◀︎ // Home
Section 05 // First-Party Agents
The Internal Blast Radius
Bottom line for leadership
Agents your own teams build carry an enterprise-wide blast radius. One compromise can reach the data warehouse, the production database, and the systems of record in seconds.
Do this: enforce least-privilege tool registries and treat internal content (wikis, tickets, RAG sources) as untrusted input.
First-party agents are the ones an enterprise builds for itself. They run on the company's own infrastructure, connect to internal systems of record, and operate inside the trust boundary drawn around its data. Every major cloud now ships a platform for building them.
Every cloud now ships an agent platform
Enterprises deploy these agents with elevated operator trust and access to the systems the business runs on. That elevated trust is also the structural risk: a compromise reaches everything inside the boundary.
First-class distributed systems citizens, complete with identity, permissions, runtime environments, observability, and deployment pipelines."
// Google, on enterprise agents
"The unified control plane for the agentic enterprise."
// Snowflake, on its agent platform
Same compromise, three sizes of blast
Three ways First-Party Agents Fail
Risk 01
Internal RAG poisoning
An attacker who can write to any source the agent indexes (a wiki page, shared drive, or ticket) plants instructions that steer the agent for every user. One poisoned source serves every employee.
Risk 02
Over-permissioned tool registry
The agent is registered with access to every tool the team thought it might need. Attackers chain low-privilege tools into high-privilege outcomes no single tool would allow.
Risk 03
Data-fabric exfiltration
The agent has standing access to data lakes, warehouses, and internal APIs. A LAVA-driven instruction redirects that same access to an attacker-controlled destination.
In practice: Emergent hardened Wingman before launch
Emergent, an AI app-builder, brought Straiker STAR Labs in to red-team its connector-enabled personal agent, Wingman, before launch. Ascend AI ran proof-of-concept exploits across more than 18 connected integrations, exercising the patterns that define first-party risk: cross-connector pivoting, multi-hop trust laundering, and scheduled-task persistence. Wingman's defenses held, and the team hardened controls further before any user logged in, treating model output as a proposal that a separate control layer must clear.

What defenders need to do
// 01
Break RAG poisoning
Restrict RAG corpora to authenticated, authorized sources. Monitor what gets indexed for injection patterns. Apply source-provenance checks like dependency provenance.
// 02
Break the over-permissioned registry
Apply least privilege to the tool registry like identity. Use per-tool authorization, not blanket access. Audit every new tool registration.
// 03
Break the over-permissioned registry
Allowlist destinations for agent outputs. Require approval gates for cross-system transfers. Monitor egress against the agent's declared task purpose.
The cross-cutting control
Runtime monitoring of context against action — the same agent-on-agent model from productivity agents, with higher stakes because the blast radius spans the enterprise. Section 7 returns to the full control set.
Common Questions
What is the blast radius of a first-party (enterprise-built) AI agent?
Enterprise-wide. Agents built on Microsoft Foundry, Amazon Bedrock AgentCore, Google Gemini Enterprise, Snowflake Cortex, or Databricks Mosaic AI run with elevated operator trust — so one compromise can reach the data warehouse, production database, and systems of record in seconds.
How do first-party AI agents get compromised?
Three main ways: internal RAG poisoning (a planted instruction in a wiki, drive, or ticket steers the agent for every user), an over-permissioned tool registry (attackers chain low-privilege tools into high-privilege outcomes), and data-fabric exfiltration (standing data access redirected to an attacker-controlled destination).
How do you secure custom enterprise AI agents?
Apply least privilege to the tool registry with per-tool authorization, restrict RAG corpora to authenticated sources and monitor what gets indexed, allowlist destinations for agent outputs, and require approval gates for cross-system transfers. Treat internal content as untrusted and monitor context against action at runtime.
Get the Full Report
Read everything here, free. Enter your email and we'll send the full PDF, including the complete defender playbook.






