A compromised agent can reach systems that network controls would otherwise isolate, because agent tool connections constitute authorized cross-boundary communication.
Network segmentation creates security boundaries: the payment network is isolated from customer data networks, which are isolated from trading systems. Segmentation is enforced through network access controls: firewalls prevent direct connections between segments.
Agent architectures, particularly delegating agents and agent meshes, cross these segmentation boundaries by design. An agent in the payment network delegates to an agent in the customer data network by invoking MCP tools or A2A delegation. This delegation creates an authorized communication path that bypasses traditional network segmentation.
If an attacker compromises the first agent, the attacker can use the agent's delegation capability to move laterally to other networks. The attacker does not need to break through the firewall; the compromised agent has legitimate access to delegated networks. Traditional EDR systems monitor for lateral movement within a network segment, but when agents cross segments through authorized delegation, EDR may not flag the movement as suspicious because the agent had legitimate authorization.
A large financial institution has three isolated network segments: Credit-Cards, Payment-Processing, and Risk-Management. Agent-CreditCards operates in the Credit-Cards network, Agent-PaymentProcessor operates in the Payment-Processing network, and Risk-Agent operates in the Risk-Management network.
For integrated operations, Agent-PaymentProcessor is authorized to delegate to Agent-CreditCards (to retrieve cardholder data during payment processing). This delegation crosses the network segment boundary, but the cross-segment access is authorized.
An attacker compromises Agent-PaymentProcessor through a prompt injection attack that injects an instruction to install a backdoor. The attacker then uses Agent-PaymentProcessor's established delegation channel to access Agent-CreditCards. Agent-PaymentProcessor invokes Agent-CreditCards with a query: "Return all customer credit card numbers for customers with accounts >$100K balance." Agent-CreditCards, receiving the query from a legitimate agent with authorized access, returns the data.
The attacker exfiltrates the card data through Agent-PaymentProcessor to an external server. Network segmentation did not prevent this attack because the agent delegation was legitimate. EDR did not flag the activity as suspicious because both agents were performing authorized operations.
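One way to narrow the delegation edge in this scenario, as an added example that is not part of the original page: a policy check in front of Agent-CreditCards that accepts only typed, purpose-bound operations tied to an in-flight payment. The operation names, the transaction binding, and the record ceiling are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Delegation:
    caller: str
    callee: str
    operation: str             # typed operation name, not free text
    txn_id: Optional[str]      # payment transaction the call is bound to
    max_records: int           # most records the caller asks to receive

# Assumed policy: each cross-segment edge lists the operations it exists for.
# The operation name and limits are constructed for this example.
EDGE_POLICY = {
    ("Agent-PaymentProcessor", "Agent-CreditCards"): {
        "operations": {"get_cardholder_for_txn"},
        "max_records": 1,
    },
}

def evaluate(d, open_txns):
    """Return (decision, reason) for one delegated call."""
    policy = EDGE_POLICY.get((d.caller, d.callee))
    if policy is None:
        return ("deny", "no delegation edge defined")
    if d.operation not in policy["operations"]:
        return ("deny", "operation outside edge purpose")
    if d.txn_id not in open_txns:
        return ("deny", "not bound to an in-flight transaction")
    if d.max_records > policy["max_records"]:
        return ("deny", "record count exceeds edge ceiling")
    return ("allow", "within edge purpose")

# Constructed events: one normal lookup, then three that should be refused.
OPEN_TXNS = {"txn-1001"}
EVENTS = [
    Delegation("Agent-PaymentProcessor", "Agent-CreditCards", "get_cardholder_for_txn", "txn-1001", 1),
    Delegation("Agent-PaymentProcessor", "Agent-CreditCards", "free_text_query", None, 100000),
    Delegation("Agent-PaymentProcessor", "Agent-CreditCards", "get_cardholder_for_txn", "txn-9999", 1),
    Delegation("Agent-PaymentProcessor", "Agent-CreditCards", "get_cardholder_for_txn", "txn-1001", 500),
]

def review(events=EVENTS, open_txns=OPEN_TXNS):
    return [evaluate(e, open_txns) for e in events]

if __name__ == "__main__":
    for event, (decision, reason) in zip(EVENTS, review()):
        print(f"{decision:5} {event.caller} -> {event.callee} {event.operation}: {reason}")
```

A denial on an edge that is otherwise authorized is the event worth alerting on, since it separates the edge's normal purpose from misuse of the same channel.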
| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 4 | Lateral movement via agent chains may be difficult to detect because agent delegation is legitimate. Requires behavior analysis to distinguish normal from malicious delegation. |
| A - Autonomy Sensitivity | 5 | High when agents autonomously delegate without human approval. |
| M - Multiplicative Potential | 5 | Every agent delegation is a potential lateral movement path. In large ecosystems, many paths exist. |
| A - Attack Surface | 4 | Agent delegation channels are attack surfaces. Compromising any agent in the delegation chain enables lateral movement. |
| G - Governance Gap | 4 | Institutions may not consider agent delegation when designing network segmentation. Segmentation policies assume agent access is transitive. |
| E - Enterprise Impact | 5 | Enables access to networks behind firewall boundaries. Full impact depends on what data is in target networks. |
| Composite DAMAGE Score | 4.3 | Critical. Requires immediate architectural controls. Cannot be accepted. |
How severity changes across the agent architecture spectrum.
| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Low | Human controls delegation manually. Unusual cross-segment access requires approval. |
| Digital Apprentice | Low | Agents escalate before delegating across network boundaries. |
| Autonomous Agent | High | Agents autonomously delegate across segments if targets are in scope. |
| Delegating Agent | Critical | Primary function is delegation. Compromised delegating agent is a lateral movement highway. |
| Agent Crew / Pipeline | High | Crew agents may be distributed across network segments. Compromise of one agent affects crew-wide access. |
| Agent Mesh / Swarm | Critical | Mesh agents are designed to cross network boundaries. Compromise of any mesh node enables mesh-wide lateral movement. |
| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| NIST CSF 2.0 | Partial | DE.CM-1 (Unauthorized Communications) | Detection of unauthorized communications. | Lateral movement via agent delegation. |
| NIST Zero Trust | Partial | Microsegmentation | Continuous segmentation and verification. | Agent delegation and cross-segment movement. |
| NIST SP 800-53 | Partial | SC-7 (Boundary Protection) | Network boundary protection. | Agent-enabled boundary traversal. |
| COBIT 5 | Partial | DSS01 (Access Control) | Access control and monitoring. | Agent-based lateral movement. |
| CIS Controls | Partial | 6.1 (Network Segmentation) | Segmentation. | Agent delegation and cross-segment movement. |
Network segmentation is a foundational security control in regulated industries. Auditors verify that sensitive data networks are isolated from less-sensitive networks. If agents create lateral movement paths that bypass segmentation, the institution's security posture is degraded.
Additionally, data breach investigations typically show lateral movement as a key attack phase. If agents enable lateral movement, the institution must ensure monitoring catches agent-based lateral movement patterns. Failure to do so may constitute a regulatory control deficiency.
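For a segmentation review, the delegation graph can be audited the same way firewall rules are. The following added example (not from the original page) computes which segments each agent can reach by following delegation edges and reports every cross-segment path the firewall policy does not permit. The agent inventory mirrors the scenario above; the Risk-Agent delegation edge and the empty firewall allowlist are assumptions added to show transitive reach.

```python
from collections import deque

# Constructed inventory mirroring the scenario: agent -> network segment.
SEGMENT = {
    "Agent-CreditCards": "Credit-Cards",
    "Agent-PaymentProcessor": "Payment-Processing",
    "Risk-Agent": "Risk-Management",
}
# Authorized delegation edges (caller -> callees). The PaymentProcessor edge is
# from the scenario; the Risk-Agent edge is an assumption for illustration.
DELEGATES = {
    "Risk-Agent": ["Agent-PaymentProcessor"],
    "Agent-PaymentProcessor": ["Agent-CreditCards"],
}
# Segment pairs the firewall policy permits directly (assumed: none).
FIREWALL_ALLOWED = set()

def reachable_segments(start):
    """Map each segment reachable from `start` to the agent path that reaches it."""
    seen, queue, paths = {start}, deque([start]), {start: [start]}
    while queue:
        agent = queue.popleft()
        for nxt in DELEGATES.get(agent, []):
            if nxt not in seen:          # breadth-first, so paths are shortest
                seen.add(nxt)
                paths[nxt] = paths[agent] + [nxt]
                queue.append(nxt)
    return {SEGMENT[a]: paths[a] for a in seen if a != start}

def segmentation_gaps():
    """List (source segment, target segment, agent path) absent from firewall policy."""
    gaps = []
    for agent, seg in SEGMENT.items():
        for target_seg, path in reachable_segments(agent).items():
            if target_seg != seg and (seg, target_seg) not in FIREWALL_ALLOWED:
                gaps.append((seg, target_seg, path))
    return sorted(gaps)

if __name__ == "__main__":
    for src, dst, path in segmentation_gaps():
        print(f"{src} reaches {dst} via {' -> '.join(path)}")
```

The Risk-Management to Credit-Cards result has no direct delegation edge behind it; it exists only because two authorized edges chain together.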
Lateral Movement via Agent Chains requires architectural controls that go beyond what existing frameworks provide.