Each tool, API, and data source connected to an agent creates a new attack surface that may not be inventoried. The attack surface changes at runtime.
Traditional asset management tracks systems and data stores that the organization operates. Security teams maintain asset registers: servers, databases, applications, networks. Security controls are designed around known assets.
Agents dynamically connect to tools and APIs. Each connection creates a new attack surface: the agent, the tool, and the communication channel. If agents discover and connect to tools at runtime, the attack surface is not static and cannot be fully enumerated at design time.
Additionally, tool connections may not be tracked in asset registers. An agent connecting to an external API is a tool connection that may not appear in the organization's asset inventory. Security teams may not know what external systems agents are communicating with, making it impossible to assess risk or monitor those connections.
A financial services company has an asset register tracking internal systems (core banking platform, customer database, risk management systems), external integrations (payment processors, credit bureaus, AML screening services), and network infrastructure.
The company deploys agents that discover and invoke tools from a shared marketplace. Agents integrate with tools dynamically based on capabilities needed for their task.
An agent needs to verify customer identity. The agent queries the marketplace for identity verification tools and discovers "ID-Verify-Standard", "ID-Verify-Premium", and "ID-Verify-OpenID". The agent selects "ID-Verify-OpenID" because it offers the best match for the required capability.
The agent invokes "ID-Verify-OpenID" to verify a customer's identity. The tool is a third-party service not in the company's asset register. The company has no contract with the service provider, no security assessment, no data processing agreement. The agent sends customer identification documents (name, address, ID number) to the external service. The company's CISO later discovers this connection during an audit and realizes the company has exposed customer identity documents to an unknown external service not in the asset register and not subject to security oversight.
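The scenario above fails at the moment the agent acts on a marketplace result without anyone checking the tool against the asset register. The following is an added example, not code from the original page or from any vendor it describes, of a pre-invocation gate that closes that gap: the agent's chosen tool is looked up in a tool inventory, and the call is allowed only if the tool is registered, approved, and cleared for the classification of data about to be sent. Anything unregistered is denied and recorded so the inventory can be reconciled later. The tool names reuse the scenario; the endpoints, status values, classification labels, and agent identifier are constructed assumptions.

```python
"""Pre-invocation gate: an agent may only invoke tools present in the
organization's tool inventory. Constructed example; registry entries,
endpoints, classification labels and agent ids are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Status(Enum):
    APPROVED = "approved"          # contract, security assessment and DPA in place
    PENDING_REVIEW = "pending"     # registered after discovery, assessment not finished


@dataclass
class ToolRecord:
    name: str
    endpoint: str
    status: Status
    # highest data classification the provider is contractually allowed to receive
    max_classification: str = "public"


CLASSIFICATION_RANK = {"public": 0, "internal": 1, "customer_pii": 2}


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_human_approval: bool = False


@dataclass
class ToolInventory:
    records: Dict[str, ToolRecord]
    # every blocked or held attempt is recorded: this is the evidence the
    # asset register lacks about what agents actually try to reach
    discovery_log: List[dict] = field(default_factory=list)

    def _record(self, agent_id: str, tool: str, endpoint: str, data_class: str, outcome: str) -> None:
        self.discovery_log.append({"agent": agent_id, "tool": tool, "endpoint": endpoint,
                                   "data_class": data_class, "outcome": outcome})

    def authorize(self, agent_id: str, tool_name: str, endpoint: str, data_class: str) -> Decision:
        rec: Optional[ToolRecord] = self.records.get(tool_name)
        # Name match alone is not enough: a marketplace entry reusing a known
        # name but pointing at a different endpoint is treated as unregistered.
        if rec is None or rec.endpoint != endpoint:
            self._record(agent_id, tool_name, endpoint, data_class, "denied_unregistered")
            return Decision(False, f"{tool_name} at {endpoint} is not in the tool inventory")
        if CLASSIFICATION_RANK[data_class] > CLASSIFICATION_RANK[rec.max_classification]:
            self._record(agent_id, tool_name, endpoint, data_class, "denied_classification")
            return Decision(False, f"{tool_name} is not approved to receive {data_class}")
        if rec.status is Status.PENDING_REVIEW:
            # Digital Apprentice pattern: registered but still needs a human to sign off
            self._record(agent_id, tool_name, endpoint, data_class, "held_for_approval")
            return Decision(False, f"{tool_name} awaits third-party assessment", needs_human_approval=True)
        return Decision(True, f"{tool_name} is registered and approved")


def build_inventory() -> ToolInventory:
    """Constructed inventory: only two of the three marketplace tools were ever registered."""
    return ToolInventory(records={
        "ID-Verify-Standard": ToolRecord("ID-Verify-Standard", "https://idv-standard.example/api",
                                         Status.APPROVED, "customer_pii"),
        "ID-Verify-Premium": ToolRecord("ID-Verify-Premium", "https://idv-premium.example/api",
                                        Status.PENDING_REVIEW, "customer_pii"),
    })


def run_scenario() -> Tuple[List[Decision], ToolInventory]:
    """The marketplace returns three candidates; the gate decides, not the agent's ranking."""
    inv = build_inventory()
    candidates = [
        ("ID-Verify-OpenID", "https://idv-openid.example/verify"),    # never registered
        ("ID-Verify-Premium", "https://idv-premium.example/api"),     # registered, pending
        ("ID-Verify-Standard", "https://idv-standard.example/api"),   # registered, approved
    ]
    decisions = [inv.authorize("kyc-agent-01", name, ep, "customer_pii") for name, ep in candidates]
    return decisions, inv


if __name__ == "__main__":
    for d in run_scenario()[0]:
        print(d)
```

The gate runs in the agent framework's tool-dispatch path, so the agent's capability-based ranking is advisory only; the inventory decides. The `discovery_log` is what turns the Detectability problem into a feed: each denied or held attempt names the agent, the endpoint, and the data classification it tried to send.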
| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 3 | Tool connections are difficult to detect because agents invoke tools dynamically. The registry of connections is incomplete. |
| A - Autonomy Sensitivity | 4 | High when agents autonomously discover and connect to tools. |
| M - Multiplicative Potential | 4 | Affects every agent-tool connection. At scale, many connections exist. |
| A - Attack Surface | 5 | Every tool connection is an attack surface. Undocumented connections cannot be defended. |
| G - Governance Gap | 4 | Asset management and TPRM frameworks assume known, static assets and vendors. Dynamic tool discovery is outside traditional governance. |
| E - Enterprise Impact | 3 | Expands attack surface and may expose customer data to unknown third parties. Regulatory and reputational impact. |
| Composite DAMAGE Score | 3.7 | High. Requires dedicated controls and monitoring. Should not be accepted without mitigation. |
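The Detectability score rests on the gap between what agents actually call and what the asset register lists. Where no runtime gate exists, the gap can still be measured after the fact by reconciling agent tool-invocation logs against the register. The following is an added example, not code from the original page, of that reconciliation: it parses a constructed JSON-lines log of tool calls, extracts the host of each call, reports every host the register does not know, and ranks each finding by whether customer identity fields were sent and how many agents used it. The log lines, host names, field names, and register contents are all constructed assumptions.

```python
"""Reconcile agent tool-call logs against the asset register to surface
undocumented external connections. Constructed example: the log, the
register entries and the field names are assumptions."""
import json
from typing import Dict, Iterable, List, Set
from urllib.parse import urlparse

# Hosts recorded in the asset register as assessed external integrations (constructed)
ASSET_REGISTER_HOSTS: Set[str] = {
    "payments.example-processor.com",
    "api.example-bureau.com",
    "screening.example-aml.com",
}

# Request fields whose presence marks a call as carrying customer identity data (constructed)
PII_FIELDS: Set[str] = {"name", "address", "id_number", "document_image"}

# Constructed agent tool-invocation log, one JSON object per line
SAMPLE_LOG = """
{"ts":"2025-01-10T09:00:01Z","agent":"kyc-agent-01","tool":"CreditCheck","url":"https://api.example-bureau.com/score","fields":["name","id_number"]}
{"ts":"2025-01-10T09:00:07Z","agent":"kyc-agent-01","tool":"ID-Verify-OpenID","url":"https://idv-openid.example/verify","fields":["name","address","id_number"]}
{"ts":"2025-01-10T09:01:12Z","agent":"kyc-agent-02","tool":"ID-Verify-OpenID","url":"https://idv-openid.example/verify","fields":["document_image"]}
{"ts":"2025-01-10T09:02:30Z","agent":"ops-agent-07","tool":"FxRates","url":"https://rates.example-data.net/latest","fields":[]}
{"ts":"2025-01-10T09:03:45Z","agent":"kyc-agent-01","tool":"AMLScreen","url":"https://screening.example-aml.com/check","fields":["name"]}
"""


def parse_log(text: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def reconcile(entries: Iterable[dict], register: Set[str]) -> Dict[str, dict]:
    """Return one finding per host that agents contacted but the register does not list."""
    findings: Dict[str, dict] = {}
    for entry in entries:
        host = urlparse(entry["url"]).hostname
        if host is None or host in register:
            continue  # registered integration: in scope of existing TPRM, not a finding
        f = findings.setdefault(host, {"tools": set(), "agents": set(), "calls": 0, "pii_calls": 0})
        f["tools"].add(entry["tool"])
        f["agents"].add(entry["agent"])
        f["calls"] += 1
        if PII_FIELDS.intersection(entry.get("fields", [])):
            f["pii_calls"] += 1
    return findings


def severity(finding: dict) -> str:
    """Customer identity data sent to an unknown party outranks a data-free lookup."""
    if finding["pii_calls"]:
        return "high"
    return "medium" if len(finding["agents"]) > 1 else "low"


def run_reconciliation(log_text: str = SAMPLE_LOG) -> Dict[str, dict]:
    """Parse, reconcile and rank; the result is the inventory delta the register is missing."""
    findings = reconcile(parse_log(log_text), ASSET_REGISTER_HOSTS)
    for f in findings.values():
        f["severity"] = severity(f)
    return findings


if __name__ == "__main__":
    for host, f in run_reconciliation().items():
        print(f"{f['severity']:6} {host}  agents={sorted(f['agents'])} "
              f"tools={sorted(f['tools'])} calls={f['calls']} pii_calls={f['pii_calls']}")
```

Run on a schedule, the output is a list of hosts to add to the register, assess, or block at the egress proxy. Hosts that are in the register are deliberately not reported: the point is the delta, not a second copy of the inventory.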
How severity changes across the agent architecture spectrum.
| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Low | Human selects tools manually. Tools are known and assessed. |
| Digital Apprentice | Medium | Agents discover tools but require human approval. Tools are tracked. |
| Autonomous Agent | High | Agents discover and invoke tools autonomously. Tool connections are not tracked. |
| Delegating Agent | Critical | Primary function is tool invocation. Every tool invoked creates untracked attack surface. |
| Agent Crew / Pipeline | High | Crew agents invoke multiple tools. Tool surface is complex and difficult to track. |
| Agent Mesh / Swarm | Critical | Mesh agents dynamically invoke tools. Attack surface is constantly expanding and impossible to fully enumerate. |
| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| NIST CSF 2.0 | Partial | ID.AM-1 (Asset Inventory) | Asset identification and inventory. | Dynamic tool connections and asset discovery. |
| NIST SP 800-53 | Partial | CA-7, CM-2 | Configuration management and monitoring. | Dynamic agent-tool connections. |
| COBIT 5 | Partial | DSS06 (Manage IT Assets) | IT asset management. | Agent-driven asset expansion. |
| PCI DSS | Partial | Requirement 1 (Network Segmentation) | Network security. | External tool connectivity and segmentation. |
Regulators assess whether institutions have visibility and control over their systems and data. If agents are connecting to external systems not in asset registers, the institution has lost visibility. Regulators will require that all external connections be documented, assessed, and monitored.
Additionally, connecting to external systems exposes customer data. Regulations require that institutions maintain control over customer data and vet any third parties with access. Unvetted tool connections represent a governance failure regardless of whether the tool itself is malicious.
Attack Surface Expansion via Tool Connectivity requires architectural controls that go beyond what existing frameworks provide. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.