◀︎ // Home
Section 02 // The Three Agent Types
Three Roles, Three Blast Radii
Every enterprise agent lands in one of three roles, and the same layer means something different in each. Data-layer poisoning of a coding agent ends in code execution on a laptop. The same poisoning of a productivity agent ends in exfiltrated data from Drive. Of a first-party agent, it ends in enterprise-wide compromise.
Coding Agents
Direct access to local filesystem, shell execution, and package managers on the developer's machine.
RCE via shell-init modification and workspace-boundary violations; binary supply chain from local MCP servers.
Remote code execution on the developer endpoint.
Sandbox; sign & pin MCP binaries; disable auto-execution of agent-generated commands.
Productivity Agents
OAuth-scoped access to connected SaaS; processes high volumes of untrusted external content by design.
The same connectors that make them useful are both the injection channel and the exfiltration channel.
91% of successful attacks end in silent data exfiltration.
Minimize connector scopes; require approvals for irreversible actions; treat tool results as untrusted.
first-Party Agents
Elevated operator trust; broad access to internal APIs, RAG corpora, and enterprise data fabrics.
Tool registry and per-tool authorization; internal connector content trusted by default.
Enterprise-wide blast radius — one compromise propagates in seconds.
Harden the tool registry; enforce per-tool authorization; treat internal content as untrusted input.
The three deployment roles, by trust posture, primary attack surface, and dominant outcome. The meter shows escalating trust and blast radius.
The surfaces shared by all three
The three roles differ, but two surfaces cut across all of them. MCP standardizes how any agent reaches its tools; Skills package the instructions an agent loads as trusted context. Both are shared supply chains — a single poisoned MCP server or Skill can compromise a coding agent, a productivity agent, and a first-party agent at once. Section 6 quantifies the MCP supply chain.

Common Questions
Which type of AI agent is the most dangerous — coding, productivity, or first-party?
It depends on blast radius. Coding agents are highest-risk on a single endpoint — 36% of successful attacks reach remote code execution on the developer's machine. Productivity agents fail most silently — 91% of successful attacks end in data exfiltration across connected SaaS. First-party (enterprise-built) agents have the largest blast radius — one compromise can reach the whole data fabric. Same attack mechanism, three very different consequences.
What is the difference between coding, productivity, and first-party AI agents?
Coding agents (Cursor, Claude Code, GitHub Copilot) run on a developer's machine with shell and filesystem access. Productivity agents (Microsoft 365 Copilot, Slack AI, browser agents) hold OAuth-scoped access across SaaS and process untrusted external content by design. First-party agents are the ones an enterprise builds itself on platforms like Microsoft Foundry or Snowflake Cortex, running with elevated operator trust inside the company's own systems.
Why does the same vulnerability cause different damage in different agents?
Because the agent's deployment context sets the blast radius. The same data-layer poisoning that triggers code execution on a developer's laptop becomes silent data exfiltration in a productivity agent and an enterprise-wide breach in a first-party agent. That is the core insight of the Straiker STAR Framework: the layer tells you the mechanism, the agent type tells you the consequence.
Get the Full Report
Read everything here, free. Enter your email and we'll send the full PDF, including the complete defender playbook.






