6 of 6 - Forging forward with GenAI

Introduction

Part 6, this blog post, will be the final blog post in this series. This blog post will explore the unique security challenges that are present in systems that rely on generative artificial intelligence (genAI) as part of its workflow.

The preceding blog posts in this series are located here:

• Part 1 Recap of the Security Navigator 2025 chapter on AI

• Part 2 The potential impact of genAI on the world

• Part 3 High-level overview of how large language models (LLMs) function

• Part 4 Continuing and wrapping up part 3

• Part 5 Examining agentic AI and the various pieces of this new paradigm

Everyone is a programmer

On 17 June 2025 Andrej Karpathy delivered a keynote address at the Y Combinator AI Startup School in San Francisco that claimed that LLMs are basically a new type of operating system (OS)¹. Karpathy reasons that this new paradigm is born from an evolution of software.

Originally, programs were written with a programming language or computer code, and this executed natively on a computer. Karpathy refers to this as “Software 1.0”. This evolved with the introduction of neural networks. Here weights are tuned and is “executed” by the neural network to give birth to “Software 2.0”. Karpathy reveals that software has changed again, and programs are written using natural language in the form of prompts. These prompts are interpreted by LLMs that result in actions and outcomes. This new way of creating “programs” or “instructions” means that LLMs can be treated as an OS effectively.

Natural language makes for a very rich and powerful medium through which we can interface with machines when using an LLM. The challenge is that there is a lot of room
for ambiguity or misinterpretation. Clarifying intent and managing expectations of the user requires clear context for the benefit of the LLM, but humans can be intentionally vague, manipulative, careless, lazy, etc.

Classical programming languages, the “Software 1.0” paradigm, have syntax rules that are enforced by a compiler or a run-time environment. These are, for the most part, well defined and exact. This ensures that, for the most part, a system behaves in a predictable manner. Over the years we have learned that certain defensive programming practices must be employed to guard against error or exploitation.

LLMs, in the “Software 3.0” paradigm, are less strict regarding the “programs” they execute. This can result in any number of outcomes when combined with other loosely defined elements that an LLM can leverage. The non-deterministic and stochastic properties of neural networks, its weights, along with other execution parameters is responsible for this “emergent behavior”.

Emergent behavior, as defined using George Dyson’s definition, reads:

“Emergent behavior is that which cannot be predicted through analysis at any level simpler than that of the system as a whole.Emergent behavior, by definition, is what’s left after everything else has been explained.”²

Dan Geer and Dave Aitel highlight this problematic scenario and the implications this has for cybersecurity frameworks:

“Current cybersecurity frameworks—such as the National Institute of Standards and Technology’s Secure Software Development Framework or Open Worldwide Application Security Project guidelines—assume predictable human coders and defined accountability. These assumptions collapse beneath the weight of AI’s velocity, opacity, and autonomy.”³

LLMs are an important underpinning of the current agentic AI ecosystem. Chaining these agentic AI services together makes for a large and complex system with many possible unknown outcomes. This is mostly due to the fact that LLMs process natural language as “instructions” but also as “data”. Mixing data and instructions in the same “execution pipeline” breathes life into this emergent behavior.

What recourse exists when one of these autonomous systems produces unwanted results? Can consumers expect recompence if something goes wrong and who determines that? Certainly, malicious users will do their best to identify and exploit weaknesses in these systems at the expense of someone else.

It is now possible for anyone using a few words to script an agentic AI system into performing serval tasks on behalf of the user, which previously would have required expert programmers to accomplish. Everyone can now create instructions for machines.

¹ https://www.youtube.com/watch?v=LCEmiRjPEtQ

² George Dyson, Darwin Among the Machines, Addison-Wesley, 1997

³ https://www.lawfaremedia.org/article/ai-and-secure-code-generation

Efforts afoot

Secure software development practices have evolved a lot since the early days of the internet. The software development community realized quickly that generative AI has potential, but also there are aspects of the technology that require defined best practices and mitigations to limit the impact of malicious users and to guard against unforeseen side-effects.

