◀︎ // Home

Section 02 // The Three Agent Types

Three Roles, Three Blast Radii

Every enterprise agent lands in one of three roles, and the same layer means something different in each. Data-layer poisoning of a coding agent ends in code execution on a laptop. The same poisoning of a productivity agent ends in exfiltrated data from Drive. Of a first-party agent, it ends in enterprise-wide compromise.

Coding Agents

Endpoint // Local Shell
Copilot
Claude Code
Github Copilot
Chat GPT Codex
Snowflake Cortex Code
Trust Posture

Direct access to local filesystem, shell execution, and package managers on the developer's machine.

Primary attack surface

RCE via shell-init modification and workspace-boundary violations; binary supply chain from local MCP servers.

Dominant outcome

Remote code execution on the developer endpoint.

Defender's job

Sandbox; sign & pin MCP binaries; disable auto-execution of agent-generated commands.

Productivity Agents

Straddle // OAuth
Claude Cowork
ChatGPT Enterprise
Slack AI
Asana AI
browser agents
Trust Posture

OAuth-scoped access to connected SaaS; processes high volumes of untrusted external content by design.

Primary attack surface

The same connectors that make them useful are both the injection channel and the exfiltration channel.

Dominant outcome

91% of successful attacks end in silent data exfiltration.

Defender's job

Minimize connector scopes; require approvals for irreversible actions; treat tool results as untrusted.

first-Party Agents

Remote // operator trust
Microsoft Foundry
Amazon Bedrock AgentCore
Google Gemini Enterprise
Databricks Mosaic AI
Snowflake Cortex
Trust Posture

Elevated operator trust; broad access to internal APIs, RAG corpora, and enterprise data fabrics.

Primary attack surface

Tool registry and per-tool authorization; internal connector content trusted by default.

Dominant outcome

Enterprise-wide blast radius — one compromise propagates in seconds.

Defender's job

Harden the tool registry; enforce per-tool authorization; treat internal content as untrusted input.

The three deployment roles, by trust posture, primary attack surface, and dominant outcome. The meter shows escalating trust and blast radius.

The surfaces shared by all three

The three roles differ, but two surfaces cut across all of them. MCP standardizes how any agent reaches its tools; Skills package the instructions an agent loads as trusted context. Both are shared supply chains — a single poisoned MCP server or Skill can compromise a coding agent, a productivity agent, and a first-party agent at once. Section 6 quantifies the MCP supply chain.

Common Questions

Which type of AI agent is the most dangerous — coding, productivity, or first-party?

It depends on blast radius. Coding agents are highest-risk on a single endpoint — 36% of successful attacks reach remote code execution on the developer's machine. Productivity agents fail most silently — 91% of successful attacks end in data exfiltration across connected SaaS. First-party (enterprise-built) agents have the largest blast radius — one compromise can reach the whole data fabric. Same attack mechanism, three very different consequences.

What is the difference between coding, productivity, and first-party AI agents?

Coding agents (Cursor, Claude Code, GitHub Copilot) run on a developer's machine with shell and filesystem access. Productivity agents (Microsoft 365 Copilot, Slack AI, browser agents) hold OAuth-scoped access across SaaS and process untrusted external content by design. First-party agents are the ones an enterprise builds itself on platforms like Microsoft Foundry or Snowflake Cortex, running with elevated operator trust inside the company's own systems.

Why does the same vulnerability cause different damage in different agents?

Because the agent's deployment context sets the blast radius. The same data-layer poisoning that triggers code execution on a developer's laptop becomes silent data exfiltration in a productivity agent and an enterprise-wide breach in a first-party agent. That is the core insight of the Straiker STAR Framework: the layer tells you the mechanism, the agent type tells you the consequence.

Get the Full Report

Read everything here, free. Enter your email and we'll send the full PDF, including the complete defender playbook.