One in eight. That is the share of reported AI security breaches now involving autonomous agentic systems, according to HiddenLayer's 2026 AI Threat Landscape Report. A year ago, that number was closer to one in twenty. The shift reflects something real: enterprises are moving from AI experiments to AI production, and agentic deployments are outpacing the security controls designed to contain them.
The numbers
The HiddenLayer 2026 report surfaces two statistics that security teams should not read past quickly. First: prompt injection appears in 73% of production AI deployments. OWASP has ranked it the number one LLM vulnerability for the second year running. Second: agentic AI systems account for more than 1 in 8 reported AI breaches as enterprises move from experimentation to production. HiddenLayer has also disclosed 48 CVEs in ML frameworks since the company's founding, tracking the underlying code-level risk in the infrastructure AI runs on.
Why agentic AI changes the threat model
A prompt injection attack against a standalone chat interface is annoying. The same attack against an agentic system with tool access is a security incident. Agentic AI systems are designed to take actions: they call APIs, read files, send messages, write code, and query databases. A successful prompt injection against an agent does not just produce misleading output. It can exfiltrate data, take unauthorized actions on connected systems, and move laterally through anything the agent is authorized to touch.
Traditional security models draw a hard line between computation and action. The agent collapses that line by design. When you deploy an agent with write access to a database and the ability to send external API requests, you have created a new attack surface that does not map cleanly onto perimeter security, identity and access management, or application security controls as they currently exist.
The Model Context Protocol factor
The HiddenLayer report flags the rise of Model Context Protocol (MCP) and tool-using agents as a specific threat multiplier. MCP creates a standardized way for AI systems to connect to external tools and data sources: databases, APIs, file systems, calendar systems, and messaging platforms. This is powerful for productivity. It also means a single successful prompt injection can now cascade across every tool in the MCP graph. The attack surface is not the model. It is everything the model can reach.
This is not a theoretical concern. That OWASP's number one LLM risk is present in 73% of production deployments means the majority of organizations running AI in production have an exploitable injection surface right now. The question is not whether your AI is vulnerable. The question is whether your security team knows what an AI exploitation incident looks like and has the logging in place to detect it.
What defenders should do
Treat prompt injection as a perimeter-level control problem, not an application-level afterthought. Start by inventorying every agentic AI deployment in your environment and documenting what tools and data sources each agent can access. Apply least-privilege to that access: an agent that only needs to read a database should not have write access. Build logging for agent actions, not just inputs and outputs. If an agent takes an action, that action should appear in your security telemetry.
For organizations using MCP-connected agents: treat the MCP tool graph as an access control boundary, not just a configuration setting. Each tool connection is a potential lateral movement path if an injection attack succeeds. Red team your agents with adversarial prompt inputs before putting them in production. The HiddenLayer report is a data point; the action item is treating AI deployment with the same security rigor you would apply to deploying a new API-connected application with broad data access.
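The two preceding paragraphs describe a procedure: inventory what each agent can reach, cut its access to least privilege, treat the tool graph as an access control boundary, and log agent actions as security telemetry. The following is an added example of that procedure in working form; it is not code from the HiddenLayer report, from MCP, or from any real agent framework. It places a small gateway between the model and its tools so that every tool call is authorized against a per-agent allowlist and written to an audit record before it executes, reports each agent's reachable tools (its blast radius) split by read and write effect, and runs a detection over the audit records for denied write attempts. All agent ids, tool names, policies and handlers are constructed for illustration.

```python
"""Least-privilege tool gateway with action-level audit logging for an AI agent.

Added example, not code from the HiddenLayer report or from any real MCP
server or agent framework. Every agent id, tool name, policy and handler
below is constructed for illustration.
"""
import json
import logging
from dataclasses import dataclass

logger = logging.getLogger("agent_gateway")

# Tool catalogue classified by effect on connected systems: "read" tools only
# observe; "write" tools change state or push data outside the agent boundary.
TOOL_EFFECTS = {
    "db.query": "read",
    "db.update": "write",
    "files.read": "read",
    "http.post": "write",
    "email.send": "write",
}


@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    allowed_tools: frozenset  # explicit allowlist; anything not listed is denied


class ToolDenied(Exception):
    """Raised when an agent attempts a tool call outside its policy."""


class ToolGateway:
    """Sits between the model and its tools; every call is authorized and logged."""

    def __init__(self, policies, handlers):
        self.policies = {p.agent_id: p for p in policies}
        self.handlers = handlers  # tool name -> callable backend
        self.audit_log = []       # in memory here; ship to a SIEM in practice

    def blast_radius(self, agent_id):
        """Tools an injected instruction could reach through this agent, by effect."""
        allowed = self.policies[agent_id].allowed_tools
        return {
            "read": sorted(t for t in allowed if TOOL_EFFECTS.get(t) == "read"),
            "write": sorted(t for t in allowed if TOOL_EFFECTS.get(t) == "write"),
        }

    def call(self, agent_id, tool, args, request_id):
        policy = self.policies.get(agent_id)
        allowed = (policy is not None and tool in policy.allowed_tools
                   and tool in self.handlers)
        record = {
            "event": "agent_tool_call",
            "request_id": request_id,
            "agent_id": agent_id,
            "tool": tool,
            "effect": TOOL_EFFECTS.get(tool, "unknown"),
            "args": args,
            "decision": "allow" if allowed else "deny",
        }
        # The action is the telemetry: record it before executing so denied
        # attempts land in the log alongside successful calls.
        self.audit_log.append(record)
        logger.info(json.dumps(record))
        if not allowed:
            raise ToolDenied(f"{agent_id} is not permitted to call {tool}")
        return self.handlers[tool](**args)


def denied_write_attempts(audit_log):
    """Detection over audit records: a denied call to a write-effect tool means the
    model was steered toward an action the agent was never granted."""
    return [r for r in audit_log
            if r["decision"] == "deny" and r["effect"] == "write"]


def build_demo_gateway():
    # Constructed handlers standing in for real backends.
    handlers = {
        "db.query": lambda sql: [{"customer": "alice", "balance": 42}],
        "email.send": lambda to, body: f"sent to {to}",
    }
    # A reporting agent only needs to read, so its policy grants read access only,
    # even though an e-mail backend exists in the environment.
    policies = [AgentPolicy("reporting-agent", frozenset({"db.query"}))]
    return ToolGateway(policies, handlers)


def simulate_injected_exfiltration(gateway):
    """Constructed scenario: retrieved data carries an instruction that steers the
    model into e-mailing the query result outside the organization. The gateway
    denies the write regardless of what the model decided. Returns True if blocked."""
    rows = gateway.call("reporting-agent", "db.query",
                        {"sql": "SELECT customer, balance FROM accounts"}, "req-1")
    try:
        gateway.call("reporting-agent", "email.send",
                     {"to": "external@example.invalid", "body": json.dumps(rows)},
                     "req-1")
        return False
    except ToolDenied:
        return True


if __name__ == "__main__":
    gw = build_demo_gateway()
    print("blast radius:", gw.blast_radius("reporting-agent"))
    print("exfiltration blocked:", simulate_injected_exfiltration(gw))
    for rec in denied_write_attempts(gw.audit_log):
        print("ALERT:", json.dumps(rec))
```

The design choice worth noting is that authorization happens at the gateway, not in the prompt: the model's decision to call a tool is untrusted input, and the policy is enforced on the action itself. The `blast_radius` output is the inventory artifact the first paragraph above asks for, and shipping the audit records to a SIEM and alerting on `denied_write_attempts` gives a security team a concrete signature for an injection that reached the action stage.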
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your organization is deploying agentic AI and needs help thinking through the security model.