◀︎ // Home

Section 05 // First-Party Agents

The Internal Blast Radius

Bottom line for leadership

Agents your own teams build carry an enterprise-wide blast radius. One compromise can reach the data warehouse, the production database, and the systems of record in seconds.

Do this:
enforce least-privilege tool registries and treat internal content (wikis, tickets, RAG sources) as untrusted input.


First-party agents are the ones an enterprise builds for itself. They run on the company's own infrastructure, connect to internal systems of record, and operate inside the trust boundary drawn around its data. Every major cloud now ships a platform for building them.

Every cloud now ships an agent platform

PlatformWhat it is
Microsoft FoundryBuild, deploy, and govern custom agents on Azure.
Bedrock AgentCoreRuntime and tooling for production agents on AWS.
Gemini EnterpriseAgents run as first-class distributed-systems citizens (Google).
Cortex AgentsAgents that operate over the Snowflake data cloud.
Mosaic AIBuild and serve agents on the Databricks lakehouse.

Every major cloud now ships a platform for building first-party agents.

Enterprises deploy these agents with elevated operator trust and access to the systems the business runs on. That elevated trust is also the structural risk: a compromise reaches everything inside the boundary.

Open Quote Streamline Icon: https://streamlinehq.com

First-class distributed systems citizens, complete with identity, permissions, runtime environments, observability, and deployment pipelines."

// Google, on enterprise agents

Open Quote Streamline Icon: https://streamlinehq.com

"The unified control plane for the agentic enterprise."

// Snowflake, on its agent platform

Same compromise, three sizes of blast

Coding agent

Reaches the developer's machine: local files, shell, SSH keys, cloud credentials, source.

RCE on one endpoint

Productivity agent

Reaches the apps the user linked via OAuth: email, Drive, Calendar, CRM, Slack.

silent exfiltration across linked apps

First-party agent

Reaches the data warehouse, production database, internal API surface, and systems of record.

enterprise-wide compromise in seconds

Reach scales with trust. The deeper an agent sits inside the boundary, the more a single compromise can touch. Rings are illustrative, not to scale.

Three ways First-Party Agents Fail

Risk 01

Internal RAG poisoning

An attacker who can write to any source the agent indexes (a wiki page, shared drive, or ticket) plants instructions that steer the agent for every user. One poisoned source serves every employee.

Risk 02

Over-permissioned tool registry

The agent is registered with access to every tool the team thought it might need. Attackers chain low-privilege tools into high-privilege outcomes no single tool would allow.

Risk 03

Data-fabric exfiltration

The agent has standing access to data lakes, warehouses, and internal APIs. A LAVA-driven instruction redirects that same access to an attacker-controlled destination.

In practice: Emergent hardened Wingman before launch

Emergent, an AI app-builder, brought Straiker STAR Labs in to red-team its connector-enabled personal agent, Wingman, before launch. Ascend AI ran proof-of-concept exploits across more than 18 connected integrations, exercising the patterns that define first-party risk: cross-connector pivoting, multi-hop trust laundering, and scheduled-task persistence. Wingman's defenses held, and the team hardened controls further before any user logged in, treating model output as a proposal that a separate control layer must clear.

What defenders need to do

// 01

Break RAG poisoning

Restrict RAG corpora to authenticated, authorized sources. Monitor what gets indexed for injection patterns. Apply source-provenance checks like dependency provenance.

// 02

Break the over-permissioned registry

Apply least privilege to the tool registry like identity. Use per-tool authorization, not blanket access. Audit every new tool registration.

// 03

Break the over-permissioned registry

Allowlist destinations for agent outputs. Require approval gates for cross-system transfers. Monitor egress against the agent's declared task purpose.

The cross-cutting control

Runtime monitoring of context against action — the same agent-on-agent model from productivity agents, with higher stakes because the blast radius spans the enterprise. Section 7 returns to the full control set.

Common Questions

What is the blast radius of a first-party (enterprise-built) AI agent?

Enterprise-wide. Agents built on Microsoft Foundry, Amazon Bedrock AgentCore, Google Gemini Enterprise, Snowflake Cortex, or Databricks Mosaic AI run with elevated operator trust — so one compromise can reach the data warehouse, production database, and systems of record in seconds.

How do first-party AI agents get compromised?

Three main ways: internal RAG poisoning (a planted instruction in a wiki, drive, or ticket steers the agent for every user), an over-permissioned tool registry (attackers chain low-privilege tools into high-privilege outcomes), and data-fabric exfiltration (standing data access redirected to an attacker-controlled destination).

How do you secure custom enterprise AI agents?

Apply least privilege to the tool registry with per-tool authorization, restrict RAG corpora to authenticated sources and monitor what gets indexed, allowlist destinations for agent outputs, and require approval gates for cross-system transfers. Treat internal content as untrusted and monitor context against action at runtime.

Get the Full Report

Read everything here, free. Enter your email and we'll send the full PDF, including the complete defender playbook.