: The Backbone of Intelligence—and the Attack Surface

Balaji’s most powerful takeaway? There is no AI without API. Every agent’s action—whether it’s procurement, routing, or monitoring—is executed via an API. That means:

  • Agentic AI inherits all existing API vulnerabilities
  • If APIs are unsecured, agents hallucinate, misbehave, or worse—expose sensitive data

To mitigate this, teams must:

  • Apply OWASP API Top 10 rigorously
  • Build comprehensive playbooks for each domain (supply chain, healthcare, etc.)
  • Prioritize threats by use case (must-have, may-have, not-needed)

🔮 What’s Next? AI Defending AI

In the Q&A, Balaji touched on an exciting prospect: Threat-solving AI agents. If agents can orchestrate logistics, why can’t agents detect and fix security issues autonomously?

While still in early research, the vision of a self-defending, self-healing agentic system is on the horizon—provided that AppSec and DevSecOps teams lay the secure foundation today.