Community groups such as OWASP and the Cloud Security Alliance (CSA) were among the first to publish guidance on how to secure generative AI powered applications. Here is a non-exhaustive list of prominent projects that address challenges in this space:

• OWASP Top 10 for LLM Application ⁴
• OWASP Securing Agentic Application Guide 1.0 ⁵
• OWASP Multi-Agentic system Threat Modelling Guide v1.0 ⁶
• OWASP Agentic AI – Threats and Mitigations ⁷
• CSA Agentic AI Red Teaming Guide ⁸
• CSA Agentic AI Identity & Access Management ⁹
• CSA Secure Agentic System Design: A Trait-Based Approach ¹⁰
• CAS Agentic AI Threat Modeling Framework: MAESTRO ¹¹
• MITRE ATLAS (Adversarial Threat Landscape for Artificial Intelligence Systems) ¹²

The list of resources is growing; some address specific elements of agentic AI systems such as weakness in the model context protocol (MCP) itself.¹³

Individually these resources provide good guidance based on current capabilities of LLMs and their respective ecosystems. LLMs as a technology are rapidly growing in capability as a lot of effort is invested due to fierce competition among vendors in this space. The authors of these resources will have to keep pace with the emergent threat landscape as well in conjunction with LLM capabilities.

These guidelines and best practices are based on a common understanding of how systems work and the perceived impact. Please evaluate these in terms of your own use case and implementations to find an acceptable balance between risk mitigation and threat identification.

⁴https://genai.owasp.org/llm-top-10/
⁵https://genai.owasp.org/resource/securing-agentic-applications-guide-1-0/
⁶https://genai.owasp.org/resource/multi-agentic-system-threat-modeling-guide-v1-0/
⁷https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/
⁸https://csa-website-production.herokuapp.com/artifacts/agentic-ai-red-teaming-guide
⁹https://cloudsecurityalliance.org/artifacts/agentic-ai-identity-and-access-management-a-new- approach
¹⁰https://cloudsecurityalliance.org/artifacts/secure-agentic-system-design
¹¹https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro
¹²https://atlas.mitre.org/
¹³https://adversa.ai/mcp-security-top-25-mcp-vulnerabilities/

Step-by-step approach for trait-based security analysis

Trait-based security analysis is an iterative process that allows system designers and implementers to identify requirements and initial scope by asking questions such as:

• What is the purpose of the system?
• What are the core capabilities?
• Who are the stakeholders and users of the system?
• What are the operational constraints of the system?
• How sensitive is the data and what privacy concerns should be considered?
• What are the high-level security goals?
• What fail-safe mechanisms must be present?

Next the key agentic traits and their patterns must be identified. Select traits from the list of 7 categories.

Once the traits and patterns are identified, analyze interactions and assess the associated risks. Each pattern and trait will have known risks associated with the respective trait. Interactions that cross boundaries that impact other traits are also highlighted.

Once this task is completed, design and implement mitigations. Each trait pattern has a list of risks and applicable mitigation. Risks must be prioritized based on likelihood and potential impact of the risk with the specific system being analyzed.

Finally, the loop reaches the monitor, evaluate and adapt phase that acts to identify areas to correct or improve. Use this to close the feedback loop and adjust the security posture appropriately. This requires periodic review and analysis of the system.

Trait-based analysis and threat modeling

The trait-based analysis is well suited to working with existing security practices, software development lifecycles, etc. including threat modeling. It is possible to map the MAESTRO framework and trait-based categories to perform a system decomposition of agentic traits in terms of potential threats for a given system. The following is an example taken from the CSA Secure Agentic System Design: A Trait- Based Approach document mentioned in the “Efforts afoot” section:

This mapping can also be useful when using other tools such as MITRE’s ATLAS matrix to identify specific tactics for a given trait category. For example, “Decentralized Control”, that falls under the Control & Orchestration trait, could be linked to MITRE ATLAS “Takeover Attacks” or “Policy Bypassing” tactics.

“Traits and Patterns” were not covered in much detail and could easily require its own blog post to discuss. The “Traits and Patterns” section describes risks that could originate from outside the system but also could be risks that materialize because of design or implementation faults.