R-AC-06 | Agent Communication & Interoperability | DAMAGE 3.7 / High

Event-Driven Trigger Exploitation

An adversary who can publish to an event stream can trigger agent actions at will. Event infrastructure was designed for stateless consumers, not autonomous actors.

The Risk

Event-driven agent architectures let agents be triggered by events published to event streams or message queues (Kafka, RabbitMQ, EventBridge). When an event occurs (customer account created, transaction completed, threshold exceeded), the agents subscribed to the stream act on each matching event.

The vulnerability: agents trust that events come from legitimate sources. If an adversary can publish events to the event stream, the adversary can trigger agent actions by forging events. The agent does not verify the event source; it simply processes the event. For example, an agent-driven account onboarding system is triggered by "AccountCreated" events. An adversary gains write access to the event stream and publishes a fabricated event for a fake account. The Onboarding-Agent processes the fake event and creates an account.

How It Materializes

A cryptocurrency exchange processes customer account onboarding through an agent-driven system. When a new customer signs up, the frontend application publishes an "AccountCreated" event to a Kafka event stream. Multiple agents subscribe: Onboarding-Agent, KYC-Agent, and Account-Setup-Agent.

An attacker compromises the exchange's cloud infrastructure and gains write access to the Kafka event stream. The attacker publishes a fabricated "AccountCreated" event with customer details: name = "John Smith", email = "attacker@gmail.com", kyc_status = "verified".

The Onboarding-Agent receives the fake event and triggers the onboarding workflow. KYC-Agent receives the event and notes that kyc_status is "verified," so it marks the account as KYC-complete without conducting actual verification. Account-Setup-Agent creates API keys and sets up trading permissions. Within minutes, a fully functional account has been created without KYC verification.

The attacker uses the account to conduct illicit transactions (money laundering, sanctions evasion). By the time the exchange discovers the account through suspicious trading activity, the attacker has already conducted transactions and disappeared.

DAMAGE Score Breakdown

| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 3 | Forged events can appear legitimate if they conform to expected format. Statistical anomalies can trigger detection. |
| A - Autonomy Sensitivity | 4 | High when agents autonomously process events without human verification. |
| M - Multiplicative Potential | 5 | Every event published to stream can trigger agent actions. Forged events affect all subscribing agents. |
| A - Attack Surface | 5 | Event stream is attack surface. Write access to stream enables attack. |
| G - Governance Gap | 4 | Institutions may not have controls validating event source authenticity or requiring authorization for event publication. |
| E - Enterprise Impact | 5 | Enables creation of fake accounts, fraudulent transactions, and unauthorized actions executed by agents. |
| Composite DAMAGE Score | 3.7 | High. Requires dedicated controls and monitoring. Should not be accepted without mitigation. |

Agent Impact Profile

How severity changes across the agent architecture spectrum.

| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Low | Human approves significant events before agents act. |
| Digital Apprentice | Low-Med | Agents verify event authenticity before processing. |
| Autonomous Agent | High | Agents autonomously process events without verification. |
| Delegating Agent | Medium | Delegating agent triggered by events. Forged events trigger unauthorized delegations. |
| Agent Crew / Pipeline | High | Multiple agents in crew subscribe to event stream. Forged events trigger crew-wide actions. |
| Agent Mesh / Swarm | Very High | Mesh agents heavily rely on event-driven coordination. Forged events trigger distributed actions. |

Regulatory Framework Mapping

| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| NIST AI RMF 1.0 | Partial | MAP 5.1 (Input Validation) | Input validation. | Event source authentication and authorization. |
| NIST CSF 2.0 | Partial | PR.AC-1 (Authorization) | Access control and authorization. | Event publisher authentication. |
| Zero Trust (NIST SP 800-207) | Partial | Implicit Trust Zones | Never trust, always verify. | Event source authentication. |
| OWASP Agentic Top 10 | Not Directly | | Agentic security. | Event-driven trigger exploitation. |

Why This Matters in Regulated Industries

In financial services, account creation and account changes must be controlled and auditable. An attacker creating fake accounts through forged events is a material compliance violation. Additionally, transactions executed through fake accounts are fraudulent and expose the institution to money laundering liability.

Controls & Mitigations

Design-Time Controls

  • Implement cryptographic signing of all events. Events published to event streams must be digitally signed by the event publisher. Agents must verify signatures before processing.
  • Use Component 2 (Cryptographic Identity) to establish identity of event publishers. Only authorized publishers with valid cryptographic identity can publish events to critical streams.
  • Implement access controls on event stream topics. Only authorized applications can publish to sensitive event topics.
  • Design agents to validate event contents against external sources before acting. For AccountCreated events, the agent should verify that the account exists in the authoritative customer database.

Runtime Controls

  • Implement event source validation. Before agents process events, validate that the event came from a trusted source by verifying cryptographic signature or publisher identity.
  • Monitor event stream for anomalies. Track publisher identity, event frequency, and event structure. Flag events from unexpected publishers.
  • Implement rate limiting on event-driven agent actions to prevent rapid exploitation.
  • Use Component 3 (JIT Authorization Broker) to validate that event publication is authorized before allowing agents to process the event.
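
The design-time and runtime controls above (signed events, per-topic publisher authorization, validation against the authoritative database), combined into one admission check that an agent runs before acting. This is an added example, not code from the framework; it substitutes HMAC-SHA256 with per-publisher keys for asymmetric digital signatures so that it runs on the standard library alone. The topic name, publisher name, keys, field names and in-memory "database" are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample data: publisher keys, topic ACL and the system of record.
PUBLISHER_KEYS = {"signup-frontend": b"constructed-demo-key"}
TOPIC_PUBLISHERS = {"accounts.created": {"signup-frontend"}}
CUSTOMER_DB = {"acct-1001": {"email": "alice@example.com", "kyc_status": "pending"}}


def canonical(event):
    """Serialize every field except the tag deterministically for signing."""
    body = {k: v for k, v in event.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_event(event, key):
    """Publisher side: return a copy of the event with an HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical(event), hashlib.sha256).hexdigest()
    return {**event, "sig": tag}


def admit_event(topic, event):
    """Agent side: return (decision, detail); act only on 'accept'."""
    publisher = event.get("publisher")
    key = PUBLISHER_KEYS.get(publisher) if isinstance(publisher, str) else None
    if key is None or publisher not in TOPIC_PUBLISHERS.get(topic, set()):
        return "reject", "publisher not authorized for topic"
    expected = hmac.new(key, canonical(event), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(event.get("sig", "")).encode()):
        return "reject", "bad signature"
    record = CUSTOMER_DB.get(event.get("account_id"))
    if record is None or record["email"] != event.get("email"):
        return "reject", "account not in authoritative database"
    # KYC state comes from the system of record, never from the event payload.
    return "accept", record["kyc_status"]


if __name__ == "__main__":
    base = {"type": "AccountCreated", "publisher": "signup-frontend",
            "account_id": "acct-1001", "email": "alice@example.com",
            "kyc_status": "verified"}  # self-asserted value, ignored by the agent
    forged = dict(base, account_id="acct-9999", email="mallory@example.com")
    print(admit_event("accounts.created", sign_event(base, PUBLISHER_KEYS["signup-frontend"])))
    print(admit_event("accounts.created", sign_event(forged, b"not-the-real-key")))
```

With asymmetric signatures the agents would hold only verification keys, so a compromised consumer could not mint events that other agents accept.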

Detection & Response

  • Conduct regular audits of event streams. Verify that events published match events expected from known publishers. Identify unauthorized events.
  • Monitor agent actions triggered by events. Track which events trigger which agent actions and verify that actions are appropriate.
  • Implement audit logging of event processing. Log event source, publisher, timestamp, and resulting agent action.
  • Implement incident response for compromised event streams. Halt all event-driven agent actions until stream integrity is verified.
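
The stream audit described above, run over an event-processing log: it flags events from unexpected publishers, events with no matching signup in the system of record, and per-publisher bursts. This is an added example, not code from the framework; the log records, publisher names, account IDs and rate threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample data: expected publishers per topic, the signups recorded
# by the frontend's own system of record, and an assumed per-minute threshold.
EXPECTED_PUBLISHERS = {"accounts.created": {"signup-frontend"}}
RECORDED_SIGNUPS = {"acct-1001", "acct-1002"}
MAX_EVENTS_PER_MINUTE = 2


def rec(ts, publisher, account_id, action):
    """Build one audit record: event source, publisher, timestamp, agent action."""
    return {"ts": ts, "topic": "accounts.created", "publisher": publisher,
            "account_id": account_id, "action": action}


# Constructed audit log of events the agents processed.
AUDIT_LOG = [
    rec("2024-05-01T10:00:05Z", "signup-frontend", "acct-1001", "onboarding_started"),
    rec("2024-05-01T10:00:40Z", "signup-frontend", "acct-1002", "onboarding_started"),
    rec("2024-05-01T10:07:11Z", "batch-export", "acct-7001", "api_keys_issued"),
    rec("2024-05-01T10:07:12Z", "signup-frontend", "acct-7002", "api_keys_issued"),
    rec("2024-05-01T10:07:13Z", "signup-frontend", "acct-7003", "api_keys_issued"),
    rec("2024-05-01T10:07:14Z", "signup-frontend", "acct-7004", "api_keys_issued"),
]


def audit(log):
    """Return (when, finding, subject) tuples for events that need review."""
    findings = []
    per_minute = Counter()
    for r in log:
        if r["publisher"] not in EXPECTED_PUBLISHERS.get(r["topic"], set()):
            findings.append((r["ts"], "unexpected_publisher", r["publisher"]))
        if r["account_id"] not in RECORDED_SIGNUPS:
            # The agent acted on an event the authoritative source never produced.
            findings.append((r["ts"], "no_matching_signup", r["account_id"]))
        per_minute[(r["publisher"], r["ts"][:16])] += 1  # bucket by minute
    for (publisher, minute), count in sorted(per_minute.items()):
        if count > MAX_EVENTS_PER_MINUTE:
            findings.append((minute, "rate_exceeded", publisher))
    return findings


if __name__ == "__main__":
    for finding in audit(AUDIT_LOG):
        print(finding)
```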
